Garrison ULTRA Remote Logs solution (#11285)

Merging to master branch. Reviewed by Prasad.
Azure · Nov 22, 2024 · 3cf1730 · 3cf1730
1 parent 661c45d
commit 3cf1730
Show file tree

Hide file tree

Showing 14 changed files with 938 additions and 0 deletions.
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/Garrison_ULTRARemote_Logs_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/Garrison_ULTRARemote_Logs_CL.json
@@ -0,0 +1,49 @@
+{
+  "Name":"Garrison_ULTRARemoteLogs_CL",
+  "Properties":[
+    {
+      "name": "TimeGenerated",
+      "type": "datetime"
+    },
+    {
+      "name": "deviceEventClassId",
+      "type": "int"
+    },
+    {
+      "name": "name",
+      "type": "string"
+    },
+    {
+      "name": "start",
+      "type": "long"
+    },
+    {
+      "name": "request",
+      "type": "string"
+    },
+    {
+      "name": "requestContext",
+      "type": "string"
+    },
+    {
+      "name": "reason",
+      "type": "string"
+    },
+    {
+      "name": "dhost",
+      "type": "string"
+    },
+    {
+      "name": "devicePayloadId",
+      "type": "string"
+    },
+    {
+      "name": "suid",
+      "type": "string"
+    },
+    {
+      "name": "suser",
+      "type": "string"
+    }
+  ]
+}
diff --git a/Logos/Garrison_Logomark.svg b/Logos/Garrison_Logomark.svg
diff --git a/Sample Data/GarrisonULTRARemoteLogs_IngestedLogs.csv b/Sample Data/GarrisonULTRARemoteLogs_IngestedLogs.csv
@@ -0,0 +1,6 @@
+"TimeGenerated [UTC]",deviceEventClassId,name,start,request,requestContext,reason,dhost,devicePayloadId,suid,suser,TenantId,Type,"_ResourceId"
+"15/10/2024, 13:48:49.443",1,"HTTP request",1729000129443,"ovxYqsOc>m}P,t<+cSMk9R(oL/I?*6)L>J&dNV/U@,#aK+QkLi~6jz%&#VLIGu+qfl)8mL~y3#J]>.U+p\faP[@VUL=h6^&=>gqE#AmRqM/8u.]+K>(V\21S[^{}>VFb$#+qn05$VdCV(+AZ(4st}#86odv[&\&ji$%Z2<w%}B+C7nXrL;1b2,a1uWM*shhXWw^@3;[8>LF|=}<GRupwlDs}GkIf4Ohd/+B/","[fTLB33$TC-f{&1B^#u-xnx7AwwUs,J-vg@y*XZm)P\/Ktsp1m1]UiopH*VEFlum=-a2D.5uyG3HNmq08GH7z5?\^gnX8]7FlNUr~iX^bb$u^uqI=EtXQ:KCr4q@AnnMtMsFHh*iu6?:=IQZEFW%z?6{B4jh2Uc6GqG-1Aas&R]<",,,58ce17a07ce75c1f,"316f5921-420a-49c5-b3ec-7d540ef01352","316f5921-420a-49c5-b3ec-7d540ef01352","021b4ebb-f69d-4e87-8082-e3b8b0c31520","Garrison_ULTRARemoteLogs_CL",
+"15/10/2024, 13:48:49.445",3,"HTTP request blocked",1729000129445,"-5kYl5DN%?xvnxA-tQlcDuAHB0t7Xlf9pseXQ7,P3ogw\y;]o<4emH\GPiuwg1TiqOhfjOUD2&T:>FWy}N,I^kG,L*VT4CRO&AebMD,mQYOpy@Y(%&%%|yZ><pg<LH@@&VKiL9w6&6a}yvzZ1>cs5n8KoUnM40poO9u,[_K@9U0RGJO/+ea*B+0I.qdD&31@+doOeeP~]Ei@ZI/^IvU8lsENC&Of1NqR>xf)","McdoQ4TLW8e(}71m*g9o_SJ.(N5+YS|h3?pX~>+CEY}w}J.W_9vfM~T^b;d^]*WZjEiyL87tU2u4/$S|u)IAoRE3#:/j3*]X%A]%)3Jhi(P<AzJ.+INpUy&$\Y(>@hIpJM7pN-$bxIa>3C/u%zH&omRb;^Z3vxyoFY{Z4XkwW,,(reason=category-arms",,,c8659f393a1979b2,"316f5921-420a-49c5-b3ec-7d540ef01352","316f5921-420a-49c5-b3ec-7d540ef01352","021b4ebb-f69d-4e87-8082-e3b8b0c31520","Garrison_ULTRARemoteLogs_CL",
