Merge pull request #287237 from austinmccollum/main

updating CCP docs

Author: PMEds28

articles/sentinel/TOC.yml

@@ -1117,8 +1117,10 @@
       href: dns-ama-fields.md
     - name: Data connector definitions API reference
       href: data-connector-ui-definitions-reference.md
-    - name: Data connectors API reference
+    - name: RestApiPoller data connectors API reference
       href: data-connector-connection-rules-reference.md
+    - name: GCP data connectors API reference
+      href: data-connection-rules-reference-gcp.md
     - name: Sample API requests for creating Data Collection Rules (DCRs)
       href: api-dcr-reference.md
     - name: Microsoft Purview Information Protection reference

articles/sentinel/create-codeless-connector.md

@@ -4,7 +4,7 @@ description: Learn how to create a codeless connector in Microsoft Sentinel usin
 author: austinmccollum
 ms.author: austinmc
 ms.topic: how-to
-ms.date: 06/26/2024
+ms.date: 09/26/2024
 ---
 # Create a codeless connector for Microsoft Sentinel
 
@@ -71,7 +71,7 @@ We recommend testing your components with an API testing tool like one of the fo
 
 ## Build the data connector
 
-There are 4 components required to build the CCP data connector.
+There are four components required to build the CCP data connector.
 
 1. [Output table definition](#output-table-definition)
 1. [Data Collection Rule (DCR)](#data-collection-rule)
@@ -119,22 +119,18 @@ Build the data connector user interface with the [**Data Connector Definition**
 Notes: 
 1)	The `kind` property for API polling connector should always be `Customizable`.
 2)	Since this is a type of API polling connector, set the `connectivityCriteria` type to `hasDataConnectors`
-3)	The example `instructionsSteps` include a button of type `ConnectionToggleButton`. This button helps trigger the deployment of data connector rules based on the connection parameters specified.
+3)	The example `instructionSteps` include a button of type `ConnectionToggleButton`. This button helps trigger the deployment of data connector rules based on the connection parameters specified.
 
 Use an [API testing tool](#testing-apis) to call the data connector definitions API to create the data connector UI in order to validate it in the data connectors gallery.
 
 To learn from an example, see the [Data connector definitions reference example section](data-connector-ui-definitions-reference.md#example-data-connector-definition).
 
 ### Data connection rules
 
-This portion defines the connection rules including:
-- polling
-- authentication
-- paging
+There are currently two kinds of data connection rules possible for defining your CCP data connector.
 
-For more information on building this section, see the [Data connector connection rules reference](data-connector-connection-rules-reference.md).
-
-To learn from an example, see the [Data connector connection rules reference example](data-connector-connection-rules-reference.md#example-ccp-data-connector).
+- `RestApiPoller` kind allows you to customize paging, authorization and expected request/response payloads for your data source. For more information, see [RestApiPoller data connector connection rules reference](data-connector-connection-rules-reference.md).
+- `GCP` kind allows you to decrease your development time by automatically configuring paging and expected response payloads for your Google Cloud Platform (GCP) data source. For more information, see [GCP data connector connection rules reference](data-connection-rules-reference-gcp.md)
 
 Use an [API testing tool](#testing-apis) to call the data connector API to create the data connector which combines the connection rules and previous components. Verify the connector is now connected in the UI.
 
@@ -216,17 +212,24 @@ Finally, the CCP utilizes the credential objects in the data connector section.
 
 ## Create the deployment template
 
-Manually package an Azure Resource Management (ARM) template using the [example template code samples](#example-arm-template) as your guide. These code samples are divided by ARM template sections for you to splice together.
+Manually package an Azure Resource Management (ARM) template using the [example template code samples](#example-arm-template) as your guide. These code samples are divided by ARM template sections which you must splice together.
+
+If you're creating a Google Cloud Platform (GCP) CCP data connector, package the deployment template using the [example GCP CCP template](https://github.com/austinmccollum/Azure-Sentinel/blob/patch-5/DataConnectors/Templates/Connector_GCP_CCP_template.json). For information on how to fill out the GCP CCP template, see [GCP data connector connection rules reference](data-connection-rules-reference-gcp.md).
 
