Merge branch 'Azure:master' into master

Azure · Aug 29, 2023 · 82efff4 · 82efff4
2 parents 713890f + d0bb1d2
commit 82efff4
Show file tree

Hide file tree

Showing 4 changed files with 38 additions and 12 deletions.
diff --git a/DataConnectors/O365 Data/O365APItoAS-Template.zip b/DataConnectors/O365 Data/O365APItoAS-Template.zip
diff --git a/DataConnectors/O365 Data/O365APItoAS-Template/TimerTrigger/run.ps1 b/DataConnectors/O365 Data/O365APItoAS-Template/TimerTrigger/run.ps1
@@ -14,7 +14,7 @@ function Write-OMSLogfile {
     Given a  value pair hash table, this function will write the data to an OMS Log Analytics workspace.
     Certain variables, such as Customer ID and Shared Key are specific to the OMS workspace data is being written to.
     This function will not write to multiple OMS workspaces.  Build-signature and post-analytics function from Microsoft documentation
-    at https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-data-collector-api
+    at https://docs.microsoft.com/azure/log-analytics/log-analytics-data-collector-api
     .PARAMETER DateTime
     date and time for the log.  DateTime value
     .PARAMETER Type
@@ -104,14 +104,23 @@ function Write-OMSLogfile {
                 -method $method `
                 -contentType $ContentType `
                 -resource $resource
-            $uri = "https://" + $customerId + ".ods.opinsights.azure.com" + $resource + "?api-version=2016-04-01"
+
+		    # Compatible with previous version
+		    if ([string]::IsNullOrEmpty($LAURI)){
+		    	$LAURI = "https://" + $CustomerId + ".ods.opinsights.azure.com" + $resource + "?api-version=2016-04-01"
+		    }
+		    else
+		    {
+		    	$LAURI = $LAURI + $resource + "?api-version=2016-04-01"
+		    }
+
             $headers = @{
                 "Authorization" = $signature;
                 "Log-Type" = $type;
                 "x-ms-date" = $rfc1123date
                 "time-generated-field" = $dateTime
             }
-            $response = Invoke-WebRequest -Uri $uri -Method $method -ContentType $ContentType -Headers $headers -Body $body -UseBasicParsing
+            $response = Invoke-WebRequest -Uri $LAURI -Method $method -ContentType $ContentType -Headers $headers -Body $body -UseBasicParsing
             Write-Verbose -message ('Post Function Return Code ' + $response.statuscode)
             return $response.statuscode
         }
@@ -150,9 +159,9 @@ function Get-AuthToken{
             [string]$TenantGUID
         )
     # Create app of type Web app / API in Azure AD, generate a Client Secret, and update the client id and client secret here
-    $loginURL = "https://login.microsoftonline.com/"
+    $loginURL = "$env:loginEndpoint"
     # Get the tenant GUID from Properties | Directory ID under the Azure Active Directory section
-    $resource = "https://manage.office.com"
+    $resource = "https://$env:managementApi"
     # auth
     $body = @{grant_type="client_credentials";resource=$resource;client_id=$ClientID;client_secret=$ClientSecret}
     $oauth = Invoke-RestMethod -Method Post -Uri $loginURL/$tenantdomain/oauth2/token?api-version=1.0 -Body $body
@@ -176,7 +185,7 @@ function Get-O365Data{
     $contentTypes = $env:contentTypes.split(",")
     #Loop for each content Type like Audit.General
     foreach($contentType in $contentTypes){
-        $listAvailableContentUri = "https://manage.office.com/api/v1.0/$tenantGUID/activity/feed/subscriptions/content?contentType=$contentType&PublisherIdentifier=$env:publisher&startTime=$startTime&endTime=$endTime"
+        $listAvailableContentUri = "https://$env:managementApi/api/v1.0/$tenantGUID/activity/feed/subscriptions/content?contentType=$contentType&PublisherIdentifier=$env:publisher&startTime=$startTime&endTime=$endTime"
         do {
             #List Available Content
             $contentResult = Invoke-RestMethod -Method GET -Headers $headerParams -Uri $listAvailableContentUri
@@ -232,6 +241,16 @@ if ($Timer.IsPastDue) {
     Write-Host "PowerShell timer is running late!"
 }
 
