Added CloudGuard CCP files and Package
YohaiCP committed Nov 12, 2024
1 parent b94ddee commit 4c24305
Showing 10 changed files with 1,044 additions and 92 deletions.
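--- /dev/null
+++ b/[PATH-NOT-SHOWN-ON-PAGE: file 1 of 3]
@@ -0,0 +1,213 @@
+{
+"name": "CloudGuardDCRV1",
+"apiVersion": "2021-09-01-preview",
+"type": "Microsoft.Insights/dataCollectionRules",
+"location": "{{location}}",
+"kind": null,
+"properties": {
+"streamDeclarations": {
+"Custom-CloudGuard_SecurityEvents_CL": {
+"columns": [
+{
+"name": "id",
+"type": "string"
+},
+{
+"name": "findingKey",
+"type": "string"
+},
+{
+"name": "createdTime",
+"type": "datetime"
+},
+{
+"name": "updatedTime",
+"type": "datetime"
+},
+{
+"name": "cloudAccountType",
+"type": "string"
+},
+{
+"name": "comments",
+"type": "dynamic"
+},
+{
+"name": "cloudAccountId",
+"type": "string"
+},
+{
+"name": "cloudAccountExternalId",
+"type": "string"
+},
+{
+"name": "organizationalUnitId",
+"type": "string"
+},
+{
+"name": "organizationalUnitPath",
+"type": "string"
+},
+{
+"name": "bundleId",
+"type": "int"
+},
+{
+"name": "alertType",
+"type": "string"
+},
+{
+"name": "ruleId",
+"type": "string"
+},
+{
+"name": "ruleName",
+"type": "string"
+},
+{
+"name": "ruleLogic",
+"type": "string"
+},
+{
+"name": "entityDome9Id",
+"type": "string"
+},
+{
+"name": "entityExternalId",
+"type": "string"
+},
+{
+"name": "entityType",
+"type": "string"
+},
+{
+"name": "entityTypeByEnvironmentType",
+"type": "string"
+},
+{
+"name": "entityName",
+"type": "string"
+},
+{
+"name": "entityNetwork",
+"type": "dynamic"
+},
+{
+"name": "entityTags",
+"type": "dynamic"
+},
+{
+"name": "severity",
+"type": "string"
+},
+{
+"name": "description",
+"type": "string"
+},
+{
+"name": "remediation",
+"type": "string"
+},
+{
+"name": "tag",
+"type": "string"
+},
+{
+"name": "region",
+"type": "string"
+},
+{
+"name": "bundleName",
+"type": "string"
+},
+{
+"name": "acknowledged",
+"type": "boolean"
+},
+{
+"name": "origin",
+"type": "string"
+},
+{
+"name": "lastSeenTime",
+"type": "datetime"
+},
+{
+"name": "ownerUserName",
+"type": "dynamic"
+},
+{
+"name": "magellan",
+"type": "dynamic"
+},
+{
+"name": "isExcluded",
+"type": "boolean"
+},
+{
+"name": "webhookResponses",
+"type": "dynamic"
+},
+{
+"name": "remediationActions",
+"type": "dynamic"
+},
+{
+"name": "additionalFields",
+"type": "dynamic"
+},
+{
+"name": "occurrences",
+"type": "dynamic"
+},
+{
+"name": "scanId",
+"type": "dynamic"
+},
+{
+"name": "status",
+"type": "string"
+},
+{
+"name": "statusReason",
+"type": "string"
+},
+{
+"name": "category",
+"type": "string"
+},
+{
+"name": "action",
+"type": "string"
+},
+{
+"name": "labels",
+"type": "dynamic"
+}
+]
+}
+},
+"dataSources": {},
+"destinations": {
+"logAnalytics": [
+{
+"workspaceResourceId": "{{workspaceResourceId}}",
+"name": "clv2ws1"
+}
+]
+},
+"dataFlows": [
+{
+"streams": [
+"Custom-CloudGuard_SecurityEvents_CL"
+],
+"destinations": [
+"clv2ws1"
+],
+"transformKql": "source\n| extend TimeGenerated = todatetime(createdTime)\n| project-rename EventId = id\n| project-away createdTime\n\n",
+"outputStream": "Custom-CloudGuard_SecurityEvents_CL"
+}
+],
+"dataCollectionEndpointId": "{{dataCollectionEndpointId}}"
+}
+}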
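Review bot: The transform in `transformKql` derives `TimeGenerated` from `createdTime` and then drops `createdTime`, while the poller definition in the third file of this commit selects findings by `updatedTime`; a finding that was created long ago but updated inside the 5-minute query window will land with a `TimeGenerated` far in the past, where analytics rules with a short lookback will not see it and the original creation timestamp is no longer available for investigation. Unless the intent is specifically to timestamp rows by creation, consider deriving `TimeGenerated` from `updatedTime` and keeping `createdTime` as a column, e.g. `"transformKql": "source\n| extend TimeGenerated = todatetime(updatedTime)\n| project-rename EventId = id\n"`. Whether ingestion rejects or re-stamps rows whose `TimeGenerated` is too old is a platform question I cannot confirm from this file, so worth checking before relying on creation time.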
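--- /dev/null
+++ b/[PATH-NOT-SHOWN-ON-PAGE: file 2 of 3]
@@ -0,0 +1,119 @@
+{
+"name": "CloudGuardCCPDefinition",
+"apiVersion": "2022-09-01-preview",
+"type": "Microsoft.SecurityInsights/dataConnectorDefinitions",
+"location": "{{location}}",
+"kind": "Customizable",
+"properties": {
+"connectorUiConfig": {
+"id": "CloudGuardCCPDefinition",
+"title": "CloudGuard Security Events",
+"publisher": "CheckPoint",
+"descriptionMarkdown": "The [CloudGuard](https://sc1.checkpoint.com/documents/CloudGuard_Dome9/Documentation/Overview/CloudGuard-CSPM-Introduction.htm?cshid=help_center_documentation) data connector enables the ingestion of security events from the CloudGuard API into Microsoft Sentinel™, using Microsoft Sentinel’s Codeless Connector Platform. The connector supports DCR-based [ingestion time transformations](https://docs.microsoft.com/azure/azure-monitor/logs/custom-logs-overview) which parses incoming security event data into custom columns. This pre-parsing process eliminates the need for query-time parsing, resulting in improved performance for data queries.",
+"graphQueriesTableName": "CloudGuard_SecurityEvents_CL",
+"graphQueries": [
+{
+"metricName": "Total data received",
+"legend": "CloudGuard Events",
+"baseQuery": "{{graphQueriesTableName}}"
+}
+],
+"sampleQueries": [
+{
+"description": "Get Sample of CloudGuard Events",
+"query": "{{graphQueriesTableName}}\n | take 10"
+},
+{
+"description": "Total Events by uuid",
+"query": "{{graphQueriesTableName}}\n | summarize count() by OriginalEventUid"
+}
+],
+"dataTypes": [
+{
+"name": "{{graphQueriesTableName}}",
+"lastDataReceivedQuery": "{{graphQueriesTableName}}|summarize Time = max (TimeGenerated)\n|where isnotempty(Time)"
+}
+],
+"connectivityCriteria": [
+{
+"type": "HasDataConnectors"
+}
+],
+"availability": {
+"isPreview": false
+},
+"permissions": {
+"resourceProvider": [
+{
+"provider": "Microsoft.OperationalInsights/workspaces",
+"permissionsDisplayText": "Read and Write permissions are required.",
+"providerDisplayName": "Workspace",
+"scope": "Workspace",
+"requiredPermissions": {
+"write": true,
+"read": true,
+"delete": true
+}
+}
+],
+"customs": [
+{
+"name": "CloudGuard API Key",
+"description": "Refer to the instructions provided [here](https://sc1.checkpoint.com/documents/CloudGuard_Dome9/Documentation/Settings/Users-Roles.htm#add_service) to generate an API key."
+}
+]
+},
+"instructionSteps": [
+{
+"description": "To enable the CloudGuard connector for Microsoft Sentinel, enter the required information below and select Connect.\n>",
+"instructions": [
+{
+"type": "Textbox",
+"parameters": {
+"label": "API Key ID",
+"placeholder": "api_key",
+"type": "text",
+"name": "api_key"
+}
+},
+{
+"type": "Textbox",
+"parameters": {
+"label": "API Key Secret",
+"placeholder": "api_secret",
+"type": "password",
+"name": "api_secret"
+}
+},
+{
+"type": "Textbox",
+"parameters": {
+"label": "endpoint URL",
+"placeholder": "https://api.dome9.com",
+"type": "text",
+"name": "endpoint_url"
+}
+},
+{
+"type": "Textbox",
+"parameters": {
+"label": "Filter",
+"placeholder": "Paste filter from CloudGuard or leave empty to get all security events",
+"type": "text",
+"name": "query_filter"
+}
+},
+{
+"parameters": {
+"label": "toggle",
+"name": "toggle"
+},
+"type": "ConnectionToggleButton"
+}
+],
+"title": "Connect CloudGuard Security Events to Microsoft Sentinel"
+}
+]
+}
+}
+}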
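Review bot: The second sample query, `summarize count() by OriginalEventUid`, references a column that nothing in this commit produces: the stream declared in the first file has no `OriginalEventUid` column, and its transform renames `id` to `EventId`, so the query as shipped will fail on an unknown column. It should be `"query": "{{graphQueriesTableName}}\n | summarize count() by EventId"`, with the description changed from "by uuid" to match. Separately, the `endpoint URL` textbox is free text whose value is concatenated into the API endpoint by the poller in the third file and receives the API key as Basic auth; the placeholder shows an https URL, but the label or description should state that an https endpoint is expected, since nothing here validates the scheme. The stray `\n>` at the end of the step description also looks like a leftover blockquote marker.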
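--- /dev/null
+++ b/[PATH-NOT-SHOWN-ON-PAGE: file 3 of 3]
@@ -0,0 +1,50 @@
+{
+"name": "CloudGuardCCPAlertsPolling",
+"apiVersion": "2022-12-01-preview",
+"type": "Microsoft.SecurityInsights/dataConnectors",
+"location": "{{location}}",
+"kind": "RestApiPoller",
+"properties": {
+"dataType": "CloudGuard Events API",
+"response": {
+"eventsJsonPaths": [
+"$.findings"
+],
+"format": "json"
+},
+"connectorDefinitionName": "CloudGuardCCPDefinition",
+"auth": {
+"type": "Basic",
+"userName": "[[parameters('api_key')]",
+"password": "[[parameters('api_secret')]"
+},
+"request": {
+"queryParametersTemplate": "[[concat('{\"skipAggregations\": true, \"filter\": {\"updatedTime\": {\"from\": \"{_QueryWindowStartTime}\", \"to\": \"{_QueryWindowEndTime}\"}, \"fields\": [ {\"name\": \"origin\", \"value\": 1}, {\"name\": \"origin\", \"value\": 2}, {\"name\": \"origin\", \"value\": 105}, {\"name\": \"alertType\", \"value\": 0}', if(not(empty(parameters('query_filter'))), concat(',', parameters('query_filter')), ''), ']}}')]",
+"queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ",
+"apiEndpoint": "[[concat(parameters('endpoint_url'), '/v2/Compliance/Finding/searchFromSentinel')]",
+"rateLimitQPS": 10,
+"queryWindowInMin": 5,
+"isPostPayloadJson": true,
+"httpMethod": "Post",
+"retryCount": 3,
+"timeoutInSeconds": 60,
+"headers": {
+"Accept": "application/json",
+"Content-type": "application/json",
+"User-Agent": "Sentinel-CloudGuard",
+"Version": "1.0.0"
+}
+},
+"paging": {
+"pagingType": "NextPageToken",
+"nextPageTokenJsonPath": "$.searchAfter",
+"nextPageParaName": "searchAfter"
+},
+"dcrConfig": {
+"dataCollectionEndpoint": "{{dataCollectionEndpoint}}",
+"dataCollectionRuleImmutableId": "{{dataCollectionRuleImmutableId}}",
+"streamName": "Custom-CloudGuard_SecurityEvents_CL"
+},
+"isActive": true
+}
+}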
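Review bot: `queryParametersTemplate` splices the operator-supplied `query_filter` verbatim into the JSON request body with only a leading comma added, so any value that is not a well-formed comma-separated list of `{"name": ..., "value": ...}` objects (or that itself closes the `fields` array) produces an invalid body and every poll fails; the result is silently no events rather than a visible configuration error. The expected shape of that value is documented nowhere in this commit, so at minimum the Filter textbox description in the definition file should state it, and a check that the pasted text parses as a JSON array fragment before it is accepted would make the failure visible at connect time rather than at ingestion. The fixed selector values `origin` 1, 2 and 105 and `alertType` 0 are also undocumented magic numbers; a sentence in the connector's `descriptionMarkdown` naming which CloudGuard finding origins and alert type they select would let a reviewer confirm that the filter matches the intended coverage.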
