diff --git a/Solutions/Google Cloud Platform Security Command Center/Data Connectors/GCPSecurityCommandCenter.json b/Solutions/Google Cloud Platform Security Command Center/Data Connectors/GCPSecurityCommandCenter.json new file mode 100644 index 00000000000..ce311ecc984 --- /dev/null +++ b/Solutions/Google Cloud Platform Security Command Center/Data Connectors/GCPSecurityCommandCenter.json @@ -0,0 +1,103 @@ +{ +"id": "GoogleSCCDefinition", +"title": "Google Security Command Center", +"publisher": "Microsoft", +"descriptionMarkdown": "The Google Cloud Platform (GCP) Security Command Center is a comprehensive security and risk management platform for Google Cloud, ingested from Sentinel's connector. It offers features such as asset inventory and discovery, vulnerability and threat detection, and risk mitigation and remediation to help you gain insight into your organization's security and data attack surface. This integration enables you to perform tasks related to findings and assets more effectively.", +"graphQueriesTableName": "GoogleCloudSCC", +"graphQueries": [ + { + "metricName": "Total events received", + "legend": "Google Security Command Center", + "baseQuery": "{{graphQueriesTableName}}" + } +], +"sampleQueries": [ + { + "description": "Get Sample of Google SCC", + "query": "{{graphQueriesTableName}}\n | take 10" + } +], +"dataTypes": [ + { + "name": "{{graphQueriesTableName}}", + "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(12h) | where name_s == \"no data test\" | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } +], +"connectivityCriteria": [ + { + "type": "HasDataConnectors", + "value": null + } +], +"availability": { + "status": 1, + "isPreview": true +}, +"permissions": { + "tenant": null, + "licenses": null, + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "Read and Write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true, + "action": false + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "Read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "read": false, + "write": false, + "delete": false, + "action": true + } + } + ] +}, +"instructionSteps": [ + { + "instructions": [ + { + "type": "Markdown", + "parameters": { + "content": "#### 1. Set up your GCP environment \n You must have the following GCP resources defined and configured: topic, subscription for the topic, workload identity pool, workload identity provider and service account with permissions to get and consume from subscription. \n Terraform provides API for the IAM that creates the resources. [Link to Terraform scripts](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/GCP/Terraform/sentinel_resources_creation)." + } + }, + { + "type": "CopyableLabel", + "parameters": { + "label": "Tenant ID: A unique identifier that is used as an input in the Terraform configuration within a GCP environment.", + "fillWith": [ + "TenantId" + ], + "name": "PoolId", + "disabled": true + } + }, + { + "type": "Markdown", + "parameters": { + "content": "#### 2. Connect new collectors \n To enable GCP SCC for Microsoft Sentinel, click the Add new collector button, fill the required information in the context pane and click on Connect." + } + }, + { + "type": "GCPGrid", + "parameters": {} + }, + { + "type": "GCPContextPane", + "parameters": {} + } + ] + } + ] +} \ No newline at end of file diff --git a/Solutions/Google Cloud Platform Security Command Center/Data/Solution_Google Cloud Platform Security Command Center.json b/Solutions/Google Cloud Platform Security Command Center/Data/Solution_Google Cloud Platform Security Command Center.json new file mode 100644 index 00000000000..f1a5f4e1ecd --- /dev/null +++ b/Solutions/Google Cloud Platform Security Command Center/Data/Solution_Google Cloud Platform Security Command Center.json @@ -0,0 +1,14 @@ +{ + "Name": "Google Cloud Platform Security Command Center", + "Author": "Microsoft - support@microsoft.com", + "Logo": "", + "Description": "The Google Cloud Platform (GCP) Security Command Center is a comprehensive security and risk management platform for Google Cloud, ingested from Sentinel's connector. It offers features such as asset inventory and discovery, vulnerability and threat detection, and risk mitigation and remediation to help you gain insight into your organization's security and data attack surface. This integration enables you to perform tasks related to findings and assets more effectively.", + "Data Connectors": [ + "Data Connectors/GCPSecurityCommandCenter.json" + ], + "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Google