-In addition to the example template, published solutions available in the Microsoft Sentinel content hub use the CCP for their data connector. Review the following solutions as more examples of how to stitch the components together into an ARM template.
+In addition to the example templates, published solutions available in the Microsoft Sentinel content hub use the CCP for their data connectors. Review the following solutions as more examples of how to stitch the components together into an ARM template.
 
+**`RestApiPoller`** CCP data connector examples
 - [Ermes Browser Security](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Ermes%20Browser%20Security/Data%20Connectors/ErmesBrowserSecurityEvents_ccp)
 - [Palo Alto Prisma Cloud CWPP](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Palo%20Alto%20Prisma%20Cloud%20CWPP/Data%20Connectors/PaloAltoPrismaCloudCWPP_ccp)
 - [Sophos Endpoint Protection](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Sophos%20Endpoint%20Protection/Data%20Connectors/SophosEP_ccp)
 - [Workday](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Workday/Data%20Connectors/Workday_ccp)
 - [Atlassian Jira](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/AtlassianJiraAudit/Data%20Connectors/JiraAuditAPISentinelConnector_ccpv2)
 - [Okta Single Sign-On](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Okta%20Single%20Sign-On/Data%20Connectors/OktaNativePollerConnectorV2)
 
+**`GCP`** CCP data connector examples
+- [GCP audit logs](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Google%20Cloud%20Platform%20Audit%20Logs/Package/mainTemplate.json)
+- [GCP security command center](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Google%20Cloud%20Platform%20Security%20Command%20Center/Package/mainTemplate.json)
+
 ## Deploy the connector
 
