diff --git a/Solutions/Forcepoint CASB/Data Connectors/template_Forcepoint CASBAMA.json b/Solutions/Forcepoint CASB/Data Connectors/template_Forcepoint CASBAMA.json
index a0bf8003341..a126f387e23 100644
--- a/Solutions/Forcepoint CASB/Data Connectors/template_Forcepoint CASBAMA.json
+++ b/Solutions/Forcepoint CASB/Data Connectors/template_Forcepoint CASBAMA.json
@@ -111,11 +111,11 @@
]
},
{
- "title": "4. Secure your machine ",
+ "title": "2. Secure your machine ",
"description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)"
},
{
- "title": "5. Forcepoint integration installation guide ",
+ "title": "3. Forcepoint integration installation guide ",
"description": "To complete the installation of this Forcepoint product integration, follow the guide linked below.\n\n[Installation Guide >](https://frcpnt.com/casb-sentinel)"
}
],
diff --git a/Solutions/Forcepoint CASB/Package/3.0.0.zip b/Solutions/Forcepoint CASB/Package/3.0.0.zip
index 3ec86253f55..774715843f1 100644
Binary files a/Solutions/Forcepoint CASB/Package/3.0.0.zip and b/Solutions/Forcepoint CASB/Package/3.0.0.zip differ
diff --git a/Solutions/Forcepoint CASB/Package/createUiDefinition.json b/Solutions/Forcepoint CASB/Package/createUiDefinition.json
index bb4f5a415b3..7dc5dd240c8 100644
--- a/Solutions/Forcepoint CASB/Package/createUiDefinition.json
+++ b/Solutions/Forcepoint CASB/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
- "description": "![](\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\")
\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Forcepoint CASB](https://www.forcepoint.com/product/casb-cloud-access-security-broker) (Cloud Access Security Broker) Solution for Microsoft Sentinel allows you to automatically export CASB logs and events into Microsoft Sentinel in real-time. This enriches visibility into user activities across locations and cloud applications, enables further correlation with data from Azure workloads and other feeds, and improves monitoring capability with Workbooks inside Microsoft Sentinel. \n\nFor more details about this solution refer to [integration documentation](https://forcepoint.github.io/docs/casb_and_azure_sentinel/). \n\r\n1. **Forcepoint CASB via AMA** -This data connector helps in ingesting Forcepoint CASB logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. **Forcepoint CASB via Legacy Agent** - This data connector helps in ingesting Forcepoint CASB logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends Installation of Forcepoint CASB via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31.2024,** and thus should only be installed where AMA is not supported.Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Data Connectors:** 2, **Workbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Forcepoint%20CASB/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Forcepoint CASB](https://www.forcepoint.com/product/casb-cloud-access-security-broker) (Cloud Access Security Broker) Solution for Microsoft Sentinel allows you to automatically export CASB logs and events into Microsoft Sentinel in real-time. This enriches visibility into user activities across locations and cloud applications, enables further correlation with data from Azure workloads and other feeds, and improves monitoring capability with Workbooks inside Microsoft Sentinel. \n\nFor more details about this solution refer to [integration documentation](https://forcepoint.github.io/docs/casb_and_azure_sentinel/). \n\r\n1. **Forcepoint CASB via AMA** -This data connector helps in ingesting Forcepoint CASB logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. **Forcepoint CASB via Legacy Agent** - This data connector helps in ingesting Forcepoint CASB logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends Installation of Forcepoint CASB via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31.2024,** and thus should only be installed where AMA is not supported.Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Data Connectors:** 2, **Workbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
@@ -64,20 +64,20 @@
}
},
{
- "name": "dataconnectors-link2",
+ "name": "dataconnectors2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "link": {
- "label": "Learn more about connecting data sources",
- "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
- }
+ "text": "This Solution installs the data connector for Forcepoint CASB. You can get Forcepoint CASB CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
}
},
{
- "name": "dataconnectors2-text",
