diff --git a/Solutions/PrismaCloudCompute/Data Connectors/Images/Accesskey_details.png b/Solutions/Palo Alto Prisma Cloud CWPP/Data Connectors/Images/Accesskey_details.png
similarity index 100%
rename from Solutions/PrismaCloudCompute/Data Connectors/Images/Accesskey_details.png
rename to Solutions/Palo Alto Prisma Cloud CWPP/Data Connectors/Images/Accesskey_details.png
diff --git a/Solutions/PrismaCloudCompute/Data Connectors/Images/Accesskey_results.png b/Solutions/Palo Alto Prisma Cloud CWPP/Data Connectors/Images/Accesskey_results.png
similarity index 100%
rename from Solutions/PrismaCloudCompute/Data Connectors/Images/Accesskey_results.png
rename to Solutions/Palo Alto Prisma Cloud CWPP/Data Connectors/Images/Accesskey_results.png
diff --git a/Solutions/PrismaCloudCompute/Data Connectors/Images/New_Service_account.png b/Solutions/Palo Alto Prisma Cloud CWPP/Data Connectors/Images/New_Service_account.png
similarity index 100%
rename from Solutions/PrismaCloudCompute/Data Connectors/Images/New_Service_account.png
rename to Solutions/Palo Alto Prisma Cloud CWPP/Data Connectors/Images/New_Service_account.png
diff --git a/Solutions/PrismaCloudCompute/Data Connectors/Images/access_control.png b/Solutions/Palo Alto Prisma Cloud CWPP/Data Connectors/Images/access_control.png
similarity index 100%
rename from Solutions/PrismaCloudCompute/Data Connectors/Images/access_control.png
rename to Solutions/Palo Alto Prisma Cloud CWPP/Data Connectors/Images/access_control.png
diff --git a/Solutions/PrismaCloudCompute/Data Connectors/Images/add_option.png b/Solutions/Palo Alto Prisma Cloud CWPP/Data Connectors/Images/add_option.png
similarity index 100%
rename from Solutions/PrismaCloudCompute/Data Connectors/Images/add_option.png
rename to Solutions/Palo Alto Prisma Cloud CWPP/Data Connectors/Images/add_option.png
diff --git a/Solutions/PrismaCloudCompute/Data Connectors/Images/console_portal.png b/Solutions/Palo Alto Prisma Cloud CWPP/Data Connectors/Images/console_portal.png
similarity index 100%
rename from Solutions/PrismaCloudCompute/Data Connectors/Images/console_portal.png
rename to Solutions/Palo Alto Prisma Cloud CWPP/Data Connectors/Images/console_portal.png
diff --git a/Solutions/PrismaCloudCompute/Data Connectors/Images/setting.png b/Solutions/Palo Alto Prisma Cloud CWPP/Data Connectors/Images/setting.png
similarity index 100%
rename from Solutions/PrismaCloudCompute/Data Connectors/Images/setting.png
rename to Solutions/Palo Alto Prisma Cloud CWPP/Data Connectors/Images/setting.png
diff --git a/Solutions/Palo Alto Prisma Cloud CWPP/Data Connectors/PaloAltoPrismaCloudCWPP_ccp/DCR.json b/Solutions/Palo Alto Prisma Cloud CWPP/Data Connectors/PaloAltoPrismaCloudCWPP_ccp/DCR.json
new file mode 100644
index 00000000000..ada411f2056
--- /dev/null
+++ b/Solutions/Palo Alto Prisma Cloud CWPP/Data Connectors/PaloAltoPrismaCloudCWPP_ccp/DCR.json
@@ -0,0 +1,123 @@
+[{
+ "name": "PaloAltoPrismaCloudCWPP_DCR",
+ "apiVersion": "2021-09-01-preview",
+ "type": "Microsoft.Insights/dataCollectionRules",
+ "properties": {
+ "streamDeclarations": {
+ "Custom-PaloAltoPrismaCloudCWPP_IncidentsApi": {
+ "columns": [
+ {
+ "name": "_id",
+ "type": "string",
+ "description": "_id value."
+ },
+ {
+ "name": "time",
+ "type": "datetime",
+ "description": "The time at which the data was generated"
+ },
+ {
+ "name": "fqdn",
+ "type": "string",
+ "description": "Fqdn."
+ },
+ {
+ "name": "containerName",
+ "type": "string",
+ "description": "Container Name."
+ },
+ {
+ "name": "containerID",
+ "type": "string",
+ "description": "Container Id."
+ },
+ {
+ "name": "imageID",
+ "type": "string",
+ "description": "Image Id."
+ },
+ {
+ "name": "profileID",
+ "type": "string",
+ "description": "Profile Id."
+ },
+ {
+ "name": "accountID",
+ "type": "string",
+ "description": "Account Id."
+ },
+ {
+ "name": "serialNum",
+ "type": "int",
+ "description": "Serial Number of event."
+ },
+ {
+ "name": "acknowledged",
+ "type": "boolean",
+ "description": "Acknowledged or not."
+ },
+ {
+ "name": "category",
+ "type": "string",
+ "description": "Describes the type of attack."
+ },
+ {
+ "name": "type",
+ "type": "string",
+ "description": "The Type of resource."
+ },
+ {
+ "name": "audits",
+ "type": "dynamic",
+ "description": "The audit information."
+ },
+ {
+ "name": "collections",
+ "type": "dynamic",
+ "description": "The collection of resources."
+ },
+ {
+ "name": "hostname",
+ "type": "string",
+ "description": "Name of the node initiated the alert."
+ },
+ {
+ "name": "cluster",
+ "type": "string",
+ "description": "Name of the cluster the node belongs"
+ },
+ {
+ "name": "imageName",
+ "type": "string",
+ "description": "Name of the image involved for the alert"
+ },
+ {
+ "name": "namespace",
+ "type": "string",
+ "description": "This is the grouping of the nodes in a cluster."
+ }
+ ]
+ }
+ },
+ "destinations": {
+ "logAnalytics": [
+ {
+ "workspaceResourceId": "[variables('workspaceResourceId')]",
+ "name": "clv2ws1"
+ }
+ ]
+ },
+ "dataFlows": [
+ {
+ "streams": [
+ "Custom-PaloAltoPrismaCloudCWPP_IncidentsApi"
+ ],
+ "destinations": [
+ "clv2ws1"
+ ],
+ "transformKql": "source \r\n| project-rename \r\n TimeGenerated = ['time'], PrismaId = _id, SerialNumber = serialNum, Acknowledged = acknowledged, Hostname = hostname, FQDN = fqdn, ContainerName = containerName, ContainerID = containerID, ImageName = imageName, ImageID = imageID, ProfileID = profileID, Namespace = namespace, Category = category, ResourceType = type, Audits = audits, Collections = collections, AccountID = accountID, Cluster = cluster",
+ "outputStream": "Custom-PrismaCloudCompute_CL"
+ }
+ ]
+ }
+}]
\ No newline at end of file
diff --git a/Solutions/Palo Alto Prisma Cloud CWPP/Data Connectors/PaloAltoPrismaCloudCWPP_ccp/connectorDefinition.json b/Solutions/Palo Alto Prisma Cloud CWPP/Data Connectors/PaloAltoPrismaCloudCWPP_ccp/connectorDefinition.json
new file mode 100644
index 00000000000..da741638faf
--- /dev/null
+++ b/Solutions/Palo Alto Prisma Cloud CWPP/Data Connectors/PaloAltoPrismaCloudCWPP_ccp/connectorDefinition.json
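Review bot: Most column `description` values in the `streamDeclarations` only restate the column name (`"_id value."`, `"Fqdn."`, `"Container Id."`), which gives an analyst nothing the schema browser does not already show; the same strings are copied into table.json and into the DCR and table resources in mainTemplate.json, so fixing them in one place and regenerating keeps the four copies aligned. Where the meaning is known from this commit it can be stated, e.g. for the `time` column `"description": "Incident timestamp from the Prisma Cloud CWPP audits/incidents API; mapped to TimeGenerated by the transform."`, and for `acknowledged` `"description": "True when the incident has been acknowledged in the Prisma console; the poller only requests unacknowledged incidents."`. The `serialNum` description here (`"Serial Number of event."`) and the table's `SerialNumber` (`"Serial Number."`) also drift slightly, which is the kind of divergence a single source of truth avoids.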
@@ -0,0 +1,118 @@
+{
+ "name": "PrismaCloudComputeDefinition",
+ "apiVersion": "2022-09-01-preview",
+ "type": "Microsoft.SecurityInsights/dataConnectorDefinitions",
+ "kind": "Customizable",
+ "properties": {
+ "connectorUiConfig": {
+ "id": "PaloAltoPrismaCloudCWPP",
+ "title": "Palo Alto Prisma Cloud CWPP (using REST API)",
+ "publisher": "Microsoft",
+ "descriptionMarkdown": "The [Palo Alto Prisma Cloud CWPP](https://prisma.pan.dev/api/cloud/cwpp/audits/#operation/get-audits-incidents) data connector allows you to connect to your Palo Alto Prisma Cloud CWPP instance and ingesting alerts into Microsoft Sentinel. The data connector is built on Microsoft Sentinel's Codeless Connector Platform and uses the Prisma Cloud API to fetch security events and supports DCR-based [ingestion time transformations](https://docs.microsoft.com/azure/azure-monitor/logs/custom-logs-overview) that parses the received security event data into a custom columns so that queries don't need to parse it again, thus resulting in better performance.",
+ "graphQueriesTableName": "PrismaCloudCompute_CL",
+ "graphQueries": [
+ {
+ "metricName": "Total events received",
+ "legend": "Prisma Compute Events",
+ "baseQuery": "{{graphQueriesTableName}}"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "Get Sample of Prisma Compute Events",
+ "query": "{{graphQueriesTableName}}\n | take 10"
+ },
+ {
+ "description": "Total Events by Event Type",
+ "query": "{{graphQueriesTableName}}\n | summarize count() by EventOriginalType"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "{{graphQueriesTableName}}",
+ "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriteria": [
+ {
+ "type": "HasDataConnectors"
+ }
+ ],
+ "availability": {
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "Read and Write permissions are 
required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "Read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "name": "PrismaCloudCompute API Key",
+ "description": "A Palo Alto Prisma Cloud CWPP Monitor API username and password is required. [See the documentation to learn more about PrismaCloudCompute SIEM API](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PrismaCloudCompute/Data%20Connectors/readme.md)."
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "description": "To enable the Palo Alto Prisma Cloud CWPP Security Events for Microsoft Sentinel, provide the required information below and click on Connect.\n>",
+ "instructions": [
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "Path to console",
+ "placeholder": "https://europe-west3.cloud.twistlock.com/{sasid}",
+ "type": "text",
+ "name": "domainname"
+ }
+ },
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "Prisma Access Key (API)",
+ "placeholder": "Prisma Access Key (API)",
+ "type": "text",
+ "name": "username"
+ }
+ },
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "Secret",
+ "placeholder": "Secret",
+ "type": "password",
+ "name": "password"
+ }
+ },
+ {
+ "parameters": {
+ "label": "toggle",
+ "name": "toggle"
+ },
+ "type": "ConnectionToggleButton"
+ }
+ ],
+ "title": "Connect Palo Alto Prisma Cloud CWPP Security Events to Microsoft Sentinel"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
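Review bot: The second sample query, `{{graphQueriesTableName}}\n | summarize count() by EventOriginalType`, groups by a column that neither table.json nor the DCR transform in this commit produces, so it fails as soon as a user runs it from the connector page; the table's nearest equivalents are `Category` or `ResourceType`, e.g. `"query": "{{graphQueriesTableName}}\n | summarize count() by Category"`. The `customs` description still links to `Solutions/PrismaCloudCompute/Data%20Connectors/readme.md`, which this same commit renames to `Solutions/Palo Alto Prisma Cloud CWPP/Data Connectors/readme.md`, so that link breaks on merge (mainTemplate.json already uses the new path; the `@@ -61` hunk of PrismaCloudCompute_CLV2.json carries the same stale link). The resource `name` is `PrismaCloudComputeDefinition` while `connectorUiConfig.id` and the poller's `connectorDefinitionName` are both `PaloAltoPrismaCloudCWPP`; mainTemplate.json names the definition resource from `_dataConnectorContentIdConnectorDefinition` (`PaloAltoPrismaCloudCWPP`), so aligning `name` with the id removes an ambiguity that a packaging change could turn into an unbound poller. Finally, the `workspaces/sharedKeys` entry asks installers for shared-key `action` rights although nothing in the poller uses shared keys (ingestion goes through `dcrConfig`), so dropping it keeps the requested permissions to what the connector exercises — confirm first that the CCP platform itself does not require it.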
diff --git a/Solutions/Palo Alto Prisma Cloud CWPP/Data Connectors/PaloAltoPrismaCloudCWPP_ccp/dataConnectorPoller.json b/Solutions/Palo Alto Prisma Cloud CWPP/Data Connectors/PaloAltoPrismaCloudCWPP_ccp/dataConnectorPoller.json
new file mode 100644
index 00000000000..830c5002f61
--- /dev/null
+++ b/Solutions/Palo Alto Prisma Cloud CWPP/Data Connectors/PaloAltoPrismaCloudCWPP_ccp/dataConnectorPoller.json
@@ -0,0 +1,48 @@
+[{
+ "type": "Microsoft.SecurityInsights/dataConnectors",
+ "apiVersion": "2022-10-01-preview",
+ "name": "apiRequest",
+ "kind": "RestApiPoller",
+ "properties": {
+ "connectorDefinitionName": "PaloAltoPrismaCloudCWPP",
+ "dataType": "PrismaCloudCompute_CL",
+ "dcrConfig": {
+ "streamName": "Custom-PaloAltoPrismaCloudCWPP_IncidentsApi",
+ "dataCollectionEndpoint": "data collection Endpoint",
+ "dataCollectionRuleImmutableId": "data collection rule immutableId"
+ },
+ "auth": {
+ "type": "Basic",
+ "userName": "[[parameters('username')]",
+ "password" : "[[parameters('password')]"
+ },
+ "request": {
+ "apiEndpoint": "[[concat(parameters('domainname'),'/api/v1/audits/incidents','?acknowledged=false')]",
+ "rateLimitQPS": 10,
+ "queryWindowInMin": 5,
+ "httpMethod": "Get",
+ "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ",
+ "startTimeAttributeName": "from",
+ "endTimeAttributeName": "to",
+ "retryCount": 3,
+ "timeoutInSeconds": 60,
+ "headers": {
+ "Accept": "application/json",
+ "User-Agent": "Scuba"
+ },
+ "queryParameters": {
+ "sort": "time"
+ }
+ },
+ "paging": {
+ "pagingType": "Offset",
+ "offsetParaName": "offset",
+ "pageSizeParaName": "limit"
+ },
+ "response": {
+ "eventsJsonPaths": [
+ "$"
+ ]
+ }
+ }
+}]
\ No newline at end of file
diff --git a/Solutions/Palo Alto Prisma Cloud CWPP/Data Connectors/PaloAltoPrismaCloudCWPP_ccp/table.json b/Solutions/Palo Alto Prisma Cloud CWPP/Data Connectors/PaloAltoPrismaCloudCWPP_ccp/table.json
new file mode 100644
index 00000000000..6c230f9e665
--- /dev/null
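Review bot: The `Basic` credentials in `auth` are sent to whatever the operator types into `domainname`, which `apiEndpoint` concatenates without checking the scheme, so an `http://` console path would put the access key and secret on the wire unencrypted; the textbox placeholder shows `https://` but nothing in this file or the definition enforces it. If the CCP textbox cannot validate the value, at least make the requirement explicit in the instruction step, e.g. `"label": "Path to console (https:// URL of your Prisma Cloud Compute console)"`. The `User-Agent` value `Scuba` does not identify the caller; a value naming the Sentinel connector makes the polling traffic attributable in the Prisma console's own audit logs. Separately, `Offset` paging over a result set filtered by `?acknowledged=false` and ordered by `sort=time` means incidents acknowledged between page fetches shift later offsets, which can skip or duplicate records within a query window — worth confirming against the API's paging semantics before relying on it for alert completeness.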
+++ b/Solutions/Palo Alto Prisma Cloud CWPP/Data Connectors/PaloAltoPrismaCloudCWPP_ccp/table.json 
@@ -0,0 +1,104 @@
+[{
+ "name": "PrismaCloudCompute_CL",
+ "type": "Microsoft.OperationalInsights/workspaces/tables",
+ "apiVersion": "2021-03-01-privatepreview",
+ "tags": {},
+ "properties": {
+ "schema": {
+ "name": "PrismaCloudCompute_CL",
+ "columns": [
+ {
+ "name": "PrismaId",
+ "type": "string",
+ "description": "_id value."
+ },
+ {
+ "name": "TimeGenerated",
+ "type": "datetime",
+ "isDefaultDisplay": true,
+ "description": "The timestamp (UTC) reflecting the time in which the event was generated."
+ },
+ {
+ "name": "FQDN",
+ "type": "string",
+ "description": "Fqdn."
+ },
+ {
+ "name": "ContainerName",
+ "type": "string",
+ "description": "Container Name."
+ },
+ {
+ "name": "ContainerID",
+ "type": "string",
+ "description": "Container Id."
+ },
+ {
+ "name": "ImageID",
+ "type": "string",
+ "description": "Image Id."
+ },
+ {
+ "name": "ProfileID",
+ "type": "string",
+ "description": "Profile Id."
+ },
+ {
+ "name": "AccountID",
+ "type": "string",
+ "description": "Account Id."
+ },
+ {
+ "name": "SerialNumber",
+ "type": "int",
+ "description": "Serial Number."
+ },
+ {
+ "name": "Acknowledged",
+ "type": "boolean",
+ "description": "Acknowledged or not."
+ },
+ {
+ "name": "Category",
+ "type": "string",
+ "description": "Describes the type of attack."
+ },
+ {
+ "name": "ResourceType",
+ "type": "string",
+ "description": "The Type of resource."
+ },
+ {
+ "name": "Audits",
+ "type": "dynamic",
+ "description": "The audit information."
+ },
+ {
+ "name": "Collections",
+ "type": "dynamic",
+ "description": "The collection of resources."
+ },
+ {
+ "name": "Hostname",
+ "type": "string",
+ "description": "Name of the node initiated the alert."
+ },
+ {
+ "name": "Cluster",
+ "type": "string",
+ "description": "Name of the cluster the node belongs"
+ },
+ {
+ "name": "ImageName",
+ "type": "string",
+ "description": "Name of the image involved for the alert"
+ },
+ {
+ "name": "Namespace",
+ "type": "string",
+ "description": "This is the grouping of the nodes in a cluster."
+ }
+ ]
+ }
+ }
+}]
\ No newline at end of file
diff --git a/Solutions/PrismaCloudCompute/Data Connectors/PrismaCloudCompute_CLV2.json b/Solutions/Palo Alto Prisma Cloud CWPP/Data Connectors/PrismaCloudCompute_CLV2.json
similarity index 69%
rename from Solutions/PrismaCloudCompute/Data Connectors/PrismaCloudCompute_CLV2.json
rename to Solutions/Palo Alto Prisma Cloud CWPP/Data Connectors/PrismaCloudCompute_CLV2.json
index ccff445cd79..f174ebe5fde 100644
--- a/Solutions/PrismaCloudCompute/Data Connectors/PrismaCloudCompute_CLV2.json
+++ b/Solutions/Palo Alto Prisma Cloud CWPP/Data Connectors/PrismaCloudCompute_CLV2.json
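Review bot: The table resource is declared with `"apiVersion": "2021-03-01-privatepreview"` while the connector definition in this commit advertises `"isPreview": false`; `Microsoft.OperationalInsights/workspaces/tables` has a GA API version (`2022-10-01`), and a private-preview version in a non-preview solution is the kind of thing that silently stops deploying when the preview is retired. Switching is a one-line change, `"apiVersion": "2022-10-01",`, but confirm the Sentinel solution packaging accepts it, since mainTemplate.json's generated table resource currently carries the same private-preview version.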
@@ -1,8 +1,8 @@
 {
 "id": "PrismaCloudComputeNativePoller",
- "title": "Prisma Cloud Compute CWPP (using REST API)",
+ "title": "Palo Alto Prisma Cloud CWPP (using REST API)",
 "publisher": "Microsoft",
- "descriptionMarkdown": "The [Prisma Cloud Compute CWPP](https://prisma.pan.dev/api/cloud/cwpp/audits/#operation/get-audits-incidents) data connector allows you to connect to your Prisma Cloud CWPP instance and ingesting alerts into Microsoft Sentinel. The data connector is built on Microsoft Sentinel’s Codeless Connector Platform and uses the Prisma Cloud API to fetch security events and supports DCR-based [ingestion time transformations](https://docs.microsoft.com/azure/azure-monitor/logs/custom-logs-overview) that parses the received security event data into a custom columns so that queries don't need to parse it again, thus resulting in better performance.",
+ "descriptionMarkdown": "The [Palo Alto Prisma Cloud CWPP](https://prisma.pan.dev/api/cloud/cwpp/audits/#operation/get-audits-incidents) data connector allows you to connect to your Prisma Cloud CWPP instance and ingesting alerts into Microsoft Sentinel. The data connector is built on Microsoft Sentinel’s Codeless Connector Platform and uses the Prisma Cloud API to fetch security events and supports DCR-based [ingestion time transformations](https://docs.microsoft.com/azure/azure-monitor/logs/custom-logs-overview) that parses the received security event data into a custom columns so that queries don't need to parse it again, thus resulting in better performance.",
 "graphQueriesTableName": "PrismaCloudCompute_CL",
 "graphQueries": [
 {
@@ -61,13 +61,13 @@
 "customs": [
 {
 "name": "PrismaCloudCompute API Key",
- "description": "A Prisma Cloud Compute CWPP Monitor API username and password is required. [See the documentation to learn more about PrismaCloudCompute SIEM API](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PrismaCloudCompute/Data%20Connectors/readme.md)."
+ "description": "A Palo Alto Prisma Cloud CWPP Monitor API username and password is required. [See the documentation to learn more about PrismaCloudCompute SIEM API](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PrismaCloudCompute/Data%20Connectors/readme.md)."
 }
 ]
 },
 "instructionSteps": [
 {
- "description": "To enable the Prisma Cloud Compute CWPP Security Events for Microsoft Sentinel, provide the required information below and click on Connect.\n>",
+ "description": "To enable the Palo Alto Prisma Cloud CWPP Security Events for Microsoft Sentinel, provide the required information below and click on Connect.\n>",
 "instructions": [
 {
 "type": "Textbox",
@@ -104,7 +104,7 @@
 "type": "ConnectionToggleButton"
 }
 ],
- "title": "Connect Prisma Cloud Compute CWPP Security Events to Microsoft Sentinel"
+ "title": "Connect Palo Alto Prisma Cloud CWPP Security Events to Microsoft Sentinel"
 }
 ]
 }
\ No newline at end of file
diff --git a/Solutions/PrismaCloudCompute/Data Connectors/readme.md b/Solutions/Palo Alto Prisma Cloud CWPP/Data Connectors/readme.md
similarity index 100%
rename from Solutions/PrismaCloudCompute/Data Connectors/readme.md
rename to Solutions/Palo Alto Prisma Cloud CWPP/Data Connectors/readme.md
diff --git a/Solutions/PrismaCloudCompute/Package/2.0.0.zip b/Solutions/Palo Alto Prisma Cloud CWPP/Package/2.0.0.zip
similarity index 100%
rename from Solutions/PrismaCloudCompute/Package/2.0.0.zip
rename to Solutions/Palo Alto Prisma Cloud CWPP/Package/2.0.0.zip
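Review bot: The `customs` entry's `name` is left as `PrismaCloudCompute API Key` while the description on the next line is rewritten to say Palo Alto Prisma Cloud CWPP, and the generated mainTemplate.json in this commit shows the same entry as `"name": "Palo Alto Prisma Cloud CWPP API Key"`; the two connector files in this commit (this one and connectorDefinition.json) should use the same string so the rename is complete wherever the prerequisite is displayed. A one-line change, `"name": "Palo Alto Prisma Cloud CWPP API Key",`, in both files settles it.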
diff --git a/Solutions/Palo Alto Prisma Cloud CWPP/Package/3.0.0.zip b/Solutions/Palo Alto Prisma Cloud CWPP/Package/3.0.0.zip
new file mode 100644
index 00000000000..cc28f4c9510
Binary files /dev/null and b/Solutions/Palo Alto Prisma Cloud CWPP/Package/3.0.0.zip differ
diff --git a/Solutions/PrismaCloudCompute/Package/createUiDefinition.json b/Solutions/Palo Alto Prisma Cloud CWPP/Package/createUiDefinition.json
similarity index 69%
rename from Solutions/PrismaCloudCompute/Package/createUiDefinition.json
rename to Solutions/Palo Alto Prisma Cloud CWPP/Package/createUiDefinition.json
index ba9b08256d7..ce3065d48b8 100644
--- a/Solutions/PrismaCloudCompute/Package/createUiDefinition.json
+++ b/Solutions/Palo Alto Prisma Cloud CWPP/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
 "config": {
 "isWizard": false,
 "basics": {
- "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Prisma Cloud Compute CWPP](https://prisma.pan.dev/api/cloud/cwpp/audits/#operation/get-audits-incidents) solution for Microsoft Sentinel allows you to connect to your Prisma Cloud CWPP instance and ingest alerts into your Microsoft Sentinel workspace using the Prisma Cloud API.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:\n\na. [Codeless Connector Platform (CCP)](https://learn.microsoft.com/en-us/azure/sentinel/create-custom-connector#connect-with-the-codeless-connector-platform)\n\n**Data Connectors:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Palo Alto Prisma Cloud CWPP](https://prisma.pan.dev/api/cloud/cwpp/audits/#operation/get-audits-incidents) solution for Microsoft Sentinel allows you to connect to your Palo Alto Prisma Cloud CWPP instance and ingest alerts into your Microsoft Sentinel workspace using the Prisma Cloud API.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:\n\na. 
[Codeless Connector Platform (CCP)](https://learn.microsoft.com/en-us/azure/sentinel/create-custom-connector#connect-with-the-codeless-connector-platform)\n\n**Data Connectors:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
 "subscription": {
 "resourceProviders": [
 "Microsoft.OperationsManagement/solutions",
@@ -60,7 +60,7 @@
 "name": "dataconnectors1-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "The Prisma Cloud Compute CWPP data connector allows you to connect to your Prisma Cloud CWPP instance and ingesting alerts into Microsoft Sentinel. The data connector is built on Microsoft Sentinel's Codeless Connector Platform and uses the Prisma Cloud API to fetch security events and supports DCR-based [ingestion time transformations](https://docs.microsoft.com/azure/azure-monitor/logs/custom-logs-overview) that parses the received security event data into a custom columns so that queries don't need to parse it again, thus resulting in better performance."
+ "text": "This Solution installs the data connector for Palo Alto Prisma Cloud CWPP. You can get Palo Alto Prisma Cloud CWPP custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
 }
 },
 {
diff --git a/Solutions/Palo Alto Prisma Cloud CWPP/Package/mainTemplate.json b/Solutions/Palo Alto Prisma Cloud CWPP/Package/mainTemplate.json
new file mode 100644
index 00000000000..45c873f324d
--- /dev/null
+++ b/Solutions/Palo Alto Prisma Cloud CWPP/Package/mainTemplate.json
@@ -0,0 +1,820 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string", + "minLength": 1, + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" + } + }, + "workspace-location": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" + } + }, + "subscription": { + "defaultValue": "[last(split(subscription().id, '/'))]", + "type": "string", + "metadata": { + "description": "subscription id where Microsoft Sentinel is setup" + } + }, + "resourceGroupName": { + "defaultValue": "[resourceGroup().name]", + "type": "string", + "metadata": { + "description": "resource group name where Microsoft Sentinel is setup" + } + }, + "workspace": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" + } + } + }, + "variables": { + "email": "support@microsoft.com", + "_email": "[variables('email')]", + "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", + "_solutionName": "Palo Alto Prisma Cloud CWPP", + "_solutionVersion": "3.0.0", + "_solutionAuthor": "Microsoft", + "_packageIcon": "icon icon icon icon", + "solutionId": "azuresentinel.azure-sentinel-solution-prismacloudcompute", + "_solutionId": "[variables('solutionId')]", + "dataConnectorVersionConnectorDefinition": "1.0.0", + "dataConnectorVersionConnections": "1.0.0", + "uiConfig": "PaloAltoPrismaCloudCWPP", + "_uiConfig": "[variables('uiConfig')]", + "_dataConnectorContentIdConnectorDefinition": "PaloAltoPrismaCloudCWPP", + 
"dataConnectorTemplateNameConnectorDefinition": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnectorDefinition')))]", + "_dataConnectorContentIdConnections": "PaloAltoPrismaCloudCWPPTemplateNameConnections", + "dataConnectorTemplateNameConnections": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnections')))]", + "_logAnalyticsTableId1": "PrismaCloudCompute_CL" + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnectorDefinition'), variables('dataConnectorVersionConnectorDefinition'))]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "contentId": "[variables('_dataConnectorContentIdConnectorDefinition')]", + "displayName": "[variables('_solutionName')]", + "contentKind": "DataConnector", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorVersionConnectorDefinition')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition')))]", + "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition'))]", + 
"contentId": "[variables('_dataConnectorContentIdConnectorDefinition')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersionConnectorDefinition')]", + "source": { + "sourceId": "[variables('_solutionId')]", + "name": "[variables('_solutionName')]", + "kind": "Solution" + }, + "author": { + "name": "[variables('_solutionAuthor')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com/" + }, + "dependencies": { + "criteria": [ + { + "version": "[variables('dataConnectorVersionConnections')]", + "contentId": "[variables('_dataConnectorContentIdConnections')]", + "kind": "ResourcesDataConnector" + } + ] + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition'))]", + "apiVersion": "2022-09-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions", + "location": "[parameters('workspace-location')]", + "kind": "Customizable", + "properties": { + "connectorUiConfig": { + "id": "[variables('_uiConfig')]", + "title": "Palo Alto Prisma Cloud CWPP (using REST API)", + "publisher": "Microsoft", + "descriptionMarkdown": "The [Palo Alto Prisma Cloud CWPP](https://prisma.pan.dev/api/cloud/cwpp/audits/#operation/get-audits-incidents) data connector allows you to connect to your Palo Alto Prisma Cloud CWPP instance and ingesting alerts into Microsoft Sentinel. 
The data connector is built on Microsoft Sentinel’s Codeless Connector Platform and uses the Prisma Cloud API to fetch security events and supports DCR-based [ingestion time transformations](https://docs.microsoft.com/azure/azure-monitor/logs/custom-logs-overview) that parses the received security event data into a custom columns so that queries don't need to parse it again, thus resulting in better performance.", + "graphQueriesTableName": "PrismaCloudCompute_CL", + "graphQueries": [ + { + "metricName": "Total events received", + "legend": "Prisma Compute Events", + "baseQuery": "{{graphQueriesTableName}}" + } + ], + "sampleQueries": [ + { + "description": "Get Sample of Prisma Compute Events", + "query": "{{graphQueriesTableName}}\n | take 10" + }, + { + "description": "Total Events by Event Type", + "query": "{{graphQueriesTableName}}\n | summarize count() by EventOriginalType" + } + ], + "dataTypes": [ + { + "name": "{{graphQueriesTableName}}", + "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriteria": [ + { + "type": "HasDataConnectors" + } + ], + "availability": { + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "Read and Write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "Read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Palo Alto Prisma Cloud CWPP API Key", + "description": "A Palo Alto Prisma Cloud CWPP Monitor API username and password is required. [See the documentation to learn more about Palo Alto Prisma Cloud CWPP SIEM API](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Palo%20Alto%20Prisma%20Cloud%20CWPP/Data%20Connectors/readme.md)." + } + ] + }, + "instructionSteps": [ + { + "description": "To enable the Palo Alto Prisma Cloud CWPP Security Events for Microsoft Sentinel, provide the required information below and click on Connect.\n>", + "instructions": [ + { + "type": "Textbox", + "parameters": { + "label": "Path to console", + "placeholder": "https://europe-west3.cloud.twistlock.com/{sasid}", + "type": "text", + "name": "domainname" + } + }, + { + "type": "Textbox", + "parameters": { + "label": "Prisma Access Key (API)", + "placeholder": "Prisma Access Key (API)", + "type": "text", + "name": "username" + } + }, + { + "type": "Textbox", + "parameters": { + "label": "Secret", + "placeholder": "Secret", + "type": "password", + "name": "password" + } + }, + { + "parameters": { + "label": "toggle", + "name": "toggle" + }, + "type": "ConnectionToggleButton" + } + ], + "title": "Connect Palo Alto Prisma Cloud CWPP Security Events to Microsoft Sentinel" + } + ] + } + } + }, + { + "name": "PaloAltoPrismaCloudCWPP_DCR", + "apiVersion": "2021-09-01-preview", + "type": "Microsoft.Insights/dataCollectionRules", + "location": "[parameters('workspace-location')]", + "kind": null, + "properties": { + "streamDeclarations": { + "Custom-PaloAltoPrismaCloudCWPP_IncidentsApi": { + "columns": [ + { + "name": "_id", + "type": "string", + "description": "_id value." 
+ }, + { + "name": "time", + "type": "datetime", + "description": "The time at which the data was generated" + }, + { + "name": "fqdn", + "type": "string", + "description": "Fqdn." + }, + { + "name": "containerName", + "type": "string", + "description": "Container Name." + }, + { + "name": "containerID", + "type": "string", + "description": "Container Id." + }, + { + "name": "imageID", + "type": "string", + "description": "Image Id." + }, + { + "name": "profileID", + "type": "string", + "description": "Profile Id." + }, + { + "name": "accountID", + "type": "string", + "description": "Account Id." + }, + { + "name": "serialNum", + "type": "int", + "description": "Serial Number of event." + }, + { + "name": "acknowledged", + "type": "boolean", + "description": "Acknowledged or not." + }, + { + "name": "category", + "type": "string", + "description": "Describes the type of attack." + }, + { + "name": "type", + "type": "string", + "description": "The Type of resource." + }, + { + "name": "audits", + "type": "dynamic", + "description": "The audit information." + }, + { + "name": "collections", + "type": "dynamic", + "description": "The collection of resources." + }, + { + "name": "hostname", + "type": "string", + "description": "Name of the node initiated the alert." + }, + { + "name": "cluster", + "type": "string", + "description": "Name of the cluster the node belongs" + }, + { + "name": "imageName", + "type": "string", + "description": "Name of the image involved for the alert" + }, + { + "name": "namespace", + "type": "string", + "description": "This is the grouping of the nodes in a cluster." 
+ } + ] + } + }, + "destinations": { + "logAnalytics": [ + { + "workspaceResourceId": "[variables('workspaceResourceId')]", + "name": "clv2ws1" + } + ] + }, + "dataFlows": [ + { + "streams": [ + "Custom-PaloAltoPrismaCloudCWPP_IncidentsApi" + ], + "destinations": [ + "clv2ws1" + ], + "transformKql": "source \r\n| project-rename \r\n TimeGenerated = ['time'], PrismaId = _id, SerialNumber = serialNum, Acknowledged = acknowledged, Hostname = hostname, FQDN = fqdn, ContainerName = containerName, ContainerID = containerID, ImageName = imageName, ImageID = imageID, ProfileID = profileID, Namespace = namespace, Category = category, ResourceType = type, Audits = audits, Collections = collections, AccountID = accountID, Cluster = cluster", + "outputStream": "Custom-PrismaCloudCompute_CL" + } + ], + "dataCollectionEndpointId": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]" + } + }, + { + "name": "[variables('_logAnalyticsTableId1')]", + "apiVersion": "2021-03-01-privatepreview", + "type": "Microsoft.OperationalInsights/workspaces/tables", + "location": "[parameters('workspace-location')]", + "kind": null, + "properties": { + "schema": { + "name": "[variables('_logAnalyticsTableId1')]", + "columns": [ + { + "name": "PrismaId", + "type": "string", + "description": "_id value." + }, + { + "name": "TimeGenerated", + "type": "datetime", + "isDefaultDisplay": true, + "description": "The timestamp (UTC) reflecting the time in which the event was generated." + }, + { + "name": "FQDN", + "type": "string", + "description": "Fqdn." + }, + { + "name": "ContainerName", + "type": "string", + "description": "Container Name." + }, + { + "name": "ContainerID", + "type": "string", + "description": "Container Id." + }, + { + "name": "ImageID", + "type": "string", + "description": "Image Id." 
+ }, + { + "name": "ProfileID", + "type": "string", + "description": "Profile Id." + }, + { + "name": "AccountID", + "type": "string", + "description": "Account Id." + }, + { + "name": "SerialNumber", + "type": "int", + "description": "Serial Number." + }, + { + "name": "Acknowledged", + "type": "boolean", + "description": "Acknowledged or not." + }, + { + "name": "Category", + "type": "string", + "description": "Describes the type of attack." + }, + { + "name": "ResourceType", + "type": "string", + "description": "The Type of resource." + }, + { + "name": "Audits", + "type": "dynamic", + "description": "The audit information." + }, + { + "name": "Collections", + "type": "dynamic", + "description": "The collection of resources." + }, + { + "name": "Hostname", + "type": "string", + "description": "Name of the node initiated the alert." + }, + { + "name": "Cluster", + "type": "string", + "description": "Name of the cluster the node belongs" + }, + { + "name": "ImageName", + "type": "string", + "description": "Name of the image involved for the alert" + }, + { + "name": "Namespace", + "type": "string", + "description": "This is the grouping of the nodes in a cluster." 
+ } + ] + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "contentProductId": "[concat(substring(variables('_solutionId'), 0, 50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentIdConnectorDefinition'),'-', variables('dataConnectorVersionConnectorDefinition'))))]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "version": "[variables('_solutionVersion')]" + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition'))]", + "apiVersion": "2022-09-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions", + "location": "[parameters('workspace-location')]", + "kind": "Customizable", + "properties": { + "connectorUiConfig": { + "id": "[variables('_uiConfig')]", + "title": "Palo Alto Prisma Cloud CWPP (using REST API)", + "publisher": "Microsoft", + "descriptionMarkdown": "The [Palo Alto Prisma Cloud CWPP](https://prisma.pan.dev/api/cloud/cwpp/audits/#operation/get-audits-incidents) data connector allows you to connect to your Palo Alto Prisma Cloud CWPP instance and ingesting alerts into Microsoft Sentinel. 
The data connector is built on Microsoft Sentinel’s Codeless Connector Platform and uses the Prisma Cloud API to fetch security events and supports DCR-based [ingestion time transformations](https://docs.microsoft.com/azure/azure-monitor/logs/custom-logs-overview) that parses the received security event data into a custom columns so that queries don't need to parse it again, thus resulting in better performance.", + "graphQueriesTableName": "PrismaCloudCompute_CL", + "graphQueries": [ + { + "metricName": "Total events received", + "legend": "Prisma Compute Events", + "baseQuery": "{{graphQueriesTableName}}" + } + ], + "sampleQueries": [ + { + "description": "Get Sample of Prisma Compute Events", + "query": "{{graphQueriesTableName}}\n | take 10" + }, + { + "description": "Total Events by Event Type", + "query": "{{graphQueriesTableName}}\n | summarize count() by EventOriginalType" + } + ], + "dataTypes": [ + { + "name": "{{graphQueriesTableName}}", + "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriteria": [ + { + "type": "HasDataConnectors" + } + ], + "availability": { + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "Read and Write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "Read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Palo Alto Prisma Cloud CWPP API Key", + "description": "A Palo Alto Prisma Cloud CWPP Monitor API username and password is required. [See the documentation to learn more about Palo Alto Prisma Cloud CWPP SIEM API](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Palo%20Alto%20Prisma%20Cloud/Data%20Connectors/readme.md)." + } + ] + }, + "instructionSteps": [ + { + "description": "To enable the Palo Alto Prisma Cloud CWPP Security Events for Microsoft Sentinel, provide the required information below and click on Connect.\n>", + "instructions": [ + { + "type": "Textbox", + "parameters": { + "label": "Path to console", + "placeholder": "https://europe-west3.cloud.twistlock.com/{sasid}", + "type": "text", + "name": "domainname" + } + }, + { + "type": "Textbox", + "parameters": { + "label": "Prisma Access Key (API)", + "placeholder": "Prisma Access Key (API)", + "type": "text", + "name": "username" + } + }, + { + "type": "Textbox", + "parameters": { + "label": "Secret", + "placeholder": "Secret", + "type": "password", + "name": "password" + } + }, + { + "parameters": { + "label": "toggle", + "name": "toggle" + }, + "type": "ConnectionToggleButton" + } + ], + "title": "Connect Palo Alto Prisma Cloud CWPP Security Events to Microsoft Sentinel" + } + ] + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition')))]", + "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', 
parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition'))]", + "contentId": "[variables('_dataConnectorContentIdConnectorDefinition')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersionConnectorDefinition')]", + "source": { + "sourceId": "[variables('_solutionId')]", + "name": "[variables('_solutionName')]", + "kind": "Solution" + }, + "author": { + "name": "[variables('_solutionAuthor')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com/" + }, + "dependencies": { + "criteria": [ + { + "version": "[variables('dataConnectorVersionConnections')]", + "contentId": "[variables('_dataConnectorContentIdConnections')]", + "kind": "ResourcesDataConnector" + } + ] + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnections'), variables('dataConnectorVersionConnections'))]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "contentId": "[variables('_dataConnectorContentIdConnections')]", + "displayName": "[concat(variables('_solutionName'), variables('dataConnectorTemplateNameConnections'))]", + "contentKind": "ResourcesDataConnector", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorVersionConnections')]", + "parameters": { + "connectorDefinitionName": { + "defaultValue": "connectorDefinitionName", + "type": "string", + "minLength": 1 + }, + 
"workspace": { + "defaultValue": "[parameters('workspace')]", + "type": "string" + }, + "dcrConfig": { + "defaultValue": { + "dataCollectionEndpoint": "data collection Endpoint", + "dataCollectionRuleImmutableId": "data collection rule immutableId" + }, + "type": "object" + }, + "domainname": { + "defaultValue": "domainname", + "type": "string", + "minLength": 1 + }, + "username": { + "defaultValue": "username", + "type": "string", + "minLength": 1 + }, + "password": { + "defaultValue": "password", + "type": "string", + "minLength": 1 + } + }, + "variables": { + "_dataConnectorContentIdConnections": "[variables('_dataConnectorContentIdConnections')]" + }, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnections')))]", + "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentIdConnections'))]", + "contentId": "[variables('_dataConnectorContentIdConnections')]", + "kind": "ResourcesDataConnector", + "version": "[variables('dataConnectorVersionConnections')]", + "source": { + "sourceId": "[variables('_solutionId')]", + "name": "[variables('_solutionName')]", + "kind": "Solution" + }, + "author": { + "name": "[variables('_solutionAuthor')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com/" + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 'apiRequest')]", + "apiVersion": "2022-12-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "RestApiPoller", + 
"properties": { + "connectorDefinitionName": "[[parameters('connectorDefinitionName')]", + "dataType": "PrismaCloudCompute_CL", + "dcrConfig": { + "streamName": "Custom-PaloAltoPrismaCloudCWPP_IncidentsApi", + "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", + "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" + }, + "auth": { + "type": "Basic", + "userName": "[[parameters('username')]", + "password": "[[parameters('password')]" + }, + "request": { + "apiEndpoint": "[[concat(parameters('domainname'),'/api/v1/audits/incidents','?acknowledged=false')]", + "rateLimitQPS": 10, + "queryWindowInMin": 5, + "httpMethod": "Get", + "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ", + "startTimeAttributeName": "from", + "endTimeAttributeName": "to", + "retryCount": 3, + "timeoutInSeconds": 60, + "headers": { + "Accept": "application/json", + "User-Agent": "Scuba" + }, + "queryParameters": { + "sort": "time" + } + }, + "paging": { + "pagingType": "Offset", + "offsetParaName": "offset", + "pageSizeParaName": "limit" + }, + "response": { + "eventsJsonPaths": [ + "$" + ] + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "contentProductId": "[concat(substring(variables('_solutionId'), 0, 50),'-','rdc','-', uniqueString(concat(variables('_solutionId'),'-','ResourcesDataConnector','-',variables('_dataConnectorContentIdConnections'),'-', variables('dataConnectorVersionConnections'))))]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "version": "[variables('_solutionVersion')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]", + "location": "[parameters('workspace-location')]", + "apiVersion": "2023-04-01-preview", + "properties": { + 
"version": "3.0.0",
+ "kind": "Solution",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_solutionId')]",
+ "source": {
+ "kind": "Solution",
+ "name": "[variables('_solutionName')]",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "[variables('_solutionAuthor')]",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com/"
+ },
+ "dependencies": {
+ "operator": "AND",
+ "criteria": [
+ {
+ "kind": "DataConnector",
+ "contentId": "[variables('_dataConnectorContentIdConnectorDefinition')]",
+ "version": "1.0.0"
+ }
+ ]
+ },
+ "firstPublishDate": "2022-06-24",
+ "providers": [
+ "[variables('_solutionAuthor')]"
+ ],
+ "categories": {
+ "domains": [
+ "Cloud Provider"
+ ]
+ },
+ "contentKind": "Solution",
+ "packageId": "[variables('_solutionId')]",
+ "contentProductId": "[concat(substring(variables('_solutionId'), 0, 50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]",
+ "displayName": "[variables('_solutionName')]",
+ "publisherDisplayName": "[variables('_solutionId')]",
+ "descriptionHtml": "
Note: There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Palo Alto Prisma Cloud CWPP solution for Microsoft Sentinel allows you to connect to your Palo Alto Prisma Cloud CWPP instance and ingest alerts into your Microsoft Sentinel workspace using the Prisma Cloud API.
\nUnderlying Microsoft Technologies used:
\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:
\n\nData Connectors: 1
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
+ "icon": "[variables('_packageIcon')]"
+ }
+ }
+ ]
+}
diff --git a/Solutions/Palo Alto Prisma Cloud CWPP/ReleaseNotes.md b/Solutions/Palo Alto Prisma Cloud CWPP/ReleaseNotes.md
new file mode 100644
index 00000000000..4a2ccc0ac61
--- /dev/null
+++ b/Solutions/Palo Alto Prisma Cloud CWPP/ReleaseNotes.md
@@ -0,0 +1,3 @@
+| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
+|-------------|--------------------------------|--------------------------------------------------------------------|
+| 3.0.0 | 10-10-2023 | Added new files to support CCP CLV2 and its package |
\ No newline at end of file
diff --git a/Solutions/Palo Alto Prisma Cloud CWPP/SolutionMetadata.json b/Solutions/Palo Alto Prisma Cloud CWPP/SolutionMetadata.json
new file mode 100644
index 00000000000..6456439f9f7
--- /dev/null
+++ b/Solutions/Palo Alto Prisma Cloud CWPP/SolutionMetadata.json
@@ -0,0 +1,15 @@
+{
+ "publisherId": "azuresentinel",
+ "offerId": "azure-sentinel-solution-prismacloudcompute",
+ "firstPublishDate": "2022-06-24",
+ "providers": ["Microsoft"],
+ "categories": {
+ "domains" : ["Cloud Provider"]
+ },
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com/"
+ }
+}
\ No newline at end of file
diff --git a/Solutions/Palo Alto Prisma Cloud CWPP/data/PrismaCloud.json b/Solutions/Palo Alto Prisma Cloud CWPP/data/PrismaCloud.json
new file mode 100644
index 00000000000..723037bd854
--- /dev/null
+++ b/Solutions/Palo Alto Prisma Cloud CWPP/data/PrismaCloud.json
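Review bot: The `offerId` in the new SolutionMetadata.json is `azure-sentinel-solution-prismacloudcompute`, while the mainTemplate.json this commit deletes identified the solution as `azuresentinel.azure-sentinel-solution-prismacloudcompute-preview` (visible at the top of the deletion hunk further down). If this package is meant to supersede the existing preview offer in Content Hub rather than appear beside it, the two ids need to agree or existing installs will not be offered 3.0.0 as an upgrade; the new template's `_solutionId` variable is outside this chunk, so confirm both against the published Marketplace offer. The file is also committed without a trailing newline.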
@@ -0,0 +1,16 @@
+{
+ "Name": "Palo Alto Prisma Cloud CWPP",
+ "Author": "Microsoft - support@microsoft.com",
+ "Logo": "",
+ "Description": "The [Prisma Alto Prisma Cloud CWPP](https://prisma.pan.dev/api/cloud/cwpp/audits/#operation/get-audits-incidents) solution for Microsoft Sentinel allows you to connect to your Palo Alto Prisma Cloud CWPP instance and ingest alerts into your Microsoft Sentinel workspace using the Prisma Cloud API.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:\n\na. [Codeless Connector Platform (CCP)](https://learn.microsoft.com/en-us/azure/sentinel/create-custom-connector#connect-with-the-codeless-connector-platform)",
+ "Data Connectors": [
+ "Data Connectors/PrismaCloudCompute_CLV2.json",
+ "Data Connectors/connectorDefinition.json"
+ ],
+ "Metadata": "SolutionMetadata.json",
+ "BasePath": "C:\\Github\\Azure-Sentinel\\Solutions\\Palo Alto Prisma Cloud CWPP",
+ "Version": "3.0.0",
+ "TemplateSpec": true,
+ "Is1PConnector": false,
+ "createPackage": false
+}
\ No newline at end of file
diff --git a/Solutions/PrismaCloudCompute/Package/mainTemplate.json b/Solutions/PrismaCloudCompute/Package/mainTemplate.json
deleted file mode 100644
index 0919215b3db..00000000000
--- a/Solutions/PrismaCloudCompute/Package/mainTemplate.json
+++ /dev/null
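Review bot: The `Data Connectors` list in data/PrismaCloud.json still points the packaging tool at `Data Connectors/PrismaCloudCompute_CLV2.json` and `Data Connectors/connectorDefinition.json`, names carried over from the old PrismaCloudCompute solution; this chunk does not show whether files with those exact names exist in the renamed solution folder, so confirm the package build resolves them before merging, since a stale path here silently packages nothing. The `Description` string also misnames the product as `Prisma Alto Prisma Cloud CWPP` and should read `"Description": "The [Palo Alto Prisma Cloud CWPP](https://prisma.pan.dev/api/cloud/cwpp/audits/#operation/get-audits-incidents) solution for Microsoft Sentinel ..."` to match the `Name` field two lines above. `BasePath` is a developer-machine path (`C:\Github\...`) rather than a repo-relative one, and the file is committed without a trailing newline.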
@@ -1,866 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "location": { - "defaultValue": "[resourceGroup().location]", - "minLength": 1, - "type": "string", - "metadata": { - "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" - } - }, - "workspace-location": { - "defaultValue": "", - "type": "string", - "metadata": { - "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" - } - }, - "subscription": { - "defaultValue": "[last(split(subscription().id, '/'))]", - "type": "string", - "metadata": { - "description": "subscription id where Microsoft Sentinel is setup" - } - }, - "resourceGroupName": { - "defaultValue": "[resourceGroup().name]", - "type": "string", - "metadata": { - "description": "resource group name where Microsoft Sentinel is setup" - } - }, - "workspace": { - "defaultValue": "", - "type": "string", - "metadata": { - "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" - } - } - }, - "variables": { - "solutionId": "azuresentinel.azure-sentinel-solution-prismacloudcompute-preview", - "_solutionId": "[variables('solutionId')]", - "dataCollectionRuleImmutableId": "data collection rule immutableId", - "_dataCollectionRuleImmutableId": "[variables('dataCollectionRuleImmutableId')]", - "dataCollectionEndpointId": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]", - "_dataCollectionEndpointId": "[variables('dataCollectionEndpointId')]", - "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", - "uiConfigId1": "PrismaCloudComputeNativePoller", 
- "_uiConfigId1": "[variables('uiConfigId1')]", - "dataConnectorContentId1": "PrismaCloudComputeNativePoller", - "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", - "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentId1'))]", - "_dataConnectorId1": "[variables('dataConnectorId1')]", - "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1')))]", - "dataConnectorVersion1": "1.0.0", - "dataConnectorContentId2": "PrismaCloudComputeIncidentsPoller", - "_dataConnectorContentId2": "[variables('dataConnectorContentId2')]", - "dataConnectorId2": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", - "_dataConnectorId2": "[variables('dataConnectorId2')]", - "dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2')))]", - "dataConnectorVersion2": "1.0.0", - "logAnalyticsTableId1": "PrismaCloudCompute_CL", - "streamName1": "Custom-PrismaCloudCompute_IncidentsApi", - "dataCollectionRuleId": "PrismaCloudComputeDCR" - }, - "resources": [ - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('dataConnectorTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "DataConnector" - }, - "properties": { - "description": "PrismaCloudCompute data connector with template", - "displayName": "PrismaCloudCompute template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": 
"[concat(variables('dataConnectorTemplateSpecName1'),'/',variables('dataConnectorVersion1'))]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName1'))]" - ], - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "DataConnector" - }, - "properties": { - "description": "PrismaCloudCompute data connector with template version 2.0.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion1')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2022-09-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions", - "location": "[parameters('workspace-location')]", - "kind": "Customizable", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId1')]", - "title": "Prisma Cloud Compute CWPP (using REST API)", - "publisher": "Microsoft", - "descriptionMarkdown": "The [Prisma Cloud Compute CWPP](https://prisma.pan.dev/api/cloud/cwpp/audits/#operation/get-audits-incidents) data connector allows you to connect to your Prisma Cloud CWPP instance and ingesting alerts into Microsoft Sentinel. 
The data connector is built on Microsoft Sentinel’s Codeless Connector Platform and uses the Prisma Cloud API to fetch security events and supports DCR-based [ingestion time transformations](https://docs.microsoft.com/azure/azure-monitor/logs/custom-logs-overview) that parses the received security event data into a custom columns so that queries don't need to parse it again, thus resulting in better performance.", - "graphQueriesTableName": "PrismaCloudCompute_CL", - "graphQueries": [ - { - "metricName": "Total events received", - "legend": "Prisma Compute Events", - "baseQuery": "{{graphQueriesTableName}}" - } - ], - "sampleQueries": [ - { - "description": "Get Sample of Prisma Compute Events", - "query": "{{graphQueriesTableName}}\n | take 10" - }, - { - "description": "Total Events by Event Type", - "query": "{{graphQueriesTableName}}\n | summarize count() by EventOriginalType" - } - ], - "dataTypes": [ - { - "name": "{{graphQueriesTableName}}", - "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriteria": [ - { - "type": "HasDataConnectors" - } - ], - "availability": { - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "Read and Write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "Read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "name": "PrismaCloudCompute API Key", - "description": "A Prisma Cloud Compute CWPP Monitor API username and password is required. [See the documentation to learn more about PrismaCloudCompute SIEM API](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PrismaCloudCompute/Data%20Connectors/readme.md)." - } - ] - }, - "instructionSteps": [ - { - "description": "To enable the Prisma Cloud Compute CWPP Security Events for Microsoft Sentinel, provide the required information below and click on Connect.\n>", - "instructions": [ - { - "type": "Textbox", - "parameters": { - "label": "Path to console", - "placeholder": "https://europe-west3.cloud.twistlock.com/{sasid}", - "type": "text", - "name": "domainname" - } - }, - { - "type": "Textbox", - "parameters": { - "label": "Prisma Access Key (API)", - "placeholder": "Prisma Access Key (API)", - "type": "text", - "name": "username" - } - }, - { - "type": "Textbox", - "parameters": { - "label": "Secret", - "placeholder": "Secret", - "type": "password", - "name": "password" - } - }, - { - "parameters": { - "label": "toggle", - "name": "toggle" - }, - "type": "ConnectionToggleButton" - } - ], - "title": "Connect Prisma Cloud Compute CWPP Security Events to Microsoft Sentinel" - } - ] - }, - "connectionsConfig": { - "templateSpecName": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Resources/templateSpecs/',variables('dataConnectorTemplateSpecName2'))]", - "templateSpecVersion": "[variables('dataConnectorVersion2')]" - } - } - }, - { - "name": "[variables('logAnalyticsTableId1')]", - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": 
"2021-03-01-privatepreview", - "location": "[parameters('workspace-location')]", - "tags": {}, - "properties": { - "schema": { - "name": "[variables('logAnalyticsTableId1')]", - "columns": [ - { - "name": "PrismaId", - "type": "string", - "description": "_id value." - }, - { - "name": "TimeGenerated", - "type": "datetime", - "isDefaultDisplay": true, - "description": "The timestamp (UTC) reflecting the time in which the event was generated." - }, - { - "name": "FQDN", - "type": "string", - "description": "Fqdn." - }, - { - "name": "ContainerName", - "type": "string", - "description": "Container Name." - }, - { - "name": "ContainerID", - "type": "string", - "description": "Container Id." - }, - { - "name": "ImageID", - "type": "string", - "description": "Image Id." - }, - { - "name": "ProfileID", - "type": "string", - "description": "Profile Id." - }, - { - "name": "AccountID", - "type": "string", - "description": "Account Id." - }, - { - "name": "SerialNumber", - "type": "int", - "description": "Serial Number." - }, - { - "name": "Acknowledged", - "type": "boolean", - "description": "Acknowledged or not." - }, - { - "name": "Category", - "type": "string", - "description": "Describes the type of attack." - }, - { - "name": "ResourceType", - "type": "string", - "description": "The Type of resource." - }, - { - "name": "Audits", - "type": "dynamic", - "description": "The audit information." - }, - { - "name": "Collections", - "type": "dynamic", - "description": "The collection of resources." - }, - { - "name": "Hostname", - "type": "string", - "description": "Name of the node initiated the alert." - }, - { - "name": "Cluster", - "type": "string", - "description": "Name of the cluster the node belongs" - }, - { - "name": "ImageName", - "type": "string", - "description": "Name of the image involved for the alert" - }, - { - "name": "Namespace", - "type": "string", - "description": "This is the grouping of the nodes in a cluster." 
- }
- ]
- }
- }
- },
- {
- "name": "[variables('dataCollectionRuleId')]",
- "apiVersion": "2021-09-01-preview",
- "type": "Microsoft.Insights/dataCollectionRules",
- "location": "[parameters('workspace-location')]",
- "properties": {
- "dataCollectionEndpointId": "[variables('_dataCollectionEndpointId')]",
- "streamDeclarations": {
- "[variables('streamName1')]": {
- "columns": [
- {
- "name": "_id",
- "type": "string",
- "description": "_id value."
- },
- {
- "name": "time",
- "type": "datetime",
- "description": "The time at which the data was generated"
- },
- {
- "name": "fqdn",
- "type": "string",
- "description": "Fqdn."
- },
- {
- "name": "containerName",
- "type": "string",
- "description": "Container Name."
- },
- {
- "name": "containerID",
- "type": "string",
- "description": "Container Id."
- },
- {
- "name": "imageID",
- "type": "string",
- "description": "Image Id."
- },
- {
- "name": "profileID",
- "type": "string",
- "description": "Profile Id."
- },
- {
- "name": "accountID",
- "type": "string",
- "description": "Account Id."
- },
- {
- "name": "serialNum",
- "type": "int",
- "description": "Serial Number of event."
- },
- {
- "name": "acknowledged",
- "type": "boolean",
- "description": "Acknowledged or not."
- },
- {
- "name": "category",
- "type": "string",
- "description": "Describes the type of attack."
- },
- {
- "name": "type",
- "type": "string",
- "description": "The Type of resource."
- },
- {
- "name": "audits",
- "type": "dynamic",
- "description": "The audit information."
- },
- {
- "name": "collections",
- "type": "dynamic",
- "description": "The collection of resources."
- },
- {
- "name": "hostname",
- "type": "string",
- "description": "Name of the node initiated the alert."
- },
- {
- "name": "cluster",
- "type": "string",
- "description": "Name of the cluster the node belongs"
- },
- {
- "name": "imageName",
- "type": "string",
- "description": "Name of the image involved for the alert"
- },
- {
- "name": "namespace",
- "type": "string",
- "description": "This is the grouping of the nodes in a cluster."
- }
- ]
- }
- },
- "destinations": {
- "logAnalytics": [
- {
- "workspaceResourceId": "[variables('workspaceResourceId')]",
- "name": "clv2ws1"
- }
- ]
- },
- "dataFlows": [
- {
- "streams": [
- "[variables('streamName1')]"
- ],
- "destinations": [
- "clv2ws1"
- ],
- "transformKql": "source \r\n| project-rename \r\n TimeGenerated = ['time'], PrismaId = _id, SerialNumber = serialNum, Acknowledged = acknowledged, Hostname = hostname, FQDN = fqdn, ContainerName = containerName, ContainerID = containerID, ImageName = imageName, ImageID = imageID, ProfileID = profileID, Namespace = namespace, Category = category, ResourceType = type, Audits = audits, Collections = collections, AccountID = accountID, Cluster = cluster",
- "outputStream": "[concat('Custom-', variables('logAnalyticsTableId1'))]"
- }
- ]
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentId1'))]",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion1')]",
- "source": {
- "kind": "Solution",
- "name": "Palo Alto Prisma Cloud Compute",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft"
- },
- "support": {
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "tier": "Microsoft",
- "link": "https://support.microsoft.com"
- },
- "dependencies": {
- "criteria": [
- {
- "kind": "DataConnector",
- "contentId": "[variables('_dataConnectorContentId2')]",
- "version": "[variables('dataConnectorVersion2')]"
- }
- ]
- }
- }
- }
- ]
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions",
- "apiVersion": "2022-09-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
- "location": "[parameters('workspace-location')]",
- "kind": "Customizable",
- "properties": {
- "connectorUiConfig": {
- "id": "[variables('_uiConfigId1')]",
- "title": "Prisma Cloud Compute CWPP (using REST API)",
- "publisher": "Microsoft",
- "descriptionMarkdown": "The [Prisma Cloud Compute CWPP](https://prisma.pan.dev/api/cloud/cwpp/audits/#operation/get-audits-incidents) data connector allows you to connect to your Prisma Cloud CWPP instance and ingesting alerts into Microsoft Sentinel. 
The data connector is built on Microsoft Sentinel’s Codeless Connector Platform and uses the Prisma Cloud API to fetch security events and supports DCR-based [ingestion time transformations](https://docs.microsoft.com/azure/azure-monitor/logs/custom-logs-overview) that parses the received security event data into a custom columns so that queries don't need to parse it again, thus resulting in better performance.",
- "graphQueriesTableName": "PrismaCloudCompute_CL",
- "graphQueries": [
- {
- "metricName": "Total events received",
- "legend": "Prisma Compute Events",
- "baseQuery": "{{graphQueriesTableName}}"
- }
- ],
- "sampleQueries": [
- {
- "description": "Get Sample of Prisma Compute Events",
- "query": "{{graphQueriesTableName}}\n | take 10"
- },
- {
- "description": "Total Events by Event Type",
- "query": "{{graphQueriesTableName}}\n | summarize count() by EventOriginalType"
- }
- ],
- "dataTypes": [
- {
- "name": "{{graphQueriesTableName}}",
- "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- }
- ],
- "connectivityCriteria": [
- {
- "type": "HasDataConnectors"
- }
- ],
- "availability": {
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "Read and Write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "write": true,
- "read": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "Read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ],
- "customs": [
- {
- "name": "PrismaCloudCompute API Key",
- "description": "A Prisma Cloud Compute CWPP Monitor API username and password is required. [See the documentation to learn more about PrismaCloudCompute SIEM API](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PrismaCloudCompute/Data%20Connectors/readme.md)."
- }
- ]
- },
- "instructionSteps": [
- {
- "description": "To enable the Prisma Cloud Compute CWPP Security Events for Microsoft Sentinel, provide the required information below and click on Connect.\n>",
- "instructions": [
- {
- "type": "Textbox",
- "parameters": {
- "label": "Path to console",
- "placeholder": "https://europe-west3.cloud.twistlock.com/{sasid}",
- "type": "text",
- "name": "domainname"
- }
- },
- {
- "type": "Textbox",
- "parameters": {
- "label": "Prisma Access Key (API)",
- "placeholder": "Prisma Access Key (API)",
- "type": "text",
- "name": "username"
- }
- },
- {
- "type": "Textbox",
- "parameters": {
- "label": "Secret",
- "placeholder": "Secret",
- "type": "password",
- "name": "password"
- }
- },
- {
- "parameters": {
- "label": "toggle",
- "name": "toggle"
- },
- "type": "ConnectionToggleButton"
- }
- ],
- "title": "Connect Prisma Cloud Compute CWPP Security Events to Microsoft Sentinel"
- }
- ]
- },
- "connectionsConfig": {
- "templateSpecName": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Resources/templateSpecs/',variables('dataConnectorTemplateSpecName2'))]",
- "templateSpecVersion": "[variables('dataConnectorVersion2')]"
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentId1'))]",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion1')]",
- "source": {
- "kind": "Solution",
- "name": "Palo Alto Prisma Cloud Compute",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft"
- },
- "support": {
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "tier": "Microsoft",
- "link": "https://support.microsoft.com"
- },
- "dependencies": {
- "criteria": [
- {
- "kind": "DataConnector",
- "contentId": "[variables('_dataConnectorContentId2')]",
- "version": "[variables('dataConnectorVersion2')]"
- }
- ]
- }
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
- "name": "[variables('dataConnectorTemplateSpecName2')]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "LogicAppsCustomConnector"
- },
- "properties": {
- "description": "PrismaCloudCompute data connector with template",
- "displayName": "PrismaCloudCompute template"
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('dataConnectorTemplateSpecName2'),'/',variables('dataConnectorVersion2'))]",
- "location": "[parameters('workspace-location')]",
- "dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName2'))]"
- ],
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "LogicAppsCustomConnector"
- },
- "properties": {
- "description": "PrismaCloudCompute data connector with template version 2.0.0",
- "mainTemplate": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('dataConnectorVersion2')]",
- "parameters": {
- "domainname": {
- "defaultValue": "domainname",
- "type": "string",
- "minLength": 1,
- "metadata": {
- "description": "domainname"
- }
- },
- "password": {
- "defaultValue": "password",
- "type": "string",
- "minLength": 1,
- "metadata": {
- "description": "password"
- }
- },
- "username": {
- "defaultValue": "username",
- "type": "string",
- "minLength": 1,
- "metadata": {
- "description": "username"
- }
- },
- "connectorDefinitionName": {
- "defaultValue": "connectorDefinitionName",
- "type": "string",
- "minLength": 1,
- "metadata": {
- "description": "connectorDefinitionName"
- }
- },
- "workspace": {
- "defaultValue": "[parameters('workspace')]",
- "type": "string"
- },
- "location": {
- "defaultValue": "",
- "type": "string"
- },
- "workspaceName": {
- "defaultValue": "",
- "type": "string"
- },
- "dcrConfig": {
- "type": "object",
- "defaultValue": {
- "dataCollectionEndpoint": "data collection Endpoint",
- "dataCollectionRuleImmutableId": "[variables('_dataCollectionRuleImmutableId')]"
- }
- }
- },
- "variables": {
- "_dataConnectorContentId2": "[variables('_dataConnectorContentId2')]",
- "_dataConnectorEventsId1": "incidents"
- },
- "resources": [
- {
- "name": "[[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorEventsId1'))]",
- "apiVersion": "2022-12-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "RestApiPoller",
- "properties": {
- "connectorDefinitionName": "[[parameters('connectorDefinitionName')]",
- "dcrConfig": {
- "streamName": "[variables('streamName1')]",
- "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]",
- "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]"
- },
- "dataType": "[variables('logAnalyticsTableId1')]",
- "auth": {
- "type": "Basic",
- "password": "[[parameters('password')]",
- "userName": "[[parameters('username')]"
- },
- "request": {
- "apiEndpoint": "[[concat(parameters('domainname'),'/api/v1/audits/incidents','?acknowledged=false')]",
- "rateLimitQPS": 10,
- "queryWindowInMin": 5,
- "httpMethod": "Get",
- "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ",
- "startTimeAttributeName": "from",
- "endTimeAttributeName": "to",
- "retryCount": 3,
- "timeoutInSeconds": 60,
- "headers": {
- "Accept": "application/json",
- "User-Agent": "Scuba"
- },
- "queryParameters": {
- "sort": "time"
- }
- },
- "paging": {
- "pagingType": "Offset",
- "offsetParaName": "offset",
- "pageSizeParaName": "limit"
- },
- "response": {
- "eventsJsonPaths": [
- "$"
- ]
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]",
- "properties": {
- "parentId": "[[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorEventsId1'))]",
- "contentId": "[variables('_dataConnectorContentId2')]",
- "kind": "LogicAppsCustomConnector",
- "version": "[variables('dataConnectorVersion2')]",
- "source": {
- "kind": "Solution",
- "name": "Palo Alto Prisma Cloud Compute",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft"
- },
- "support": {
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "tier": "Microsoft",
- "link": "https://support.microsoft.com"
- }
- }
- }
- ]
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
- "location": "[parameters('workspace-location')]",
- "properties": {
- "version": "2.0.0",
- "kind": "Solution",
- "contentSchemaVersion": "2.0.0",
- "contentId": "[variables('_solutionId')]",
- "parentId": "[variables('_solutionId')]",
- "source": {
- "kind": "Solution",
- "name": "Prisma Cloud compute",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft"
- },
- "support": {
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "tier": "Microsoft",
- "link": "https://support.microsoft.com/"
- },
- "dependencies": {
- "operator": "AND",
- "criteria": [
- {
- "kind": "DataConnector",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "version": "[variables('dataConnectorVersion1')]"
- }
- ]
- },
- "firstPublishDate": "2022-06-24",
- "providers": [
- "Microsoft"
- ],
- "categories": {
- "domains": [
- "Cloud Provider"
- ]
- }
- },
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]"
- }
- ],
- "outputs": {}
-}
\ No newline at end of file