+"15/10/2024, 13:48:49.443",0,"Page visit",1729000129443,"B-||Zw[8P?b+<bVM4T&/^?;hqjS][FE7?OhA(kYJvNF*Oh>.}mV[t32;Ampfg||?P-=vMV~fp~y,hy]\qXYj-H5zHt4O9K[%b8voqIz>-mq\G,fOq/x@&:2#}bN*7PhSqJ*Ygy:lHZh80[Y$iZ)<p~;dyZCTn#KLER&m@&J)zBpj",,,,0e72f8932c8f98d0,"316f5921-420a-49c5-b3ec-7d540ef01352","316f5921-420a-49c5-b3ec-7d540ef01352","021b4ebb-f69d-4e87-8082-e3b8b0c31520","Garrison_ULTRARemoteLogs_CL",
+"15/10/2024, 13:48:49.445",2,"Page visit blocked",1729000129445,"sM,r_eh,:nlO%GF8O0-Ww]|Md\dL-|GpwkB(&:FlvWhJk70T]q-upDDLJ(Qh*LT*GQdvi;Z:>J63$QJ8W\n;$+jG[);eGtWH3/2yC<}7~U,&~AD_GRUbegHUBlcZQLR$W%&A<8FX]Rcxgv+1DouBy|GZW#heN*I0%Y<fCgRYgW~c",,"category-arms",,405a2e1159c68d87,"316f5921-420a-49c5-b3ec-7d540ef01352","316f5921-420a-49c5-b3ec-7d540ef01352","021b4ebb-f69d-4e87-8082-e3b8b0c31520","Garrison_ULTRARemoteLogs_CL",
+"15/10/2024, 13:48:42.879",4,"Site visit",1729000122879,,,,"%s-P>UA?}[S<&qA+]-v\KoGSEo[dF#59p\/.d})pPJ1Kgb?MN}am%5[\5zu{E##)F",a0a7f49bd73fab31,"316f5921-420a-49c5-b3ec-7d540ef01352","316f5921-420a-49c5-b3ec-7d540ef01352","021b4ebb-f69d-4e87-8082-e3b8b0c31520","Garrison_ULTRARemoteLogs_CL",
diff --git a/Sample Data/GarrisonULTRARemoteLogs_RawLogs.json b/Sample Data/GarrisonULTRARemoteLogs_RawLogs.json
@@ -0,0 +1,67 @@
+[
+  {
+    "TimeGenerated": "2024-10-15 14:39:09.323000+00:00",
+    "deviceEventClassId": 1,
+    "name": "HTTP request",
+    "start": 1729003149323,
+    "request": ">{XDI$K.&=nTA8ZtdJIf;>~})l9?6tjFH7QR*vns]x16ZZ%Ot[#qvtL^x^OIZ<n<Au-3ryqo&#{dB1hs?*gZ?9bBqf<dmTFNo(LU,amU)7L.0>EQ#(L~S-gP}B8#3]#pNV&Z9@ITYVS%wX|&A^u)+LNiU^Tt2N:tQiLUE,&4?fAg<Gq7plLs9bB<Ht5E|A(htf<KKn#XHbY\\vEqu{WuUarLc#1ymV+{ow:cN",
+    "requestContext": "$?aY?-s_%6fHrPlU61E,p8t&8%]vrpT-k[O~OPP4%,Mdm0WzoEhDfC%|LSIyt?CS=|9Mpto@-1}z4mLKP(Ao>6c(k<PFikbZnq[n@WbZZv\\M4xkUaGN*103}bg,);|O/$/xo:>DYl+)(h/_/f@:kT1r]hn]~hGf3%-#dxFOFT<*E",
+    "reason": "",
+    "dhost": "",
+    "devicePayloadId": "037dd6aad0e06621",
+    "suid": "cf7739fc-1056-4544-9ab4-a909c42416ec",
+    "suser": "cf7739fc-1056-4544-9ab4-a909c42416ec"
+  },
+  {
+    "TimeGenerated": "2024-10-15 14:39:09.325000+00:00",
+    "deviceEventClassId": 4,
+    "name": "Site visit",
+    "start": 1729003149325,
+    "request": "",
+    "requestContext": "",
+    "reason": "",
+    "dhost": "d?iC^MUFD9\\Bu1<.+3Q>)gj9gSO3+I8/{S}yNq>A&21?:sam-IN7(/i#qf^]FMs/~",
+    "devicePayloadId": "b8f6848a07290a8b",
+    "suid": "cf7739fc-1056-4544-9ab4-a909c42416ec",
+    "suser": "cf7739fc-1056-4544-9ab4-a909c42416ec"
+  },
+  {
+    "TimeGenerated": "2024-10-15 14:39:09.324000+00:00",
+    "deviceEventClassId": 3,
+    "name": "HTTP request blocked",
+    "start": 1729003149324,
+    "request": "/%m8\\62Nc9rfHa^7#|^z:e8cU:\\*G[s5KEG?K0Kw3|h.X0U)<RFTVqlzOzDSTtOp4tlW{vj>NjroRep6+a:<bYuXlk&m7EB6MIw{hlEcCCHB$nX)8+fNj>f^pP)R4xw~/X/1xA>*KW%el^M)kI)IH#@KGZtpGi.qeZ*&[JCcvOh*@XlFpZ=0xwJWoK>8_eofg,Jw%CZuY]i6{G:qcp[?&;^uLlg^h.tv8kHy",