Cloud Platform Security Command Center\\", + "Version": "3.0.0", + "TemplateSpec": true, + "Is1PConnector": true, + "Metadata": "SolutionMetadata.json" +} \ No newline at end of file diff --git a/Solutions/Google Cloud Platform Security Command Center/Data/system_generated_metadata.json b/Solutions/Google Cloud Platform Security Command Center/Data/system_generated_metadata.json new file mode 100644 index 00000000000..6995a9e4881 --- /dev/null +++ b/Solutions/Google Cloud Platform Security Command Center/Data/system_generated_metadata.json @@ -0,0 +1,29 @@ +{ + "Name": "Google Cloud Platform Security Command Center", + "Author": "Microsoft - support@microsoft.com", + "Logo": "", + "Description": "The Google Cloud Platform (GCP) Security Command Center is a comprehensive security and risk management platform for Google Cloud, ingested from Sentinel's connector. It offers features such as asset inventory and discovery, vulnerability and threat detection, and risk mitigation and remediation to help you gain insight into your organization's security and data attack surface. This integration enables you to perform tasks related to findings and assets more effectively.", + "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Google Cloud Platform Security Command Center\\", + "Version": "3.0.0", + "TemplateSpec": true, + "Is1PConnector": true, + "Metadata": "SolutionMetadata.json", + "publisherId": "azuresentinel", + "offerId": "azure-sentinel-solution-gcpsecuritycommandcenter", + "providers": [ + "Microsoft" + ], + "categories": { + "domains": [ + "Security - Cloud Security" + ] + }, + "firstPublishDate": "2023-09-11", + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + }, + "Data Connectors": "[\n \"Data Connectors/GCPSecurityCommandCenter.json\"\n]" +} diff --git a/Solutions/Google Cloud Platform Security Command Center/Package/3.0.0.zip b/Solutions/Google Cloud Platform Security Command Center/Package/3.0.0.zip new file mode 100644 index 00000000000..fac05a451e0 Binary files /dev/null and b/Solutions/Google Cloud Platform Security Command Center/Package/3.0.0.zip differ diff --git a/Solutions/Google Cloud Platform Security Command Center/Package/createUiDefinition.json b/Solutions/Google Cloud Platform Security Command Center/Package/createUiDefinition.json new file mode 100644 index 00000000000..6497ef1029b --- /dev/null +++ b/Solutions/Google Cloud Platform Security Command Center/Package/createUiDefinition.json @@ -0,0 +1,85 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", + "handler": "Microsoft.Azure.CreateUIDef", + "version": "0.1.2-preview", + "parameters": { + "config": { + "isWizard": false, + "basics": { + "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Google Cloud Platform Security Command Center/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Google Cloud Platform (GCP) Security Command Center is a comprehensive security and risk management platform for Google Cloud, ingested from Sentinel's connector. It offers features such as asset inventory and discovery, vulnerability and threat detection, and risk mitigation and remediation to help you gain insight into your organization's security and data attack surface. This integration enables you to perform tasks related to findings and assets more effectively.\n\n**Data Connectors:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "subscription": { + "resourceProviders": [ + "Microsoft.OperationsManagement/solutions", + "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "Microsoft.Insights/workbooks", + "Microsoft.Logic/workflows" + ] + }, + "location": { + "metadata": { + "hidden": "Hiding location, we get it from the log analytics workspace" + }, + "visible": false + }, + "resourceGroup": { + "allowExisting": true + } + } + }, + "basics": [ + { + "name": "getLAWorkspace", + "type": "Microsoft.Solutions.ArmApiControl", + "toolTip": "This filters by workspaces that exist in the Resource Group selected", + "condition": "[greater(length(resourceGroup().name),0)]", + "request": { + "method": "GET", + "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]" + } + }, + { + "name": "workspace", + "type": "Microsoft.Common.DropDown", + "label": "Workspace", + "placeholder": "Select a workspace", + "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected", + "constraints": { + "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]", + "required": true + }, + "visible": true + } + ], + "steps": [ + { + "name": "dataconnectors", + "label": "Data Connectors", + "bladeTitle": "Data Connectors", + "elements": [ + { + "name": "dataconnectors1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This Solution installs the data connector for Google Cloud Platform Security Command Center. You can get Google Cloud Platform Security Command Center custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." + } + }, + { + "name": "dataconnectors-link2", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more about connecting data sources", + "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources" + } + } + } + ] + } + ], + "outputs": { + "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]", + "location": "[location()]", + "workspace": "[basics('workspace')]" + } + } +} diff --git a/Solutions/Google Cloud Platform Security Command Center/Package/mainTemplate.json b/Solutions/Google Cloud Platform Security Command Center/Package/mainTemplate.json new file mode 100644 index 00000000000..1048158d811 --- /dev/null +++ b/Solutions/Google Cloud Platform Security Command Center/Package/mainTemplate.json @@ -0,0 +1,598 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string", + "minLength": 1, + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" + } + }, + "workspace-location": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" + } + }, + "subscription": { + "defaultValue": "[last(split(subscription().id, '/'))]", + "type": "string", + "metadata": { + "description": "subscription id where Microsoft Sentinel is setup" + } + }, + "resourceGroupName": { + "defaultValue": "[resourceGroup().name]", + "type": "string", + "metadata": { + "description": "resource group name where Microsoft Sentinel is setup" + } + }, + "workspace": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" + } + } + }, + "variables": { + "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", + "_solutionName": "Google Cloud Security Command Center", + "_solutionVersion": "3.0.0", + "_solutionAuthor": "Microsoft", + "_packageIcon": "google_logo", + "solutionId" : "azuresentinel.azure-sentinel-solution-gcpscclogs-api", + "_solutionId": "[variables('solutionId')]", + "uiConfigId1": "GoogleSCCDefinition", + "_uiConfigId1": "[variables('uiConfigId1')]", + "dataConnectorVersionConnectorDefinition": "3.0.0", + "dataConnectorVersionConnections": "3.0.0", + "_dataConnectorContentIdConnectorDefinition": "[variables('uiConfigId1')]", + "dataConnectorTemplateNameConnectorDefinition": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnectorDefinition')))]", + "_dataConnectorContentIdConnections": "GoogleSCCTemplateConnections", + "dataConnectorTemplateNameConnections": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnections')))]", + "dataType": "GoogleCloudSCC", + "streamName": "SENTINEL_GOOGLE_CLOUD_SCC", + "dataCollectionRuleId": "GoogleCloudSCC" + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnectorDefinition'), variables('dataConnectorVersionConnectorDefinition'))]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "contentId": "[variables('_dataConnectorContentIdConnectorDefinition')]", + "displayName": "Google Security Command Center (Preview)", + "contentKind": "DataConnector", + "contentProductId": "[concat(substring(variables('_solutionId'), 0, 50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('dataConnectorTemplateNameConnectorDefinition'),'-', variables('dataConnectorVersionConnectorDefinition'))))]", + "id": "[concat(substring(variables('_solutionId'), 0, 50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('dataConnectorTemplateNameConnectorDefinition'),'-', variables('dataConnectorVersionConnectorDefinition'))))]", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorVersionConnectorDefinition')]", + "parameters": { + + }, + "variables": { + + }, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition'))]", + "apiVersion": "2022-09-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions", + "location": "[parameters('workspace-location')]", + "kind": "Customizable", + "properties": { + "connectorUiConfig": { + "id": "[variables('_uiConfigId1')]", + "title": "Google Security Command Center (Preview)", + "publisher": "Microsoft", + "descriptionMarkdown": "The Google Cloud Platform (GCP) Security Command Center is a comprehensive security and risk management platform for Google Cloud, ingested from Sentinel's connector. It offers features such as asset inventory and discovery, vulnerability and threat detection, and risk mitigation and remediation to help you gain insight into your organization's security and data attack surface. This integration enables you to perform tasks related to findings