{
"id": "Onapsis",
"title": "Onapsis Defend Integration",
"publisher": "Onapsis Platform",
"logo": "Onapsis.svg",
"descriptionMarkdown": "Onapsis Defend Integration forwards alerts and logs detected and collected by the Onapsis Platform into Microsoft Sentinel SIEM",
"graphQueriesTableName": "Onapsis_Defend_CL",
"graphQueries": [
{
"metricName": "Total events received",
"legend": "Onapsis_SID",
"baseQuery": "{{graphQueriesTableName}} | project TimeGenerated, Onapsis_SID= sid"
}
],
"sampleQueries": [
{
"description": "Get Sample Events",
"query": "{{graphQueriesTableName}}\n | take 10"
}
],
"dataTypes": [
{
"name": "{{graphQueriesTableName}}",
"lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(12h) | where name_s == \"no data test\" | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriteria": [
{
"type": "HasDataConnectors"
}
],
"availability": {
"isPreview": true
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "Read and Write permissions are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"read": true,
"delete": true
}
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "Read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"action": true
}
}
],
"customs": [
{
"name": "Microsoft Entra",
"description": "Permission to create an app registration in Microsoft Entra ID. Typically requires Entra ID Application Developer role or higher."
},
{
"name": "Microsoft Azure",
"description": "Permission to assign Monitoring Metrics Publisher role on data collection rules. Typically requires Azure RBAC Owner or User Access Administrator role."
}
]
},
"instructionSteps": [
{
"title": "1. Create ARM Resources and Provide the Required Permissions",
"description": "We will create data collection rule (DCR) and data collection endpoint (DCE) resources. We will also create a Microsoft Entra app registration and assign the required permissions to it.",
"instructions": [
{
"type": "Markdown",
"parameters": {
"content": "#### Automated deployment of Azure resources\nClicking on \"Deploy push connector resources\" will trigger the creation of DCR and DCE resources.\nIt will then create a Microsoft Entra app registration with a client secret and grant permissions on the DCR. This setup enables data to be sent securely to the DCR using the OAuth v2 client credentials flow."
}
},
{
"parameters": {
"label": "Deploy push connector resources",
"applicationDisplayName": "Onapsis Defend Integration push to Microsoft Sentinel"
},
"type": "DeployPushConnectorButton_test"
}
]
},
{
"title": "2. Maintain the data collection endpoint details and authentication info in Onapsis Defend Integration",
"description": "Share the data collection endpoint URL and authentication info with the Onapsis Defend Integration administrator so that the Onapsis Defend Integration can be configured to send data to the data collection endpoint.",
"instructions": [
{
"parameters": {
"label": "Use this value as the Tenant ID in the LogIngestionAPI credential.",
"fillWith": [
"TenantId"
]
},
"type": "CopyableLabel"
},
{
"parameters": {
"label": "Entra Application ID",
"fillWith": [
"ApplicationId"
],
"placeholder": "Deploy push connector to get the Application ID"
},
"type": "CopyableLabel"
},
{
"parameters": {
"label": "Entra Application Secret",
"fillWith": [
"ApplicationSecret"
],
"placeholder": "Deploy push connector to get the Application Secret"
},
"type": "CopyableLabel"
},
{
"parameters": {
"label": "Use this value to configure the LogsIngestionURL parameter when deploying the IFlow.",
"fillWith": [
"DataCollectionEndpoint"
],
"placeholder": "Deploy push connector to get the DCE URI"
},
"type": "CopyableLabel"
},
{
"parameters": {
"label": "DCR Immutable ID",
"fillWith": [
"DataCollectionRuleId"
],
"placeholder": "Deploy push connector to get the DCR ID"
},
"type": "CopyableLabel"
}
]
}
],
"metadata": {
"id": "Onapsis",
"version": "1.0.0",
"kind": "dataConnector",
"source": {
"kind": "solution",
"name": "Onapsis Defend Integration for Microsoft Sentinel"
},
"author": {
"name": "Onapsis Platform",
"email": "support@onapsis.com"
},
"support": {
"tier": "Partner",
"name": "Onapsis Platform",
"email": "support@onapsis.com",
"link": "https://onapsis.com/support/"
}
}
}