+    "requestContext": "fW56)_up7Z;&4C7-~[3I[f52pO5#On5tBEV[pdW|;tfd6]fkr+y9rPffQg*]?0;3XU5sp3T<%8W_O-jnpjGF\\:q|s%&oZ%g~B}>H3U&)S<EleBZlk-,sma[hir6@Zi2%;W[8H.:_N9|LV^B~r>iR=Q*p,4$1\\3y[[0z465$JK$JYreason=category-arms",
+    "reason": "",
+    "dhost": "",
+    "devicePayloadId": "6b8c53f30783d5b5",
+    "suid": "cf7739fc-1056-4544-9ab4-a909c42416ec",
+    "suser": "cf7739fc-1056-4544-9ab4-a909c42416ec"
+  },
+  {
+    "TimeGenerated": "2024-10-15 14:39:09.322000+00:00",
+    "deviceEventClassId": 0,
+    "name": "Page visit",
+    "start": 1729003149322,
+    "request": "={AT@@yufoRzB60y<O^26Y$uT#;-^@Q,T+1FtUL;9%L_P2KBY$WNyk)(D3fp5F1,X/tSCrg^oMHB<F*W3?n(v&\\f@p<~dI(4z#{lP*x&Kt@?{F<I_qG<z2CysDF5*[QMBIUC^GThfpebu$.S4{i}]X*#o~k&a,ol8Z(Ju68fzj?P",
+    "requestContext": "",
+    "reason": "",
+    "dhost": "",
+    "devicePayloadId": "dc5f245768e1263b",
+    "suid": "cf7739fc-1056-4544-9ab4-a909c42416ec",
+    "suser": "cf7739fc-1056-4544-9ab4-a909c42416ec"
+  },
+  {
+    "TimeGenerated": "2024-10-15 14:39:12.570000+00:00",
+    "deviceEventClassId": 2,
+    "name": "Page visit blocked",
+    "start": 1729003152570,
+    "request": "?QBNHE^NK)l%g}.{Ur}lolTW\\Qc@R65_?_q,qCZo8@#fv>vi/GpaeEJuA@w)Ogfi#a+47y{YB|@u%\\)Y}TK/KaoqFmT[{hB[F8<smpOqVj?#W4u:]p-9d^6Wn;SSo%nXy]g._G#k6K}s4fbt?rtab[?2:d_7XSy<141-bJDt]hT~",
+    "requestContext": "",
+    "reason": "category-arms",
+    "dhost": "",
+    "devicePayloadId": "9300453ad15f2ef5",
+    "suid": "cf0b5b78-270e-416c-8b42-0cc91232af86",
+    "suser": "cf0b5b78-270e-416c-8b42-0cc91232af86"
+  }
+]
diff --git a/Sample Data/GarrisonULTRARemoteLogs_Schema.csv b/Sample Data/GarrisonULTRARemoteLogs_Schema.csv
@@ -0,0 +1,15 @@
+ColumnName,ColumnOrdinal,DataType,ColumnType
+TimeGenerated,0,"System.DateTime",datetime
+deviceEventClassId,1,"System.Int32",int
+name,2,"System.String",string
+start,3,"System.Int64",long
+request,4,"System.String",string
+requestContext,5,"System.String",string
+reason,6,"System.String",string
+dhost,7,"System.String",string
+devicePayloadId,8,"System.String",string
+suid,9,"System.String",string
+suser,10,"System.String",string
+TenantId,11,"System.String",string
+Type,12,"System.String",string
+"_ResourceId",13,"System.String",string
diff --git a/...on ULTRA/Data Connectors/GarrisonULTRARemoteLogs/GarrisonULTRARemoteLogs_ConnectorUI.json b/...on ULTRA/Data Connectors/GarrisonULTRARemoteLogs/GarrisonULTRARemoteLogs_ConnectorUI.json
@@ -0,0 +1,89 @@
+{
+    "id": "GarrisonULTRARemoteLogs",
+    "title": "Garrison ULTRA Remote Logs",
+    "publisher": "Garrison",
+    "descriptionMarkdown": "The [Garrison ULTRA](https://www.garrison.com/en/garrison-ultra-cloud-platform) Remote Logs connector allows you to ingest Garrison ULTRA Remote Logs into Microsoft Sentinel.",
+    "graphQueries": [
+        {
+            "metricName": "Total data received",
+            "legend": "Garrison_ULTRARemoteLogs_CL",
+            "baseQuery": "Garrison_ULTRARemoteLogs_CL"
+        }
+    ],
+    "sampleQueries": [
+        {