and assets more effectively.", + "graphQueriesTableName": "GoogleCloudSCC", + "graphQueries": [ + { + "metricName": "Total events received", + "legend": "Google Security Command Center", + "baseQuery": "{{graphQueriesTableName}}" + } + ], + "sampleQueries": [ + { + "description": "Get Sample of Google SCC", + "query": "{{graphQueriesTableName}}\n | take 10" + } + ], + "dataTypes": [ + { + "name": "{{graphQueriesTableName}}", + "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(12h) | where name_s == \"no data test\" | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriteria": [ + { + "type": "HasDataConnectors", + "value": null + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "Read and Write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true, + "action": false + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "Read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "read": false, + "write": false, + "delete": false, + "action": true + } + } + ] + }, + "instructionSteps": [ + { + "instructions": [ + { + "type": "Markdown", + "parameters": { + "content": "#### 1. Set up your GCP environment \n You must have the following GCP resources defined and configured: topic, subscription for the topic, workload identity pool, workload identity provider and service account with permissions to get and consume from subscription. \n Terraform provides API for the IAM that creates the resources. [Link to Terraform scripts](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/GCP/Terraform/sentinel_resources_creation)." + } + }, + { + "type": "CopyableLabel", + "parameters": { + "label": "Tenant ID: A unique identifier that is used as an input in the Terraform configuration within a GCP environment.", + "fillWith": [ + "TenantId" + ], + "name": "PoolId", + "disabled": true + } + }, + { + "type": "Markdown", + "parameters": { + "content": "#### 2. Connect new collectors \n To enable GCP SCC for Microsoft Sentinel, click the Add new collector button, fill the required information in the context pane and click on Connect." + } + }, + { + "type": "GCPGrid", + "parameters": {} + }, + { + "type": "GCPContextPane", + "parameters": {} + } + ] + } + ], + "isConnectivityCriteriasMatchSome": false + }} + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition')))]", + "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition'))]", + "contentId": "[variables('_dataConnectorContentIdConnectorDefinition')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersionConnectorDefinition')]", + "source": { + "sourceId": "[variables('_solutionId')]", + "name": "[variables('_solutionName')]", + "kind": "Solution" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + }, + "dependencies": { + "criteria": [ + { + "version": "[variables('dataConnectorVersionConnections')]", + "contentId": "[variables('_dataConnectorContentIdConnections')]", + "kind": "ResourcesDataConnector" + } + ] + } + } + }, + { + "name": "[variables('dataCollectionRuleId')]", + "apiVersion": "2021-09-01-preview", + "type": "Microsoft.Insights/dataCollectionRules", + "location": "[parameters('workspace-location')]", + "kind": null, + "properties": { + "destinations": { + "logAnalytics": [ + { + "workspaceResourceId": "[variables('workspaceResourceId')]", + "name": "clv2ws1" + } + ] + }, + "dataFlows": [ + { + "streams": [ + "Microsoft-GoogleCloudSCC" + ], + "destinations": [ + "clv2ws1" + ] + } + ], + "dataCollectionEndpointId": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]" + } + } + + + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "contentProductId": "[concat(substring(variables('_solutionId'), 0, 50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentIdConnectorDefinition'),'-', variables('dataConnectorVersionConnectorDefinition'))))]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "version": "[variables('_solutionVersion')]" + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition'))]", + "apiVersion": "2022-09-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions", + "location": "[parameters('workspace-location')]", + "kind": "Customizable", + "properties": { + "connectorUiConfig": { + "id": "[variables('_uiConfigId1')]", + "title": "Google Security Command Center (Preview)", + "publisher": "Microsoft", + "descriptionMarkdown": "The Google Cloud Platform (GCP) Security Command Center is a comprehensive security and risk management platform for Google Cloud, ingested from Sentinel's connector. It offers features such as asset inventory and discovery, vulnerability and threat detection, and risk