Skip to content

Commit

Permalink
Merge pull request #9186 from Azure/prisma_cloud_compute_ccp_package
Browse files Browse the repository at this point in the history 
Prisma Cloud Compute Solution Package With CCP CLV2
  • Loading branch information
@v-amolpatil
v-amolpatil authored Oct 31, 2023
2 parents 87a1470 + 9521587 commit e42556b
Show file tree
Hide file tree
Showing 21 changed files with 1,254 additions and 873 deletions.
0 ...a Connectors/Images/Accesskey_details.png → ...a Connectors/Images/Accesskey_details.png
View file
File renamed without changes
0 ...a Connectors/Images/Accesskey_results.png → ...a Connectors/Images/Accesskey_results.png
View file
File renamed without changes
0 ...Connectors/Images/New_Service_account.png → ...Connectors/Images/New_Service_account.png
View file
File renamed without changes
0 ...Data Connectors/Images/access_control.png → ...Data Connectors/Images/access_control.png
View file
File renamed without changes
0 ...ute/Data Connectors/Images/add_option.png → ...WPP/Data Connectors/Images/add_option.png
View file
File renamed without changes
0 ...Data Connectors/Images/console_portal.png → ...Data Connectors/Images/console_portal.png
View file
File renamed without changes
0 ...ompute/Data Connectors/Images/setting.png → ...d CWPP/Data Connectors/Images/setting.png
View file
File renamed without changes
123 changes: 123 additions & 0 deletions Solutions/Palo Alto Prisma Cloud CWPP/Data Connectors/PaloAltoPrismaCloudCWPP_ccp/DCR.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,123 @@
[{
"name": "PaloAltoPrismaCloudCWPP_DCR",
"apiVersion": "2021-09-01-preview",
"type": "Microsoft.Insights/dataCollectionRules",
"properties": {
"streamDeclarations": {
"Custom-PaloAltoPrismaCloudCWPP_IncidentsApi": {
"columns": [
{
"name": "_id",
"type": "string",
"description": "_id value."
},
{
"name": "time",
"type": "datetime",
"description": "The time at which the data was generated"
},
{
"name": "fqdn",
"type": "string",
"description": "Fqdn."
},
{
"name": "containerName",
"type": "string",
"description": "Container Name."
},
{
"name": "containerID",
"type": "string",
"description": "Container Id."
},
{
"name": "imageID",
"type": "string",
"description": "Image Id."
},
{
"name": "profileID",
"type": "string",
"description": "Profile Id."
},
{
"name": "accountID",
"type": "string",
"description": "Account Id."
},
{
"name": "serialNum",
"type": "int",
"description": "Serial Number of event."
},
{
"name": "acknowledged",
"type": "boolean",
"description": "Acknowledged or not."
},
{
"name": "category",
"type": "string",
"description": "Describes the type of attack."
},
{
"name": "type",
"type": "string",
"description": "The Type of resource."
},
{
"name": "audits",
"type": "dynamic",
"description": "The audit information."
},
{
"name": "collections",
"type": "dynamic",
"description": "The collection of resources."
},
{
"name": "hostname",
"type": "string",
"description": "Name of the node initiated the alert."
},
{
"name": "cluster",
"type": "string",
"description": "Name of the cluster the node belongs"
},
{
"name": "imageName",
"type": "string",
"description": "Name of the image involved for the alert"
},
{
"name": "namespace",
"type": "string",
"description": "This is the grouping of the nodes in a cluster."
}
]
}
},
"destinations": {
"logAnalytics": [
{
"workspaceResourceId": "[variables('workspaceResourceId')]",
"name": "clv2ws1"
}
]
},
"dataFlows": [
{
"streams": [
"Custom-PaloAltoPrismaCloudCWPP_IncidentsApi"
],
"destinations": [
"clv2ws1"
],
"transformKql": "source \r\n| project-rename \r\n TimeGenerated = ['time'], PrismaId = _id, SerialNumber = serialNum, Acknowledged = acknowledged, Hostname = hostname, FQDN = fqdn, ContainerName = containerName, ContainerID = containerID, ImageName = imageName, ImageID = imageID, ProfileID = profileID, Namespace = namespace, Category = category, ResourceType = type, Audits = audits, Collections = collections, AccountID = accountID, Cluster = cluster",
"outputStream": "Custom-PrismaCloudCompute_CL"
}
]
}
}]
118 changes: 118 additions & 0 deletions ...to Prisma Cloud CWPP/Data Connectors/PaloAltoPrismaCloudCWPP_ccp/connectorDefinition.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,118 @@
{
"name": "PrismaCloudComputeDefinition",
"apiVersion": "2022-09-01-preview",
"type": "Microsoft.SecurityInsights/dataConnectorDefinitions",
"kind": "Customizable",