 Deploy your codeless connector as a custom template. 
@@ -901,7 +904,7 @@ There are 5 ARM deployment resources in this template guide which house the 4 CC
 }
 ```
 
-## Next steps
+## Related content
 
 For more information, see 
 - [About Microsoft Sentinel solutions](sentinel-solutions.md).

articles/sentinel/create-custom-connector.md

@@ -1,15 +1,15 @@
 ---
-title: Resources for creating Microsoft Sentinel custom connectors | Microsoft Docs
+title: Resources for creating Microsoft Sentinel custom connectors
 description: Learn about available resources for creating custom connectors for Microsoft Sentinel. Methods include the Log Analytics agent and API, Logstash, Logic Apps, PowerShell, and Azure Functions.
-author: limwainstein
+author: austinmccollum
 ms.topic: conceptual
-ms.date: 01/09/2023
-ms.author: lwainstein
+ms.date: 09/26/2024
+ms.author: austinmc
 ---
 
 # Resources for creating Microsoft Sentinel custom connectors
 
-Microsoft Sentinel provides a wide range of [built-in connectors for Azure services and external solutions](connect-data-sources.md), and also supports ingesting data from some sources without a dedicated connector.
+Microsoft Sentinel provides a wide range of [out-of-the-box connectors for Azure services and external solutions](connect-data-sources.md), and also supports ingesting data from some sources without a dedicated connector.
 
 If you're unable to connect your data source to Microsoft Sentinel using any of the existing solutions available, consider creating your own data source connector.
 

articles/sentinel/data-connection-rules-reference-gcp.md

@@ -0,0 +1,150 @@
+---
+title: GCP data connector reference for the Codeless Connector Platform
+titleSuffix: Microsoft Sentinel
+description: This article provides reference JSON fields and properties for creating the GCP data connector type and its data connection rules as part of the Codeless Connector Platform.
+services: sentinel
+author: austinmccollum
+ms.topic: reference
+ms.date: 9/30/2024
+ms.author: austinmc
+
+---
+
+# GCP data connector reference for the Codeless Connector Platform
+
+To create a Google Cloud Platform (GCP) data connector with the Codeless Connector Platform (CCP), use this reference as a supplement to the [Microsoft Sentinel REST API for Data Connectors](/rest/api/securityinsights/data-connectors/create-or-update?view=rest-securityinsights-2024-01-01-preview&tabs=HTTP#gcpdataconnector&preserve-view=true) docs.
+
+Each `dataConnector` represents a specific *connection* of a Microsoft Sentinel data connector. One data connector might have multiple connections, which fetch data from different endpoints. The JSON configuration built using this reference document is used to complete the deployment template for the CCP data connector. 
+
+For more information, see [Create a codeless connector for Microsoft Sentinel](create-codeless-connector.md#create-the-deployment-template).
+
+## Build the GCP CCP data connector
+
+A sample GCP CCP data connector deployment template is available [here](https://github.com/austinmccollum/Azure-Sentinel/blob/patch-5/DataConnectors/Templates/Connector_GCP_CCP_template.json) to ease the development of connecting your data source. With most of the deployment template sections filled out, only the first two components need to be built. For more information on building the first two components, see the [Output table definition](create-codeless-connector.md#output-table-definition) and [Data Collection Rule (DCR)](create-codeless-connector.md#data-collection-rule) sections.
+
+## Data Connectors - Create or update 
+
+Reference the [Create or Update](/rest/api/securityinsights/data-connectors/create-or-update) operation in the REST API docs to find the latest stable or preview API version. The difference between the *create* and the *update* operation is the update requires the **etag** value.
+
+**PUT** method
+```http
+https://management.azure.com/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupName}}/providers/Microsoft.OperationalInsights/workspaces/{{workspaceName}}/providers/Microsoft.SecurityInsights/dataConnectors/{{dataConnectorId}}?api-version={{apiVersion}}
+```
+
+## URI parameters
+
+For more information about the latest API version, see [Data Connectors - Create or Update URI Parameters](/rest/api/securityinsights/data-connectors/create-or-update#uri-parameters).
+
+|Name  | Description  |
+|---------|---------|
+| **dataConnectorId** | The data connector ID must be a unique name and is the same as the `name` parameter in the [request body](#request-body).|
+| **resourceGroupName** | The name of the resource group, not case sensitive.  |
+| **subscriptionId** | The ID of the target subscription. |
+| **workspaceName** | The *name* of the workspace, not the ID.<br>Regex pattern: `^[A-Za-z0-9][A-Za-z0-9-]+[A-Za-z0-9]$` |
+| **api-version** | The API version to use for this operation. |
+
+## Request body
+
+The request body for a `GCP` CCP data connector has the following structure:
+
+```json
+{
+   "name": "{{dataConnectorId}}",
+   "kind": "GCP",
+   "etag": "",
+   "properties": {
+        "connectorDefinitionName": "",
+        "auth": {},
+        "request": {},
+        "dcrConfig": ""
+   }
+}
+
+```
+
+### GCP
+