mitigation and remediation to help you gain insight into your organization's security and data attack surface. This integration enables you to perform tasks related to findings and assets more effectively.", + "graphQueriesTableName": "GoogleCloudSCC", + "graphQueries": [ + { + "metricName": "Total events received", + "legend": "Google Security Command Center", + "baseQuery": "{{graphQueriesTableName}}" + } + ], + "sampleQueries": [ + { + "description": "Get Sample of Google SCC", + "query": "{{graphQueriesTableName}}\n | take 10" + } + ], + "dataTypes": [ + { + "name": "{{graphQueriesTableName}}", + "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(12h) | where name_s == \"no data test\" | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriteria": [ + { + "type": "HasDataConnectors", + "value": null + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "Read and Write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true, + "action": false + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "Read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "read": false, + "write": false, + "delete": false, + "action": true + } + } + ] + }, + "instructionSteps": [ + { + "instructions": [ + { + "type": "Markdown", + "parameters": { + "content": "#### 1. Set up your GCP environment \n You must have the following GCP resources defined and configured: topic, subscription for the topic, workload identity pool, workload identity provider and service account with permissions to get and consume from subscription. \n Terraform provides API for the IAM that creates the resources. [Link to Terraform scripts](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/GCP/Terraform/sentinel_resources_creation)." + } + }, + { + "type": "CopyableLabel", + "parameters": { + "label": "Tenant ID: A unique identifier that is used as an input in the Terraform configuration within a GCP environment.", + "fillWith": [ + "TenantId" + ], + "name": "PoolId", + "disabled": true + } + }, + { + "type": "Markdown", + "parameters": { + "content": "#### 2. Connect new collectors \n To enable GCP SCC for Microsoft Sentinel, click the Add new collector button, fill the required information in the context pane and click on Connect." + } + }, + { + "type": "GCPGrid", + "parameters": {} + }, + { + "type": "GCPContextPane", + "parameters": {} + } + ] + } + ], + "isConnectivityCriteriasMatchSome": false + }} + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition')))]", + "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition'))]", + "contentId": "[variables('_dataConnectorContentIdConnectorDefinition')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersionConnectorDefinition')]", + "source": { + "sourceId": "[variables('_solutionId')]", + "name": "[variables('_solutionName')]", + "kind": "Solution" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + }, + "dependencies": { + "criteria": [ + { + "version": "[variables('dataConnectorVersionConnections')]", + "contentId": "[variables('_dataConnectorContentIdConnections')]", + "kind": "ResourcesDataConnector" + } + ] + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnections'), variables('dataConnectorVersionConnections'))]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "contentId": "[variables('_dataConnectorContentIdConnections')]", + "displayName": "[variables('_solutionName')]", + "contentKind": "ResourcesDataConnector", + "id": "[concat(substring(variables('_solutionId'), 0, 50),'-','rdc','-', uniqueString(concat(variables('_solutionId'),'-','ResourcesDataConnector','-',variables('_dataConnectorContentIdConnections'),'-', variables('dataConnectorVersionConnections'))))]", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorVersionConnections')]", + "parameters": { + "GCPProjectId": { + "type": "String", + "minLength": 4 + }, + "GCPProjectNumber": { + "type": "String", + "minLength": 1 + }, + "GCPWorkloadIdentityProviderId": { + "type": "String" + }, + "GCPServiceAccountEmail": { + "type": "String", + "minLength": 1 + }, + "GCPSubscriptionName": { + "type": "String", + "minLength": 3 + }, + "connectorDefinitionName": { + "defaultValue": "connectorDefinitionName", + "type": "string", + "minLength": 1, + "metadata": { + "description": "connectorDefinitionName" + } + }, + "workspace": { + "defaultValue": "[parameters('workspace')]", + "type": "string" + }, + "dcrConfig": { + "type": "object", + "defaultValue": { + "dataCollectionEndpoint": "data collection Endpoint", + "dataCollectionRuleImmutableId": "data collection rule