+$LAURI = $env:LAURI
+if (-Not [string]::IsNullOrEmpty($LAURI)){
+	if($LAURI.Trim() -notmatch 'https:\/\/([\w\-]+)\.ods\.opinsights\.azure.([a-zA-Z\.]+)$')
+	{
+		Write-Error -Message "MCASActivity-SecurityEvents: Invalid Log Analytics Uri." -ErrorAction Stop
+		Exit
+	}
+}
+
+
 #add last run time to blob file to ensure no missed packages
 $endTime = $currentUTCtime | Get-Date -Format yyyy-MM-ddTHH:mm:ss
 $azstoragestring = $Env:WEBSITE_CONTENTAZUREFILECONNECTIONSTRING

diff --git a/DataConnectors/O365 Data/azuredeploy.json b/DataConnectors/O365 Data/azuredeploy.json
@@ -37,12 +37,19 @@
         "workspaceKey": {
             "type": "string",
             "defaultValue": "<workspaceKey>"
+        },
+        "office365Environment": {
+            "type": "string",
+            "defaultValue": "manage.office.com",
+            "allowedValues": ["manage.office.com", "manage-gcc.office.com", "manage.office365.us", "manage.protection.apps.mil"]
         }
     },
     "variables": {
             "Name": "O365Data",
             "FunctionName": "[concat(variables('Name'), 'fn', uniqueString(resourceGroup().id, subscription().id))]",
             "StorageAccountName": "[tolower(concat(variables('Name'), 'sa', uniqueString(resourceGroup().id, subscription().id)))]",
+            "StorageSuffix": "[environment().suffixes.storage]",
+            "LogAnaltyicsUri": "[replace(environment().portal, 'https://portal', concat('https://', toLower(parameters('WorkspaceId')), '.ods.opinsights'))]",
             "KeyVaultName": "[concat(variables('Name'), 'kv', uniqueString(resourceGroup().id, subscription().id))]"
     },
     "resources": [
@@ -231,8 +238,8 @@
                         "FUNCTIONS_WORKER_RUNTIME": "powershell",
                         "APPINSIGHTS_INSTRUMENTATIONKEY": "[reference(resourceId('Microsoft.insights/components', variables('FunctionName')), '2015-05-01').InstrumentationKey]",
                         "APPLICATIONINSIGHTS_CONNECTION_STRING": "[reference(resourceId('microsoft.insights/components', variables('FunctionName')), '2015-05-01').ConnectionString]",
-                        "AzureWebJobsStorage": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('StorageAccountName'),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(variables('StorageAccountName'))), '2019-06-01').keys[0].value, ';EndpointSuffix=core.windows.net')]",
-                        "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('StorageAccountName'),';AccountKey=', listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(variables('StorageAccountName'))), '2019-06-01').keys[0].value, ';EndpointSuffix=core.windows.net')]",
+                        "AzureWebJobsStorage": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('StorageAccountName'),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(variables('StorageAccountName'))), '2019-06-01').keys[0].value, ';EndpointSuffix=',toLower(variables('StorageSuffix')))]",
+                        "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('StorageAccountName'),';AccountKey=', listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(variables('StorageAccountName'))), '2019-06-01').keys[0].value, ';EndpointSuffix=',toLower(variables('StorageSuffix')))]",
                         "WEBSITE_CONTENTSHARE": "[variables('StorageAccountName')]",
                         "clientID": "[parameters('clientID')]",
                         "clientSecret": "[concat('@Microsoft.KeyVault(SecretUri=', reference(resourceId('Microsoft.KeyVault/vaults/secrets', variables('KeyVaultName'), 'clientSecret')).SecretUriWithVersion, ')')]",
@@ -245,7 +252,10 @@
                         "workspaceID": "[parameters('workspaceID')]",
                         "workspaceKey": "[concat('@Microsoft.KeyVault(SecretUri=', reference(resourceId('Microsoft.KeyVault/vaults/secrets', variables('KeyVaultName'), 'workspaceKey')).SecretUriWithVersion, ')')]",
                         "WEBSITE_RUN_FROM_PACKAGE": "https://aka.ms/sentinel-O365APItoAS-functionapp",
-                        "customLogName": "O365"
+                        "LAURI": "[variables('LogAnaltyicsUri')]",
+                        "customLogName": "O365",
+                        "managementApi": "[parameters('office365Environment')]",
+                        "loginEndpoint": "[environment().authentication.loginEndpoint]"
                     }
                 }
             ]

diff --git a/DataConnectors/O365 Data/azuredeploy.parameters.json b/DataConnectors/O365 Data/azuredeploy.parameters.json
@@ -2,9 +2,6 @@
   "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
   "contentVersion": "1.0.0.0",
   "parameters": {
-    "FunctionName": {
-      "value": "O365Data"
-    },
     "clientID": {
       "value": "<AADclientId>"
     },