"properties": {
"connectorUiConfig": {
"id": "PaloAltoPrismaCloudCWPP",
"title": "Palo Alto Prisma Cloud CWPP (using REST API)",
"publisher": "Microsoft",
"descriptionMarkdown": "The [Palo Alto Prisma Cloud CWPP](https://prisma.pan.dev/api/cloud/cwpp/audits/#operation/get-audits-incidents) data connector allows you to connect to your Palo Alto Prisma Cloud CWPP instance and ingesting alerts into Microsoft Sentinel. The data connector is built on Microsoft Sentinel's Codeless Connector Platform and uses the Prisma Cloud API to fetch security events and supports DCR-based [ingestion time transformations](https://docs.microsoft.com/azure/azure-monitor/logs/custom-logs-overview) that parses the received security event data into a custom columns so that queries don't need to parse it again, thus resulting in better performance.",
"graphQueriesTableName": "PrismaCloudCompute_CL",
"graphQueries": [
{
"metricName": "Total events received",
"legend": "Prisma Compute Events",
"baseQuery": "{{graphQueriesTableName}}"
}
],
"sampleQueries": [
{
"description": "Get Sample of Prisma Compute Events",
"query": "{{graphQueriesTableName}}\n | take 10"
},
{
"description": "Total Events by Event Type",
"query": "{{graphQueriesTableName}}\n | summarize count() by EventOriginalType"
}
],
"dataTypes": [
{
"name": "{{graphQueriesTableName}}",
"lastDataReceivedQuery": "{{graphQueriesTableName}}\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriteria": [
{
"type": "HasDataConnectors"
}
],
"availability": {
"isPreview": false
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "Read and Write permissions are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"read": true,
"delete": true
}
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "Read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"action": true
}
}
],
"customs": [
{
"name": "PrismaCloudCompute API Key",
"description": "A Palo Alto Prisma Cloud CWPP Monitor API username and password is required. [See the documentation to learn more about PrismaCloudCompute SIEM API](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PrismaCloudCompute/Data%20Connectors/readme.md)."
}
]
},
"instructionSteps": [
{
"description": "To enable the Palo Alto Prisma Cloud CWPP Security Events for Microsoft Sentinel, provide the required information below and click on Connect.\n>",
"instructions": [
{
"type": "Textbox",
"parameters": {
"label": "Path to console",
"placeholder": "https://europe-west3.cloud.twistlock.com/{sasid}",
"type": "text",
"name": "domainname"
}
},
{
"type": "Textbox",
"parameters": {
"label": "Prisma Access Key (API)",
"placeholder": "Prisma Access Key (API)",
"type": "text",
"name": "username"
}
},
{
"type": "Textbox",
"parameters": {
"label": "Secret",
"placeholder": "Secret",
"type": "password",
"name": "password"
}
},
{
"parameters": {
"label": "toggle",
"name": "toggle"
},
"type": "ConnectionToggleButton"
}
],
"title": "Connect Palo Alto Prisma Cloud CWPP Security Events to Microsoft Sentinel"
}
]
}
}
}
48 changes: 48 additions & 0 deletions ...to Prisma Cloud CWPP/Data Connectors/PaloAltoPrismaCloudCWPP_ccp/dataConnectorPoller.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,48 @@
[{
"type": "Microsoft.SecurityInsights/dataConnectors",
"apiVersion": "2022-10-01-preview",
"name": "apiRequest",
"kind": "RestApiPoller",
"properties": {
"connectorDefinitionName": "PaloAltoPrismaCloudCWPP",
"dataType": "PrismaCloudCompute_CL",
"dcrConfig": {
"streamName": "Custom-PaloAltoPrismaCloudCWPP_IncidentsApi",
"dataCollectionEndpoint": "data collection Endpoint",
"dataCollectionRuleImmutableId": "data collection rule immutableId"
},
"auth": {
"type": "Basic",
"userName": "[[parameters('username')]",
"password" : "[[parameters('password')]"
},
"request": {
"apiEndpoint": "[[concat(parameters('domainname'),'/api/v1/audits/incidents','?acknowledged=false')]",
"rateLimitQPS": 10,
"queryWindowInMin": 5,
"httpMethod": "Get",
"queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ",
"startTimeAttributeName": "from",
"endTimeAttributeName": "to",
"retryCount": 3,
"timeoutInSeconds": 60,
"headers": {
"Accept": "application/json",
"User-Agent": "Scuba"
},
"queryParameters": {
"sort": "time"
}
},
"paging": {
"pagingType": "Offset",
"offsetParaName": "offset",
"pageSizeParaName": "limit"
},
"response": {
"eventsJsonPaths": [
"$"
]
}
}
}]
Loading

0 comments on commit e42556b

Please sign in to comment.