Merge pull request #266001 from austinmccollum/austinmc-ccp2-updates

update CCPv2 with corrections

Author: prmerger-automator[bot]

articles/sentinel/create-codeless-connector.md

@@ -127,10 +127,91 @@ To learn from an example, see the [Data connector connection rules reference exa
 
 Use Postman to call the data connector API to create the data connector which combines the connection rules and previous components. Verify the connector is now connected in the UI.
 
+## Secure confidential input
+
+Whatever authentication is used by your CCP data connector, take these steps to ensure confidential information is kept secure. The goal is to pass along credentials from the ARM template to the CCP without leaving readable confidential objects in your deployments history.
+
+### Create label
+
+The data connector definition creates a UI element to prompt for security credentials. For example, if your data connector authenticates to a log source with OAuth, your data connector definition section includes the `OAuthForm` type in the instructions. This sets up the ARM template to prompt for the credentials.  
+
+```json
+"instructions": [
+    {
+        "type": "OAuthForm",
+        "parameters": {
+        "UsernameLabel": "Username",
+        "PasswordLabel": "Password",
+        "connectButtonLabel": "Connect",
+        "disconnectButtonLabel": "Disconnect"
+        }
+    }
+],
+```
+
+### Store confidential input
+
+A section of the ARM deployment template provides a place for the administrator deploying the data connector to enter the password. Use `securestring` to keep the confidential information secured in an object that isn't readable after deployment. For more information, see [Security recommendations for parameters](../azure-resource-manager/templates/best-practices.md#security-recommendations-for-parameters).
+
+```json
+"mainTemplate": {
+    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+    "contentVersion": "[variables('dataConnectorCCPVersion')]",
+    "parameters": {
+        "Username": {
+            "type": "securestring",
+            "minLength": 1,
+            "metadata": {
+                "description": "Enter the username to connect to your data source."
+        },
+        "Password": {
+            "type": "securestring",
+            "minLength": 1,
+            "metadata": {
+                "description": "Enter the API key, client secret or password required to connect."
+            }
+        },
+    // more deployment template information
+    }
+}
+```
+
+### Use the securestring objects
+
+Finally, the CCP utilizes the credential objects in the data connector section. 
+
+```json
+"auth": {
+    "type": "OAuth2",
+    "ClientSecret": "[[parameters('Password')]",
+    "ClientId": "[[parameters('Username')]",
+    "GrantType": "client_credentials",
+    "TokenEndpoint": "https://api.contoso.com/oauth/token",
+    "TokenEndpointHeaders": {
+        "Content-Type": "application/x-www-form-urlencoded"
+    },
+    "TokenEndpointQueryParameters": {
+        "grant_type": "client_credentials"
+    }
+},
+```
+
+>[!Note]
+> The strange syntax for the credential object, `"ClientSecret": "[[parameters('Password')]",` isn't a typo! 
+> In order to create the deployment template which also uses parameters, you need to escape the parameters in that section with an extra starting`[`. This allows the parameters to assign a value based on the user interaction with the connector.
+>
+> For more information, see [Template expressions escape characters](../azure-resource-manager/templates/template-expressions.md#escape-characters).
+  
+
 ## Create the deployment template
 
 Manually package an Azure Resource Management (ARM) template using the [example template](#example-arm-template) as your guide.
 
+In addition to the example template, published solutions available in the Microsoft Sentinel content hub use the CCP for their data connector. Review the following solutions as more examples of how to stitch the components together into an ARM template.
+
+- [Ermes Browser Security](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ermes%20Browser%20Security/Package/mainTemplate.json)
+- [Palo Alto Prisma Cloud CWPP](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ermes%20Browser%20Security/Package/mainTemplate.json)
+
 ## Deploy the connector
 
 Deploy your codeless connector as a custom template. 
@@ -363,7 +444,12 @@ Consider using the ARM template test toolkit (arm-ttk) to validate the template
 