+ "name": "dataconnectors-link2",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "This Solution installs the data connector for Forcepoint CASB. You can get Forcepoint CASB CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+ "link": {
+ "label": "Learn more about connecting data sources",
+ "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
+ }
}
}
]
diff --git a/Solutions/Forcepoint CASB/Package/mainTemplate.json b/Solutions/Forcepoint CASB/Package/mainTemplate.json
index e3170f40904..3792943bda7 100644
--- a/Solutions/Forcepoint CASB/Package/mainTemplate.json
+++ b/Solutions/Forcepoint CASB/Package/mainTemplate.json
@@ -38,10 +38,17 @@
}
},
"variables": {
- "solutionId": "microsoftsentinelcommunity.azure-sentinel-solution-forcepoint-casb",
- "_solutionId": "[variables('solutionId')]",
"_solutionName": "Forcepoint CASB",
"_solutionVersion": "3.0.0",
+ "solutionId": "microsoftsentinelcommunity.azure-sentinel-solution-forcepoint-casb",
+ "_solutionId": "[variables('solutionId')]",
+ "workbookVersion1": "1.0.0",
+ "workbookContentId1": "ForcepointCASBWorkbook",
+ "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]",
+ "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]",
+ "_workbookContentId1": "[variables('workbookContentId1')]",
+ "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
+ "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]",
"uiConfigId1": "ForcepointCasb",
"_uiConfigId1": "[variables('uiConfigId1')]",
"dataConnectorContentId1": "ForcepointCasb",
@@ -60,16 +67,99 @@
"dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]",
"dataConnectorVersion2": "1.0.0",
"_dataConnectorcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]",
- "workbookVersion1": "1.0.0",
- "workbookContentId1": "ForcepointCASBWorkbook",
- "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]",
- "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]",
- "_workbookContentId1": "[variables('workbookContentId1')]",
- "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
- "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]",
"_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
},
"resources": [
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('workbookTemplateSpecName1')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "ForcepointCASBWorkbook Workbook with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('workbookVersion1')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Insights/workbooks",
+ "name": "[variables('workbookContentId1')]",
+ "location": "[parameters('workspace-location')]",
+ "kind": "shared",
+ "apiVersion": "2021-08-01",
+ "metadata": {
+ "description": "Get insights on user risk with the Forcepoint CASB (Cloud Access Security Broker) workbook."
+ },
+ "properties": {
+ "displayName": "[parameters('workbook1-name')]",
+ "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"Top 5 Users by Number of Failed Attempts
\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog \\r\\n| where TimeGenerated <= now()\\r\\n| extend outcome = coalesce(\\r\\n column_ifexists(\\\"EventOutcome\\\", \\\"\\\"),\\r\\n split(split(AdditionalExtensions, \\\";\\\", 2)[0], \\\"=\\\", 1)[0],\\r\\n \\\"\\\"\\r\\n )\\r\\n| extend reason = coalesce(\\r\\n column_ifexists(\\\"Reason\\\", \\\"\\\"),\\r\\n split(split(AdditionalExtensions, \\\";\\\", 3)[0], \\\"=\\\", 1)[0],\\r\\n \\\"\\\"\\r\\n )\\r\\n| where DeviceVendor == \\\"Forcepoint CASB\\\"\\r\\n| where DeviceProduct in (\\\"SaaS Security Gateway\\\", \\\"Cloud Service Monitoring\\\", \\\"CASB Admin audit log\\\")\\r\\n| where outcome ==\\\"Failure\\\" \\r\\n| summarize Count= count() by DestinationUserName| render barchart\",\"size\":0,\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 2\"},{\"type\":1,\"content\":{\"json\":\"\\r\\nTop 5 Users With The Highest Number Of Logs
\"},\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog \\r\\n| where TimeGenerated <= now()\\r\\n| where DeviceVendor == \\\"Forcepoint CASB\\\"\\r\\n| where DeviceProduct in (\\\"SaaS Security Gateway\\\", \\\"Cloud Service Monitoring\\\", \\\"CASB Admin audit log\\\")\\r\\n| summarize Count = count() by DestinationUserName\\r\\n| top 5 by DestinationUserName| render barchart\",\"size\":1,\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 4\"}],\"fromTemplateId\":\"sentinel-ForcepointCASB\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n",
+ "version": "1.0",
+ "sourceId": "[variables('workspaceResourceId')]",
+ "category": "sentinel"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]",
+ "properties": {