immutableId" + } + }, + "guidValue": { + "type": "string", + "defaultValue": "[[newGuid()]" + } + }, + "variables": { + "_dataConnectorContentIdConnections": "[variables('_dataConnectorContentIdConnections')]", + "connectorName": "[[concat('GCPAuditLogs', parameters('guidValue'))]" + + }, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnections')))]", + "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentIdConnections'))]", + "contentId": "[variables('_dataConnectorContentIdConnections')]", + "kind": "ResourcesDataConnector", + "version": "[variables('dataConnectorVersionConnections')]", + "source": { + "sourceId": "[variables('_solutionId')]", + "name": "[variables('_solutionName')]", + "kind": "Solution" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + }, + { + "name": "[[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('connectorName'))]", + "apiVersion": "2022-12-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GCP", + "properties": { + "connectorDefinitionName": "[[parameters('connectorDefinitionName')]", + "dcrConfig": { + "streamName": "[variables('streamName')]", + "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", + "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" + }, + "dataType": "[variables('dataType')]", + "auth": { + "serviceAccountEmail": "[[parameters('GCPServiceAccountEmail')]", + "projectNumber": "[[parameters('GCPProjectNumber')]", + "workloadIdentityProviderId": "[[parameters('GCPWorkloadIdentityProviderId')]" + }, + "request": { + "projectId": "[[parameters('GCPProjectId')]", + "subscriptionNames": [ + "[[parameters('GCPSubscriptionName')]" + ] + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "contentProductId": "[concat(substring(variables('_solutionId'), 0, 50),'-','rdc','-', uniqueString(concat(variables('_solutionId'),'-','ResourcesDataConnector','-',variables('_dataConnectorContentIdConnections'),'-', variables('dataConnectorVersionConnections'))))]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "version": "[variables('_solutionVersion')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]", + "location": "[parameters('workspace-location')]", + "apiVersion": "2023-04-01-preview", + "properties": { + "version": "[variables('_solutionVersion')]", + "kind": "Solution", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_solutionId')]", + "source": { + "kind": "Solution", + "name": "[variables('_solutionName')]", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "[variables('_solutionAuthor')]" + }, + "support": { + "name": "[variables('_solutionAuthor')]", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com/" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "kind": "DataConnector", + "contentId": "[variables('dataConnectorVersionConnectorDefinition')]", + "version": "[variables('_dataConnectorContentIdConnectorDefinition')]" + } + ] + }, + "firstPublishDate": "2022-06-24", + "providers": [ + "[variables('_solutionAuthor')]" + ], + "categories": { + "domains": [ + "Security - Cloud Security" + ] + }, + "contentKind": "Solution", + "packageId": "[variables('_solutionId')]", + "contentProductId": "[concat(substring(variables('_solutionId'), 0, 50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]", + "displayName": "[variables('_solutionName')]", + "publisherDisplayName": "[variables('_solutionId')]", + "descriptionHtml": "test", + "icon": "[variables('_packageIcon')]" + } + } + ] +} diff --git a/Solutions/Google Cloud Platform Security Command Center/ReleaseNotes.md b/Solutions/Google Cloud Platform Security Command Center/ReleaseNotes.md new file mode 100644 index 00000000000..4605c7dcd6e --- /dev/null +++ b/Solutions/Google Cloud Platform Security Command Center/ReleaseNotes.md @@ -0,0 +1,3 @@ +| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | +|-------------|--------------------------------|---------------------------------------------| +| 3.0.0 | 11-09-2023 | Initial solution release | diff --git a/Solutions/Google Cloud Platform Security Command Center/SolutionMetadata.json b/Solutions/Google Cloud Platform Security Command Center/SolutionMetadata.json new file mode 100644 index 00000000000..a6c65a0a611 --- /dev/null +++ b/Solutions/Google Cloud Platform Security Command Center/SolutionMetadata.json @@ -0,0 +1,19 @@ +{ + "publisherId": "azuresentinel", + "offerId": "azure-sentinel-solution-gcpscclogs-api", + "firstPublishDate": "2023-09-11", + "providers": [ + "Microsoft" + ], + "categories": { + "domains": [ + "Security - Cloud Security" + ] + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } +} \ No newline at end of file