Doppel solution #11459

Merged
merged 17 commits into from
Dec 11, 2024

Conversation

anantm-metron (Contributor)

Required items, please complete

Change(s):

  • Created a Doppel folder inside Solutions, with subfolders for Data Connectors and Workbooks.
  • Added the following files:
    • Data Connectors:
      • Connector_Doppel.json
      • DeployToAzure.json
    • Workbooks:
      • Doppel.json
      • Preview images for the workbooks.
    • Logos:
      • doppel.svg
    • Sample Data:
      • Doppel_Logs.json for sample data ingestion.

Reason for Change(s):

  • Initial commit: To submit Doppel Data Connectors and Workbooks for review by the Microsoft Sentinel team as part of the integration process.

Version Updated:

  • No
  • It does not involve analytic rule or detection templates that would require a version number.

Testing Completed:

  • Yes
  • Tested locally using a Microsoft Sentinel environment.
  • Validated that the Data Connectors and Workbooks function as expected when imported into Sentinel, and that the Sample Logs are correctly processed.

Checked that the validations are passing and have addressed any issues that are present:

  • Yes, all validations have passed.
  • There were no issues with the workbooks or data connectors after testing.

@anantm-metron anantm-metron requested review from a team as code owners November 20, 2024 13:37
@anantm-metron (Contributor, Author)

@anantm-metron please read the following Contributor License Agreement(CLA). If you agree with the CLA, please reply with the following information.

@microsoft-github-policy-service agree [company="{your company}"]

Options:

  • (default - no company specified) I have sole ownership of intellectual property rights to my Submissions and I am not making Submissions in the course of work for my employer.
@microsoft-github-policy-service agree
  • (when company given) I am making Submissions in the course of work for my employer (or my employer has intellectual property rights in my Submissions by contract or applicable law). I have permission from my employer to make Submissions and enter into this Agreement on behalf of my employer. By signing below, the defined term “You” includes me and my employer.
@microsoft-github-policy-service agree company="Microsoft"

Contributor License Agreement

@microsoft-github-policy-service agree company="Doppel"

…SVG, and updated IDs in Doppel workbook and connector files
@v-prasadboke v-prasadboke self-assigned this Nov 21, 2024
@v-prasadboke v-prasadboke added Connector Connector specialty review needed New Solution For new Solutions which are new to Microsoft Sentinel labels Nov 21, 2024
v-prasadboke (Contributor) commented Nov 28, 2024

Hello @anantm-metron,

  1. Update the branch from master

  2. Please create an input file, which will be located in the Data folder.
    This file will consist of the basic details of the Solution and the content listed in the Solution.

  3. Add a Solutionmetadata file, which will consist of the metadata details of the Solution.
    For the input file and solution metadata, please refer to https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Agari

  4. Add workbook metadata to this Location - https://github.com/Azure/Azure-Sentinel/blob/master/Workbooks/WorkbooksMetadata.json

  5. The workbook images added are B&W; add colorful images. For each image added, add it with a white and a black background.

  6. Can you specify what kind of connector this is? Is this a custom connector or of kind CCP?
    I'm confused about the azuredeploy file you added; if possible, please specify.

  7. Also please provide write access to the branch.

@anantm-metron anantm-metron requested review from a team as code owners December 2, 2024 13:40
@anantm-metron (Contributor, Author)

Hi @v-prasadboke,

Thanks for the review! I've addressed the comments as follows:

  1. Solution Input File: Created in the Data folder with solution details and listed content.
  2. Solution Metadata: Added the metadata file, following the Agari solution example.
  3. Workbook Metadata: Updated the workbook metadata as per the reference.
  4. Workbook Images: Added colorful images with white and black backgrounds.
  5. Connector Type: This is a Custom Data Connector for Doppel.
  6. azuredeploy File: The DeployToAzure.json is an ARM template that configures a DCR-based custom connector, enabling one-click deployment to create the necessary DCE, DCR, and custom Log Analytics table for the Doppel connector, eliminating manual setup steps.
  7. Write Access: Provided write access to the branch.

Let me know if you need further changes!

syslog_ext[field] = ("{}{}{}".format(field,KVDelimiter,extenstion_data[field]))

prefixes = syslog_header
return_message = template.format(priority=syslog_header['priority'], version=syslog_header['version'],ISOTimeStamp=syslog_header['ISOTimeStamp'],hostName=syslog_header['hostName'],restofmessage=syslog_header['restofmessage'] )

Check warning: Code scanning / CodeQL

Unused named argument in formatting call (Warning)

  • Surplus named argument for string format. An argument named 'version' is provided, but it is not required by format "{hostName} {restofmessage}".
  • Surplus named argument for string format. An argument named 'ISOTimeStamp' is provided, but it is not required by format "{hostName} {restofmessage}".
  • Surplus named argument for string format. An argument named 'priority' is provided, but it is not required by format "{hostName} {restofmessage}".
v-prasadboke (Contributor) commented Dec 3, 2024

Hello @anantm-metron, I have added some permissions in the data connector.
Please check once and act as needed.

v-prasadboke
v-prasadboke previously approved these changes Dec 3, 2024
v-atulyadav
v-atulyadav previously approved these changes Dec 3, 2024
v-prasadboke (Contributor)

Hello @anantm-metron, please create a custom table schema for the table mentioned in the workbook.
For reference: https://github.com/Azure/Azure-Sentinel/tree/master/.script/tests/KqlvalidationsTests/CustomTables

v-prasadboke
v-prasadboke previously approved these changes Dec 6, 2024
@v-atulyadav v-atulyadav merged commit 7b57f56 into Azure:master Dec 11, 2024
47 checks passed