+ "description": "@{workbookKey=ForcepointCASBWorkbook; logoFileName=FP_Green_Emblem_RGB-01.svg; description=Get insights on user risk with the Forcepoint CASB (Cloud Access Security Broker) workbook.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=Forcepoint Cloud Access Security Broker (CASB); templateRelativePath=ForcepointCASB.json; subtitle=; provider=Forcepoint}.description",
+ "parentId": "[variables('workbookId1')]",
+ "contentId": "[variables('_workbookContentId1')]",
+ "kind": "Workbook",
+ "version": "[variables('workbookVersion1')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Forcepoint CASB",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Forcepoint"
+ },
+ "support": {
+ "tier": "Community",
+ "name": "Community",
+ "link": "https://github.com/Azure/Azure-Sentinel/issues"
+ },
+ "dependencies": {
+ "operator": "AND",
+ "criteria": [
+ {
+ "contentId": "CommonSecurityLog",
+ "kind": "DataType"
+ },
+ {
+ "contentId": "ForcepointCasb",
+ "kind": "DataConnector"
+ },
+ {
+ "contentId": "ForcepointCasbAma",
+ "kind": "DataConnector"
+ }
+ ]
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_workbookContentId1')]",
+ "contentKind": "Workbook",
+ "displayName": "[parameters('workbook1-name')]",
+ "contentProductId": "[variables('_workbookcontentProductId1')]",
+ "id": "[variables('_workbookcontentProductId1')]",
+ "version": "[variables('workbookVersion1')]"
+ }
+ },
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
@@ -536,13 +626,13 @@
"instructionSteps": [
{
"title": "Step A. Configure the Common Event Format (CEF) via AMA data connector",
- "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine",
- "instructions": []
+ "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine"
+
},
{
"title": "Step B. Forward Common Event Format (CEF) logs to Syslog agent",
- "description": "Set your security solution to send Syslog messages in CEF format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machine's IP address.",
- "instructions": []
+ "description": "Set your security solution to send Syslog messages in CEF format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machine's IP address."
+
},
{
"title": "Step C. Validate connection",
@@ -565,11 +655,11 @@
},
{
"description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
- "title": "4. Secure your machine "
+ "title": "2. Secure your machine "
},
{
"description": "To complete the installation of this Forcepoint product integration, follow the guide linked below.\n\n[Installation Guide >](https://frcpnt.com/casb-sentinel)",
- "title": "5. Forcepoint integration installation guide "
+ "title": "3. Forcepoint integration installation guide "
}
],
"metadata": {
@@ -746,13 +836,13 @@
"instructionSteps": [
{
"title": "Step A. Configure the Common Event Format (CEF) via AMA data connector",
- "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine",
- "instructions": []
+ "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine"
+
},
{
"title": "Step B. Forward Common Event Format (CEF) logs to Syslog agent",
- "description": "Set your security solution to send Syslog messages in CEF format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machine's IP address.",
- "instructions": []
+ "description": "Set your security solution to send Syslog messages in CEF format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machine's IP address."
+
},
{
"title": "Step C. Validate connection",
@@ -775,103 +865,17 @@
},
{
"description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
- "title": "4. Secure your machine "
+ "title": "2. Secure your machine "
},
{
"description": "To complete the installation of this Forcepoint product integration, follow the guide linked below.\n\n[Installation Guide >](https://frcpnt.com/casb-sentinel)",
- "title": "5. Forcepoint integration installation guide "
+ "title": "3. Forcepoint integration installation guide "
}
],
"id": "[variables('_uiConfigId2')]"
}
}
},
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
- "apiVersion": "2023-04-01-preview",
- "name": "[variables('workbookTemplateSpecName1')]",
- "location": "[parameters('workspace-location')]",
- "dependsOn": [
- "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
- ],
- "properties": {
- "description": "ForcepointCASBWorkbook Workbook with template version 3.0.0",
- "mainTemplate": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('workbookVersion1')]",
- "parameters": {},
- "variables": {},
- "resources": [
- {
- "type": "Microsoft.Insights/workbooks",
- "name": "[variables('workbookContentId1')]",
- "location": "[parameters('workspace-location')]",
- "kind": "shared",
- "apiVersion": "2021-08-01",
- "metadata": {
- "description": "Get insights on user risk with the Forcepoint CASB (Cloud Access Security Broker) workbook."
