diff --git a/Solutions/GitLab/Analytic Rules/GitLab_BruteForce.yaml b/Solutions/GitLab/Analytic Rules/GitLab_BruteForce.yaml
index 53027bb28ab..f6c659e874c 100644
--- a/Solutions/GitLab/Analytic Rules/GitLab_BruteForce.yaml
+++ b/Solutions/GitLab/Analytic Rules/GitLab_BruteForce.yaml
@@ -5,7 +5,7 @@ description: |
 severity: Medium
 status: Available
 requiredDataConnectors:
- - connectorId: Syslog
+ - connectorId: SyslogAma
 dataTypes:
 - Syslog
 queryFrequency: 1h
@@ -44,5 +44,5 @@ entityMappings:
 fieldMappings:
 - identifier: FullName
 columnName: User
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
diff --git a/Solutions/GitLab/Analytic Rules/GitLab_ExternalUser.yaml b/Solutions/GitLab/Analytic Rules/GitLab_ExternalUser.yaml
index 5b0be18bac9..c4b1861fb3d 100644
--- a/Solutions/GitLab/Analytic Rules/GitLab_ExternalUser.yaml
+++ b/Solutions/GitLab/Analytic Rules/GitLab_ExternalUser.yaml
@@ -5,7 +5,7 @@ description: |
 severity: Medium
 status: Available
 requiredDataConnectors:
- - connectorId: Syslog
+ - connectorId: SyslogAma
 dataTypes:
 - Syslog
 queryFrequency: 1h
@@ -45,5 +45,5 @@ entityMappings:
 fieldMappings:
 - identifier: DomainName
 columnName: DomainName
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
diff --git a/Solutions/GitLab/Analytic Rules/GitLab_Impersonation.yaml b/Solutions/GitLab/Analytic Rules/GitLab_Impersonation.yaml
index bc327c7328c..b1c2bb768ea 100644
--- a/Solutions/GitLab/Analytic Rules/GitLab_Impersonation.yaml
+++ b/Solutions/GitLab/Analytic Rules/GitLab_Impersonation.yaml
@@ -5,7 +5,7 @@ description: |
 severity: Medium
 status: Available
 requiredDataConnectors:
- - connectorId: Syslog
+ - connectorId: SyslogAma
 dataTypes:
 - Syslog
 queryFrequency: 1h
@@ -44,5 +44,5 @@ entityMappings:
 fieldMappings:
 - identifier: FullName
 columnName: TargetDetails
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled
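Review bot: Replacing `connectorId: Syslog` with `connectorId: SyslogAma` under `requiredDataConnectors` leaves the rule declaring only the AMA connector, so a workspace that still ingests GitLab syslog through the legacy agent will presumably show this detection's connector prerequisite as unmet, even though the `Syslog` data type the rule depends on is unchanged. If legacy collection is still meant to be supported during migration, list both entries, `- connectorId: Syslog` and `- connectorId: SyslogAma`, each with `dataTypes: - Syslog`. If dropping the legacy connector is deliberate, a one-line comment above the entry such as `# legacy Syslog (MMA) connector removed; collection is via AMA only` would tell operators why a previously satisfied rule now reports a missing connector. The same replacement appears in the first hunk of GitLab_ExternalUser, GitLab_Impersonation, GitLab_LocalAuthNoMFA, GitLab_MaliciousIP, GitLab_PAT_Repo, GitLab_RepoVisibilityChange and GitLab_Repo_Deletion.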
diff --git a/Solutions/GitLab/Analytic Rules/GitLab_LocalAuthNoMFA.yaml b/Solutions/GitLab/Analytic Rules/GitLab_LocalAuthNoMFA.yaml
index 9305e1c9ec0..b54ef43f545 100644
--- a/Solutions/GitLab/Analytic Rules/GitLab_LocalAuthNoMFA.yaml
+++ b/Solutions/GitLab/Analytic Rules/GitLab_LocalAuthNoMFA.yaml
@@ -5,7 +5,7 @@ description: |
 severity: Medium
 status: Available
 requiredDataConnectors:
- - connectorId: Syslog
+ - connectorId: SyslogAma
 dataTypes:
 - Syslog
 queryFrequency: 1h
@@ -29,5 +29,5 @@ entityMappings:
 fieldMappings:
 - identifier: FullName
 columnName: AuthorUserName
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
diff --git a/Solutions/GitLab/Analytic Rules/GitLab_MaliciousIP.yaml b/Solutions/GitLab/Analytic Rules/GitLab_MaliciousIP.yaml
index 8f504ab43c2..c7be5a9f75b 100644
--- a/Solutions/GitLab/Analytic Rules/GitLab_MaliciousIP.yaml
+++ b/Solutions/GitLab/Analytic Rules/GitLab_MaliciousIP.yaml
@@ -11,7 +11,7 @@ requiredDataConnectors:
 - connectorId: ThreatIntelligenceTaxii
 dataTypes:
 - ThreatIntelligenceIndicator
- - connectorId: Syslog
+ - connectorId: SyslogAma
 dataTypes:
 - Syslog
 queryFrequency: 1h
@@ -45,5 +45,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: Url
-version: 1.0.2
+version: 1.0.3
 kind: Scheduled
diff --git a/Solutions/GitLab/Analytic Rules/GitLab_PAT_Repo.yaml b/Solutions/GitLab/Analytic Rules/GitLab_PAT_Repo.yaml
index 301e63fd501..fd835ba8b51 100644
--- a/Solutions/GitLab/Analytic Rules/GitLab_PAT_Repo.yaml
+++ b/Solutions/GitLab/Analytic Rules/GitLab_PAT_Repo.yaml
@@ -7,7 +7,7 @@ description: |
 severity: Medium
 status: Available
 requiredDataConnectors:
- - connectorId: Syslog
+ - connectorId: SyslogAma
 dataTypes:
 - Syslog
 queryFrequency: 1h
@@ -32,5 +32,5 @@ entityMappings:
 fieldMappings:
 - identifier: FullName
 columnName: AuthorName
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
diff --git a/Solutions/GitLab/Analytic Rules/GitLab_RepoVisibilityChange.yaml b/Solutions/GitLab/Analytic Rules/GitLab_RepoVisibilityChange.yaml
index 6d25b1c8a6d..02416a734bb 100644
--- a/Solutions/GitLab/Analytic Rules/GitLab_RepoVisibilityChange.yaml
+++ b/Solutions/GitLab/Analytic Rules/GitLab_RepoVisibilityChange.yaml
@@ -5,7 +5,7 @@ description: |
 severity: Medium
 status: Available
 requiredDataConnectors:
- - connectorId: Syslog
+ - connectorId: SyslogAma
 dataTypes:
 - Syslog
 queryFrequency: 1h
@@ -35,5 +35,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: EntityName
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
diff --git a/Solutions/GitLab/Analytic Rules/GitLab_Repo_Deletion.yaml b/Solutions/GitLab/Analytic Rules/GitLab_Repo_Deletion.yaml
index a957a0db8a7..e4b10748678 100644
--- a/Solutions/GitLab/Analytic Rules/GitLab_Repo_Deletion.yaml
+++ b/Solutions/GitLab/Analytic Rules/GitLab_Repo_Deletion.yaml
@@ -5,7 +5,7 @@ description: |
 severity: Medium
 status: Available
 requiredDataConnectors:
- - connectorId: Syslog
+ - connectorId: SyslogAma
 dataTypes:
 - Syslog
 queryFrequency: 1h
@@ -48,5 +48,5 @@ entityMappings:
 fieldMappings:
 - identifier: FullName
 columnName: AuthorName
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
diff --git a/Solutions/GitLab/Data/Solution_Gitlab.json b/Solutions/GitLab/Data/Solution_Gitlab.json
index d02f0ea0458..17952d173f7 100644
--- a/Solutions/GitLab/Data/Solution_Gitlab.json
+++ b/Solutions/GitLab/Data/Solution_Gitlab.json
@@ -2,10 +2,7 @@
 "Name": "GitLab",
 "Author": "Microsoft - support@microsoft.com",
 "Logo": "",
- "Description": "The [GitLab](https://about.gitlab.com/solutions/devops-platform/) solution allows you to easily connect your GitLab (GitLab Enterprise Edition - Standalone) logs into Microsoft Sentinel. This gives you more security insight into your organization's DevOps pipelines.\n\nThis solution is dependent on the Syslog solution containing the Syslog via AMA connector to collect the logs. The Syslog solution will be installed as part of this solution installation. \n\n **NOTE**: Microsoft recommends installation of Syslog via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024**. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).",
- "Data Connectors": [
- "Data Connectors/Connector_Syslog_GitLab.json"
- ],
+ "Description": "The [GitLab](https://about.gitlab.com/solutions/devops-platform/) solution allows you to easily connect your GitLab (GitLab Enterprise Edition - Standalone) logs into Microsoft Sentinel. This gives you more security insight into your organization's DevOps pipelines.\n\nThis solution is dependent on the Syslog solution containing the Syslog via AMA connector to collect the logs. The Syslog solution will be installed as part of this solution installation. \n\n **NOTE**: Microsoft recommends installation of Syslog via AMA Connector. Legacy connector uses the Log Analytics agent which were deprecated on **Aug 31, 2024.** Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).",
 "Parsers": [
 "Parsers/GitLabAccess.yaml",
 "Parsers/GitLabApp.yaml",
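Review bot: The rewritten `Description` string reads "the Log Analytics agent which were deprecated on **Aug 31, 2024.**", which has a subject-verb mismatch and pulls the full stop inside the bold markers. Since this text is what an operator reads when deciding which agent to deploy, it should read cleanly: `Legacy connector uses the Log Analytics agent, which was deprecated on **Aug 31, 2024**. Using MMA and AMA on same machine can cause ...`. The identical sentence is added to the `description` in the first hunk of Package/createUiDefinition.json and needs the same correction, ideally by fixing it here and regenerating the package.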
@@ -27,7 +24,7 @@
 ],
 "Metadata": "SolutionMetadata.json",
 "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\GitLab",
- "Version": "3.0.1",
+ "Version": "3.0.2",
 "TemplateSpec": true,
 "Is1PConnector": false
 }
\ No newline at end of file
diff --git a/Solutions/GitLab/Package/3.0.2.zip b/Solutions/GitLab/Package/3.0.2.zip
new file mode 100644
index 00000000000..586bb961255
Binary files /dev/null and b/Solutions/GitLab/Package/3.0.2.zip differ
diff --git a/Solutions/GitLab/Package/createUiDefinition.json b/Solutions/GitLab/Package/createUiDefinition.json
index be78da4e11c..39b9f3c0770 100644
--- a/Solutions/GitLab/Package/createUiDefinition.json
+++ b/Solutions/GitLab/Package/createUiDefinition.json
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/GitLab/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [GitLab](https://about.gitlab.com/solutions/devops-platform/) solution allows you to easily connect your GitLab (GitLab Enterprise Edition - Standalone) logs into Microsoft Sentinel. This gives you more security insight into your organization's DevOps pipelines.\n\nThis solution is dependent on the Syslog solution containing the Syslog via AMA connector to collect the logs. The Syslog solution will be installed as part of this solution installation. \n\n **NOTE**: Microsoft recommends installation of Syslog via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024**. 
Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Data Connectors:** 1, **Parsers:** 3, **Analytic Rules:** 9\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/GitLab/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [GitLab](https://about.gitlab.com/solutions/devops-platform/) solution allows you to easily connect your GitLab (GitLab Enterprise Edition - Standalone) logs into Microsoft Sentinel. This gives you more security insight into your organization's DevOps pipelines.\n\nThis solution is dependent on the Syslog solution containing the Syslog via AMA connector to collect the logs. The Syslog solution will be installed as part of this solution installation. \n\n **NOTE**: Microsoft recommends installation of Syslog via AMA Connector. Legacy connector uses the Log Analytics agent which were deprecated on **Aug 31, 2024.** Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Parsers:** 3, **Analytic Rules:** 9\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", 
@@ -51,37 +51,6 @@ } ], "steps": [ - { - "name": "dataconnectors", - "label": "Data Connectors", - "bladeTitle": "Data Connectors", - "elements": [ - { - "name": "dataconnectors1-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This Solution installs the data connector for GitLab. You can get GitLab Syslog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." - } - }, - { - "name": "dataconnectors-parser-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel." - } - }, - { - "name": "dataconnectors-link2", - "type": "Microsoft.Common.TextBlock", - "options": { - "link": { - "label": "Learn more about connecting data sources", - "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources" - } - } - } - ] - }, { "name": "analytics", "label": "Analytics", diff --git a/Solutions/GitLab/Package/mainTemplate.json b/Solutions/GitLab/Package/mainTemplate.json index 3fc9bc8518a..0c6b0d66db9 100644 --- a/Solutions/GitLab/Package/mainTemplate.json +++ b/Solutions/GitLab/Package/mainTemplate.json 
@@ -33,18 +33,9 @@ "email": "support@microsoft.com", "_email": "[variables('email')]", "_solutionName": "GitLab", - "_solutionVersion": "3.0.1", + "_solutionVersion": "3.0.2", "solutionId": "azuresentinel.azure-sentinel-solution-gitlab", "_solutionId": "[variables('solutionId')]", - "uiConfigId1": "GitLab", - "_uiConfigId1": "[variables('uiConfigId1')]", - "dataConnectorContentId1": "GitLab", - "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", - "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "_dataConnectorId1": "[variables('dataConnectorId1')]", - "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", - "dataConnectorVersion1": "1.0.0", - "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", "parserObject1": { "_parserName1": "[concat(parameters('workspace'),'/','GitLabAccess')]", "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'GitLabAccess')]", 
@@ -67,60 +58,60 @@ "parserContentId3": "GitLabAudit-Parser" }, "analyticRuleObject1": { - "analyticRuleVersion1": "1.0.0", + "analyticRuleVersion1": "1.0.1", "_analyticRulecontentId1": "2238d13a-cf05-4973-a83f-d12a25dbb153", "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '2238d13a-cf05-4973-a83f-d12a25dbb153')]", "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('2238d13a-cf05-4973-a83f-d12a25dbb153')))]", - "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','2238d13a-cf05-4973-a83f-d12a25dbb153','-', '1.0.0')))]" + "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','2238d13a-cf05-4973-a83f-d12a25dbb153','-', '1.0.1')))]" }, "analyticRuleObject2": { - "analyticRuleVersion2": "1.0.0", + "analyticRuleVersion2": "1.0.1", "_analyticRulecontentId2": "c1544d8f-cbbd-4e35-8d32-5b9312279833", "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'c1544d8f-cbbd-4e35-8d32-5b9312279833')]", "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('c1544d8f-cbbd-4e35-8d32-5b9312279833')))]", - "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','c1544d8f-cbbd-4e35-8d32-5b9312279833','-', '1.0.0')))]" + "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','c1544d8f-cbbd-4e35-8d32-5b9312279833','-', '1.0.1')))]" }, "analyticRuleObject3": { - "analyticRuleVersion3": "1.0.1", + "analyticRuleVersion3": "1.0.2", 
"_analyticRulecontentId3": "0f4f16a2-b464-4c10-9a42-993da3e15a40", "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '0f4f16a2-b464-4c10-9a42-993da3e15a40')]", "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('0f4f16a2-b464-4c10-9a42-993da3e15a40')))]", - "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','0f4f16a2-b464-4c10-9a42-993da3e15a40','-', '1.0.1')))]" + "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','0f4f16a2-b464-4c10-9a42-993da3e15a40','-', '1.0.2')))]" }, "analyticRuleObject4": { - "analyticRuleVersion4": "1.0.0", + "analyticRuleVersion4": "1.0.1", "_analyticRulecontentId4": "e0b45487-5c79-482d-8ac0-695de8c031af", "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'e0b45487-5c79-482d-8ac0-695de8c031af')]", "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('e0b45487-5c79-482d-8ac0-695de8c031af')))]", - "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','e0b45487-5c79-482d-8ac0-695de8c031af','-', '1.0.0')))]" + "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','e0b45487-5c79-482d-8ac0-695de8c031af','-', '1.0.1')))]" }, "analyticRuleObject5": { - "analyticRuleVersion5": "1.0.2", + "analyticRuleVersion5": "1.0.3", "_analyticRulecontentId5": "7241740a-5280-4b74-820a-862312d721a8", "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 
'7241740a-5280-4b74-820a-862312d721a8')]", "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('7241740a-5280-4b74-820a-862312d721a8')))]", - "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','7241740a-5280-4b74-820a-862312d721a8','-', '1.0.2')))]" + "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','7241740a-5280-4b74-820a-862312d721a8','-', '1.0.3')))]" }, "analyticRuleObject6": { - "analyticRuleVersion6": "1.0.0", + "analyticRuleVersion6": "1.0.1", "_analyticRulecontentId6": "4d6d8b0e-6d9a-4857-a141-f5d89393cddb", "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '4d6d8b0e-6d9a-4857-a141-f5d89393cddb')]", "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('4d6d8b0e-6d9a-4857-a141-f5d89393cddb')))]", - "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4d6d8b0e-6d9a-4857-a141-f5d89393cddb','-', '1.0.0')))]" + "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4d6d8b0e-6d9a-4857-a141-f5d89393cddb','-', '1.0.1')))]" }, "analyticRuleObject7": { - "analyticRuleVersion7": "1.0.0", + "analyticRuleVersion7": "1.0.1", "_analyticRulecontentId7": "8b291c3d-90ba-4ebf-af2c-0283192d430e", "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '8b291c3d-90ba-4ebf-af2c-0283192d430e')]", "analyticRuleTemplateSpecName7": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('8b291c3d-90ba-4ebf-af2c-0283192d430e')))]", - "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','8b291c3d-90ba-4ebf-af2c-0283192d430e','-', '1.0.0')))]" + "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','8b291c3d-90ba-4ebf-af2c-0283192d430e','-', '1.0.1')))]" }, "analyticRuleObject8": { - "analyticRuleVersion8": "1.0.0", + "analyticRuleVersion8": "1.0.1", "_analyticRulecontentId8": "3efd09bd-a582-4410-b7ec-5ff21cfad7bd", "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '3efd09bd-a582-4410-b7ec-5ff21cfad7bd')]", "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('3efd09bd-a582-4410-b7ec-5ff21cfad7bd')))]", - "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','3efd09bd-a582-4410-b7ec-5ff21cfad7bd','-', '1.0.0')))]" + "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','3efd09bd-a582-4410-b7ec-5ff21cfad7bd','-', '1.0.1')))]" }, "analyticRuleObject9": { "analyticRuleVersion9": "1.0.1", 
@@ -132,399 +123,6 @@ "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, "resources": [ - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "GitLab data connector with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion1')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId1')]", - "title": "[Deprecated] GitLab", - "publisher": "Microsoft", - "descriptionMarkdown": "The [GitLab](https://about.gitlab.com/solutions/devops-platform/) connector allows you to easily connect your GitLab (GitLab Enterprise Edition - Standalone) logs with Microsoft Sentinel. 
This gives you more security insight into your organization's DevOps pipelines.", - "additionalRequirementBanner": "This data connector depends on three parsers based on a Kusto Function to work as expected [**GitLab Access Logs**](https://aka.ms/sentinel-GitLabAccess-parser), [**GitLab Audit Logs**](https://aka.ms/sentinel-GitLabAudit-parser) and [**GitLab Application Logs**](https://aka.ms/sentinel-GitLabApp-parser) which are deployed with the Microsoft Sentinel Solution.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "GitLabApp", - "baseQuery": "GitLabApp" - }, - { - "metricName": "Total data received", - "legend": "GitLabAudit", - "baseQuery": "GitLabAudit" - }, - { - "metricName": "Total data received", - "legend": "GitLabAccess", - "baseQuery": "GitLabAccess" - } - ], - "sampleQueries": [ - { - "description": "GitLab Application Logs", - "query": "GitLabApp | sort by TimeGenerated" - }, - { - "description": "GitLab Audit Logs", - "query": "GitLabAudit | sort by TimeGenerated" - }, - { - "description": "GitLab Access Logs", - "query": "GitLabAccess | sort by TimeGenerated" - } - ], - "dataTypes": [ - { - "name": "Syslog (GitlabAccess)", - "lastDataReceivedQuery": "GitLabAccess\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "Syslog (GitlabAudit)", - "lastDataReceivedQuery": "GitLabAudit\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "Syslog (GitlabApp)", - "lastDataReceivedQuery": "GitLabApp\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "GitLabApp\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)", - "GitLabAudit\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)", - "GitLabAccess\n | summarize LastLogReceived = max(TimeGenerated)\n | 
project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "write permission is required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "delete": true - } - } - ] - }, - "instructionSteps": [ - { - "description": ">This data connector depends on three parsers based on a Kusto Function to work as expected [**GitLab Access Logs**](https://aka.ms/sentinel-GitLabAccess-parser), [**GitLab Audit Logs**](https://aka.ms/sentinel-GitLabAudit-parser) and [**GitLab Application Logs**](https://aka.ms/sentinel-GitLabApp-parser) which are deployed with the Microsoft Sentinel Solution.", - "title": "Configuration" - }, - { - "description": "Typically, you should install the agent on a different computer from the one on which the logs are generated.\n\n> Syslog logs are collected only from **Linux** agents.", - "instructions": [ - { - "parameters": { - "title": "Choose where to install the agent:", - "instructionSteps": [ - { - "title": "Install agent on Azure Linux Virtual Machine", - "description": "Select the machine to install the agent on and then click **Connect**.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnLinuxVirtualMachine" - }, - "type": "InstallAgent" - } - ] - }, - { - "title": "Install agent on a non-Azure Linux Machine", - "description": "Download the agent on the relevant machine and follow the instructions.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnLinuxNonAzure" - }, - "type": "InstallAgent" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ], - "title": "1. Install and onboard the agent for Linux" - }, - { - "description": "Configure the facilities you want to collect and their severities.\n\n1. 
Under workspace advanced settings **Configuration**, select **Data** and then **Syslog**.\n2. Select **Apply below configuration to my machines** and select the facilities and severities.\n3. Click **Save**.", - "instructions": [ - { - "parameters": { - "linkType": "OpenSyslogSettings" - }, - "type": "InstallAgent" - } - ], - "title": "2. Configure the logs to be collected" - } - ], - "metadata": { - "id": "Unique Identifier (GUID) used to identify dependencies and content from solutions or community.", - "version": "1.0.0", - "kind": "dataConnector", - "source": { - "kind": "community" - }, - "author": { - "name": "Guillaume Benats" - }, - "support": { - "tier": "community", - "name": "Guillaume Benats", - "link": "https://github.com/Azure/Azure-Sentinel/issues" - } - } - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "GitLab", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - 
"contentId": "[variables('_dataConnectorContentId1')]", - "contentKind": "DataConnector", - "displayName": "[Deprecated] GitLab", - "contentProductId": "[variables('_dataConnectorcontentProductId1')]", - "id": "[variables('_dataConnectorcontentProductId1')]", - "version": "[variables('dataConnectorVersion1')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId1')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "GitLab", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "[Deprecated] GitLab", - "publisher": "Microsoft", - "descriptionMarkdown": "The [GitLab](https://about.gitlab.com/solutions/devops-platform/) connector allows you to easily connect your GitLab (GitLab Enterprise Edition - 
Standalone) logs with Microsoft Sentinel. This gives you more security insight into your organization's DevOps pipelines.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "GitLabApp", - "baseQuery": "GitLabApp" - }, - { - "metricName": "Total data received", - "legend": "GitLabAudit", - "baseQuery": "GitLabAudit" - }, - { - "metricName": "Total data received", - "legend": "GitLabAccess", - "baseQuery": "GitLabAccess" - } - ], - "dataTypes": [ - { - "name": "Syslog (GitlabAccess)", - "lastDataReceivedQuery": "GitLabAccess\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "Syslog (GitlabAudit)", - "lastDataReceivedQuery": "GitLabAudit\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "Syslog (GitlabApp)", - "lastDataReceivedQuery": "GitLabApp\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "GitLabApp\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)", - "GitLabAudit\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)", - "GitLabAccess\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "sampleQueries": [ - { - "description": "GitLab Application Logs", - "query": "GitLabApp | sort by TimeGenerated" - }, - { - "description": "GitLab Audit Logs", - "query": "GitLabAudit | sort by TimeGenerated" - }, - { - "description": "GitLab Access Logs", - "query": "GitLabAccess | sort by TimeGenerated" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "write permission is required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - 
"requiredPermissions": { - "write": true, - "delete": true - } - } - ] - }, - "instructionSteps": [ - { - "description": ">This data connector depends on three parsers based on a Kusto Function to work as expected [**GitLab Access Logs**](https://aka.ms/sentinel-GitLabAccess-parser), [**GitLab Audit Logs**](https://aka.ms/sentinel-GitLabAudit-parser) and [**GitLab Application Logs**](https://aka.ms/sentinel-GitLabApp-parser) which are deployed with the Microsoft Sentinel Solution.", - "title": "Configuration" - }, - { - "description": "Typically, you should install the agent on a different computer from the one on which the logs are generated.\n\n> Syslog logs are collected only from **Linux** agents.", - "instructions": [ - { - "parameters": { - "title": "Choose where to install the agent:", - "instructionSteps": [ - { - "title": "Install agent on Azure Linux Virtual Machine", - "description": "Select the machine to install the agent on and then click **Connect**.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnLinuxVirtualMachine" - }, - "type": "InstallAgent" - } - ] - }, - { - "title": "Install agent on a non-Azure Linux Machine", - "description": "Download the agent on the relevant machine and follow the instructions.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnLinuxNonAzure" - }, - "type": "InstallAgent" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ], - "title": "1. Install and onboard the agent for Linux" - }, - { - "description": "Configure the facilities you want to collect and their severities.\n\n1. Under workspace advanced settings **Configuration**, select **Data** and then **Syslog**.\n2. Select **Apply below configuration to my machines** and select the facilities and severities.\n3. Click **Save**.", - "instructions": [ - { - "parameters": { - "linkType": "OpenSyslogSettings" - }, - "type": "InstallAgent" - } - ], - "title": "2. 
Configure the logs to be collected" - } - ], - "id": "[variables('_uiConfigId1')]", - "additionalRequirementBanner": "This data connector depends on three parsers based on a Kusto Function to work as expected [**GitLab Access Logs**](https://aka.ms/sentinel-GitLabAccess-parser), [**GitLab Audit Logs**](https://aka.ms/sentinel-GitLabAudit-parser) and [**GitLab Application Logs**](https://aka.ms/sentinel-GitLabApp-parser) which are deployed with the Microsoft Sentinel Solution." - } - } - }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", @@ -534,7 +132,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "GitLabAccess Data Parser with template version 3.0.1", + "description": "GitLabAccess Data Parser with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject1').parserVersion1]", @@ -666,7 +264,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "GitLabApp Data Parser with template version 3.0.1", + "description": "GitLabApp Data Parser with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject2').parserVersion2]", 
@@ -798,7 +396,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "GitLabAudit Data Parser with template version 3.0.1", + "description": "GitLabAudit Data Parser with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject3').parserVersion3]", @@ -930,7 +528,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "GitLab_BruteForce_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "GitLab_BruteForce_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", @@ -958,7 +556,7 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "Syslog", + "connectorId": "SyslogAma", "dataTypes": [ "Syslog" ] @@ -1043,7 +641,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "GitLab_ExternalUser_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "GitLab_ExternalUser_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", 
@@ -1071,7 +669,7 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "Syslog", + "connectorId": "SyslogAma", "dataTypes": [ "Syslog" ] @@ -1174,7 +772,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "GitLab_Impersonation_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "GitLab_Impersonation_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", @@ -1202,7 +800,7 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "Syslog", + "connectorId": "SyslogAma", "dataTypes": [ "Syslog" ] @@ -1305,7 +903,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "GitLab_LocalAuthNoMFA_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "GitLab_LocalAuthNoMFA_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", @@ -1333,7 +931,7 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "Syslog", + "connectorId": "SyslogAma", "dataTypes": [ "Syslog" ] 
@@ -1418,7 +1016,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "GitLab_MaliciousIP_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "GitLab_MaliciousIP_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", @@ -1458,7 +1056,7 @@ ] }, { - "connectorId": "Syslog", + "connectorId": "SyslogAma", "dataTypes": [ "Syslog" ] @@ -1543,7 +1141,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "GitLab_PAT_Repo_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "GitLab_PAT_Repo_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", @@ -1571,7 +1169,7 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "Syslog", + "connectorId": "SyslogAma", "dataTypes": [ "Syslog" ] 
@@ -1647,7 +1245,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "GitLab_RepoVisibilityChange_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "GitLab_RepoVisibilityChange_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]", @@ -1675,7 +1273,7 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "Syslog", + "connectorId": "SyslogAma", "dataTypes": [ "Syslog" ] @@ -1771,7 +1369,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "GitLab_Repo_Deletion_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "GitLab_Repo_Deletion_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]", @@ -1799,7 +1397,7 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "Syslog", + "connectorId": "SyslogAma", "dataTypes": [ "Syslog" ] 
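Review bot: GitLab_SignInBurst (`analyticRuleObject9`) appears to miss the connector swap made in this hunk. Templates 1 through 8 each get a `requiredDataConnectors` hunk changing `Syslog` to `SyslogAma`, but the SignInBurst template that follows only has its description bumped to 3.0.2. If that rule still lists `"connectorId": "Syslog"`, it would keep advertising the legacy agent-based Syslog connector as its data source, while the other eight rules and the solution description point to Syslog via AMA; the line should then read `"connectorId": "SyslogAma",` there as well. The rule's connector block lies outside the visible hunks, so this needs confirming against the rule definition before release.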
@@ -1884,7 +1482,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "GitLab_SignInBurst_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "GitLab_SignInBurst_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]", @@ -1984,12 +1582,12 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.1", + "version": "3.0.2", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "GitLab", "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", - "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The GitLab solution allows you to easily connect your GitLab (GitLab Enterprise Edition - Standalone) logs into Microsoft Sentinel. This gives you more security insight into your organization's DevOps pipelines.

\n

This solution is dependent on the Syslog solution containing the Syslog via AMA connector to collect the logs. The Syslog solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of Syslog via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.

\n

Data Connectors: 1, Parsers: 3, Analytic Rules: 9

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The GitLab solution allows you to easily connect your GitLab (GitLab Enterprise Edition - Standalone) logs into Microsoft Sentinel. This gives you more security insight into your organization's DevOps pipelines.

\n

This solution is dependent on the Syslog solution containing the Syslog via AMA connector to collect the logs. The Syslog solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of Syslog via AMA Connector. Legacy connector uses the Log Analytics agent which were deprecated on Aug 31, 2024. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.

\n

Parsers: 3, Analytic Rules: 9

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]",
@@ -2013,11 +1611,6 @@ }, "dependencies": { "criteria": [ - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId1')]", - "version": "[variables('dataConnectorVersion1')]" - }, { "kind": "Parser", "contentId": "[variables('parserObject1').parserContentId1]",
diff --git a/Solutions/GitLab/ReleaseNotes.md b/Solutions/GitLab/ReleaseNotes.md
index ace127cc15e..35219a554d4 100644
--- a/Solutions/GitLab/ReleaseNotes.md
+++ b/Solutions/GitLab/ReleaseNotes.md
@@ -1,5 +1,6 @@
-| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
-|-------------|--------------------------------|----------------------------------------------------------------------------|
-| 3.0.1 | 07-24-2023 | Deprecated data connectors |
-| 3.0.0 | 07-11-2023 | Modifying text as there is rebranding from Azure Active Directory to Microsoft Entra ID |
+| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
+|-------------|--------------------------------|-------------------------------------------------------------------------------------------|
+| 3.0.2 | 12-12-2024 | Removed Deprecated **Data connectors** |
+| 3.0.1 | 07-24-2023 | Deprecated data connectors |
+| 3.0.0 | 07-11-2023 | Modifying text as there is rebranding from Azure Active Directory to Microsoft Entra ID |