
Commit efe7896

authored
Merge pull request Azure#13007 from teebu/onetrust-connector-submission
Onetrust connector submission
2 parents fb6f077 + d8a0f0b commit efe7896


12 files changed

+1878
-0
lines changed


Logos/onetrust.svg

Lines changed: 10 additions & 0 deletions
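--- /dev/null
+++ b/[file path not shown on page]
@@ -0,0 +1,235 @@
+{
+"name": "OneTrustMetadataDCR",
+"apiVersion": "22023-03-11",
+"type": "Microsoft.Insights/dataCollectionRules",
+"location": "[parameters('workspace-location')]",
+"properties": {
+"streamDeclarations": {
+"Custom-OneTrustMetadataV3": {
+"columns": [
+{
+"name": "IngestionTime",
+"type": "datetime"
+},
+{
+"name": "TimeGenerated",
+"type": "datetime"
+},
+{
+"name": "AssetID",
+"type": "string"
+},
+{
+"name": "CreatedDateTime",
+"type": "datetime"
+},
+{
+"name": "AssetOwner",
+"type": "dynamic"
+},
+{
+"name": "AssetName",
+"type": "string"
+},
+{
+"name": "AssetType",
+"type": "string"
+},
+{
+"name": "AssetPermissions",
+"type": "dynamic"
+},
+{
+"name": "AdditionalFields",
+"type": "dynamic"
+},
+{
+"name": "Provider",
+"type": "string"
+},
+{
+"name": "AssetSource",
+"type": "string"
+},
+{
+"name": "Workload",
+"type": "string"
+},
+{
+"name": "SubWorkload",
+"type": "string"
+},
+{
+"name": "Location",
+"type": "string"
+},
+{
+"name": "Region",
+"type": "string"
+},
+{
+"name": "Classification",
+"type": "string"
+},
+{
+"name": "ClassificationLastScanDateTime",
+"type": "datetime"
+},
+{
+"name": "IsProtectedByDlp",
+"type": "boolean"
+},
+{
+"name": "Risks",
+"type": "string"
+},
+{
+"name": "IdentityDirectorySource",
+"type": "string"
+},
+{
+"name": "LastAccessDateTime",
+"type": "datetime"
+},
+{
+"name": "LastModifiedDateTime",
+"type": "datetime"
+},
+{
+"name": "SensitivityLabel",
+"type": "string"
+},
+{
+"name": "ThreatDetected",
+"type": "boolean"
+},
+{
+"name": "ThreatCategory",
+"type": "dynamic"
+},
+{
+"name": "ThreatName",
+"type": "dynamic"
+},
+{
+"name": "RelatedIndicators",
+"type": "string"
+},
+{
+"name": "RequestSourceIP",
+"type": "string"
+},
+{
+"name": "RequestDestinationIP",
+"type": "string"
+},
+{
+"name": "AssetPath",
+"type": "string"
+},
+{
+"name": "InternalUserWithPermissionCount",
+"type": "int"
+},
+{
+"name": "ExternalUserWithPermissionCount",
+"type": "int"
+},
+{
+"name": "DeviceName",
+"type": "string"
+},
+{
+"name": "UserName",
+"type": "string"
+},
+{
+"name": "AssetSize",
+"type": "string"
+},
+{
+"name": "MD5",
+"type": "string"
+},
+{
+"name": "SHA1",
+"type": "string"
+},
+{
+"name": "SHA256",
+"type": "string"
+},
+{
+"name": "Extension",
+"type": "string"
+},
+{
+"name": "SignatureStatus",
+"type": "string"
+},
+{
+"name": "DomainName",
+"type": "string"
+},
+{
+"name": "Subdomain",
+"type": "string"
+},
+{
+"name": "TopLevelDomain",
+"type": "string"
+},
+{
+"name": "IPAddress",
+"type": "string"
+},
+{
+"name": "URL",
+"type": "string"
+},
+{
+"name": "ISP",
+"type": "string"
+},
+{
+"name": "ASN",
+"type": "string"
+},
+{
+"name": "AADTenantID",
+"type": "string"
+},
+{
+"name": "IsAssetRemoved",
+"type": "boolean"
+},
+{
+"name": "FeedType",
+"type": "string"
+}
+]
+}
+},
+"destinations": {
+"logAnalytics": [
+{
+"workspaceResourceId": "[variables('workspaceResourceId')]",
+"name": "clv2ws1"
+}
+]
+},
+"dataFlows": [
+{
+"streams": [
+"Custom-OneTrustMetadataV3"
+],
+"destinations": [
+"clv2ws1"
+],
+"transformKql": "source | extend IngestionTime = now(), Provider = \"OneTrust\"",
+"outputStream": "Custom-OneTrustMetadataV3_CL"
+}
+],
+"dataCollectionEndpointId": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]"
+}
+}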
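Review bot: The `apiVersion` on the second line of the file, `"22023-03-11"`, has an extra digit, so the resource will be rejected at deployment because no such API version exists for Microsoft.Insights/dataCollectionRules; it should read `"apiVersion": "2023-03-11"`. The `transformKql` on the dataFlows entry stamps `IngestionTime = now()` and hard-codes `Provider = "OneTrust"` at ingestion, overriding anything a sender places in those two declared columns, which the connector documentation should state so integrators do not expect their own values to survive. The `dataCollectionEndpointId` is assembled from `parameters('subscription')`, `parameters('resourceGroupName')` and `parameters('workspace')`; presumably the enclosing template declares all three, which cannot be confirmed from this file.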
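--- /dev/null
+++ b/[file path not shown on page]
@@ -0,0 +1,143 @@
+{
+"name": "OnetrustPush",
+"apiVersion": "2022-09-01-preview",
+"type": "Microsoft.SecurityInsights/dataConnectorDefinitions",
+"location": "[parameters('workspace-location')]",
+"kind": "Customizable",
+"properties": {
+"connectorUiConfig": {
+"id": "OnetrustPush",
+"title": "OneTrust",
+"publisher": "OneTrust",
+"descriptionMarkdown": "The OneTrust connector for Microsoft Sentinel provides the capability to have near real time visibility into where sensitive data has been located or remediated across across Google Cloud and other OneTrust supported data sources.",
+"graphQueries": [
+{
+"metricName": "OneTrust Metadata Logs",
+"legend": "OneTrustMetadataV3_CL",
+"baseQuery": "OneTrustMetadataV3_CL"
+}
+],
+"sampleQueries": [
+{
+"description": "OneTrust Logs - All Logs",
+"query": "OneTrustMetadataV3_CL\n | sort by TimeGenerated desc"
+}
+],
+"dataTypes": [
+{
+"name": "OneTrustMetadataV3_CL",
+"lastDataReceivedQuery": "OneTrustMetadataV3_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+}
+],
+"connectivityCriteria": [
+{
+"type": "IsConnectedQuery",
+"value": [
+"OneTrustMetadataV3_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)"
+]
+}
+],
+"availability": {
+"status": 1
+},
+"permissions": {
+"resourceProvider": [
+{
+"provider": "Microsoft.OperationalInsights/workspaces",
+"permissionsDisplayText": "read and write permissions are required.",
+"providerDisplayName": "Workspace",
+"scope": "Workspace",
+"requiredPermissions": {
+"write": true,
+"read": true,
+"delete": true
+}
+}
+],
+"customs": [
+{
+"name": "Microsoft Entra",
+"description": "Permission to create an app registration in Microsoft Entra ID. Typically requires Entra ID Application Developer role or higher."
+},
+{
+"name": "Microsoft Azure",
+"description": "Permission to assign Monitoring Metrics Publisher role on data collection rule (DCR). Typically requires Azure RBAC Owner or User Access Administrator role"
+}
+]
+},
+"instructionSteps": [
+{
+"title": "1. Create ARM Resources and Provide the Required Permissions",
+"description": "This connector reads data from the tables that OneTrust uses in a Microsoft Analytics Workspace. If OneTrust's data forwarding option is enabled then raw event data can be sent to the Microsoft Sentinel Ingestion API.",
+"instructions": [
+{
+"type": "Markdown",
+"parameters": {
+"content": "#### Automated Configuration and Secure Data Ingestion with Entra Application \nClicking on \"Deploy\" will trigger the creation of Log Analytics tables and a Data Collection Rule (DCR). \nIt will then create an Entra application, link the DCR to it, and set the entered secret in the application. This setup enables data to be sent securely to the DCR using an Entra token."
+}
+},
+{
+"parameters": {
+"label": "Deploy OneTrust connector resources",
+"applicationDisplayName": "OneTrust Connector Application"
+},
+"type": "DeployPushConnectorButton"
+}
+]
+},
+{
+"title": "2. Push your logs into the workspace",
+"description": "Use the following parameters to configure the your machine to send the logs to the workspace.",
+"instructions": [
+{
+"parameters": {
+"label": "Tenant ID (Directory ID)",
+"fillWith": ["TenantId"]
+},
+"type": "CopyableLabel"
+},
+{
+"parameters": {
+"label": "Entra App Registration Application ID",
+"fillWith": ["ApplicationId"],
+"placeholder": "Deploy push connector to get the App Registration Application ID"
+},
+"type": "CopyableLabel"
+},
+{
+"parameters": {
+"label": "Entra App Registration Secret",
+"fillWith": ["ApplicationSecret"],
+"placeholder": "Deploy push connector to get the App Registration Secret"
+},
+"type": "CopyableLabel"
+},
+{
+"parameters": {
+"label": "Data Collection Endpoint Uri",
+"fillWith": ["DataCollectionEndpoint"],
+"placeholder": "Deploy push connector to get the Data Collection Endpoint Uri"
+},
+"type": "CopyableLabel"
+},
+{
+"parameters": {
+"label": "Data Collection Rule Immutable ID",
+"fillWith": ["DataCollectionRuleId"],
+"placeholder": "Deploy push connector to get the Data Collection Rule Immutable ID"
+},
+"type": "CopyableLabel"
+},
+{
+"parameters": {
+"label": "OneTrust Metadata Stream Name",
+"value": "Custom-OneTrustMetadataV3"
+},
+"type": "CopyableLabel"
+}
+]
+}
+]
+}
+}
+}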
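Review bot: The workspace entry under `permissions.resourceProvider` requests `"delete": true` while its `permissionsDisplayText` tells the user that only "read and write permissions are required", so the UI understates what the connector asks for; either set `"delete": false` if the deployment never deletes workspace resources, or change the text to `"permissionsDisplayText": "read, write and delete permissions are required."`. Two user-facing strings carry typos that will ship into the portal: `descriptionMarkdown` contains `across across`, and the step-2 description contains `configure the your machine`. The `Entra App Registration Secret` CopyableLabel fills from `ApplicationSecret` and so displays the application secret in the portal; that is the established push-connector pattern, but the step-2 description could add a sentence telling operators to place the copied secret directly into the sending system's secret store rather than into tickets or chat.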