+            "description" : "Last 10 logs",
+            "query": "Garrison_ULTRARemoteLogs_CL\n | top 10 by TimeGenerated desc"
+        }
+    ],
+    "dataTypes": [
+        {
+            "name": "Garrison_ULTRARemoteLogs_CL",
+            "lastDataReceivedQuery": "Garrison_ULTRARemoteLogs_CL\n            | summarize Time = max(TimeGenerated)\n            | where isnotempty(Time)"
+        }
+    ],
+    "connectivityCriterias": [
+        {
+            "type": "IsConnectedQuery",
+            "value": [
+                "Garrison_ULTRARemoteLogs_CL \n    |take 1\n   | project IsConnected = true  "
+            ]
+        }
+    ],
+    "availability": {
+        "status": 1,
+        "isPreview": false
+    },
+    "permissions": {
+        "resourceProvider": [
+            {
+                "provider": "Microsoft.OperationalInsights/workspaces",
+                "permissionsDisplayText": "read and write permissions on the workspace are required.",
+                "providerDisplayName": "Workspace",
+                "scope": "Workspace",
+                "requiredPermissions": {
+                    "write": true,
+                    "read": true,
+                    "delete": true
+                }
+            },
+			{
+				"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+				"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+				"providerDisplayName": "Keys",
+				"scope": "Workspace",
+				"requiredPermissions": {
+					"action": true
+				}
+			}
+        ],
+        "customs": [
+            {
+                "name": "Garrison ULTRA",
+                "description": "To use this data connector you must have an active [Garrison ULTRA](https://www.garrison.com/en/garrison-ultra-cloud-platform) license."
+            }
+        ]
+    },
+    "instructionSteps": [
+		{
+			"title": "Deployment - Azure Resource Manager (ARM) Template",
+			"description": "These steps outline the automated deployment of the Garrison ULTRA Remote Logs data connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Frefs%2Fheads%2Fmaster%2FSolutions%2FGarrison%2520ULTRA%2FData%2520Connectors%2FGarrisonULTRARemoteLogs%2Fazuredeploy_DataCollectionResources.json) \t\t\t\n2. Provide the required details such as Resource Group, Microsoft Sentinel Workspace and ingestion configurations \n> **NOTE:** It is recommended to create a new Resource Group for deployment of these resources.\n3. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n4. Click **Purchase** to deploy."
+		}
+    ],
+    "metadata": {
+        "id": "919e2355-136a-4bbd-ade7-1956e5f61f83",
+        "version": "1.0.0",
+        "kind": "dataConnector",
+        "source": {
+            "kind": "solution",
+            "name": "Garrison ULTRA Remote Logs"
+        },
+        "author": {
+            "name": "Garrison"
+        },
+        "support": {
+            "tier": "developer",
+            "name": "Garrison"
+        }
+    }
+}