 #### Example ARM template - parameters
 
-For more information, see [Parameters in ARM templates](../azure-resource-manager/templates/parameters.md) and [Security recommendations for parameters](../azure-resource-manager/templates/best-practices.md#security-recommendations-for-parameters).
+For more information, see [Parameters in ARM templates](../azure-resource-manager/templates/parameters.md).
+
+>[!Warning]
+> Use `securestring` for all passwords and secrets in objects readable after resource deployment.
+> For more information, see [Secure confidential input](#secure-confidential-input) and [Security recommendations for parameters](../azure-resource-manager/templates/best-practices.md#security-recommendations-for-parameters).
+
 
 ```json
 {
@@ -644,7 +730,7 @@ There are 5 ARM deployment resources in this template guide which house the 4 CC
                         //    "minLength": 1
                         //},
                         //"apikey": {
-                        //    "defaultValue": "API Key",
+                        //    "defaultValue": "",
                         //    "type": "securestring",
                         //    "minLength": 1
                         //}

articles/sentinel/data-connector-connection-rules-reference.md

@@ -30,12 +30,12 @@ Reference the [Create or Update](/rest/api/securityinsights/data-connectors/crea
 
 **PUT** method
 ```http
-https://management.azure.com/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupName}}/providers/Microsoft.OperationalInsights/workspaces/{{workspaceName}}/providers/Microsoft.SecurityInsights/dataConnectors/{{dataConnectorId}}?api-version=
+https://management.azure.com/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupName}}/providers/Microsoft.OperationalInsights/workspaces/{{workspaceName}}/providers/Microsoft.SecurityInsights/dataConnectors/{{dataConnectorId}}?api-version={{apiVersion}}
 ```
 
 ## URI parameters
 
-For more information, see [Data Connectors - Create or Update URI Parameters](/rest/api/securityinsights/data-connectors/create-or-update#uri-parameters)
+For more information about the latest API version, see [Data Connectors - Create or Update URI Parameters](/rest/api/securityinsights/data-connectors/create-or-update#uri-parameters).
 
 |Name  | Description  |
 |---------|---------|
@@ -54,7 +54,6 @@ The request body for the CCP data connector has the following structure:
    "name": "{{dataConnectorId}}",
    "kind": "RestApiPoller",
    "etag": "",
-   "DataType": ""
    "properties": {
         "connectorDefinitionName": "",
         "auth": {},
@@ -91,14 +90,11 @@ The CCP supports the following authentication types:
 > [!NOTE]
 > CCP OAuth2 implementation does not support certificate credentials.
 
-As a best practice, use parameters in the auth section instead of hard-coding credentials.
-- For more information, see [Best practice recommendations for parameters](../azure-resource-manager/templates/best-practices.md#security-recommendations-for-parameters).
+As a best practice, use parameters in the auth section instead of hard-coding credentials. For more information, see [Secure confidential input](create-codeless-connector.md#secure-confidential-input).
 
-In order to create the deployment template which also uses parameters, you need to escape the parameters in this section with an extra starting `[`. This allows the parameters to assign a value based on the user interaction with the connector. 
-- For more information, see [Template expressions escape characters](../azure-resource-manager/templates/template-expressions.md#escape-characters).
+In order to create the deployment template which also uses parameters, you need to escape the parameters in this section with an extra starting `[`. This allows the parameters to assign a value based on the user interaction with the connector. For more information, see [Template expressions escape characters](../azure-resource-manager/templates/template-expressions.md#escape-characters).
 
-To enable the credentials to be entered from the UI, the `connectorUIConfig` section requires `instructions` with the desired parameters.
-- For more information, see [Data connector definitions reference for the Codeless Connector Platform](data-connector-ui-definitions-reference.md#instructions).
+To enable the credentials to be entered from the UI, the `connectorUIConfig` section requires `instructions` with the desired parameters. For more information, see [Data connector definitions reference for the Codeless Connector Platform](data-connector-ui-definitions-reference.md#instructions).
 
 #### Basic auth
 
@@ -120,7 +116,7 @@ Example Basic auth using parameters defined in `connectorUIconfig`:
 
 | Field | Required | Type | Description | Default value |
 | ---- | ---- | ---- | ---- | ---- |
-| **ApiKey** | Mandatory | string | user secret key | |
+| **ApiKey** | True | string | user secret key | |
 | **ApiKeyName** | | string | name of the Uri header containing the ApiKey value | `Authorization` |
 | **ApiKeyIdentifier** | | string | string value to prepend the token | `token` |
 | **IsApiKeyInPostPayload** | | boolean | send secret in POST body instead of header | `false` |
@@ -162,9 +158,9 @@ After the user returns to the client via the redirect URL, the application will
 | ---- | ---- | ---- | ---- | 
 | **ClientId** | True	| String | The client id |
 | **ClientSecret**	| True | String | The client secret |
-| **AuthorizationCode** | Mandatory when grantType = `authorization_code` |	String | If grant type is `authorization_code` this field value will be the authorization code returned from the auth serve. |
+| **AuthorizationCode** | True when grantType = `authorization_code` |	String | If grant type is `authorization_code` this field value will be the authorization code returned from the auth serve. |
 | **Scope** | True for `authorization_code` grant type<br> optional for `client_credentials` grant type| String | A space-separated list of scopes for user consent. For more information, see [OAuth2 scopes and permissions](/entra/identity-platform/scopes-oidc). |
-| **RedirectUri** | Mandatory when grantType = `authorization_code` | String | URL for redirect, must be `https://portal.azure.com/TokenAuthorize` |
+| **RedirectUri** | True when grantType = `authorization_code` | String | URL for redirect, must be `https://portal.azure.com/TokenAuthorize` |
 | **GrantType** | True | String | `authorization_code` or `client_credentials` |
 | **TokenEndpoint** | True | String | URL to exchange code with valid token in `authorization_code` grant or client id and secret with valid token in `client_credentials` grant. |
 | **TokenEndpointHeaders** |  | Object | An optional key value object to send custom headers to token server |
@@ -189,7 +185,7 @@ OAuth2 auth code grant
     "authorizationEndpointQueryParameters": {
         "prompt": "consent"
     },
-    "redirectionUri": "https://portal.azure.com/TokenAuthorize",
+    "redirectUri": "https://portal.azure.com/TokenAuthorize",
     "tokenEndpointHeaders": {
         "Accept": "application/json",
         "Content-Type": "application/x-www-form-urlencoded"
@@ -436,7 +432,7 @@ Paging: {
 
 ```json
 Paging: {
- "pagingType" = "PersistentLinkHeader", 
+ "pagingType" : "PersistentLinkHeader", 
  "pageSizeParameterName" : "limit", 
  "pageSize" : 500 
 }