+**GCP** represents a CCP data connector where the paging and expected response payloads for your Google Cloud Platform (GCP) data source has already been configured. Configuring your GCP service to send data to a GCP Pub/Sub must be done separately. For more information, see [Publish message in Pub/Sub overview](https://cloud.google.com/pubsub/docs/publish-message-overview).
+
+| Name | Required | Type | Description |
+| ---- | ---- | ---- | ---- |
+| **name** | True | string | The unique name of the connection matching the URI parameter |
+| **kind** | True | string | Must be `GCP` |
+| **etag** |  | GUID | Leave empty for creation of new connectors. For update operations, the etag must match the existing connector's etag (GUID). |
+| properties.connectorDefinitionName |  | string | The name of the DataConnectorDefinition resource that defines the UI configuration of the data connector. For more information, see [Data Connector Definition](create-codeless-connector.md#data-connector-user-interface). |
+| properties.**auth**	| True | Nested JSON | Describes the credentials for polling the GCP data. For more information, see [authentication configuration](#authentication-configuration). |
+| properties.**request** | True | Nested JSON | Describes the GCP project Id and GCP subscription for polling the data. For more information, see [request configuration](#request-configuration). |
+| properties.**dcrConfig** |  | Nested JSON | Required parameters when the data is sent to a Data Collection Rule (DCR). For more information, see [DCR configuration](#dcr-configuration). |
+
+## Authentication configuration
+
+Authentication to GCP from Microsoft Sentinel uses a GCP Pub/Sub. You must configure the authentication separately. Use the Terraform scripts [here](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/GCP/Terraform/sentinel_resources_creation/GCPInitialAuthenticationSetup/GCPInitialAuthenticationSetup.tf). For more information, see [GCP Pub/Sub authentication from another cloud provider](https://cloud.google.com/docs/authentication/provide-credentials-adc#wlif).
+
+As a best practice, use parameters in the auth section instead of hard-coding credentials. For more information, see [Secure confidential input](create-codeless-connector.md#secure-confidential-input).
+
+In order to create the deployment template which also uses parameters, you need to escape the parameters in this section with an extra starting `[`. This allows the parameters to assign a value based on the user interaction with the connector. For more information, see [Template expressions escape characters](../azure-resource-manager/templates/template-expressions.md#escape-characters).
+
+To enable the credentials to be entered from the UI, the `connectorUIConfig` section requires `instructions` with the desired parameters. For more information, see [Data connector definitions reference for the Codeless Connector Platform](data-connector-ui-definitions-reference.md#instructions).
+
+GCP auth example:
+```json
+"auth": {
+    "serviceAccountEmail": "[[parameters('GCPServiceAccountEmail')]",
+    "projectNumber": "[[parameters('GCPProjectNumber')]",
+    "workloadIdentityProviderId": "[[parameters('GCPWorkloadIdentityProviderId')]"
+}
+``` 
+
+## Request configuration
+
+The request section requires the `projectId` and `subscriptionNames` from the GCP Pub/Sub.
+
+GCP request example:
+```json
+"request": {
+    "projectId": "[[parameters('GCPProjectId')]",
+    "subscriptionNames": [
+        "[[parameters('GCPSubscriptionName')]"
+    ]
+}
+```
+
+## DCR configuration
+
+| Field | Required | Type | Description |
+|----|----|----|----|
+| **DataCollectionEndpoint** | True | String | DCE (Data Collection Endpoint) for example: `https://example.ingest.monitor.azure.com`. |
+| **DataCollectionRuleImmutableId** | True | String | The DCR immutable ID. Find it by viewing the DCR creation response or using the [DCR API](/rest/api/monitor/data-collection-rules/get) |
+| **StreamName** | True | string | This value is the `streamDeclaration` defined in the DCR (prefix must begin with *Custom-*) |
+
+## Example CCP data connector
+
+Here's an example of all the components of the `GCP` CCP data connector JSON together.
+
+```json
+{
+    "kind": "GCP",
+    "properties": {
+        "connectorDefinitionName": "[[parameters('connectorDefinitionName')]",
+        "dcrConfig": {
+            "streamName": "[variables('streamName')]",
+            "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]",
+            "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]"
+        },
+    "dataType": "[variables('dataType')]",
+    "auth": {
+        "serviceAccountEmail": "[[parameters('GCPServiceAccountEmail')]",
+        "projectNumber": "[[parameters('GCPProjectNumber')]",
+        "workloadIdentityProviderId": "[[parameters('GCPWorkloadIdentityProviderId')]"
+    },
+    "request": {
+        "projectId": "[[parameters('GCPProjectId')]",
+        "subscriptionNames": [
+            "[[parameters('GCPSubscriptionName')]"
+            ]
+        }
+    }
+}
+```
+
+For more information, see [Create GCP data connector REST API example](/rest/api/securityinsights/data-connectors/create-or-update?view=rest-securityinsights-2024-01-01-preview&tabs=HTTP#creates-or-updates-a-gcp-data-connector&preserve-view=true).