- },
- "properties": {
- "displayName": "[parameters('workbook1-name')]",
- "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"Top 5 Users by Number of Failed Attempts
\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog \\r\\n| where TimeGenerated <= now()\\r\\n| extend outcome = coalesce(\\r\\n column_ifexists(\\\"EventOutcome\\\", \\\"\\\"),\\r\\n split(split(AdditionalExtensions, \\\";\\\", 2)[0], \\\"=\\\", 1)[0],\\r\\n \\\"\\\"\\r\\n )\\r\\n| extend reason = coalesce(\\r\\n column_ifexists(\\\"Reason\\\", \\\"\\\"),\\r\\n split(split(AdditionalExtensions, \\\";\\\", 3)[0], \\\"=\\\", 1)[0],\\r\\n \\\"\\\"\\r\\n )\\r\\n| where DeviceVendor == \\\"Forcepoint CASB\\\"\\r\\n| where DeviceProduct in (\\\"SaaS Security Gateway\\\", \\\"Cloud Service Monitoring\\\", \\\"CASB Admin audit log\\\")\\r\\n| where outcome ==\\\"Failure\\\" \\r\\n| summarize Count= count() by DestinationUserName| render barchart\",\"size\":0,\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 2\"},{\"type\":1,\"content\":{\"json\":\"\\r\\nTop 5 Users With The Highest Number Of Logs
\"},\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog \\r\\n| where TimeGenerated <= now()\\r\\n| where DeviceVendor == \\\"Forcepoint CASB\\\"\\r\\n| where DeviceProduct in (\\\"SaaS Security Gateway\\\", \\\"Cloud Service Monitoring\\\", \\\"CASB Admin audit log\\\")\\r\\n| summarize Count = count() by DestinationUserName\\r\\n| top 5 by DestinationUserName| render barchart\",\"size\":1,\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 4\"}],\"fromTemplateId\":\"sentinel-ForcepointCASB\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n",
- "version": "1.0",
- "sourceId": "[variables('workspaceResourceId')]",
- "category": "sentinel"
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]",
- "properties": {
- "description": "@{workbookKey=ForcepointCASBWorkbook; logoFileName=FP_Green_Emblem_RGB-01.svg; description=Get insights on user risk with the Forcepoint CASB (Cloud Access Security Broker) workbook.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=Forcepoint Cloud Access Security Broker (CASB); templateRelativePath=ForcepointCASB.json; subtitle=; provider=Forcepoint}.description",
- "parentId": "[variables('workbookId1')]",
- "contentId": "[variables('_workbookContentId1')]",
- "kind": "Workbook",
- "version": "[variables('workbookVersion1')]",
- "source": {
- "kind": "Solution",
- "name": "Forcepoint CASB",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Forcepoint"
- },
- "support": {
- "tier": "Community",
- "name": "Community",
- "link": "https://github.com/Azure/Azure-Sentinel/issues"
- },
- "dependencies": {
- "operator": "AND",
- "criteria": [
- {
- "contentId": "CommonSecurityLog",
- "kind": "DataType"
- },
- {
- "contentId": "ForcepointCasb",
- "kind": "DataConnector"
- }
- ]
- }
- }
- }
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_workbookContentId1')]",
- "contentKind": "Workbook",
- "displayName": "[parameters('workbook1-name')]",
- "contentProductId": "[variables('_workbookcontentProductId1')]",
- "id": "[variables('_workbookcontentProductId1')]",
- "version": "[variables('workbookVersion1')]"
- }
- },
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages",
"apiVersion": "2023-04-01-preview",
@@ -905,6 +909,11 @@
"dependencies": {
"operator": "AND",
"criteria": [
+ {
+ "kind": "Workbook",
+ "contentId": "[variables('_workbookContentId1')]",
+ "version": "[variables('workbookVersion1')]"
+ },
{
"kind": "DataConnector",
"contentId": "[variables('_dataConnectorContentId1')]",
@@ -914,11 +923,6 @@
"kind": "DataConnector",
"contentId": "[variables('_dataConnectorContentId2')]",
"version": "[variables('dataConnectorVersion2')]"
- },
- {
- "kind": "Workbook",
- "contentId": "[variables('_workbookContentId1')]",
- "version": "[variables('workbookVersion1')]"
}
]
},
diff --git a/Solutions/Forcepoint CASB/ReleaseNotes.md b/Solutions/Forcepoint CASB/ReleaseNotes.md
new file mode 100644
index 00000000000..80191e899af
--- /dev/null
+++ b/Solutions/Forcepoint CASB/ReleaseNotes.md
@@ -0,0 +1,5 @@
+| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
+|-------------|--------------------------------|--------------------------------------------------------------------|
+| 3.0.0 | 31-08-2023 | Addition of new Forcepoint CASB AMA **Data Connector ** | |
+
+
diff --git a/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json b/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json
index 918354e9fc3..133d7ffa60f 100644
--- a/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json
+++ b/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json
@@ -947,7 +947,8 @@
"CommonSecurityLog"
],
"dataConnectorsDependencies": [
- "ForcepointCasb"
+ "ForcepointCasb",
+ "ForcepointCasbAma"
],
"previewImagesFileNames": [
"ForcepointCASBWhite.png",