From 03e7d9d1ef92aa580b700795eee115fb0224498f Mon Sep 17 00:00:00 2001
From: v-amolpatil
Date: Tue, 10 Oct 2023 15:41:37 +0530
Subject: [PATCH 1/7] Added files and package
---
.../Data Connectors/DCR.json | 123 ++
.../Data Connectors/connectorDefinition.json | 117 ++
.../Data Connectors/dataConnector1.json | 48 +
.../Data Connectors/table.json | 104 ++
.../PrismaCloudCompute/Package/3.0.0.zip | Bin 0 -> 8185 bytes
.../Package/createUiDefinition.json | 2 +-
.../Package/mainTemplate.json | 1603 ++++++++---------
Solutions/PrismaCloudCompute/ReleaseNotes.md | 3 +
.../PrismaCloudCompute/SolutionMetadata.json | 18 +
.../PrismaCloudCompute/data/PrismaCloud.json | 15 +
10 files changed, 1205 insertions(+), 828 deletions(-)
create mode 100644 Solutions/PrismaCloudCompute/Data Connectors/DCR.json
create mode 100644 Solutions/PrismaCloudCompute/Data Connectors/connectorDefinition.json
create mode 100644 Solutions/PrismaCloudCompute/Data Connectors/dataConnector1.json
create mode 100644 Solutions/PrismaCloudCompute/Data Connectors/table.json
create mode 100644 Solutions/PrismaCloudCompute/Package/3.0.0.zip
create mode 100644 Solutions/PrismaCloudCompute/ReleaseNotes.md
create mode 100644 Solutions/PrismaCloudCompute/SolutionMetadata.json
create mode 100644 Solutions/PrismaCloudCompute/data/PrismaCloud.json
diff --git a/Solutions/PrismaCloudCompute/Data Connectors/DCR.json b/Solutions/PrismaCloudCompute/Data Connectors/DCR.json
new file mode 100644
index 00000000000..0195df58f85
--- /dev/null
+++ b/Solutions/PrismaCloudCompute/Data Connectors/DCR.json
@@ -0,0 +1,123 @@
+{
+ "name": "PrismaCloudComputeDCR",
+ "apiVersion": "2021-09-01-preview",
+ "type": "Microsoft.Insights/dataCollectionRules",
+ "properties": {
+ "streamDeclarations": {
+ "Custom-PrismaCloudCompute_IncidentsApi": {
+ "columns": [
+ {
+ "name": "_id",
+ "type": "string",
+ "description": "_id value."
+ },
+ {
+ "name": "time",
+ "type": "datetime",
+ "description": "The time at which the data was generated"
+ },
+ {
+ "name": "fqdn",
+ "type": "string",
+ "description": "Fqdn."
+ },
+ {
+ "name": "containerName",
+ "type": "string",
+ "description": "Container Name."
+ },
+ {
+ "name": "containerID",
+ "type": "string",
+ "description": "Container Id."
+ },
+ {
+ "name": "imageID",
+ "type": "string",
+ "description": "Image Id."
+ },
+ {
+ "name": "profileID",
+ "type": "string",
+ "description": "Profile Id."
+ },
+ {
+ "name": "accountID",
+ "type": "string",
+ "description": "Account Id."
+ },
+ {
+ "name": "serialNum",
+ "type": "int",
+ "description": "Serial Number of event."
+ },
+ {
+ "name": "acknowledged",
+ "type": "boolean",
+ "description": "Acknowledged or not."
+ },
+ {
+ "name": "category",
+ "type": "string",
+ "description": "Describes the type of attack."
+ },
+ {
+ "name": "type",
+ "type": "string",
+ "description": "The Type of resource."
+ },
+ {
+ "name": "audits",
+ "type": "dynamic",
+ "description": "The audit information."
+ },
+ {
+ "name": "collections",
+ "type": "dynamic",
+ "description": "The collection of resources."
+ },
+ {
+ "name": "hostname",
+ "type": "string",
+ "description": "Name of the node initiated the alert."
+ },
+ {
+ "name": "cluster",
+ "type": "string",
+ "description": "Name of the cluster the node belongs"
+ },
+ {
+ "name": "imageName",
+ "type": "string",
+ "description": "Name of the image involved for the alert"
+ },
+ {
+ "name": "namespace",
+ "type": "string",
+ "description": "This is the grouping of the nodes in a cluster."
+ }
+ ]
+ }
+ },
+ "destinations": {
+ "logAnalytics": [
+ {
+ "workspaceResourceId": "[variables('workspaceResourceId')]",
+ "name": "clv2ws1"
+ }
+ ]
+ },
+ "dataFlows": [
+ {
+ "streams": [
+ "Custom-PrismaCloudCompute_IncidentsApi"
+ ],
+ "destinations": [
+ "clv2ws1"
+ ],
+ "transformKql": "source \r\n| project-rename \r\n TimeGenerated = ['time'], PrismaId = _id, SerialNumber = serialNum, Acknowledged = acknowledged, Hostname = hostname, FQDN = fqdn, ContainerName = containerName, ContainerID = containerID, ImageName = imageName, ImageID = imageID, ProfileID = profileID, Namespace = namespace, Category = category, ResourceType = type, Audits = audits, Collections = collections, AccountID = accountID, Cluster = cluster",
+ "outputStream": "Custom-PrismaCloudCompute_CL"
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/Solutions/PrismaCloudCompute/Data Connectors/connectorDefinition.json b/Solutions/PrismaCloudCompute/Data Connectors/connectorDefinition.json
new file mode 100644
index 00000000000..0f6f907f720
--- /dev/null
+++ b/Solutions/PrismaCloudCompute/Data Connectors/connectorDefinition.json
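Review bot: The `project-rename` list in DCR.json's `transformKql` is written in a different order from the `columns` array it maps, which makes it hard to confirm by eye that every declared column is renamed to the name table.json defines. All 18 columns do line up in this patch, but a column added to the stream later and missed in the rename would presumably reach the output under a name the table schema does not have. Listing the renames in declaration order, starting `PrismaId = _id, TimeGenerated = ['time'], FQDN = fqdn, ContainerName = containerName`, would keep the two lists directly comparable.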
@@ -0,0 +1,117 @@
+{
+ "name": "PrismaCloudComputeDefinition",
+ "apiVersion": "2022-09-01-preview",
+ "type": "Microsoft.SecurityInsights/dataConnectorDefinitions",
+ "kind": "Customizable",
+ "properties": {
+ "connectorUiConfig": {
+ "title": "Prisma Cloud Compute CWPP (using REST API)",
+ "publisher": "Microsoft",
+ "descriptionMarkdown": "The [Prisma Cloud Compute CWPP](https://prisma.pan.dev/api/cloud/cwpp/audits/#operation/get-audits-incidents) data connector allows you to connect to your Prisma Cloud CWPP instance and ingesting alerts into Microsoft Sentinel. The data connector is built on Microsoft Sentinel’s Codeless Connector Platform and uses the Prisma Cloud API to fetch security events and supports DCR-based [ingestion time transformations](https://docs.microsoft.com/azure/azure-monitor/logs/custom-logs-overview) that parses the received security event data into a custom columns so that queries don't need to parse it again, thus resulting in better performance.",
+ "graphQueriesTableName": "PrismaCloudCompute_CL",
+ "graphQueries": [
+ {
+ "metricName": "Total events received",
+ "legend": "Prisma Compute Events",
+ "baseQuery": "{{graphQueriesTableName}}"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "Get Sample of Prisma Compute Events",
+ "query": "{{graphQueriesTableName}}\n | take 10"
+ },
+ {
+ "description": "Total Events by Event Type",
+ "query": "{{graphQueriesTableName}}\n | summarize count() by EventOriginalType"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "{{graphQueriesTableName}}",
+ "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriteria": [
+ {
+ "type": "HasDataConnectors"
+ }
+ ],
+ "availability": {
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "Read and Write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "Read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "name": "PrismaCloudCompute API Key",
+ "description": "A Prisma Cloud Compute CWPP Monitor API username and password is required. [See the documentation to learn more about PrismaCloudCompute SIEM API](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PrismaCloudCompute/Data%20Connectors/readme.md)."
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "description": "To enable the Prisma Cloud Compute CWPP Security Events for Microsoft Sentinel, provide the required information below and click on Connect.\n>",
+ "instructions": [
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "Path to console",
+ "placeholder": "https://europe-west3.cloud.twistlock.com/{sasid}",
+ "type": "text",
+ "name": "domainname"
+ }
+ },
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "Prisma Access Key (API)",
+ "placeholder": "Prisma Access Key (API)",
+ "type": "text",
+ "name": "username"
+ }
+ },
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "Secret",
+ "placeholder": "Secret",
+ "type": "password",
+ "name": "password"
+ }
+ },
+ {
+ "parameters": {
+ "label": "toggle",
+ "name": "toggle"
+ },
+ "type": "ConnectionToggleButton"
+ }
+ ],
+ "title": "Connect Prisma Cloud Compute CWPP Security Events to Microsoft Sentinel"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
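Review bot: The second sample query in connectorDefinition.json summarizes by `EventOriginalType`, a column that neither the DCR output stream nor the `PrismaCloudCompute_CL` schema in table.json defines, so the query offered to analysts cannot return the breakdown its description promises. Grouping by a column this connector does populate, for example `"query": "{{graphQueriesTableName}}\n | summarize count() by Category"`, would match the "Total Events by Event Type" description. The `customs` entry is also named "PrismaCloudCompute API Key" while its description asks for a username and password and the form labels them "Prisma Access Key (API)" and "Secret"; one consistent name would reduce the chance of the wrong credential being entered. The workspace permission block sets `"delete": true` although its display text says only read and write are required, so one of the two should be corrected.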
diff --git a/Solutions/PrismaCloudCompute/Data Connectors/dataConnector1.json b/Solutions/PrismaCloudCompute/Data Connectors/dataConnector1.json
new file mode 100644
index 00000000000..ed42927fbca
--- /dev/null
+++ b/Solutions/PrismaCloudCompute/Data Connectors/dataConnector1.json
@@ -0,0 +1,48 @@
+{
+ "type": "Microsoft.SecurityInsights/dataConnectors",
+ "apiVersion": "2022-10-01-preview",
+ "name": "apiRequest",
+ "kind": "RestApiPoller",
+ "properties": {
+ "connectorDefinitionName": "connectorDefinitionName",
+ "dataType": "PrismaCloudCompute_CL",
+ "dcrConfig": {
+ "streamName": "Custom-PrismaCloudCompute_IncidentsApi",
+ "dataCollectionEndpoint": "data collection Endpoint",
+ "dataCollectionRuleImmutableId": "data collection rule immutableId"
+ },
+ "auth": {
+ "type": "Basic",
+ "userName": "[[parameters('username')]",
+ "password" : "[[parameters('password')]"
+ },
+ "request": {
+ "apiEndpoint": "[[concat(parameters('domainname'),'/api/v1/audits/incidents','?acknowledged=false')]",
+ "rateLimitQPS": 10,
+ "queryWindowInMin": 5,
+ "httpMethod": "Get",
+ "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ",
+ "startTimeAttributeName": "from",
+ "endTimeAttributeName": "to",
+ "retryCount": 3,
+ "timeoutInSeconds": 60,
+ "headers": {
+ "Accept": "application/json",
+ "User-Agent": "Scuba"
+ },
+ "queryParameters": {
+ "sort": "time"
+ }
+ },
+ "paging": {
+ "pagingType": "Offset",
+ "offsetParaName": "offset",
+ "pageSizeParaName": "limit"
+ },
+ "response": {
+ "eventsJsonPaths": [
+ "$"
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/Solutions/PrismaCloudCompute/Data Connectors/table.json b/Solutions/PrismaCloudCompute/Data Connectors/table.json
new file mode 100644
index 00000000000..4cb576cc3c3
--- /dev/null
+++ b/Solutions/PrismaCloudCompute/Data Connectors/table.json
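Review bot: The `apiEndpoint` in dataConnector1.json hard-codes `?acknowledged=false`, so an incident that is acknowledged in the Prisma console before the poller queries its 5-minute window is never ingested and the Sentinel table is not a complete record of incidents. If a full audit trail is intended, drop the filter and let analytics rules filter on the `Acknowledged` column, i.e. `"apiEndpoint": "[[concat(parameters('domainname'),'/api/v1/audits/incidents')]"`. Embedding a query string in the endpoint while `queryParameters`, the `from`/`to` attributes and the paging parameters are also appended may yield a malformed URL depending on how the poller joins them, so any fixed filter is safer under `queryParameters`. The Basic credentials are sent to whatever `domainname` the user types, so the connector form should state that the console path must be an `https://` URL.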
@@ -0,0 +1,104 @@
+{
+ "name": "PrismaCloudCompute_CL",
+ "type": "Microsoft.OperationalInsights/workspaces/tables",
+ "apiVersion": "2021-03-01-privatepreview",
+ "tags": {},
+ "properties": {
+ "schema": {
+ "name": "PrismaCloudCompute_CL",
+ "columns": [
+ {
+ "name": "PrismaId",
+ "type": "string",
+ "description": "_id value."
+ },
+ {
+ "name": "TimeGenerated",
+ "type": "datetime",
+ "isDefaultDisplay": true,
+ "description": "The timestamp (UTC) reflecting the time in which the event was generated."
+ },
+ {
+ "name": "FQDN",
+ "type": "string",
+ "description": "Fqdn."
+ },
+ {
+ "name": "ContainerName",
+ "type": "string",
+ "description": "Container Name."
+ },
+ {
+ "name": "ContainerID",
+ "type": "string",
+ "description": "Container Id."
+ },
+ {
+ "name": "ImageID",
+ "type": "string",
+ "description": "Image Id."
+ },
+ {
+ "name": "ProfileID",
+ "type": "string",
+ "description": "Profile Id."
+ },
+ {
+ "name": "AccountID",
+ "type": "string",
+ "description": "Account Id."
+ },
+ {
+ "name": "SerialNumber",
+ "type": "int",
+ "description": "Serial Number."
+ },
+ {
+ "name": "Acknowledged",
+ "type": "boolean",
+ "description": "Acknowledged or not."
+ },
+ {
+ "name": "Category",
+ "type": "string",
+ "description": "Describes the type of attack."
+ },
+ {
+ "name": "ResourceType",
+ "type": "string",
+ "description": "The Type of resource."
+ },
+ {
+ "name": "Audits",
+ "type": "dynamic",
+ "description": "The audit information."
+ },
+ {
+ "name": "Collections",
+ "type": "dynamic",
+ "description": "The collection of resources."
+ },
+ {
+ "name": "Hostname",
+ "type": "string",
+ "description": "Name of the node initiated the alert."
+ },
+ {
+ "name": "Cluster",
+ "type": "string",
+ "description": "Name of the cluster the node belongs"
+ },
+ {
+ "name": "ImageName",
+ "type": "string",
+ "description": "Name of the image involved for the alert"
+ },
+ {
+ "name": "Namespace",
+ "type": "string",
+ "description": "This is the grouping of the nodes in a cluster."
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/Solutions/PrismaCloudCompute/Package/3.0.0.zip b/Solutions/PrismaCloudCompute/Package/3.0.0.zip new file mode 100644 index 0000000000000000000000000000000000000000..cc39bab780853b6e04c3726e2d3ee7bccd3b8e1a GIT binary patch literal 8185 zcmZ{pRZtuNv!#ci!QI`1I|O%kcXt@vEf6fYySux)YhV)G-C=O|n}7G#)>iG_?uV}K zs_xg*bv|V|NGMDI000MQa+lSzyKsV1g8=~S(EtFPe^WCT3lldB4I6O_OB)9pHycL> zCRU{MZ28_ zAFr|VUFXdkVg6qkZoKOLYzRExopVP+Z<%z4Wy4xAXzS^1>m;hvID@c^M35&(-^^@C z72OTDOk4=_hRak;wiWxSGw`>uH@n*dOOyxUYj)F0nsQSl*JccM%i z|CK5#Tb}7&*3A8}wffHp}(%eG}NjT3AwWGUogI4WagF6SU1FzTIkKm7&uFLsMa_Q6>dl(wt%GMq z$I&0bTc_$ql{pRmj+e331!Xox{XB8mfFXTJ@R(T;-iF$O}purP2t_v0s7Ir$&n#uMmoVvQ{ zu9PCe4(0tVnXFthZ``cpbfd`vCfUXHx_{OFj*cc%7(9J}Mr)8P$$BVH@* z3lW(^yqKa*Qj$ln@-z45!kpjrfD}`Wa^%bkb^>@WS_lACK(7aj?j!5 z&v}XfLc>QY?H|h@i&PmV*TR{bGAhhL(OB(E!ez+!djM^s4FT>y} zP*5}I;pe=56a^F+?z!06M7YfvZ*RPlmTxQOYfD>m%|O<2L;G90>42Xv$JXXhey%Ea zNLVSXXwAP>|KN!1GFTEV>bt`Ps^V~uczJ)+B9&aGY+$pjuQ68dxhCb|{N$a)XAG}v zPSqNeKzr(F#heA&w=R3&iOJHmA?nLJY_{+BR=W24q2sDbm0>pqIhZq8B2O zrxmFI^Ab|B5{@wqUhjMPVIZo#)6|Ii!cp3t?(x4h{-K|6$J`9>@R)mCxSHu(HC*A!h2PIz)K~yIMmt|Otue~|qX{*8 zJC-Rn2KF><{H7HEalX|QiT3QikEPn>m(Vy0_LGS}XZ5~BZN2Mz5vt_CqK6szO0m!f z$EP?)dim?P5;LQ0c3(__nV0;G$C40n&TZ?H@M5x#-a@=~EB9lo#7z>};4Y{~>cy7E zK-X`w(z#yBwL5k8SN`KA_qEV^!El#(J9Uqu>%8@*hMy2WE_K(dHQv0#oEj!ny@+h* z0{T6irc)0l4DgBh=o=Zs8w$I-sB7%9`t2af$mm;XQ#ZTcI{;{ki}=SFRp%BBS-g|; z$Q)VQuC?{gxA%@u0_FdsL$scqc{}e74s73-u<=lA(!pK}WpSP~qC3ZHfeK~@v(cHagT>LFr4DJL5z7jk> zUZfF*W8T+deY4@#YgQvQs2kpK;vobfhBx(nzV?wJFP6>gm~FM@lG;r#hY4m(?{lkd zA%n3Vocl{39GyeT6pv~C9D`>jPL7h2{!r7DvEw*)UqNhkjed+a;pKja4sB!DWxMT! 
zKGZN0BYqutFb&$H9^{Cofc-%fdVP58Rr%ttH4>F^zB*N_nrvLE zD9-hDdhsm2Al=k68ksj89A4>@Q381-EK8n!T1PT$DRRG(O;ap zK7KJ9$SUd2aPS|L4i&uxvi$-@v7% z%*eYL9I9ju6Ev`FF_JUk;1QbKMe?Xf4^fF}`Hdt3d`TrRo4kr9A_irBroAhNVsCB` zyt;_ujNBtM|I+*~+=I^p_Bfi1zcja1h4(K^}v z?i@zSRAFtCKi|B?(k=BSEOwN(??Y|=K*RdIcwUZtdC@|=+%eDB1e_cGL2cRo@xH$K z$kTU=wZ$8?!W+F^;wBo&>{96PoXhV?Nw?d-%J`-hr+p&{-sQ+J?kH25&%?MsHKz#M z?~l*UBntxPgp2fJS>aL*$$s|s%b}xE`IV(4IM_@H&AdnoVd>_`nVDX2x#{MhS)}x5 zFL2sY*4LOgP}rj8U0d(+Ce835kH6yn#_~^2vVSjdR$=(PyVx3;qYFl5&Z-wN**du@ zNXj(v-J#PkS_-tj$X$%PE4xk8l#wdYgm83DG66PP8Ui&)Poz)mF+x2<2=v@ial0aI zpnKuhAHw#V2a1xU;!237afo{9Uw3Z_%28mU5J0gFx_5uT<5|`GS zz2BGcS-!u{bXE|JQa1HePIp9vL#71~VA3%A2L%5(sD}O7D6m7@M{=xql=>b>V5Qfd zE&oxXKG!^cm(5k%z_67f^;;qmV?x?nNWsWy-sjt88ntf8pheIs)jC%T$vl&%8aKSx z^1L9~IRQG{F4N83Jl8g#U;ci5K>KdX247VQQ%>Zq&zuG4{B6bYV?eoYiLu5)580;e zUpouy?W&&z>I$gkU%Hk`O{HZe>U@rEi@al&O>RSWPxiFt)uCe~i8_2w2}Jdzo& z<7zkI)lwCdb^c^b*`E!=bAc5XG&(yM7IaclJ-d|AQVjRq&LU6(HLhYaTPbRKA=t1? z+G*xRCc#z3Jqw$)GSG(ujVTl*zl&>%5*=2`8!eWCu)QNFs^yGi4Gv55!qLWz)85k< zdG30y7^T|}Z9SCQns23@^p=~ckmkN1H5Dw=pNkXntomU0yR_F1`8~8b7FhfpuFVfl zMa9?rq4MpxlB3I`Y_V}Q+gc^~)a*6?@wDqlpHBh9a+IVTF>fEbA|Aj;reEPY4LWB1A|v`OIN{uT zM?eC_1hGtH;_)is2Sx$8Mn4~qR1+jD1)tM1$-16Zzuej$hWs;5w*@DipajdP>YtE8 z33>jo!Ti#R&-Xu{svuaL+Z03+^(wgwU#6jPocA$IHD`XU{3NAsh{h2aO_CflsBl{Y zPZCY$1SQA2Z`0-`YT&{wb6O`_Nxx`qb6Ct5wCds&%Ju>=xz{?U?1MfGp?w7QXiLNP zLUt*J#IJt2A%2jMRL)Z;EqFZWkq>Zu+Js!#GAUqm!~=bdbe`MpWfa=Ng5ev%Ljq>0 zy_*sGIGF>oZ(}iVVh@wl1L=MEYCKC(0<0R8!U$9C=)(G{!>G@0iY=jDSSwlgo{eT` zQueVYVx$cSs~fuL`Vf-CD(XhzQxC~bycWK0`>_F?{txeikP!cGi0 zxa?cHc^e8R!iCKY(Vc(bCf@w*mlAu}JE|}9Yg46Ne5n4_pT24f<``udtQW1QB){w+ zEThybEs}~T90mLQ)gXAnL>MZNiO(ARy1x8^OKQHnRS$dpaxInJGAv5!=||7M73Ej~zQOUBc`hVLKzPVe;P(~b2SNLv;q;T= zu{lfU=9iqSR4-|2Y3Z!nUwthRC$`K~E-kE0i!d_dssX_Ce5>cuaa^rUJ4u8dXFn9p zg)-PP%5b{?YNh82{S+=*j~b8dhw>vyg6mq<)Fz(2Ho#QMo8^yDl&-*VfDtZ|^jOib zyfNN@eDw0g9%+Z<1Z0!1okx7hPE1C2CCsc84Z7%5{~OeilR6$<+X3#}+78dDPJP4Q zQH%j2Zrp5&^J04`eq$Vw2yv*bm%rHu=^|RCvH=s!uIq`Q$5Eco9>}A0kfDvaJZ`xn 
zxOtm8-v3ZPQf?~>yi@A4TzD%qq9Qoc_}wdck*p4c@pCXbj9qyaC7+!a zrAWpyS{r}&p^p1o=kKatHp$@!4~pixQ}v_R=W%mH>-J?)H%2g}$c@lFc%>H(5&A=U zl*&qU*h{OP)9Uie>~m`2^u`bx1pf@bV16p9W7@P{4USA59dg84o;F8=D$A{mpWerc zlBOQA1|)a(DlUnYkifzKjG0+q4NsJMQhuBfQ!)eAZdOb&F|_K=d^p(cBy}?v=nNGV z--DW;f_0LBG1?g)nPmA$RB{pgR51i_=%eT=VH{5zs*F6f(+iiE1Ko@FAs(Az5E&#^ zF){vg{WjZ zUP6^Fm3=Iz2%>kafFemPo0m4~kf{?_|I32MYug(zh-jQ-tCxJ;5ngVW3m`edWZ`iy zT1v?vv52%3B)5E(I54EiTJZ%{`0>wADP}#EEyQl16u=<_te~P1$p9C3}H`sHUvzUq50!78jxO6iQIc zQvWTXL`3^qla1~Miz639na>1AYhRr0N)P8C@xd%Z`~hJp!2Nnrb8-xrvDxn0 z-&hwg2ceNL0ZHJO4uz+KT%*^><#vgX|1ePrz=Al}(7wvU4z;k${0VZ65jBl{q zm2nG5`K_^CJdx`L%h&LZu6{p=zI8~?c0vfj6;9*kor+mfoW)bX*F$3eG;+>iQKX6@ zVmsTvk5r^k+GvE0jpoU5ns-uCP8OmRFn{=N6MvNNm7b82CgwAqtskBY9ln4%a0vPT-wi=AeH>9zzG5i#rNTW37U)Z$Q-o{U$^@r=7TsTjbtlZOc$ zoj;w<0U@ zZudVo!h}VpKki2c%;zXMHPhT`UV&TPwgELV`(2tJAw>%~bn9OJsmAYkupvk!3Pl)b zTZv#h*B7WD^CW*o`#hybnL5cnKakltnC?8&haUBny4%~icmaM*SnSX7c(De5?gyI_ zH<`>?DCG#fWRqWkak*TAP!dQ81B($p)bF>WmMmlxwGQytB8HoUDV}qK@!3PdCC}Fa zWvh}}^^(z4^{k{T?L*3VKBmhJH4I&cK^7gGTBOUoZ&D&yi1S`}#(yK!|1vU*B$+~& z@TYe;v$U3d7m#NA8M{-IPyYj+ukxDq)sjp*#BdyadxD6zYL2M4R2*i~{zq_ZZ=ax$ zB$^@o$b-KO9y)D8Z|N66P zHACU8Tkyaw#KS=4?ZtOM*Y*;?>hpDbH7fS#9kNaWt%&$4`v*xiA9tK2Bsks`GW+B* z*!i~h=!wsKL-^?N)tDrH<76tp_~HDb+HfxrTKI_6^Ob%Lnc|dW;ZBG9Xi@S5YKHrO zM0@$hVMuAcSSUE2-|>TyAn3r|;7xz;kxaeA=VGt3L5(-`r)%kHUHHL|e$!~h(PI*t zt0c3c>v4CT!IPU!|dg5$JMbvf#uoJ@}soTU{%lJtm>Uf+t@pWbxK_ zVw2Uvoig}SsKRAlnlA4hhHu&6@{#Y+qR*qD*V8D=QwTec{PuHnZd*Rpma5|c4*^IUi>3qBaGfV#G>YqQw;O= z1XbfKKWj+`um(+zVFrC@Bzr2ScYH<@U>kn?o@(>P+xrNOpWE^H=9djBH!0W?_+$N< z!OAS3-8fo~+5jqtnAPFC)U|H6fN#|)1iUg3+B;DiyxI001<9Q4$~c_RE*|GA-xgoF zNzsI6LvzLJ4XpUsj^X{9L&(vO+6B;pYR5<l&TEV2_6JekL=n=LFe75ROqrWTVN z=16*(cWb3;6x9$KHC`=;b~-$eh5bKWIx}0!7Sss~1Vn^6l+yA|9>T2s^c1-&R1n>R z8_imgix`7fWfwB64HQHH<>yS_v*(YQ=VFgchS$bjpGtSk90Y&!y*CE`z$)a6nSOd% z;NN(VcCtHI|5co)iYb$Z#I(8HKN8e*&sKAQh+fZage1z|Y}9bxx$HhepP?z+5Dqa*{$_+JPYL0?R3a+2?jpLL_P|nJLjUru zvW>Cxey*8Uq;ziNKaSFqy-2$|9SAbSGVQ_Knf2@kWCv 
zOs6i@jjL`}m~Zxix8Atz@Xg{9+h*zNnxOJ8U`2*k&nJ$`f06A1zxis7-gPTZA_$`* zcXFBH1D?FYv(D^`Wviqt)r$Z2k5y-Ivv2EbZU}3pzcRL^MC+?I}`^I4^8KNtdjmgY)4b zP?)KbB>|3Fv<&P>wndxjuG#;c%nxs?r#EPB@8+fTIJ`gr14ZiD?hqqW3bf*@5qU+L z*qSql0W~5mY;GuxDI!tbi=_G|?}}s{=&=qEo#^Q2P6ibQN81K?omQOp6Ys> z}s-W|@)J?6qp3kbmcI(55^1tIZ_ zve8;^*E_flgT{W>5?~tx#&T%(qe>(!c!mt0sM5k%>It~sjkpvlxa(`VRqyvkv{ z@MAVjHC)n@?39FBCJ)k!3JG1MC7&t`cWuWVArM>yLZ>kgrB6fl@`VQ>ybcSslsUx! z+c*dHU}z`9xPRV0Sni>9z=B8>Yxpz)XTH6)G*ez5;G`wicYqQQRm^s8fEUWX5r5~s? z5ik2*zQR-v91v#A9EtKD^yws%R8UyQ?w&(hyopUILsw%*}AgDZJt3$4YIi0!rY;O9t zEc=g1z0U`)`P0Ol&JB)FM9I&ih^VZMw#@*oCH0uWlR zDoh*0>Tf52^Mma9XfETO@M3MK#JxOzIKLacKw4n{7szj~)}GuM@=|bx``Z0Twa$c% z)xcldtuQHXcTF6F8;$Qaq_IX;8Gt1l5MjyrZhio5 zF4NMfYcQ8=Vhid!dez()5DrE>;`CS)IS!?#^}St*!~z<+WLNKoXUbb<{+n((v0Vq>38wx5%2JsG7^+uxn!)Tw z8P#750+i2`&m0{`6q#2d*HVqMx(^`n1&?hv`>G)iw}1d|MA1jLQJVwIKcaO!IrS@6 zj5ZFOd6sHh&Cw%)^IkmPn13(5RH@Qv_LEF!76h_spg0`Q7ijSYPLh4;Xwi-4;RKbe zhGlb&sRr!xk$v8MD$7B9!36xzfc+oa06+jp|5N_O|A5>7?<4;|I`W^@|9#}wKX(8B Xuo7iC=zn7X;LE=Z`B#ld{?q*zj_2?C literal 0 HcmV?d00001 diff --git a/Solutions/PrismaCloudCompute/Package/createUiDefinition.json b/Solutions/PrismaCloudCompute/Package/createUiDefinition.json index ba9b08256d7..e615940f2b8 100644 --- a/Solutions/PrismaCloudCompute/Package/createUiDefinition.json +++ b/Solutions/PrismaCloudCompute/Package/createUiDefinition.json 
@@ -60,7 +60,7 @@ "name": "dataconnectors1-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "The Prisma Cloud Compute CWPP data connector allows you to connect to your Prisma Cloud CWPP instance and ingesting alerts into Microsoft Sentinel. The data connector is built on Microsoft Sentinel's Codeless Connector Platform and uses the Prisma Cloud API to fetch security events and supports DCR-based [ingestion time transformations](https://docs.microsoft.com/azure/azure-monitor/logs/custom-logs-overview) that parses the received security event data into a custom columns so that queries don't need to parse it again, thus resulting in better performance." + "text": "This Solution installs the data connector for PrismaCloudCompute. You can get PrismaCloudCompute custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." } }, { diff --git a/Solutions/PrismaCloudCompute/Package/mainTemplate.json b/Solutions/PrismaCloudCompute/Package/mainTemplate.json index 0919215b3db..ade7a0e0647 100644 --- a/Solutions/PrismaCloudCompute/Package/mainTemplate.json +++ b/Solutions/PrismaCloudCompute/Package/mainTemplate.json 
@@ -1,866 +1,815 @@ { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "location": { - "defaultValue": "[resourceGroup().location]", - "minLength": 1, - "type": "string", - "metadata": { - "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" - } - }, - "workspace-location": { - "defaultValue": "", - "type": "string", - "metadata": { - "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" - } - }, - "subscription": { - "defaultValue": "[last(split(subscription().id, '/'))]", - "type": "string", - "metadata": { - "description": "subscription id where Microsoft Sentinel is setup" - } - }, - "resourceGroupName": { - "defaultValue": "[resourceGroup().name]", - "type": "string", - "metadata": { - "description": "resource group name where Microsoft Sentinel is setup" - } + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string", + "minLength": 1, + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. 
We instead use the `workspace-location` which is derived from the LA workspace" + } + }, + "workspace-location": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" + } + }, + "subscription": { + "defaultValue": "[last(split(subscription().id, '/'))]", + "type": "string", + "metadata": { + "description": "subscription id where Microsoft Sentinel is setup" + } + }, + "resourceGroupName": { + "defaultValue": "[resourceGroup().name]", + "type": "string", + "metadata": { + "description": "resource group name where Microsoft Sentinel is setup" + } + }, + "workspace": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" + } + } }, - "workspace": { - "defaultValue": "", - "type": "string", - "metadata": { - "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" - } - } - }, - "variables": { - "solutionId": "azuresentinel.azure-sentinel-solution-prismacloudcompute-preview", - "_solutionId": "[variables('solutionId')]", - "dataCollectionRuleImmutableId": "data collection rule immutableId", - "_dataCollectionRuleImmutableId": "[variables('dataCollectionRuleImmutableId')]", - "dataCollectionEndpointId": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]", - "_dataCollectionEndpointId": "[variables('dataCollectionEndpointId')]", - "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", - "uiConfigId1": "PrismaCloudComputeNativePoller", - "_uiConfigId1": "[variables('uiConfigId1')]", - "dataConnectorContentId1": "PrismaCloudComputeNativePoller", - "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", - "dataConnectorId1": 
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentId1'))]", - "_dataConnectorId1": "[variables('dataConnectorId1')]", - "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1')))]", - "dataConnectorVersion1": "1.0.0", - "dataConnectorContentId2": "PrismaCloudComputeIncidentsPoller", - "_dataConnectorContentId2": "[variables('dataConnectorContentId2')]", - "dataConnectorId2": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", - "_dataConnectorId2": "[variables('dataConnectorId2')]", - "dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2')))]", - "dataConnectorVersion2": "1.0.0", - "logAnalyticsTableId1": "PrismaCloudCompute_CL", - "streamName1": "Custom-PrismaCloudCompute_IncidentsApi", - "dataCollectionRuleId": "PrismaCloudComputeDCR" - }, - "resources": [ - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('dataConnectorTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "DataConnector" - }, - "properties": { - "description": "PrismaCloudCompute data connector with template", - "displayName": "PrismaCloudCompute template" - } + "variables": { + "email": "support@microsoft.com", + "_email": "[variables('email')]", + "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", + "_solutionName": "PrismaCloudCompute", + "_solutionVersion": "3.0.0", + "_solutionAuthor": "Microsoft", + "_packageIcon": "icon icon icon icon", + 
"_solutionId": "azuresentinel.azure-sentinel-solution-prismacloudcompute", + "dataConnectorVersionConnectorDefinition": "1.0.0", + "dataConnectorVersionConnections": "1.0.0", + "_dataConnectorContentIdConnectorDefinition": "PrismaCloudComputeTemplateNameConnectorDefinition", + "dataConnectorTemplateNameConnectorDefinition": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnectorDefinition')))]", + "_dataConnectorContentIdConnections": "PrismaCloudComputeTemplateNameConnections", + "dataConnectorTemplateNameConnections": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnections')))]", + "_logAnalyticsTableId1": "PrismaCloudCompute_CL" }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('dataConnectorTemplateSpecName1'),'/',variables('dataConnectorVersion1'))]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName1'))]" - ], - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "DataConnector" - }, - "properties": { - "description": "PrismaCloudCompute data connector with template version 2.0.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion1')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2022-09-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions", - "location": "[parameters('workspace-location')]", - "kind": "Customizable", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId1')]", - "title": "Prisma Cloud 
Compute CWPP (using REST API)", - "publisher": "Microsoft", - "descriptionMarkdown": "The [Prisma Cloud Compute CWPP](https://prisma.pan.dev/api/cloud/cwpp/audits/#operation/get-audits-incidents) data connector allows you to connect to your Prisma Cloud CWPP instance and ingesting alerts into Microsoft Sentinel. The data connector is built on Microsoft Sentinel’s Codeless Connector Platform and uses the Prisma Cloud API to fetch security events and supports DCR-based [ingestion time transformations](https://docs.microsoft.com/azure/azure-monitor/logs/custom-logs-overview) that parses the received security event data into a custom columns so that queries don't need to parse it again, thus resulting in better performance.", - "graphQueriesTableName": "PrismaCloudCompute_CL", - "graphQueries": [ - { - "metricName": "Total events received", - "legend": "Prisma Compute Events", - "baseQuery": "{{graphQueriesTableName}}" - } - ], - "sampleQueries": [ - { - "description": "Get Sample of Prisma Compute Events", - "query": "{{graphQueriesTableName}}\n | take 10" - }, - { - "description": "Total Events by Event Type", - "query": "{{graphQueriesTableName}}\n | summarize count() by EventOriginalType" - } - ], - "dataTypes": [ - { - "name": "{{graphQueriesTableName}}", - "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriteria": [ - { - "type": "HasDataConnectors" - } - ], - "availability": { - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "Read and Write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "Read permissions to shared keys for the 
workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "name": "PrismaCloudCompute API Key", - "description": "A Prisma Cloud Compute CWPP Monitor API username and password is required. [See the documentation to learn more about PrismaCloudCompute SIEM API](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PrismaCloudCompute/Data%20Connectors/readme.md)." - } - ] - }, - "instructionSteps": [ - { - "description": "To enable the Prisma Cloud Compute CWPP Security Events for Microsoft Sentinel, provide the required information below and click on Connect.\n>", - "instructions": [ + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnectorDefinition'), variables('dataConnectorVersionConnectorDefinition'))]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "contentId": "[variables('_dataConnectorContentIdConnectorDefinition')]", + "displayName": "[variables('_solutionName')]", + "contentKind": "DataConnector", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorVersionConnectorDefinition')]", + "parameters": {}, + "variables": {}, + "resources": [ { - "type": "Textbox", - "parameters": { - "label": "Path to console", - "placeholder": 
"https://europe-west3.cloud.twistlock.com/{sasid}", - "type": "text", - "name": "domainname" - } + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition')))]", + "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition'))]", + "contentId": "[variables('_dataConnectorContentIdConnectorDefinition')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersionConnectorDefinition')]", + "source": { + "sourceId": "[variables('_solutionId')]", + "name": "[variables('_solutionName')]", + "kind": "Solution" + }, + "author": { + "name": "[variables('_solutionAuthor')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com/" + }, + "dependencies": { + "criteria": [ + { + "version": "[variables('dataConnectorVersionConnections')]", + "contentId": "[variables('_dataConnectorContentIdConnections')]", + "kind": "ResourcesDataConnector" + } + ] + } + } }, { - "type": "Textbox", - "parameters": { - "label": "Prisma Access Key (API)", - "placeholder": "Prisma Access Key (API)", - "type": "text", - "name": "username" - } + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition'))]", + "apiVersion": "2022-09-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions", + "location": "[parameters('workspace-location')]", + "kind": "Customizable", + "properties": { + "connectorUiConfig": { + "title": "Prisma Cloud Compute CWPP (using REST API)", + "publisher": "Microsoft", + 
"descriptionMarkdown": "The [Prisma Cloud Compute CWPP](https://prisma.pan.dev/api/cloud/cwpp/audits/#operation/get-audits-incidents) data connector allows you to connect to your Prisma Cloud CWPP instance and ingesting alerts into Microsoft Sentinel. The data connector is built on Microsoft Sentinel’s Codeless Connector Platform and uses the Prisma Cloud API to fetch security events and supports DCR-based [ingestion time transformations](https://docs.microsoft.com/azure/azure-monitor/logs/custom-logs-overview) that parses the received security event data into a custom columns so that queries don't need to parse it again, thus resulting in better performance.", + "graphQueriesTableName": "PrismaCloudCompute_CL", + "graphQueries": [ + { + "metricName": "Total events received", + "legend": "Prisma Compute Events", + "baseQuery": "{{graphQueriesTableName}}" + } + ], + "sampleQueries": [ + { + "description": "Get Sample of Prisma Compute Events", + "query": "{{graphQueriesTableName}}\n | take 10" + }, + { + "description": "Total Events by Event Type", + "query": "{{graphQueriesTableName}}\n | summarize count() by EventOriginalType" + } + ], + "dataTypes": [ + { + "name": "{{graphQueriesTableName}}", + "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriteria": [ + { + "type": "HasDataConnectors" + } + ], + "availability": { + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "Read and Write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "Read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "PrismaCloudCompute API Key", + "description": "A Prisma Cloud Compute CWPP Monitor API username and password is required. [See the documentation to learn more about PrismaCloudCompute SIEM API](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PrismaCloudCompute/Data%20Connectors/readme.md)." + } + ] + }, + "instructionSteps": [ + { + "description": "To enable the Prisma Cloud Compute CWPP Security Events for Microsoft Sentinel, provide the required information below and click on Connect.\n>", + "instructions": [ + { + "type": "Textbox", + "parameters": { + "label": "Path to console", + "placeholder": "https://europe-west3.cloud.twistlock.com/{sasid}", + "type": "text", + "name": "domainname" + } + }, + { + "type": "Textbox", + "parameters": { + "label": "Prisma Access Key (API)", + "placeholder": "Prisma Access Key (API)", + "type": "text", + "name": "username" + } + }, + { + "type": "Textbox", + "parameters": { + "label": "Secret", + "placeholder": "Secret", + "type": "password", + "name": "password" + } + }, + { + "parameters": { + "label": "toggle", + "name": "toggle" + }, + "type": "ConnectionToggleButton" + } + ], + "title": "Connect Prisma Cloud Compute CWPP Security Events to Microsoft Sentinel" + } + ] + } + } }, { - "type": "Textbox", - "parameters": { - "label": "Secret", - "placeholder": "Secret", - "type": "password", - "name": "password" - } + "name": "PrismaCloudComputeDCR", + "apiVersion": "2021-09-01-preview", + "type": "Microsoft.Insights/dataCollectionRules", + "location": "[parameters('workspace-location')]", + "kind": null, + "properties": { + "streamDeclarations": { + "Custom-PrismaCloudCompute_IncidentsApi": { + "columns": [ + { + 
"name": "_id", + "type": "string", + "description": "_id value." + }, + { + "name": "time", + "type": "datetime", + "description": "The time at which the data was generated" + }, + { + "name": "fqdn", + "type": "string", + "description": "Fqdn." + }, + { + "name": "containerName", + "type": "string", + "description": "Container Name." + }, + { + "name": "containerID", + "type": "string", + "description": "Container Id." + }, + { + "name": "imageID", + "type": "string", + "description": "Image Id." + }, + { + "name": "profileID", + "type": "string", + "description": "Profile Id." + }, + { + "name": "accountID", + "type": "string", + "description": "Account Id." + }, + { + "name": "serialNum", + "type": "int", + "description": "Serial Number of event." + }, + { + "name": "acknowledged", + "type": "boolean", + "description": "Acknowledged or not." + }, + { + "name": "category", + "type": "string", + "description": "Describes the type of attack." + }, + { + "name": "type", + "type": "string", + "description": "The Type of resource." + }, + { + "name": "audits", + "type": "dynamic", + "description": "The audit information." + }, + { + "name": "collections", + "type": "dynamic", + "description": "The collection of resources." + }, + { + "name": "hostname", + "type": "string", + "description": "Name of the node initiated the alert." + }, + { + "name": "cluster", + "type": "string", + "description": "Name of the cluster the node belongs" + }, + { + "name": "imageName", + "type": "string", + "description": "Name of the image involved for the alert" + }, + { + "name": "namespace", + "type": "string", + "description": "This is the grouping of the nodes in a cluster." 
+ } + ] + } + }, + "destinations": { + "logAnalytics": [ + { + "workspaceResourceId": "[variables('workspaceResourceId')]", + "name": "clv2ws1" + } + ] + }, + "dataFlows": [ + { + "streams": [ + "Custom-PrismaCloudCompute_IncidentsApi" + ], + "destinations": [ + "clv2ws1" + ], + "transformKql": "source \r\n| project-rename \r\n TimeGenerated = ['time'], PrismaId = _id, SerialNumber = serialNum, Acknowledged = acknowledged, Hostname = hostname, FQDN = fqdn, ContainerName = containerName, ContainerID = containerID, ImageName = imageName, ImageID = imageID, ProfileID = profileID, Namespace = namespace, Category = category, ResourceType = type, Audits = audits, Collections = collections, AccountID = accountID, Cluster = cluster", + "outputStream": "Custom-PrismaCloudCompute_CL" + } + ], + "dataCollectionEndpointId": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]" + } }, { - "parameters": { - "label": "toggle", - "name": "toggle" - }, - "type": "ConnectionToggleButton" + "name": "[variables('_logAnalyticsTableId1')]", + "apiVersion": "2021-03-01-privatepreview", + "type": "Microsoft.OperationalInsights/workspaces/tables", + "location": "[parameters('workspace-location')]", + "kind": null, + "properties": { + "schema": { + "name": "[variables('_logAnalyticsTableId1')]", + "columns": [ + { + "name": "PrismaId", + "type": "string", + "description": "_id value." + }, + { + "name": "TimeGenerated", + "type": "datetime", + "isDefaultDisplay": true, + "description": "The timestamp (UTC) reflecting the time in which the event was generated." + }, + { + "name": "FQDN", + "type": "string", + "description": "Fqdn." + }, + { + "name": "ContainerName", + "type": "string", + "description": "Container Name." + }, + { + "name": "ContainerID", + "type": "string", + "description": "Container Id." 
+ }, + { + "name": "ImageID", + "type": "string", + "description": "Image Id." + }, + { + "name": "ProfileID", + "type": "string", + "description": "Profile Id." + }, + { + "name": "AccountID", + "type": "string", + "description": "Account Id." + }, + { + "name": "SerialNumber", + "type": "int", + "description": "Serial Number." + }, + { + "name": "Acknowledged", + "type": "boolean", + "description": "Acknowledged or not." + }, + { + "name": "Category", + "type": "string", + "description": "Describes the type of attack." + }, + { + "name": "ResourceType", + "type": "string", + "description": "The Type of resource." + }, + { + "name": "Audits", + "type": "dynamic", + "description": "The audit information." + }, + { + "name": "Collections", + "type": "dynamic", + "description": "The collection of resources." + }, + { + "name": "Hostname", + "type": "string", + "description": "Name of the node initiated the alert." + }, + { + "name": "Cluster", + "type": "string", + "description": "Name of the cluster the node belongs" + }, + { + "name": "ImageName", + "type": "string", + "description": "Name of the image involved for the alert" + }, + { + "name": "Namespace", + "type": "string", + "description": "This is the grouping of the nodes in a cluster." 
+ } + ] + } + } } - ], - "title": "Connect Prisma Cloud Compute CWPP Security Events to Microsoft Sentinel" - } - ] - }, - "connectionsConfig": { - "templateSpecName": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Resources/templateSpecs/',variables('dataConnectorTemplateSpecName2'))]", - "templateSpecVersion": "[variables('dataConnectorVersion2')]" - } - } - }, - { - "name": "[variables('logAnalyticsTableId1')]", - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2021-03-01-privatepreview", - "location": "[parameters('workspace-location')]", - "tags": {}, - "properties": { - "schema": { - "name": "[variables('logAnalyticsTableId1')]", - "columns": [ - { - "name": "PrismaId", - "type": "string", - "description": "_id value." - }, - { - "name": "TimeGenerated", - "type": "datetime", - "isDefaultDisplay": true, - "description": "The timestamp (UTC) reflecting the time in which the event was generated." - }, - { - "name": "FQDN", - "type": "string", - "description": "Fqdn." - }, - { - "name": "ContainerName", - "type": "string", - "description": "Container Name." - }, - { - "name": "ContainerID", - "type": "string", - "description": "Container Id." - }, - { - "name": "ImageID", - "type": "string", - "description": "Image Id." - }, - { - "name": "ProfileID", - "type": "string", - "description": "Profile Id." - }, - { - "name": "AccountID", - "type": "string", - "description": "Account Id." - }, - { - "name": "SerialNumber", - "type": "int", - "description": "Serial Number." - }, - { - "name": "Acknowledged", - "type": "boolean", - "description": "Acknowledged or not." - }, - { - "name": "Category", - "type": "string", - "description": "Describes the type of attack." - }, - { - "name": "ResourceType", - "type": "string", - "description": "The Type of resource." - }, - { - "name": "Audits", - "type": "dynamic", - "description": "The audit information." 
- }, - { - "name": "Collections", - "type": "dynamic", - "description": "The collection of resources." - }, - { - "name": "Hostname", - "type": "string", - "description": "Name of the node initiated the alert." - }, - { - "name": "Cluster", - "type": "string", - "description": "Name of the cluster the node belongs" - }, - { - "name": "ImageName", - "type": "string", - "description": "Name of the image involved for the alert" - }, - { - "name": "Namespace", - "type": "string", - "description": "This is the grouping of the nodes in a cluster." - } - ] - } - } - }, - { - "name": "[variables('dataCollectionRuleId')]", - "apiVersion": "2021-09-01-preview", - "type": "Microsoft.Insights/dataCollectionRules", - "location": "[parameters('workspace-location')]", - "properties": { - "dataCollectionEndpointId": "[variables('_dataCollectionEndpointId')]", - "streamDeclarations": { - "[variables('streamName1')]": { - "columns": [ - { - "name": "_id", - "type": "string", - "description": "_id value." - }, - { - "name": "time", - "type": "datetime", - "description": "The time at which the data was generated" - }, - { - "name": "fqdn", - "type": "string", - "description": "Fqdn." - }, - { - "name": "containerName", - "type": "string", - "description": "Container Name." - }, - { - "name": "containerID", - "type": "string", - "description": "Container Id." - }, - { - "name": "imageID", - "type": "string", - "description": "Image Id." - }, - { - "name": "profileID", - "type": "string", - "description": "Profile Id." - }, - { - "name": "accountID", - "type": "string", - "description": "Account Id." - }, - { - "name": "serialNum", - "type": "int", - "description": "Serial Number of event." - }, - { - "name": "acknowledged", - "type": "boolean", - "description": "Acknowledged or not." - }, - { - "name": "category", - "type": "string", - "description": "Describes the type of attack." - }, - { - "name": "type", - "type": "string", - "description": "The Type of resource." 
- }, - { - "name": "audits", - "type": "dynamic", - "description": "The audit information." - }, - { - "name": "collections", - "type": "dynamic", - "description": "The collection of resources." - }, - { - "name": "hostname", - "type": "string", - "description": "Name of the node initiated the alert." - }, - { - "name": "cluster", - "type": "string", - "description": "Name of the cluster the node belongs" - }, - { - "name": "imageName", - "type": "string", - "description": "Name of the image involved for the alert" - }, - { - "name": "namespace", - "type": "string", - "description": "This is the grouping of the nodes in a cluster." - } ] - } }, - "destinations": { - "logAnalytics": [ - { - "workspaceResourceId": "[variables('workspaceResourceId')]", - "name": "clv2ws1" - } - ] - }, - "dataFlows": [ - { - "streams": [ - "[variables('streamName1')]" + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "contentProductId": "[concat(substring(variables('_solutionId'), 0, 50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentIdConnectorDefinition'),'-', variables('dataConnectorVersionConnectorDefinition'))))]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "version": "[variables('_solutionVersion')]" + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition'))]", + "apiVersion": "2022-09-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions", + "location": "[parameters('workspace-location')]", + "kind": "Customizable", + "properties": { + "connectorUiConfig": { + "title": "Prisma Cloud Compute CWPP (using REST API)", + "publisher": "Microsoft", + "descriptionMarkdown": "The [Prisma Cloud Compute 
CWPP](https://prisma.pan.dev/api/cloud/cwpp/audits/#operation/get-audits-incidents) data connector allows you to connect to your Prisma Cloud CWPP instance and ingesting alerts into Microsoft Sentinel. The data connector is built on Microsoft Sentinel’s Codeless Connector Platform and uses the Prisma Cloud API to fetch security events and supports DCR-based [ingestion time transformations](https://docs.microsoft.com/azure/azure-monitor/logs/custom-logs-overview) that parses the received security event data into a custom columns so that queries don't need to parse it again, thus resulting in better performance.", + "graphQueriesTableName": "PrismaCloudCompute_CL", + "graphQueries": [ + { + "metricName": "Total events received", + "legend": "Prisma Compute Events", + "baseQuery": "{{graphQueriesTableName}}" + } ], - "destinations": [ - "clv2ws1" + "sampleQueries": [ + { + "description": "Get Sample of Prisma Compute Events", + "query": "{{graphQueriesTableName}}\n | take 10" + }, + { + "description": "Total Events by Event Type", + "query": "{{graphQueriesTableName}}\n | summarize count() by EventOriginalType" + } + ], + "dataTypes": [ + { + "name": "{{graphQueriesTableName}}", + "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriteria": [ + { + "type": "HasDataConnectors" + } ], - "transformKql": "source \r\n| project-rename \r\n TimeGenerated = ['time'], PrismaId = _id, SerialNumber = serialNum, Acknowledged = acknowledged, Hostname = hostname, FQDN = fqdn, ContainerName = containerName, ContainerID = containerID, ImageName = imageName, ImageID = imageID, ProfileID = profileID, Namespace = namespace, Category = category, ResourceType = type, Audits = audits, Collections = collections, AccountID = accountID, Cluster = cluster", - "outputStream": "[concat('Custom-', variables('logAnalyticsTableId1'))]" - } - ] - } - }, - { - "type": 
"Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", + "availability": { + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "Read and Write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "Read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "PrismaCloudCompute API Key", + "description": "A Prisma Cloud Compute CWPP Monitor API username and password is required. [See the documentation to learn more about PrismaCloudCompute SIEM API](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PrismaCloudCompute/Data%20Connectors/readme.md)." 
+ } + ] + }, + "instructionSteps": [ + { + "description": "To enable the Prisma Cloud Compute CWPP Security Events for Microsoft Sentinel, provide the required information below and click on Connect.\n>", + "instructions": [ + { + "type": "Textbox", + "parameters": { + "label": "Path to console", + "placeholder": "https://europe-west3.cloud.twistlock.com/{sasid}", + "type": "text", + "name": "domainname" + } + }, + { + "type": "Textbox", + "parameters": { + "label": "Prisma Access Key (API)", + "placeholder": "Prisma Access Key (API)", + "type": "text", + "name": "username" + } + }, + { + "type": "Textbox", + "parameters": { + "label": "Secret", + "placeholder": "Secret", + "type": "password", + "name": "password" + } + }, + { + "parameters": { + "label": "toggle", + "name": "toggle" + }, + "type": "ConnectionToggleButton" + } + ], + "title": "Connect Prisma Cloud Compute CWPP Security Events to Microsoft Sentinel" + } + ] + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition')))]", + "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition'))]", + "contentId": "[variables('_dataConnectorContentIdConnectorDefinition')]", "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", + "version": "[variables('dataConnectorVersionConnectorDefinition')]", "source": { - "kind": "Solution", - "name": "Palo Alto Prisma Cloud Compute", - "sourceId": "[variables('_solutionId')]" + "sourceId": "[variables('_solutionId')]", + "name": "[variables('_solutionName')]", + "kind": "Solution" }, "author": { - "name": "Microsoft" + "name": 
"[variables('_solutionAuthor')]" }, "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com/" }, "dependencies": { - "criteria": [ - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId2')]", - "version": "[variables('dataConnectorVersion2')]" - } - ] + "criteria": [ + { + "version": "[variables('dataConnectorVersionConnections')]", + "contentId": "[variables('_dataConnectorContentIdConnections')]", + "kind": "ResourcesDataConnector" + } + ] } - } - } - ] - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions", - "apiVersion": "2022-09-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "location": "[parameters('workspace-location')]", - "kind": "Customizable", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId1')]", - "title": "Prisma Cloud Compute CWPP (using REST API)", - "publisher": "Microsoft", - "descriptionMarkdown": "The [Prisma Cloud Compute CWPP](https://prisma.pan.dev/api/cloud/cwpp/audits/#operation/get-audits-incidents) data connector allows you to connect to your Prisma Cloud CWPP instance and ingesting alerts into Microsoft Sentinel. 
The data connector is built on Microsoft Sentinel’s Codeless Connector Platform and uses the Prisma Cloud API to fetch security events and supports DCR-based [ingestion time transformations](https://docs.microsoft.com/azure/azure-monitor/logs/custom-logs-overview) that parses the received security event data into a custom columns so that queries don't need to parse it again, thus resulting in better performance.", - "graphQueriesTableName": "PrismaCloudCompute_CL", - "graphQueries": [ - { - "metricName": "Total events received", - "legend": "Prisma Compute Events", - "baseQuery": "{{graphQueriesTableName}}" - } - ], - "sampleQueries": [ - { - "description": "Get Sample of Prisma Compute Events", - "query": "{{graphQueriesTableName}}\n | take 10" - }, - { - "description": "Total Events by Event Type", - "query": "{{graphQueriesTableName}}\n | summarize count() by EventOriginalType" - } - ], - "dataTypes": [ - { - "name": "{{graphQueriesTableName}}", - "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" } - ], - "connectivityCriteria": [ - { - "type": "HasDataConnectors" - } - ], - "availability": { - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "Read and Write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "Read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnections'), variables('dataConnectorVersionConnections'))]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], - "customs": [ - { - "name": "PrismaCloudCompute API Key", - "description": "A Prisma Cloud Compute CWPP Monitor API username and password is required. [See the documentation to learn more about PrismaCloudCompute SIEM API](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PrismaCloudCompute/Data%20Connectors/readme.md)." 
- } - ] - }, - "instructionSteps": [ - { - "description": "To enable the Prisma Cloud Compute CWPP Security Events for Microsoft Sentinel, provide the required information below and click on Connect.\n>", - "instructions": [ - { - "type": "Textbox", - "parameters": { - "label": "Path to console", - "placeholder": "https://europe-west3.cloud.twistlock.com/{sasid}", - "type": "text", - "name": "domainname" - } - }, - { - "type": "Textbox", - "parameters": { - "label": "Prisma Access Key (API)", - "placeholder": "Prisma Access Key (API)", - "type": "text", - "name": "username" - } - }, - { - "type": "Textbox", - "parameters": { - "label": "Secret", - "placeholder": "Secret", - "type": "password", - "name": "password" - } + "properties": { + "contentId": "[variables('_dataConnectorContentIdConnections')]", + "displayName": "[concat(variables('_solutionName'), variables('dataConnectorTemplateNameConnections'))]", + "contentKind": "ResourcesDataConnector", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorVersionConnections')]", + "parameters": { + "connectorDefinitionName": { + "defaultValue": "connectorDefinitionName", + "type": "string", + "minLength": 1 + }, + "workspace": { + "defaultValue": "[parameters('workspace')]", + "type": "string" + }, + "dcrConfig": { + "defaultValue": { + "dataCollectionEndpoint": "data collection Endpoint", + "dataCollectionRuleImmutableId": "data collection rule immutableId" + }, + "type": "object" + }, + "domainname": { + "defaultValue": "domainname", + "type": "string", + "minLength": 1 + }, + "username": { + "defaultValue": "username", + "type": "string", + "minLength": 1 + }, + "password": { + "defaultValue": "password", + "type": "string", + "minLength": 1 + } + }, + "variables": { + "_dataConnectorContentIdConnections": "[variables('_dataConnectorContentIdConnections')]" + }, + "resources": [ + { + "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnections')))]", + "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentIdConnections'))]", + "contentId": "[variables('_dataConnectorContentIdConnections')]", + "kind": "ResourcesDataConnector", + "version": "[variables('dataConnectorVersionConnections')]", + "source": { + "sourceId": "[variables('_solutionId')]", + "name": "[variables('_solutionName')]", + "kind": "Solution" + }, + "author": { + "name": "[variables('_solutionAuthor')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com/" + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 'apiRequest')]", + "apiVersion": "2022-12-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "RestApiPoller", + "properties": { + "connectorDefinitionName": "[[parameters('connectorDefinitionName')]", + "dataType": "PrismaCloudCompute_CL", + "dcrConfig": { + "streamName": "Custom-PrismaCloudCompute_IncidentsApi", + "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", + "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" + }, + "auth": { + "type": "Basic", + "userName": "[[parameters('username')]", + "password": "[[parameters('password')]" + }, + "request": { + "apiEndpoint": "[[concat(parameters('domainname'),'/api/v1/audits/incidents','?acknowledged=false')]", + "rateLimitQPS": 10, + "queryWindowInMin": 5, + "httpMethod": "Get", + 
"queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ", + "startTimeAttributeName": "from", + "endTimeAttributeName": "to", + "retryCount": 3, + "timeoutInSeconds": 60, + "headers": { + "Accept": "application/json", + "User-Agent": "Scuba" + }, + "queryParameters": { + "sort": "time" + } + }, + "paging": { + "pagingType": "Offset", + "offsetParaName": "offset", + "pageSizeParaName": "limit" + }, + "response": { + "eventsJsonPaths": [ + "$" + ] + } + } + } + ] }, - { - "parameters": { - "label": "toggle", - "name": "toggle" - }, - "type": "ConnectionToggleButton" - } - ], - "title": "Connect Prisma Cloud Compute CWPP Security Events to Microsoft Sentinel" + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "contentProductId": "[concat(substring(variables('_solutionId'), 0, 50),'-','rdc','-', uniqueString(concat(variables('_solutionId'),'-','ResourcesDataConnector','-',variables('_dataConnectorContentIdConnections'),'-', variables('dataConnectorVersionConnections'))))]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "version": "[variables('_solutionVersion')]" } - ] }, - "connectionsConfig": { - "templateSpecName": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Resources/templateSpecs/',variables('dataConnectorTemplateSpecName2'))]", - "templateSpecVersion": "[variables('dataConnectorVersion2')]" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', 
variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "Palo Alto Prisma Cloud Compute", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - }, - "dependencies": { - "criteria": [ - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId2')]", - "version": "[variables('dataConnectorVersion2')]" - } - ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('dataConnectorTemplateSpecName2')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "LogicAppsCustomConnector" - }, - "properties": { - "description": "PrismaCloudCompute data connector with template", - "displayName": "PrismaCloudCompute template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('dataConnectorTemplateSpecName2'),'/',variables('dataConnectorVersion2'))]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName2'))]" - ], - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "LogicAppsCustomConnector" - }, - "properties": { - "description": "PrismaCloudCompute data connector with template version 2.0.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion2')]", - "parameters": { - 
"domainname": { - "defaultValue": "domainname", - "type": "string", - "minLength": 1, - "metadata": { - "description": "domainname" - } - }, - "password": { - "defaultValue": "password", - "type": "string", - "minLength": 1, - "metadata": { - "description": "password" - } - }, - "username": { - "defaultValue": "username", - "type": "string", - "minLength": 1, - "metadata": { - "description": "username" - } - }, - "connectorDefinitionName": { - "defaultValue": "connectorDefinitionName", - "type": "string", - "minLength": 1, - "metadata": { - "description": "connectorDefinitionName" - } - }, - "workspace": { - "defaultValue": "[parameters('workspace')]", - "type": "string" - }, - "location": { - "defaultValue": "", - "type": "string" - }, - "workspaceName": { - "defaultValue": "", - "type": "string" - }, - "dcrConfig": { - "type": "object", - "defaultValue": { - "dataCollectionEndpoint": "data collection Endpoint", - "dataCollectionRuleImmutableId": "[variables('_dataCollectionRuleImmutableId')]" - } - } - }, - "variables": { - "_dataConnectorContentId2": "[variables('_dataConnectorContentId2')]", - "_dataConnectorEventsId1": "incidents" - }, - "resources": [ - { - "name": "[[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorEventsId1'))]", - "apiVersion": "2022-12-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "RestApiPoller", - "properties": { - "connectorDefinitionName": "[[parameters('connectorDefinitionName')]", - "dcrConfig": { - "streamName": "[variables('streamName1')]", - "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", - "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" - }, - "dataType": "[variables('logAnalyticsTableId1')]", - "auth": { - "type": "Basic", - "password": "[[parameters('password')]", - "userName": "[[parameters('username')]" - }, 
- "request": { - "apiEndpoint": "[[concat(parameters('domainname'),'/api/v1/audits/incidents','?acknowledged=false')]", - "rateLimitQPS": 10, - "queryWindowInMin": 5, - "httpMethod": "Get", - "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ", - "startTimeAttributeName": "from", - "endTimeAttributeName": "to", - "retryCount": 3, - "timeoutInSeconds": 60, - "headers": { - "Accept": "application/json", - "User-Agent": "Scuba" - }, - "queryParameters": { - "sort": "time" - } - }, - "paging": { - "pagingType": "Offset", - "offsetParaName": "offset", - "pageSizeParaName": "limit" - }, - "response": { - "eventsJsonPaths": [ - "$" - ] - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", - "properties": { - "parentId": "[[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorEventsId1'))]", - "contentId": "[variables('_dataConnectorContentId2')]", - "kind": "LogicAppsCustomConnector", - "version": "[variables('dataConnectorVersion2')]", + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]", + "location": "[parameters('workspace-location')]", + "apiVersion": "2023-04-01-preview", + "properties": { + "version": "3.0.0", + "kind": "Solution", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_solutionId')]", "source": { - "kind": "Solution", - "name": "Palo Alto Prisma Cloud Compute", - "sourceId": "[variables('_solutionId')]" + "kind": "Solution", + "name": "[variables('_solutionName')]", + "sourceId": "[variables('_solutionId')]" }, "author": { - "name": "Microsoft" + "name": 
"[variables('_solutionAuthor')]", + "email": "[variables('_email')]" }, "support": { "name": "Microsoft Corporation", "email": "support@microsoft.com", "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "location": "[parameters('workspace-location')]", - "properties": { - "version": "2.0.0", - "kind": "Solution", - "contentSchemaVersion": "2.0.0", - "contentId": "[variables('_solutionId')]", - "parentId": "[variables('_solutionId')]", - "source": { - "kind": "Solution", - "name": "Prisma Cloud compute", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com/" - }, - "dependencies": { - "operator": "AND", - "criteria": [ - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId1')]", - "version": "[variables('dataConnectorVersion1')]" + "link": "https://support.microsoft.com/" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentIdConnectorDefinition')]", + "version": "1.0.0" + } + ] + }, + "firstPublishDate": "2022-06-24", + "providers": [ + "[variables('_solutionAuthor')]" + ], + "categories": { + "domains": [ + "Cloud Provider" + ] + }, + "contentKind": "Solution", + "packageId": "[variables('_solutionId')]", + "contentProductId": "[concat(substring(variables('_solutionId'), 0, 50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]", + "displayName": "[variables('_solutionName')]", + "publisherDisplayName": "[variables('_solutionId')]", + "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Prisma Cloud Compute CWPP solution for Microsoft Sentinel allows you to connect to your Prisma Cloud CWPP instance and ingest alerts into your Microsoft Sentinel workspace using the Prisma Cloud API.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Codeless Connector Platform (CCP)
  2. \n
\n

Data Connectors: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "icon": "[variables('_packageIcon')]" } - ] - }, - "firstPublishDate": "2022-06-24", - "providers": [ - "Microsoft" - ], - "categories": { - "domains": [ - "Cloud Provider" - ] } - }, - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]" - } - ], - "outputs": {} -} \ No newline at end of file + ] +}
diff --git a/Solutions/PrismaCloudCompute/ReleaseNotes.md b/Solutions/PrismaCloudCompute/ReleaseNotes.md
new file mode 100644
index 00000000000..4a2ccc0ac61
--- /dev/null
+++ b/Solutions/PrismaCloudCompute/ReleaseNotes.md
@@ -0,0 +1,3 @@
+| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
+|-------------|--------------------------------|--------------------------------------------------------------------|
+| 3.0.0 | 10-10-2023 | Added new files to support CCP CLV2 and its package |
\ No newline at end of file
diff --git a/Solutions/PrismaCloudCompute/SolutionMetadata.json b/Solutions/PrismaCloudCompute/SolutionMetadata.json
new file mode 100644
index 00000000000..c4e73a7d155
--- /dev/null
+++ b/Solutions/PrismaCloudCompute/SolutionMetadata.json
@@ -0,0 +1,18 @@
+{
+ "publisherId": "azuresentinel",
+ "offerId": "azure-sentinel-solution-prismacloudcompute",
+ "firstPublishDate": "2022-06-24",
+ "providers": ["Microsoft"],
+ "categories": {
+ "domains" : ["Cloud Provider"]
+ },
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com/"
+ },
+ "SolutionName":"PrismaCloudCompute",
+ "SolutionAuthor": "Microsoft",
+ "PackageIcon":"icon icon icon icon"
+}
\ No newline at end of file
diff --git a/Solutions/PrismaCloudCompute/data/PrismaCloud.json b/Solutions/PrismaCloudCompute/data/PrismaCloud.json
new file mode 100644
index 00000000000..ccb2c18aabb
--- /dev/null
+++ b/Solutions/PrismaCloudCompute/data/PrismaCloud.json
@@ -0,0 +1,15 @@
+{
+ "Name": "PrismaCloudCompute",
+ "Author": "Microsoft - support@microsoft.com",
+ "Logo": "",
+ "Description": "The [Prisma Cloud Compute CWPP](https://prisma.pan.dev/api/cloud/cwpp/audits/#operation/get-audits-incidents) solution for Microsoft Sentinel allows you to connect to your Prisma Cloud CWPP instance and ingest alerts into your Microsoft Sentinel workspace using the Prisma Cloud API.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:\n\na. [Codeless Connector Platform (CCP)](https://learn.microsoft.com/en-us/azure/sentinel/create-custom-connector#connect-with-the-codeless-connector-platform)",
+ "Data Connectors": [
+ "Data Connectors/PrismaCloudCompute_CLV2.json"
+ ],
+ "Metadata": "SolutionMetadata.json",
+ "BasePath": "C:\\Github\\Azure-Sentinel\\Solutions\\PrismaCloudCompute",
+ "Version": "3.0.0",
+ "TemplateSpec": true,
+ "Is1PConnector": false,
+ "createPackage": false
+}
\ No newline at end of file
From 05bb81069510ac2bea07dee07fca9bf123ca09fa Mon Sep 17 00:00:00 2001
From: v-amolpatil
Date: Tue, 10 Oct 2023 16:31:13 +0530
Subject: [PATCH 2/7] fixed issue on solutionvalidation build
---
 .../PrismaCloudCompute/Package/3.0.0.zip | Bin 8185 -> 8197 bytes
 .../Package/mainTemplate.json | 3 ++-
 2 files changed, 2 insertions(+), 1 deletion(-)
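Review bot: `BasePath` in this new manifest is an absolute path on the author's workstation (`"C:\\Github\\Azure-Sentinel\\Solutions\\PrismaCloudCompute"`), so a package build only reproduces on a machine with the same checkout location, and the commit records a local directory layout. A value that resolves on any checkout would be preferable, if the packaging tool accepts one. The `Data Connectors` entry also names `Data Connectors/PrismaCloudCompute_CLV2.json`, while the files this patch creates are `DCR.json`, `connectorDefinition.json`, `dataConnector1.json` and `table.json`. Unless that file already exists in the repository, the manifest does not describe the inputs of the committed `3.0.0.zip`, which matters because the binary itself cannot be reviewed.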
diff --git a/Solutions/PrismaCloudCompute/Package/3.0.0.zip b/Solutions/PrismaCloudCompute/Package/3.0.0.zip index cc39bab780853b6e04c3726e2d3ee7bccd3b8e1a..fb9cad355383b72994bbee020230e47e47f40da2 100644 GIT binary patch delta 6137 zcmV^ntA2A{UW!QEBD`IPme!dT*Te`6wJW)jdjPBROStCM`iz9N!yIe-0 zFJ6CnhSCOBk^T?af1e+6qqeFYn9oL;;XT=U!$pddax{8_SNtpBsFXrPLobH6keX47 zCKE(4NEpMC4{8|vYY#i{X*A9x@Mxr-kB*Oj(&Q117kL89+^NW$XH#}WHy+{t=9+TJ zBV1NSGtqUKM{N>s#KL^Hh`3y2aD>q-;zS`0mkeF;6-xr_e}NQH%;JqECkiX+HRq`g zJIc#1;O%xie$^#fL7xbE9E=Cq3Tq$xZb$i}qC^gG8Aj-3xI$-v?L9E!&|X89AJxdM zJ3Auw!oy`9&i4!ANs-%Z!ifFLSG~cGk{_V;E`9eV#db6jUyh0kBIEI!WFqHoL6qk1 z(J1Ta+YOGy7@D@dc|gf(&FC!U4IPb9e*LGY%d60Or;|hpH-C6v;gzfrn>bD8S8nMO z_2)#rI@yR3IWQt;+lUf&=cXxpQl2Z2*Yhw4xUvnSgca%E7kEhmq6GG|!ksOR`6pW6 z=v|@JximoLZbPTlSyYw`%yV6%MgrR!<~FYeksFUDt}_{pG-Vtt~(OF_3E2b6rDsbBylG7lMP98m$wl`m`_>SQFN`oNLPp!5QLoV@h;4gQt0 z9tg_zk)!+`qC1^i_7HB+ZQ*h<`Il0)(<0N~<&|p18vUs}S}szYNJh$gaQcFy)=OD= zn`o5^mj!B=*swcQSLy0jS7%jP-t9s~ zRC7lc+K#mP2FO%|;hsgzt)0j z%YWl-a<(TUN_)agchp)_>GM6AN=+t2YoGmm#|k-aip-+ATPPaBPHs2gI((ef$ z^pdRf+5vD~%e-7%5{bwLN$k>v^_q-lz+inRwLXy%10I&;J#nZV~s$Tu)h633ign}H*tXpgXi#Q|lJ zRLL&EP|h`hi8IfO{eU7GN-XbVzJKv@G%jDf@@Q2ata99lFl4W65{&t)F@>|h*b`Gl z0<^%4D*?nMMGTQo=TuvWSCPG0eb6B#>0D=uYb~U-q)Bb z3DG+WmuMJvzi(yr+W`H6n0<@U>4^#34Jhf!7b(b+0ci0cKcQ)Vkrm-Kjp$v!^Pzr^doY?zO#vEFNnvvpl|&GScG0C4#^X=v^|RT+Un{mi<=ETp_ItOOcTmf z)b%p)Ys{t5}DC8mtFT8{IHYNl3yd-sga$bTi%;U;R4SorKPxt(9IQ=iJ{zC zi{Z>traE#g9=4+Z`F|mQ-Cl$-%b@_w#%|sw@kVDhxBuDXo&?;fr=Nri#yzh|7Gfdp zgs=Vy??XG-kcXxv-kJ9Yxw>s9v1RwOtn^>k-LwHL>8cx=oB$ozmYSYb-&;gMxO{Y) z*OF^-h8m+&=#^XvqPv*lNaR?;P6z4Td;z!+=jpUGYsPdn|9|oo^pvgB6=CamA=c-a zSfAqGiHai47GAiR`P`hw(M+9|(ODJs3=F^jcyyB4elyr8d_48t`-v-Z3ML*9xL&hmEWT1l71A!fI5&mjQxq`+^B&NVUP|jPS zS!}jWBEvLnkM(Z@i*H>HUWZ;{Xs9)eV>lm}++)ffPenv~%I*neUg+G4mHj)lDRGV6 z=sctxW?*CVL8Mf!8$$Ax_^TT>11+IIR}JK$qZAynNPkMja^^U2G{E;bbYyahQwL?y z+(j3IOQ70r|CYZkumkzy+gF79O<_sg2EeG;rOd8g$drVo$hzS=a0we;GFZ4;_1q&B z>l0MnFm>S~Kq^I9PRq5Ra<2rv;Fm_9qk@Se>;e)doY<9GZrO|8ete 
zs?N~G`G1=>8LlS7oc2zJDdo$0$;H$+vDY4t-BF%P5PM$RtH#+a+{wVUe}Ns(mf$xi#!>dB^T|PN`LUVw<%hw)5Zhl=kmR)nFCye9mwBT zoRmWrJ;;dVzAlbL+}W^WfF1DcT+xJps6Pew<`S;u)Eqd+ zxGl0I-r?}MHqV6?qv2 z4fg~^`9sn}W}lM=c@Bz)8CiKbq=(GOb$>`%a5&x>_+-F4P=rC~LdibD2t)+LSK_wN zA+yu*Vn`Y3#ERW=GodWwEaX50E0a`ZfPFGkxN!#*I>@tA(8i_nF7!l=$Rx8+2ZU(|NHYvQuD_{S0jnftY4U9U|32a~_Fn z=WB6UMnQMY9uzc|2+ZA*u6ae{grp2P)p_^mo}L;^vBqQoXiTl%oY~C&3NF3sbKZdK z$?1*(as|3aJNj5nPE*UGY)ZWOv>Q>E-pBpsy{yI|3zxo)-Ufd_p5QOsUYkT1giw5m z3YVVHGjub8^NP_=R4qv{5N`JFgDvkk>gJ&oWYm8CB9e#%L9{U)*NGvY?Kp9_S z^woD4ulW~nwlGHL`LH?vwh%_oJ)U3WAI>kvXs&il{vh2wldr|wNn{iTlLY+umuc{C zEMnp^t^FBF_X^%+;xI#h$;UBL%U<|h&xGH~hb|l&7_|5R)TXAopf>#r*ngCS&jgQ> z&%8xqsXRj+tSKvu85jL4v6x`On-@n~t*{L=^o)*7TE*k(F9UZIlC)k(QoLd`%NG}h zx)k{{>HITM(V|fNxBPacoUmw;)rM$2L02S}5f_WRZXfxMlMo7ZR_aPsYHUfhISG$t zP6D~(^4>i)q2(qFla=P$@PGc9auig-K#i9H2AxO+-SQGNDOOO*gP9u#V|$v@gCry9 z7(NQR@~5z)8jrGX7J^0Sg)AGM+<~$>-QjCWWT4FUH|Xg5>+@q2;iXWV+=XE(&w;xy zS)PNe&rwKpIJC(EL&TWH!wRx#R>MBna^5GCVPO7r&tTXqr_4`9cYnqwv-8k>aB1Ex zLt$VJb;(TF2X`*JW+M#DpKe(Q`{2-7*UW=~In*uVU>_XHd*{ZZ?2%-!HNoJ}m~_@7 zm!NMR!N55L`(T#}gBTBW*hM!~zQ8_MmJbpck9%0Q_01932fNNX~eH z@16s&3w{l7_P-CVy?^L<-aqhK6fx=n&-wSkx^werG{6oyH^7y&gwM|SO9bma<{*-?J%PLQB9w9b8c79zP5Ltk z$@AvlvJqHb*Tv5@ejh@WtLHwh8#|>_C^%=T{(4yc2Q0?uWPgnQaRNU%HX4syXCyu# z`O9NhvTcH_5rt@4D4Zyfq+iw`AEgF8RpiUr) zt#h)Q7tWHx$&Ol_!zh$*To~W{fX%!Re$T@;twQ&$$7&{p?1wB|Z&;{4zeD_8nEvm= z^nZ%N^aB;5H-9KR-PfB|CM1Lhrhj%-ajQ_sMZ7 z+uxlFwd)S2cVTu@AM3Z0u$tzWoYw@`W0 z+S4yY-l6cghL_)|YI2(hOT>FABtA&t@Q$T~`;`vvQhx}%L*Z}Bu+Vo~)S{(Zjlp*k zIm1HTZPNEwF3jDx5ckJfErx})+r+r}@wW77{leH9!zv|hb}f8eIlKP5&~@jjH{83; z3RSlmHWd^5PgRJzL*Z$SH3E=Ye1=t2JJ-e>q;T{;3q_|KGA+xSsvzS+&>F`iZKeW% z=B#{75r61kMR^B>nfuSUVd3S!%zT@dG45XoIUR17!pG^18WuX<^NjYN8S}!#DQk=h z5$lW^Af2`Iu7!qMreK>T3b4<@!3Iat#jo~z9+49$INU!={Ei0`y%do z)ao>~AX~L>HXNR7=K$3AFQ=oD3f zsI63;iPqI51c2J^lEX=j{xa=&9!9*4Jcn-@KIZ1Lywfi`_*Wsi)7Xr!U(M5Pj|8_? 
z&VP+a`YA<`blKqI4Gvr!I9o5%TFxK=d-K&GG(-Cp+pddU7rl~cr8JA@4Igo{?6ILF zEW5@&L>H@}{Oa!ZcyjXDw%u)@ox3qvN|6d0s4#)L`Bn1mnvJ|?c8y#_^xL3*c^ts5 zn@skl%p5Ckw)tJ5qCv~HXS=~M{9?4+Vt;^INm%p#)Io~2+Y#SvR{?b`A&{ba+oD@P zO{)`RI$eA-_3ePq7KB@;;ygfTcKM9X9-W+iE*IpC%byoM__@_Q{e_0XCyjeZGNy)H z&(;;xy!q?;c3CP}X6+=C+qQ|g^4|OpP*eaYZ^G23)6LS5EuRE0aj;@*-sW_R!hhd_ zCo5moVVL!5NoVsa4YVWet^*5pYtCQxZjp8kAHSgr4UnCrv!(Y~(q}E>u0adGy)yUx zSQI#s>Zy!9;;$f*duMwmZ4rW$`QZX;I(24#7L;veXGL;yjdiKrWD5kZ|2CWQwcniDIMT^U;gJNgyzQEoV1S><&pja7t z1!j<0d6p}09=oX+WA<+)kmD+U<-hY*$dsb7Q z-0y*QJv8Eb(Hs0e#*}HSlDeJi^wFMnuA)Y7?WtcRse&%2h1uDLT!N$0s(j5i(PnSl zx+#pJ;YE$1h<<>X*U4NM-D@dg(RW1^Bz26{pfqa}YY+pl#d$4qFC~0*Jgsk|#YTX3 z&sMkVQq#e7J8V4$6Qq{t7k@S-+NCdq3s^6y$~n{&O@O@9R>G#947m42QvVsSh^xV( zY}IJt%-I)e7%nf~ovKTV>Gj0Xc=Vt7`p?hAeFYO%!6lNH#3$^#%PUUI>4|Pbap~tr zk-$6;UJ+1~|IlpdJ{1w#JGC z&{>rLQdllEBiUu(ZhwX_Xyq^5>a`mv0gLOe6$FB`=}j7_9r@ekk{Yb3P`nO&QeqpL zA>h5^EAku8qwqkdXs}I-AKdldaF5c&Nt8ES|BFi{Wc+HTFDtM<)u0^U@0uYsSkism z(4ii*W=PbdXh?mi#ISmZ41t(b4M`$Le~oG(Jv=!jCdnCinScDjoZBrY>*X%{d5h*5 z8f}hYe)^i{xDu=yMs%8kn(czx77Wy)S-jXMtfw1d)YQan!8_exT@$rwB&^V0d}}~u zOAN0|%&t?6PB$jkJqFh&flii-5wmHXy>2X!JW!&Yc7kf5Rr3Pex?^c%tQNY->6lZY z44U8XY04}~M1R?(EFN?rlW>xAuYXP+eOA9)s_mkA0@{{awN+jEzWTY}?P4R{`4%(O zl3D&~HGqChbBg&+I`&_y!rQggM!n8Pn;Ku$Osl+GyR)YTO``!;&RsLyShDI@7aE9~ z`JKB|`hxjFyFT4Kf6DnB2CL_j*EOy-n4o zeQQsBI-^+L7*PaJh$;ny(iqdX)^qU}l7Bv(+0Ws=JzQFc3P}vgD-nv+6pYcv!#0IW zsY|FI3XieRdtbusVo?#xHfD6Mw!ZL*M3xaZ3$FewBn3g@|GoIf?5hnc0NJ$P{ zm+S%@Ok$c8X;891b0W+sn){^E{^JzBqP0LseNR5Y+^0IubzbbWN1^m&h844&<_27n1 z9UOY41E?G#kXx(8h*RTSs%^+=b1daYz7z6K{|}R2A5jj0fJ#??ud~^-7ytk-%agtz LH3n-R00000a%}@v delta 6125 zcmV0tgk_HYacS=`OGc&NL7ytnK%9Ef5I|2l)lidc=e|=ZQi<#}(%&tyV+CVt0%dF+%~yE_M+M(Z;3}*^xhC>=rRh8T$EU(&gl89mbwJ;Y}xB z;K>U+a-EPj`+17cj~J1FGHknm6|pr&Ki`MZE#24-o+zS!M)zyttP!Ee#SyvVT`r^0 z7q7oOLumu6NdJfIf6ouOQCrmx%x9y_@SbeF;UdLJIU2peEB+O5R7xSDp%=qjNX;lk zlL?|2B#dFn2Q>`-wTB(}G#Y0Tcr;SaN5{wSGH&3UTB zj`H#gc)J~sUv-IA&?kZ(2jfAu!rI5a+fn|gD3JqPh7o!huFzRvdk>5_wAYa3M>TTm 
z&W?z^@Nij&^ZkN&Qsg$9Fk=7mRd2AP<@<#09G?`$zr%%+M z6ZPt3BZlO_ker$!f$W`!LBJJf7$w6>|GvOW5)dVPrY7n3CXyQ7P(Krss`xwg=eUy`I{h@JDEX(57wu+rv><}-T zut8zp>F}YGntx$?;VM;M*MMm5p4N}_r}LLqNk^qt0dH}WVQsQzUTsw%=}75p6NPt# z8(Vai7`uvT1-=U0_J-uN!K0H$kEI>W7aqPN_`cF0NOVmrvu7E(SJ;Uo!X8puxr)m% zzHNSslGog{dHvTKFgg3tx~Uz;B(uG$&AEw(1DAdq6n`f#eSU*~<*WySvOVD_zaQvM z=a&6|8)sX%oJ{_uRMWJ`^qe-Xu`J(}N6STu6Uj()zw**mUp{Q5tUx#bnA%^fK~90 znzkdYz5y~7VYnyMLCWl_q`lSNu1N*v!LpSjrGLw$t)r4|*{HH**MSy!i6g8_UrJr( zrk{rq$6%NJmn}H-z3?qaxaMkhPq(!5NN`)&v?UGG0u8gF*emTs95~u~7Qk}2uETux zw{M|k(8R8wgO(5)R)0|`=&CfkcBj^|+MH-ngX&}Zp!e##_Saf4ZF#&+&h}(PX-}Bx zj(=KfDt*2uQ>n>>XzjC~?^r>nr1d4Qf)#r6<<&JhyPO}l4M2gli5DKB>rToX6@tvK?C91F@5QuS zuQ9r5r1ssB(*82SINjL6)Wvr*E{-!1ZhxFP_nXbkj$Oi~=aW#0)NF;>M1DIVT&Z)- z&gd}$NkS=uk?ncmJw*>;45vZK_wbQ_6QLqiz&kicvjYbsJ8=0Q+*@bBOWWfUO!*hQ zWi={3MKH!v&xE2yOgx6dpr*CF2l$d{l^qjaXeR`lYdVs z3}A_wvqm)05D4GF_(ij18>Q&t{LN%xQ|zLfWGHYbMtqD|WCs-b5v-)yB)FkNOZ%^I zoaMh0KjaHDjAmZAqBBP?yk5l3u}=|do~3)=X+-b(oewRfph1Cz9Sf*3T$|UaCcz3UNOJ%;;7y{B+EoFc5LB3wYuLq}A>aP> z2tIy|127A)do12e;g94bn}5(CWZ2)Z2l4vxN1V09LLhg1D?HzeZ>j9^7k1J4q92h9 z_MJ^UdqF(T1%2xmz#{ZAaY&w^rR`Cy*H%|oS=?;!38h3HW|~l@qOO;TUt>0{00zA& zur^t5+OC)Bk_E^!=0ctXUE^Pwbnb0en4Uj^K%?A?$d14Sd>@ktyMNkNSRT^xT@+8B z(mah$NU0NU20)`mcG*>C@?hNq_jr32#kd1C0GuM*?TG@Ml9Uc}9Ga>^f$q9g(1E#~ zmdK2*x$L^%;D?>8mi!vwPL1pg-SXZ|NDJ{iCgl?{|O!DN;S`25FGHsD#@vt2Q z$PfAJ_9Bc~4h3K~c7O9Wi8ng4x&6;3_axv>J^dtHFz$IxvJeY#Cw%o!cpuuqhCDPa z@y@(I$klB-i7mUIWu^bR?xqc3Nmt#_`q`IoPtr)-_B2wTSsv41|##QGHfPE-_Ww(!Em z%;)Abj%Mn#jLxd4XJGjK$D@*;p3_A9#0MIKmZfb(tA~R53nFS7sX;BT`{~d z6hlK1th%5G2jG)bV{!$VQBiy4t%5$UMgYes(RxXgOo|X9K^m4r3+#pWLfRaUIJXc< zOeS#pHh69-`hR)m88S|RAp;ep9tiA!i||)d$`v$T2r&ijfpXpo&0@245*empd#ryO zSbXbp@H+GoLqn}$9K-p*tdiM{rC?2htWg4pxgUNz2c;Z6p&{R`}PwhXUnHUvl#ZzeT|?Q@mm zake4)2m!1lufW{rG3Z1=DtAATPMcKAMNb_l`>mW3bO#qpjU9c%&ik+n(o#ANR`H9k zD%=@K+0*A9xyX~TS#oKfsRW;Uo1&FEZ9HIpE`Q&gJZKhjcMh+@sM{Im@XPi>{JBWdx&c23 zqRkke>O*ED>yRS~umcu?UvZr-LeOcj5wWe)NoHwls_arWcE2} 
zkmsOyn30v2Lwd-ZT!)kehvS`rPX@dLMSmECE|lLRj6g&{d?juR9Wpx|FNTznPOR81 zHxtS-&O#1Eurf(i2G}Pvg&TK3p@Td-1#Mh9??O-1drUG5g@7I~OX2_B)AojE>GhgW zNb~~UiNb(z(JZ(A;btIQW0S&byz=#5*Enqf(7>oOoxlc00^=Zlz805d6m-|@L4QGG zxxd^k>6%wGPDsj-Q=NB@?&+z)6l+WdfX3A7&6&;Yui(3!U9-pgtnvIyzh=xy)^^@3D{3i^SsM50vpWMqhn*@tS`DXA5I= zo)4SzZwq1c+~fI0{^9&$jOJ>`XA6)g&d ze9LcFN&|}~S#5~c6Ldvl8F8^->-LfFI0>OpXQi%GrN)+2o0ITZ<|L3iF7Mq_6IyP< zFj;A?4ey^RM?n<~)OZJeaw0Ft(>TJxDTwj^U%AD}M?*s_`iM zW+7OFUdR&Q$sH)G(;dF1L5u+aPoPU2GtUEW4Mg#1Sa|4{|?}KskuIKnWWZgjL_xoTUklpFbeqi?P z?yO$pfCWJ3Ab0yK+YTe@AJz0(H|N$y{shrCaU08f52jlPR8gTC-9SFqw&afMt|Z1lD|B5CEF&*8c~R* zg~EvvOUFv=k^;RN|K;Di+0NrGKjxwMdnFD;w*4Mq+M?m73hD%+*g7Y>dEqQ6ob0H@ zIgCR2#)a|C57^8L;rBdj(<*e|daPzr$bQJe^@fG&^E<@fh3Wq;O#i1SOg~T|dV|9A zZMh5s6qfH>NPoV6;rJ%|sfm3Ch2Y!xSF%$FDDurouhE3-}>W5u8-IS}2aUt|J1}nSEq|mu3)%u0Ybqkd@tv&rhxL@huE``856#ljh3w^gmEq_|N)fjvykuxmR-6nm1<-**3 z3vqv()nZs!yG@LnA8$*a)-Q~$F|1P3X4k^km9y)=3te}fdc(cjtWb5EVN)@&|5Syj zI~1PQSR(+b#b;PWwR3IEK?+Cjvru%(A=9$FsR}YK1g&vQ(q<|EXwJ&V6oLL#ly^{= zx&MqC7Jpv;%gncV8RPzikkjFIDSVvHs9~YwJ%zw<*lWx-=zAxggN3Bj%3$j)FX2apR zb`C&&|8lyTwWrlo9HBiyKr~O6pkelgXnb2vHmOkzb%U~Fwhp5$gW5{fnP^>2LI9}k zE;*dk=r7Zb=V8R#$aDCn;bU$-%RBwDgMSsGJB`iw`qez$_DFDR<=lv*pHdV_mklo7 z;D5lyfwT28t>p|7us2@~LNl~qvF*CpbLxcqtHgP&W?(_d&9eA2jwBx7pG^=w^1&6~fjZEAP$!07V6W@+M4eI^8S{+44#75(g``=50>5DEuvWvhr0OhFPzcbbmIl z(m*@X?mDnwx90q1?-ps-@bMd}&;Z#a z4Xgf9gCD|Wa~P;qg09QqOlK{Myo0adN>Izh8Cw3!|N ztwFUibPuwXL5sZBAYAGFP9eDxj&1?E5)$ojU8!B?;9VKIXEpW7{T^u7Lw_T_7rnvn zV@#RGDyiGKP9N=Q=PGLS)}H!Bk}BwOT9}<}$R#)`t;*MY6K(d!t((Fq8eY^Gis%QJ zd7aFK(Y=-;7JXM#K~l$94N9{%u?8^!Tb$P-_fo<~$J6>YT5JSp_iS~$E;SuYx5L(B zFhOdGeqmFhUHU?}fc289oPR@2(FDjlZ6$2#$$)!bB=w&Gi?|vr%2tgQ&YXRrhT-z! 
z-Kn~?m|jmDjYt2PumAi^+*dGR6LxERG7KGtmomoLMZ%>%wWhk*$J5~Ved%mtGXOIRDsIHuNVQZ{N0G(9{Acf^pGm>2f z?q&#sR{p}RUb}%3uz$GzT0tO4o8F{>+L6CqE~&wq3dQTdCndI_83Nurz9PTjJPHqV ziU!-X_`zNO4fiNboJ4uU^}o1OLdLIV`mzG+Qw_=i{;nBPgC*U^4IS!1YlcKUiiXsO zN(`%q$PkE0)sQ4|^w+2s(!-NeVv?MJm&qT@x!rQIUhcA=w|{7!q0#0T=BKZDjw`{c zVMM1nsM#*4ZNWe-n#GHK!g{(PMomrJ7QE99)-_R^M#2j1#kU4jw#4wd#Oyl7=yYRp z-D7Zl66j>P7%`jH+3Usv$pa*w5jn`&9ut9wL5!i&@>ug<=i#HjU}sob)kW%nculfr7xH-wCmH& z^QWB8VX%7sI%N3C(^>KtdW!w$*P~Mo(?Dj(_m-+1pfY+PC)9r!$J>jS)ov zg{V?MD2*|FYdsf#A^GRinf)B@+ry=GsF1{S&kIHB3tq1+HfHcEHG z2e>c{BrHQ1zaS`wbu5d6g=yJSKI8da6k)=@jFjY&03~%*5N8hOK4-NL#&%L`OVsyt zT_RloRVxh&9!Dt5d;`vX%IK414523~lyiBp`F|wyFFf+RDnsIKd&w@q!6c?hkp?CE zGbh5FvPn{iEIlOoB>6PC=Odc%LGeej(pvV;MAdfSbZo1`c65Gzc??4LbjE4r6wgAh zIGwQBXDw-NHJ@fv-?WUyfYf+6DKE>{`m0hWR=^+4nxTL)RS$0H)S*{8fXX2PxwTr1 zI1n|?rP_v^Hpfza Date: Mon, 16 Oct 2023 20:23:00 +0530 Subject: [PATCH 3/7] renamed dataConnector1 to dataConnectorPoller --- .../{dataConnector1.json => dataConnectorPoller.json} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename Solutions/PrismaCloudCompute/Data Connectors/{dataConnector1.json => dataConnectorPoller.json} (100%) diff --git a/Solutions/PrismaCloudCompute/Data Connectors/dataConnector1.json b/Solutions/PrismaCloudCompute/Data Connectors/dataConnectorPoller.json similarity index 100% rename from Solutions/PrismaCloudCompute/Data Connectors/dataConnector1.json rename to Solutions/PrismaCloudCompute/Data Connectors/dataConnectorPoller.json From 62f6647e808d6d44cadd03af39e79f65a0886212 Mon Sep 17 00:00:00 2001 From: v-amolpatil Date: Fri, 20 Oct 2023 10:24:20 +0530 Subject: [PATCH 4/7] updated code as per review comments --- Solutions/PrismaCloudCompute/Data Connectors/DCR.json | 4 ++-- .../Data Connectors/connectorDefinition.json | 1 + .../Data Connectors/dataConnectorPoller.json | 6 +++--- Solutions/PrismaCloudCompute/Data Connectors/table.json | 4 ++-- 4 files changed, 8 insertions(+), 7 deletions(-) 
diff --git a/Solutions/PrismaCloudCompute/Data Connectors/DCR.json b/Solutions/PrismaCloudCompute/Data Connectors/DCR.json index 0195df58f85..e3f2fe8f478 100644 --- a/Solutions/PrismaCloudCompute/Data Connectors/DCR.json +++ b/Solutions/PrismaCloudCompute/Data Connectors/DCR.json @@ -1,4 +1,4 @@ -{ +[{ "name": "PrismaCloudComputeDCR", "apiVersion": "2021-09-01-preview", "type": "Microsoft.Insights/dataCollectionRules", @@ -120,4 +120,4 @@ } ] } -} \ No newline at end of file +}] \ No newline at end of file diff --git a/Solutions/PrismaCloudCompute/Data Connectors/connectorDefinition.json b/Solutions/PrismaCloudCompute/Data Connectors/connectorDefinition.json index 0f6f907f720..1553f7ddda9 100644 --- a/Solutions/PrismaCloudCompute/Data Connectors/connectorDefinition.json +++ b/Solutions/PrismaCloudCompute/Data Connectors/connectorDefinition.json @@ -5,6 +5,7 @@ "kind": "Customizable", "properties": { "connectorUiConfig": { + "id": "PrismaCloudComputeDefinition1", "title": "Prisma Cloud Compute CWPP (using REST API)", "publisher": "Microsoft", "descriptionMarkdown": "The [Prisma Cloud Compute CWPP](https://prisma.pan.dev/api/cloud/cwpp/audits/#operation/get-audits-incidents) data connector allows you to connect to your Prisma Cloud CWPP instance and ingesting alerts into Microsoft Sentinel. The data connector is built on Microsoft Sentinel’s Codeless Connector Platform and uses the Prisma Cloud API to fetch security events and supports DCR-based [ingestion time transformations](https://docs.microsoft.com/azure/azure-monitor/logs/custom-logs-overview) that parses the received security event data into a custom columns so that queries don't need to parse it again, thus resulting in better performance.", diff --git a/Solutions/PrismaCloudCompute/Data Connectors/dataConnectorPoller.json b/Solutions/PrismaCloudCompute/Data Connectors/dataConnectorPoller.json index ed42927fbca..af2ad564a6b 100644 --- a/Solutions/PrismaCloudCompute/Data Connectors/dataConnectorPoller.json 
+++ b/Solutions/PrismaCloudCompute/Data Connectors/dataConnectorPoller.json @@ -1,10 +1,10 @@ -{ +[{ "type": "Microsoft.SecurityInsights/dataConnectors", "apiVersion": "2022-10-01-preview", "name": "apiRequest", "kind": "RestApiPoller", "properties": { - "connectorDefinitionName": "connectorDefinitionName", + "connectorDefinitionName": "PrismaCloudComputeDefinition1", "dataType": "PrismaCloudCompute_CL", "dcrConfig": { "streamName": "Custom-PrismaCloudCompute_IncidentsApi", @@ -45,4 +45,4 @@ ] } } -} \ No newline at end of file +}] \ No newline at end of file diff --git a/Solutions/PrismaCloudCompute/Data Connectors/table.json b/Solutions/PrismaCloudCompute/Data Connectors/table.json index 4cb576cc3c3..6c230f9e665 100644 --- a/Solutions/PrismaCloudCompute/Data Connectors/table.json +++ b/Solutions/PrismaCloudCompute/Data Connectors/table.json @@ -1,4 +1,4 @@ -{ +[{ "name": "PrismaCloudCompute_CL", "type": "Microsoft.OperationalInsights/workspaces/tables", "apiVersion": "2021-03-01-privatepreview", @@ -101,4 +101,4 @@ ] } } -} \ No newline at end of file +}] \ No newline at end of file From f69f6e5ab8aef1c73084fc6367ec8cd980b7309c Mon Sep 17 00:00:00 2001 From: v-amolpatil Date: Fri, 20 Oct 2023 15:05:03 +0530 Subject: [PATCH 5/7] resolved review comments --- .../Data Connectors/connectorDefinition.json | 2 +- .../Data Connectors/dataConnectorPoller.json | 2 +- Solutions/PrismaCloudCompute/data/PrismaCloud.json | 3 ++- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/Solutions/PrismaCloudCompute/Data Connectors/connectorDefinition.json b/Solutions/PrismaCloudCompute/Data Connectors/connectorDefinition.json index 1553f7ddda9..091be7fa0e9 100644 --- a/Solutions/PrismaCloudCompute/Data Connectors/connectorDefinition.json +++ b/Solutions/PrismaCloudCompute/Data Connectors/connectorDefinition.json 
@@ -5,7 +5,7 @@ "kind": "Customizable", "properties": { "connectorUiConfig": { - "id": "PrismaCloudComputeDefinition1", + "id": "PrismaCloudCompute", "title": "Prisma Cloud Compute CWPP (using REST API)", "publisher": "Microsoft", "descriptionMarkdown": "The [Prisma Cloud Compute CWPP](https://prisma.pan.dev/api/cloud/cwpp/audits/#operation/get-audits-incidents) data connector allows you to connect to your Prisma Cloud CWPP instance and ingesting alerts into Microsoft Sentinel. The data connector is built on Microsoft Sentinel’s Codeless Connector Platform and uses the Prisma Cloud API to fetch security events and supports DCR-based [ingestion time transformations](https://docs.microsoft.com/azure/azure-monitor/logs/custom-logs-overview) that parses the received security event data into a custom columns so that queries don't need to parse it again, thus resulting in better performance.", diff --git a/Solutions/PrismaCloudCompute/Data Connectors/dataConnectorPoller.json b/Solutions/PrismaCloudCompute/Data Connectors/dataConnectorPoller.json index af2ad564a6b..3fa9aa33883 100644 --- a/Solutions/PrismaCloudCompute/Data Connectors/dataConnectorPoller.json +++ b/Solutions/PrismaCloudCompute/Data Connectors/dataConnectorPoller.json @@ -4,7 +4,7 @@ "name": "apiRequest", "kind": "RestApiPoller", "properties": { - "connectorDefinitionName": "PrismaCloudComputeDefinition1", + "connectorDefinitionName": "PrismaCloudCompute", "dataType": "PrismaCloudCompute_CL", "dcrConfig": { "streamName": "Custom-PrismaCloudCompute_IncidentsApi", diff --git a/Solutions/PrismaCloudCompute/data/PrismaCloud.json b/Solutions/PrismaCloudCompute/data/PrismaCloud.json index ccb2c18aabb..99c81334755 100644 --- a/Solutions/PrismaCloudCompute/data/PrismaCloud.json +++ b/Solutions/PrismaCloudCompute/data/PrismaCloud.json 
@@ -4,7 +4,8 @@ "Logo": "", "Description": "The [Prisma Cloud Compute CWPP](https://prisma.pan.dev/api/cloud/cwpp/audits/#operation/get-audits-incidents) solution for Microsoft Sentinel allows you to connect to your Prisma Cloud CWPP instance and ingest alerts into your Microsoft Sentinel workspace using the Prisma Cloud API.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:\n\na. [Codeless Connector Platform (CCP)](https://learn.microsoft.com/en-us/azure/sentinel/create-custom-connector#connect-with-the-codeless-connector-platform)", "Data Connectors": [ - "Data Connectors/PrismaCloudCompute_CLV2.json" + "Data Connectors/PrismaCloudCompute_CLV2.json", + "Data Connectors/connectorDefinition.json" ], "Metadata": "SolutionMetadata.json", "BasePath": "C:\\Github\\Azure-Sentinel\\Solutions\\PrismaCloudCompute", From 559144f16ea35443a88d6ba4005c194c431f8a53 Mon Sep 17 00:00:00 2001 
From: v-amolpatil Date: Thu, 26 Oct 2023 15:27:04 +0530 Subject: [PATCH 6/7] renamed the prismacloudcompute solution name --- .../Images/Accesskey_details.png | Bin .../Images/Accesskey_results.png | Bin .../Images/New_Service_account.png | Bin .../Data Connectors/Images/access_control.png | Bin .../Data Connectors/Images/add_option.png | Bin .../Data Connectors/Images/console_portal.png | Bin .../Data Connectors/Images/setting.png | Bin .../PaloAltoPrismaCloudCWPP_ccp}/DCR.json | 6 ++-- .../connectorDefinition.json | 4 +-- .../dataConnectorPoller.json | 4 +-- .../PaloAltoPrismaCloudCWPP_ccp}/table.json | 0 .../PrismaCloudCompute_CLV2.json | 0 .../Data Connectors/readme.md | 0 .../Package/2.0.0.zip | Bin .../Package/3.0.0.zip | Bin 0 -> 8254 bytes .../Package/createUiDefinition.json | 4 +-- .../Package/mainTemplate.json | 34 +++++++++--------- .../ReleaseNotes.md | 0 .../SolutionMetadata.json | 5 +-- .../data/PrismaCloud.json | 16 +++++++++ .../PrismaCloudCompute/Package/3.0.0.zip | Bin 8197 -> 0 bytes .../PrismaCloudCompute/data/PrismaCloud.json | 16 --------- 22 files changed, 44 insertions(+), 45 deletions(-) rename Solutions/{PrismaCloudCompute => Palo Alto Prisma Cloud CWPP}/Data Connectors/Images/Accesskey_details.png (100%) rename Solutions/{PrismaCloudCompute => Palo Alto Prisma Cloud CWPP}/Data Connectors/Images/Accesskey_results.png (100%) rename Solutions/{PrismaCloudCompute => Palo Alto Prisma Cloud CWPP}/Data Connectors/Images/New_Service_account.png (100%) rename Solutions/{PrismaCloudCompute => Palo Alto Prisma Cloud CWPP}/Data Connectors/Images/access_control.png (100%) rename Solutions/{PrismaCloudCompute => Palo Alto Prisma Cloud CWPP}/Data Connectors/Images/add_option.png (100%) rename Solutions/{PrismaCloudCompute => Palo Alto Prisma Cloud CWPP}/Data Connectors/Images/console_portal.png (100%) rename Solutions/{PrismaCloudCompute => Palo Alto Prisma Cloud CWPP}/Data Connectors/Images/setting.png (100%) rename Solutions/{PrismaCloudCompute/Data 
Connectors => Palo Alto Prisma Cloud CWPP/Data Connectors/PaloAltoPrismaCloudCWPP_ccp}/DCR.json (96%) rename Solutions/{PrismaCloudCompute/Data Connectors => Palo Alto Prisma Cloud CWPP/Data Connectors/PaloAltoPrismaCloudCWPP_ccp}/connectorDefinition.json (92%) rename Solutions/{PrismaCloudCompute/Data Connectors => Palo Alto Prisma Cloud CWPP/Data Connectors/PaloAltoPrismaCloudCWPP_ccp}/dataConnectorPoller.json (91%) rename Solutions/{PrismaCloudCompute/Data Connectors => Palo Alto Prisma Cloud CWPP/Data Connectors/PaloAltoPrismaCloudCWPP_ccp}/table.json (100%) rename Solutions/{PrismaCloudCompute => Palo Alto Prisma Cloud CWPP}/Data Connectors/PrismaCloudCompute_CLV2.json (100%) rename Solutions/{PrismaCloudCompute => Palo Alto Prisma Cloud CWPP}/Data Connectors/readme.md (100%) rename Solutions/{PrismaCloudCompute => Palo Alto Prisma Cloud CWPP}/Package/2.0.0.zip (100%) create mode 100644 Solutions/Palo Alto Prisma Cloud CWPP/Package/3.0.0.zip rename Solutions/{PrismaCloudCompute => Palo Alto Prisma Cloud CWPP}/Package/createUiDefinition.json (77%) rename Solutions/{PrismaCloudCompute => Palo Alto Prisma Cloud CWPP}/Package/mainTemplate.json (92%) rename Solutions/{PrismaCloudCompute => Palo Alto Prisma Cloud CWPP}/ReleaseNotes.md (100%) rename Solutions/{PrismaCloudCompute => Palo Alto Prisma Cloud CWPP}/SolutionMetadata.json (77%) create mode 100644 Solutions/Palo Alto Prisma Cloud CWPP/data/PrismaCloud.json delete mode 100644 Solutions/PrismaCloudCompute/Package/3.0.0.zip delete mode 100644 Solutions/PrismaCloudCompute/data/PrismaCloud.json diff --git a/Solutions/PrismaCloudCompute/Data Connectors/Images/Accesskey_details.png b/Solutions/Palo Alto Prisma Cloud CWPP/Data Connectors/Images/Accesskey_details.png similarity index 100% rename from Solutions/PrismaCloudCompute/Data Connectors/Images/Accesskey_details.png rename to Solutions/Palo Alto Prisma Cloud CWPP/Data Connectors/Images/Accesskey_details.png 
diff --git a/Solutions/PrismaCloudCompute/Data Connectors/Images/Accesskey_results.png b/Solutions/Palo Alto Prisma Cloud CWPP/Data Connectors/Images/Accesskey_results.png similarity index 100% rename from Solutions/PrismaCloudCompute/Data Connectors/Images/Accesskey_results.png rename to Solutions/Palo Alto Prisma Cloud CWPP/Data Connectors/Images/Accesskey_results.png diff --git a/Solutions/PrismaCloudCompute/Data Connectors/Images/New_Service_account.png b/Solutions/Palo Alto Prisma Cloud CWPP/Data Connectors/Images/New_Service_account.png similarity index 100% rename from Solutions/PrismaCloudCompute/Data Connectors/Images/New_Service_account.png rename to Solutions/Palo Alto Prisma Cloud CWPP/Data Connectors/Images/New_Service_account.png diff --git a/Solutions/PrismaCloudCompute/Data Connectors/Images/access_control.png b/Solutions/Palo Alto Prisma Cloud CWPP/Data Connectors/Images/access_control.png similarity index 100% rename from Solutions/PrismaCloudCompute/Data Connectors/Images/access_control.png rename to Solutions/Palo Alto Prisma Cloud CWPP/Data Connectors/Images/access_control.png diff --git a/Solutions/PrismaCloudCompute/Data Connectors/Images/add_option.png b/Solutions/Palo Alto Prisma Cloud CWPP/Data Connectors/Images/add_option.png similarity index 100% rename from Solutions/PrismaCloudCompute/Data Connectors/Images/add_option.png rename to Solutions/Palo Alto Prisma Cloud CWPP/Data Connectors/Images/add_option.png diff --git a/Solutions/PrismaCloudCompute/Data Connectors/Images/console_portal.png b/Solutions/Palo Alto Prisma Cloud CWPP/Data Connectors/Images/console_portal.png similarity index 100% rename from Solutions/PrismaCloudCompute/Data Connectors/Images/console_portal.png rename to Solutions/Palo Alto Prisma Cloud CWPP/Data Connectors/Images/console_portal.png 
diff --git a/Solutions/PrismaCloudCompute/Data Connectors/Images/setting.png b/Solutions/Palo Alto Prisma Cloud CWPP/Data Connectors/Images/setting.png similarity index 100% rename from Solutions/PrismaCloudCompute/Data Connectors/Images/setting.png rename to Solutions/Palo Alto Prisma Cloud CWPP/Data Connectors/Images/setting.png diff --git a/Solutions/PrismaCloudCompute/Data Connectors/DCR.json b/Solutions/Palo Alto Prisma Cloud CWPP/Data Connectors/PaloAltoPrismaCloudCWPP_ccp/DCR.json similarity index 96% rename from Solutions/PrismaCloudCompute/Data Connectors/DCR.json rename to Solutions/Palo Alto Prisma Cloud CWPP/Data Connectors/PaloAltoPrismaCloudCWPP_ccp/DCR.json index e3f2fe8f478..ada411f2056 100644 --- a/Solutions/PrismaCloudCompute/Data Connectors/DCR.json +++ b/Solutions/Palo Alto Prisma Cloud CWPP/Data Connectors/PaloAltoPrismaCloudCWPP_ccp/DCR.json @@ -1,10 +1,10 @@ [{ - "name": "PrismaCloudComputeDCR", + "name": "PaloAltoPrismaCloudCWPP_DCR", "apiVersion": "2021-09-01-preview", "type": "Microsoft.Insights/dataCollectionRules", "properties": { "streamDeclarations": { - "Custom-PrismaCloudCompute_IncidentsApi": { + "Custom-PaloAltoPrismaCloudCWPP_IncidentsApi": { "columns": [ { "name": "_id", @@ -110,7 +110,7 @@ "dataFlows": [ { "streams": [ - "Custom-PrismaCloudCompute_IncidentsApi" + "Custom-PaloAltoPrismaCloudCWPP_IncidentsApi" ], "destinations": [ "clv2ws1" diff --git a/Solutions/PrismaCloudCompute/Data Connectors/connectorDefinition.json b/Solutions/Palo Alto Prisma Cloud CWPP/Data Connectors/PaloAltoPrismaCloudCWPP_ccp/connectorDefinition.json similarity index 92% rename from Solutions/PrismaCloudCompute/Data Connectors/connectorDefinition.json rename to Solutions/Palo Alto Prisma Cloud CWPP/Data Connectors/PaloAltoPrismaCloudCWPP_ccp/connectorDefinition.json index 091be7fa0e9..13fad019289 100644 --- a/Solutions/PrismaCloudCompute/Data Connectors/connectorDefinition.json 
+++ b/Solutions/Palo Alto Prisma Cloud CWPP/Data Connectors/PaloAltoPrismaCloudCWPP_ccp/connectorDefinition.json @@ -5,10 +5,10 @@ "kind": "Customizable", "properties": { "connectorUiConfig": { - "id": "PrismaCloudCompute", + "id": "PaloAltoPrismaCloudCWPP", "title": "Prisma Cloud Compute CWPP (using REST API)", "publisher": "Microsoft", - "descriptionMarkdown": "The [Prisma Cloud Compute CWPP](https://prisma.pan.dev/api/cloud/cwpp/audits/#operation/get-audits-incidents) data connector allows you to connect to your Prisma Cloud CWPP instance and ingesting alerts into Microsoft Sentinel. The data connector is built on Microsoft Sentinel’s Codeless Connector Platform and uses the Prisma Cloud API to fetch security events and supports DCR-based [ingestion time transformations](https://docs.microsoft.com/azure/azure-monitor/logs/custom-logs-overview) that parses the received security event data into a custom columns so that queries don't need to parse it again, thus resulting in better performance.", + "descriptionMarkdown": "The [Prisma Cloud Compute CWPP](https://prisma.pan.dev/api/cloud/cwpp/audits/#operation/get-audits-incidents) data connector allows you to connect to your Prisma Cloud CWPP instance and ingesting alerts into Microsoft Sentinel. The data connector is built on Microsoft Sentinel's Codeless Connector Platform and uses the Prisma Cloud API to fetch security events and supports DCR-based [ingestion time transformations](https://docs.microsoft.com/azure/azure-monitor/logs/custom-logs-overview) that parses the received security event data into a custom columns so that queries don't need to parse it again, thus resulting in better performance.", "graphQueriesTableName": "PrismaCloudCompute_CL", "graphQueries": [ { 
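Review bot: The `descriptionMarkdown` edited in this hunk no longer matches the copy shipped in `Package/mainTemplate.json`. Here the text reads `your Prisma Cloud CWPP instance` with an ASCII apostrophe in `Sentinel's`, while the mainTemplate hunks at -118 and -478 read `your Palo Alto Prisma Cloud CWPP instance` and keep the typographic `’`. That suggests the template (and presumably the 3.0.0.zip built from it) was edited by hand or generated from a different revision of this file; regenerating the package from the committed connector definition would keep the deployed artifact traceable to its source. While the string is being touched, `and ingesting alerts` should read `and ingest alerts` and `into a custom columns` should read `into custom columns`.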
diff --git a/Solutions/PrismaCloudCompute/Data Connectors/dataConnectorPoller.json b/Solutions/Palo Alto Prisma Cloud CWPP/Data Connectors/PaloAltoPrismaCloudCWPP_ccp/dataConnectorPoller.json similarity index 91% rename from Solutions/PrismaCloudCompute/Data Connectors/dataConnectorPoller.json rename to Solutions/Palo Alto Prisma Cloud CWPP/Data Connectors/PaloAltoPrismaCloudCWPP_ccp/dataConnectorPoller.json index 3fa9aa33883..830c5002f61 100644 --- a/Solutions/PrismaCloudCompute/Data Connectors/dataConnectorPoller.json +++ b/Solutions/Palo Alto Prisma Cloud CWPP/Data Connectors/PaloAltoPrismaCloudCWPP_ccp/dataConnectorPoller.json @@ -4,10 +4,10 @@ "name": "apiRequest", "kind": "RestApiPoller", "properties": { - "connectorDefinitionName": "PrismaCloudCompute", + "connectorDefinitionName": "PaloAltoPrismaCloudCWPP", "dataType": "PrismaCloudCompute_CL", "dcrConfig": { - "streamName": "Custom-PrismaCloudCompute_IncidentsApi", + "streamName": "Custom-PaloAltoPrismaCloudCWPP_IncidentsApi", "dataCollectionEndpoint": "data collection Endpoint", "dataCollectionRuleImmutableId": "data collection rule immutableId" }, diff --git a/Solutions/PrismaCloudCompute/Data Connectors/table.json b/Solutions/Palo Alto Prisma Cloud CWPP/Data Connectors/PaloAltoPrismaCloudCWPP_ccp/table.json similarity index 100% rename from Solutions/PrismaCloudCompute/Data Connectors/table.json rename to Solutions/Palo Alto Prisma Cloud CWPP/Data Connectors/PaloAltoPrismaCloudCWPP_ccp/table.json diff --git a/Solutions/PrismaCloudCompute/Data Connectors/PrismaCloudCompute_CLV2.json b/Solutions/Palo Alto Prisma Cloud CWPP/Data Connectors/PrismaCloudCompute_CLV2.json similarity index 100% rename from Solutions/PrismaCloudCompute/Data Connectors/PrismaCloudCompute_CLV2.json rename to Solutions/Palo Alto Prisma Cloud CWPP/Data Connectors/PrismaCloudCompute_CLV2.json 
diff --git a/Solutions/PrismaCloudCompute/Data Connectors/readme.md b/Solutions/Palo Alto Prisma Cloud CWPP/Data Connectors/readme.md similarity index 100% rename from Solutions/PrismaCloudCompute/Data Connectors/readme.md rename to Solutions/Palo Alto Prisma Cloud CWPP/Data Connectors/readme.md diff --git a/Solutions/PrismaCloudCompute/Package/2.0.0.zip b/Solutions/Palo Alto Prisma Cloud CWPP/Package/2.0.0.zip similarity index 100% rename from Solutions/PrismaCloudCompute/Package/2.0.0.zip rename to Solutions/Palo Alto Prisma Cloud CWPP/Package/2.0.0.zip 
diff --git a/Solutions/Palo Alto Prisma Cloud CWPP/Package/3.0.0.zip b/Solutions/Palo Alto Prisma Cloud CWPP/Package/3.0.0.zip new file mode 100644 index 0000000000000000000000000000000000000000..0f853b5d63cea7809eae03b8b3ce973a06674b52 GIT binary patch literal 8254 zcmZ{qRZtvIv#kdY?oNQ`qySe}!KDoNU44qw91o2)ZEnh>l(Ts37Skbwi-u%Kb*KIr(@o=KeP;Jb zVhb6ZvEjcT?P)bV%{RavRC$ACI$%qB%bZ-wO_KG_*3Tu{{TS8T86{2I&eX3VCK4D- z>%X$UtB1Nbo5#%C&8tyrb)9{SH1R<~RryLtP4>MO)5QlTJzRM^MXYc@|9gp%CmMv| z5A=RSLorGXh|hF75n7~N&!rwkZs{NocKj*zC17Z}IC0ybOrDM=qV4R8soPV>`CFyC}R7{zT+$bMFs zI1E+UcyT6m)u1p}CH3NGhA?IxQF!pS&RdzXG?}UT@dTac(kCw6jK3Kd5zA;FUuv6- zokbK27RvE7CpKpQw#M)+F?8ao91W&GOo`CB_`p2A#iLwjxytV?i;nmS*oes$36tWo_pFcNq`qw(JGJ}PL~%L%rl0# zkkF7LMoWO2WCBP3!*SI$VGX6;Cmn?`7RBlp4e{+uCc{l`N^$qf4OMq>U(T@GS%Y`fL{j8nw*&i9w-1USRi~p%5o#Sz$Xzfoz7Rk(GthYd@i3kiPbwjCeJb4(%49}sW*TQQWwoH zaqWW_ub;lQ4LhW&FOiU45D=zw#!m*m>h$Q;y8GJN=R%yg|C|Nk>DS@2kPu{NU4K5- zkjWzlk@&y(7y3WSXj8HYT~@I^#bo!~W9U3IykdW`12lv99>SF-`XD-_BG$cQ2BZwb>2TI{g6`p!A$RQukC4?fn(tQl!j95 z3!NMD0z=$oDEp;NE>V=3gUGN4%UP>n|4VEmS ze2o|Kibr6FT`fd%=Ws-c*3e?6I~s`a$vm8xcA!$Cf2IyWamQz8khvhZf z3s!YELwsp>(O4pLm55k$4-a~HzwFt~G+Qj*FBXcxY(tSeG}|jnez4|vj{vyHmpcn> zJ!PQfj$SvgF-$MY8BDvfA00F-s(OUEAl+fV6y^orj@{idfV9gT@Do$YxMO6*O_N~d(Y z>u4{R`d?f&U!U}sr~q4uMONb=0A3` zX~5{iw!<@z=D^Izg*PsopftLxSb+y^PRcctW5G#bGN#k+SK-`T3&W*ovmS}(9?au7 zs`i6{09TYMD8&AP_4^3e_3*+(l|FRcR>V21wUPF`X7~oWW)5C(4Oi1Nx? 
zE&;@ZY6~i>2-y{`w-cLjMaWRTsChAlN4$oBnFsxvOa)whVw}cZ#eRzEpBy%Q0ZW(k z(KhV8ql$*eO^s63{Tg@6(|c@trPTg^R%GUDV(3Z&r9C1806^maz&|$vID_q7^sSxU zocr9ri7M=qSm?FyXH=Cl_tWMJ0hP5S=a5e^`s_0uRW}Xz ztQ{_tn=ix9T~CZZ-YInTBqe(_Du|)X-l$UHL=9|>y9qx%^}JGUTL!8^1#X>>(Hnln zIUl49$p-P=o%Wi8Y0#WpUP+XE&ccH(hk{twlckSROXeJIW=ffn?z@|{McnIDRFeihQU(_v zY&rxRzY{TLRuF#GkZrsXwPGnh~vo=HR40xBUrb%)1jo-{`OD6&doeR)CfYPVqBScVLK`P;;1V%t7AFbGERfJd20B z{FzUNkj_EuqQ$rTrVxYTSGn8$sMYdn2eiFL9h-aUX7f*9w~MLN*Efk@F@)Jl@MflC zw>XP!QVZc&I#>k5b-Q5{sISWdI04z}eCXnt<@+fE19|+u@;lbwdU?IsF8AQ6Z>Qsx z?t9uw%`V?$q>ai#KzlkFgOv5$8=Q1NQgSNrb&Rl%@&IKd@F9i~;Z{0^#pXgWg)k!R zI{QjL>h15}q<_3jse6tHs`IswB@%|ioFY6E13QZT>gdp+`4B1|ShvbDhnz}qZ%@m} zrPC~oREvqx-OdhJzn#3p+*bLz;?y7g{L`?jFCm#G{{|R%CpzTCjc=hDgGsk@kz++S zwHC?(?LbSZDsmMPCU9K7okUW7@2E)1>Uv-mb9pSK05XsGC01fi(ANxf;*w{kUX&um zFX)cf?Be#CIZPxay}|yJv$^w^#3UjGwD z?e5p5347id57)d3Dchq3xFXg_$i*M~*+Fc&h$D&<$n z0U-ujRgXmWReSq!shLN`bBt=u5=M_RK?ueidLt{d-ng|j8|Is|A*9Rc&w8f@*aU*m zaWh-NtYHLSnvZP4Xw@12I`Jvkcnw|OhWT=VDlK#L9xw=d8_KeDlx67 zcjA!Sr-4+D=dR=0HYcLZYY@=J26?1m8{!`>6FI)Afs1i5ZZkfm?!A&-q>h$L%`31Esg<_8Upk zc;4w{Wz7gJ$cT(lHv`1A&KnigkVF04)nm!;1>dw3Uhn1B*inwZpJ89T4>M<%L$V-_ zD{)BvmD1lirTV>3TGG*hc*3Bak{>sw3uBZSXboqB^Yw^KC{6o zbj)wk%0`U&eI3}pvSxOnx@NMnsdFVVru>?&%v37?P!&qL(Dc^+20N+Z&45G!j;@Ub z(`ogYmj)X*ZhG}!4iFP8LDkPWWh@1>hUfw9szV zMpthK&hHanNCe6yn{oYWU*?}p&`Q&PID0hH)2sUTt9#Fz=pA0Y%~I81lDEwp2>5{^ z%2-{-V_l#Xgrw;$$Sb%(B`|xAPIHZIdDbNrdy{ zYBFvND7|Qen`{qnhfm>9#hvv24zA+1?loB1p;LGu?bH!4mr~+hCcq9av{o07?9VS9 zeSMyK)t$sA{ZtTwTe*O8=jGZzLi+rJNYCBPC_hCDi1izl&oofqUSLmE_Bx@Tk{_pI!@J?p`SXkPc=yo3{YdyJYAV)lERoeH zpeZ0JZeuq2B?L8QFY@R?1o z%@^uGP}LiXjO8Z2&hS`nO8f_1CW5ss6m&v`9KW--{IWR#xnN5>?vEw zE5xPyiL}!!cXSQ(+z1;#82W3PiPNJX0k%U|HT+@4q`F7pIr!7%UqRPtS>i@_y%Ou+ z6nM^LumNQwUTB4YGKP`?s;JUR?fecP@wKH(En`EzBe3I4=pM}eov}x;RgYdwuBB7x zD+}s3JykV#{DNaOjybKiMv?*63ia|`BXK7sgiE=X_AacC>2e5}@oSwL+ws7ESB^%w z1bVB#mK1tMoWFS^N4eZ8xy3WzdX(4FJ6sL5PNDNV56>0N4?oXrj1PNiI_!~*W(|b+ zMG*YzI0YnD=mha_wnAqeL)9dQRUGXO(#(ho2Qs&n89e(-(H?dKI9u^94`He+eqG|P 
zm&A~)>NR5Uu@CF7lP^Y%+Z$Oi9GvOqt!DSDgTphjQ1}eW^#x60LO$t>6dd=J)-Uw+ zs++{}ZU6qfv{|pq_D0`7#AG%zNic!X*lc2(_5kpERL(wItb`o(XOYk;PxCPHmz0~bR(8r~n`|^a( z3W_L4!lwL|c!?!rtF|#)-A{t#>u7q^A_)ICe_otj4^-9%+LWrdGmJ9?^={*+Tehvm_K!_9A8%6 zkP&yJstCTxO0FX^mNN4Pf_KzVF%7?m_!oZ&46URol{7G%0W@5H4&P3OWoZ$zm_lJ_%cyemRN0a7ukM5)6u|9HF|oio#?b{c=uTgoXbHre ztBw7M>9#$r#Z+|w{lnC;--7T%WCz94?Nr?koR_2wjz>F+nJu8P);5MK0>=xi0=!TD zVtMvL1}UT^?(;5Q3|ervH$WTHti(jSi4bo_3k88KHWUb;P18?=AELh*Hhak zAg`lSIuXEZ0-<^SOA@VJfQ;2O@ z3=^{aGi$4N&@ac$mEEkyF>V=8hC=T?=oc# zRN3z~*O5rqw{x+6PXS6-Y(_6ri>I7roe@elSYhk|BUvAznhvzdJ6%QH>WW%R^NnPa z9_zCv^IJNz{i%=4RfHaakI~;{^X~5O4_n;h+sK3-r>VibpA7g^f5K>&<1Q-JZ3P>s zjY|NgmhbL~4bgY>{os;~n&uM+0+;ig{+lDwbC^olcgPA4SF`{2q$v8`#zc`D`-&7l zjgNXN8`nv#liyqQifM<-9LTcD^uLiu9yHtznvraryZE5YayS%o>cLmQvBOa;hs>U` zYx5bztJmu8Pb50hs5d=aas|AWKOJKr)p>J3-AMGZAvNO~kZxX$9udI331#tkV>st= zOmjxiKP1H3Im~YH>KPwK3c!vNokMrBWZ+KN-9L^nR+RCcpeEu^2abcbs(lr9GK;Z9 z7JTmxzEM-E*AH6(?9{8*bK&DJ7{KwPPwStLNAVL8JWv$(#U9HwG!1`VI*B4)wFwmh zyM~`8{EY?W-x~x{c45DK?(DN@oe_-XRxZ3JAU;zqus!fYj3PlY#nMVO7@1A_D<5cgOj;G@u$vQ-1#&84LwP(?bFhB&|`?&viMV3S2?*1>w z>z}_)F_R0;qcp{)c9$?8G4#ZK%j9yJSKfGlrh=uJ&485LVPs#2dZ*0+*MqQv!zt$e zah99;!*ql`k4^tQO_*G~4nh73&C|mBAC;Dwa$)n5@Yd zn^#C=!^~He?>^ek)|)P}$s~d*l}_p;4`V;HrRjr3p}|b5u0(8v85=e8q9hs(bRjvh8@LX1%PjLXBvchc6K;y~xq>moDlb@~O6iQkzl~<^jV`c$ zUtH)ZbwV9;3J$~R?h%!c$M43ENqOQ?XB2azVN&x-vX;Pr<2(r(TSk*L`k2WGYB(>U zm}*89^Tmzlz1U-k{Z4(DIrw#N<;BvD354FM>5*m01 z`Xic!Yh$7PUy3j9XN7)SgxdMGY_<5zZa6A`6M8*J=)G(Q2Gv~1kyO@5-np+Wu|j40 zMD%WKCog-NcodZMt`q6+ots7>+oFUQ2%~w*9jVTQR`D$IbFy6uUrKDN-Bd!>6Y*1n zGs~bq0)sr|FYa`yqMM#;J}eh*2@xM57cPl1cld5`u;!kW55W^-UWSSPPT($$v)|&1 zJIz&&Z1`5$=(-1+65sx)Dt9%Kk?Ohn3*vb_k9i1ghoVD$GC21{MErei91@zYI@(rK5~p>>o(-0_inlhurb79EqYV) zr+b5VO{49I%+T)qLtVp(I$K?iZncFDs3p{IZh5XYX}yT9U6HE5P-Gv7pC0Y4yA_Zc zvnSz5h5OxpwM^DGF=jU%jB;7is;tyP5q8e#5lKAQQG8x&#uH!{@h7p-1dBb$`-}V4 zPBXIebIcmWz*w@;aK#8ngy}W*{U)`(Uxx-ambX{qEF5H`H3WD~NgF=X!7%-ZjZjQd z00u3tFNi9!T6g`NU0{t;$3!V(8*Al<4a;a`up;D(u+!)vM=pA<%T^q0@wpgbJaX}E 
z>_wzSW!Pv&t&|ac5-o}>$?z608n7Mi)b|*pD4HD+EkaecJ#BJ5+(}@yYt%>ZG9Fvn z)b6}raM5B&`8CwII}5HG&B{D8{(X@?$tHs7MB5VDc(t0uhgW8(+D0;jpq;xmD;3?4 zNC+Aerq6K+)|@G}w#l9}LmO8=Huj$o=|VX3n?Dk7p*4lM3Q}!2+P<5=<0|`Z>~EqW zK+B!2}#r`Su39&Y&!$)Fh07Ge?m_tU59*WlQ7em)RoJCX&IU0XMU#`i7bVpWm*P)O z)Vj2Afpaa1;_|hG`%)0fJSve-sWrtA&)bB`+nI^vq zL3=&CLai)^QPxxv-F(|}=vU{2du+dJUy8xZ5zn|EthmuP4RtxiYcT|6CEGKz%d{9Y z@WZt{49SZ5(B)7g``Y+NtK)S4d2jAh5Ql1&@{Rs5^@SncXxH4jieWgdbx><~rEXVN z9*VUX-1uv**+-CrcPrEELD56+Y$*s56b>$VCwv7yjC^SpsCrb2kFq!%o+-HK5PA*T z3w_si$SLla#LkyoeTBO&4%N7VB&sacxqFm#Rv4_F)(_|7| z!G`SzZoZz{P7`aSOC6z>)?{Qv>;w6<#^jJt8|wpJ34myrgY^N86?+(oFI1*=_NhzO zgOTbP5yHr@yw$GTvEJ9gdp+exkxVH$TNA|;z~vXV@gtKr-axnI(_5+KnMs5B1E>Uc zEQ7)H?@)bd1!HN14XLJ z7c1--fQk4L9j4w9bJW$Nph+k4ftRai2TDIQc1yH&HZR^Pspxo(rI&itCiCHJgu=D-am zUgh^y3Fz6h(8# zQfqGA61mNkm^f|26 zBN}a7c}j?dnE6V39uBIRepEm_s8R*6a*$?ko$$I@$Qi*d7rkzl<5MGsZWb{LWtOj* zu;-iqo=#v380i)GyuB|T6y%rd_5YEvE0n9W6{0y~nL{Gg`r5PQQu3vYrMB;dG(%PS zX<;1v-ZHRKMx=M6M9rbD_^GwPP{QFb*-rX2`O)VK7@v?Fjfd4dIXv-&LO~6+^^>Z4 za@Zfk)dMdw@C^-iRE2(0A- zo)9>B{2Yor!(G31X)KfmI!*<)=Np+*>L6=Jv!R5~lFhaJ`gB2>94rZ1n%dHpTy=`# zRmF1P#*djNQlA+f5RAyF5YiqdqW+k77ld?|paADcWItc{dl;H>2dVdc5!{sf+;3!X zIn44nbm-ctPLEoIy5_dwwMqw$zyKr4Xe1g7AR5P3*EB7PTSK#-&mV9|d~v5~2Ye%- zo_Ky+7)Kw6h&r+Yc73$$hEd8j<-f+yN?ahE;Ub|6y>pYrOC1nRgAMjK;jrgD{SAuY z-m*|sMOFEn%*zqY7d3@s+m37Ft(&bzMCA#hgCZE1V6$;6v5a>jOX8-^FprYSYNe|0 zCx5&;+_Ui6^)<*Ie7;ML_#9@eo|28@K+KW*=F^ys%38zq_-@MX+{w2@yJ55;n$dnI zxEP-SM(Etk`{vWl>+5a2!Sln=xiMDraC3K2@XD0Q>}tE@WNEj(Oe{jhg`2KU4!%Z4*M89I}Vw4Y|9+syghQ2nbmEcjQj~NVPx=@C3$y?Khx|``s-wrH!N{3`\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Prisma Cloud Compute CWPP](https://prisma.pan.dev/api/cloud/cwpp/audits/#operation/get-audits-incidents) solution for Microsoft Sentinel allows you to connect to your Prisma Cloud CWPP instance and ingest alerts into your Microsoft Sentinel workspace using the Prisma 
Cloud API.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:\n\na. [Codeless Connector Platform (CCP)](https://learn.microsoft.com/en-us/azure/sentinel/create-custom-connector#connect-with-the-codeless-connector-platform)\n\n**Data Connectors:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Prisma Cloud Compute CWPP](https://prisma.pan.dev/api/cloud/cwpp/audits/#operation/get-audits-incidents) solution for Microsoft Sentinel allows you to connect to your Palo Alto Prisma Cloud CWPP instance and ingest alerts into your Microsoft Sentinel workspace using the Prisma Cloud API.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:\n\na. [Codeless Connector Platform (CCP)](https://learn.microsoft.com/en-us/azure/sentinel/create-custom-connector#connect-with-the-codeless-connector-platform)\n\n**Data Connectors:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", 
@@ -60,7 +60,7 @@ "name": "dataconnectors1-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This Solution installs the data connector for PrismaCloudCompute. You can get PrismaCloudCompute custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." + "text": "This Solution installs the data connector for Prisma Cloud Compute CWPP. You can get Prisma Cloud Compute CWPP custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." } }, { diff --git a/Solutions/PrismaCloudCompute/Package/mainTemplate.json b/Solutions/Palo Alto Prisma Cloud CWPP/Package/mainTemplate.json similarity index 92% rename from Solutions/PrismaCloudCompute/Package/mainTemplate.json rename to Solutions/Palo Alto Prisma Cloud CWPP/Package/mainTemplate.json index 2dbef4de0c9..3f06490ebab 100644 --- a/Solutions/PrismaCloudCompute/Package/mainTemplate.json +++ b/Solutions/Palo Alto Prisma Cloud CWPP/Package/mainTemplate.json @@ -43,7 +43,7 @@ "email": "support@microsoft.com", "_email": "[variables('email')]", "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", - "_solutionName": "PrismaCloudCompute", + "_solutionName": "Palo Alto Prisma Cloud CWPP", "_solutionVersion": "3.0.0", "_solutionAuthor": "Microsoft", "_packageIcon": "icon icon icon icon", 
@@ -51,9 +51,9 @@ "_solutionId": "[variables('solutionId')]", "dataConnectorVersionConnectorDefinition": "1.0.0", "dataConnectorVersionConnections": "1.0.0", - "_dataConnectorContentIdConnectorDefinition": "PrismaCloudComputeTemplateNameConnectorDefinition", + "_dataConnectorContentIdConnectorDefinition": "PaloAltoPrismaCloudCWPP", "dataConnectorTemplateNameConnectorDefinition": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnectorDefinition')))]", - "_dataConnectorContentIdConnections": "PrismaCloudComputeTemplateNameConnections", + "_dataConnectorContentIdConnections": "PaloAltoPrismaCloudCWPPTemplateNameConnections", "dataConnectorTemplateNameConnections": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnections')))]", "_logAnalyticsTableId1": "PrismaCloudCompute_CL" }, 
@@ -118,9 +118,10 @@ "kind": "Customizable", "properties": { "connectorUiConfig": { + "id": "[variables('_dataConnectorContentIdConnectorDefinition')]", "title": "Prisma Cloud Compute CWPP (using REST API)", "publisher": "Microsoft", - "descriptionMarkdown": "The [Prisma Cloud Compute CWPP](https://prisma.pan.dev/api/cloud/cwpp/audits/#operation/get-audits-incidents) data connector allows you to connect to your Prisma Cloud CWPP instance and ingesting alerts into Microsoft Sentinel. The data connector is built on Microsoft Sentinel’s Codeless Connector Platform and uses the Prisma Cloud API to fetch security events and supports DCR-based [ingestion time transformations](https://docs.microsoft.com/azure/azure-monitor/logs/custom-logs-overview) that parses the received security event data into a custom columns so that queries don't need to parse it again, thus resulting in better performance.", + "descriptionMarkdown": "The [Prisma Cloud Compute CWPP](https://prisma.pan.dev/api/cloud/cwpp/audits/#operation/get-audits-incidents) data connector allows you to connect to your Palo Alto Prisma Cloud CWPP instance and ingesting alerts into Microsoft Sentinel. The data connector is built on Microsoft Sentinel’s Codeless Connector Platform and uses the Prisma Cloud API to fetch security events and supports DCR-based [ingestion time transformations](https://docs.microsoft.com/azure/azure-monitor/logs/custom-logs-overview) that parses the received security event data into a custom columns so that queries don't need to parse it again, thus resulting in better performance.", "graphQueriesTableName": "PrismaCloudCompute_CL", "graphQueries": [ { 
@@ -178,14 +179,14 @@ ], "customs": [ { - "name": "PrismaCloudCompute API Key", - "description": "A Prisma Cloud Compute CWPP Monitor API username and password is required. [See the documentation to learn more about PrismaCloudCompute SIEM API](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PrismaCloudCompute/Data%20Connectors/readme.md)." + "name": "Palo Alto Prisma Cloud CWPP API Key", + "description": "A Palo Alto Prisma Cloud CWPP Monitor API username and password is required. [See the documentation to learn more about Palo Alto Prisma Cloud CWPP SIEM API](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Palo%20Alto%20Prisma%20Cloud%20CWPP/Data%20Connectors/readme.md)." } ] }, "instructionSteps": [ { - "description": "To enable the Prisma Cloud Compute CWPP Security Events for Microsoft Sentinel, provide the required information below and click on Connect.\n>", + "description": "To enable the Palo Alto Prisma Cloud CWPP Security Events for Microsoft Sentinel, provide the required information below and click on Connect.\n>", "instructions": [ { "type": "Textbox", @@ -229,14 +230,14 @@ } }, { - "name": "PrismaCloudComputeDCR", + "name": "PaloAltoPrismaCloudCWPP_DCR", "apiVersion": "2021-09-01-preview", "type": "Microsoft.Insights/dataCollectionRules", "location": "[parameters('workspace-location')]", "kind": null, "properties": { "streamDeclarations": { - "Custom-PrismaCloudCompute_IncidentsApi": { + "Custom-PaloAltoPrismaCloudCWPP_IncidentsApi": { "columns": [ { "name": "_id", @@ -342,7 +343,7 @@ "dataFlows": [ { "streams": [ - "Custom-PrismaCloudCompute_IncidentsApi" + "Custom-PaloAltoPrismaCloudCWPP_IncidentsApi" ], "destinations": [ "clv2ws1" 
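Review bot: The `customs` permission in this hunk is named `Palo Alto Prisma Cloud CWPP API Key`, but its description asks for a `username and password`, so an operator cannot tell which credential to provision; the same entry is repeated in the hunk at -538. Name it after what is actually collected, for example `"name": "Palo Alto Prisma Cloud CWPP API credentials"`, and change `is required` to `are required`. The description should also say that the account ought to be a dedicated service account limited to reading the incidents audit endpoint the connector polls. The image names in the renamed `Images` folder (`Accesskey_details.png`, `New_Service_account.png`) suggest an access key on a service account is intended, but the lines shown here do not confirm that.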
@@ -478,9 +479,10 @@ "kind": "Customizable", "properties": { "connectorUiConfig": { + "id": "[variables('_dataConnectorContentIdConnectorDefinition')]", "title": "Prisma Cloud Compute CWPP (using REST API)", "publisher": "Microsoft", - "descriptionMarkdown": "The [Prisma Cloud Compute CWPP](https://prisma.pan.dev/api/cloud/cwpp/audits/#operation/get-audits-incidents) data connector allows you to connect to your Prisma Cloud CWPP instance and ingesting alerts into Microsoft Sentinel. The data connector is built on Microsoft Sentinel’s Codeless Connector Platform and uses the Prisma Cloud API to fetch security events and supports DCR-based [ingestion time transformations](https://docs.microsoft.com/azure/azure-monitor/logs/custom-logs-overview) that parses the received security event data into a custom columns so that queries don't need to parse it again, thus resulting in better performance.", + "descriptionMarkdown": "The [Prisma Cloud Compute CWPP](https://prisma.pan.dev/api/cloud/cwpp/audits/#operation/get-audits-incidents) data connector allows you to connect to your Palo Alto Prisma Cloud CWPP instance and ingesting alerts into Microsoft Sentinel. The data connector is built on Microsoft Sentinel’s Codeless Connector Platform and uses the Prisma Cloud API to fetch security events and supports DCR-based [ingestion time transformations](https://docs.microsoft.com/azure/azure-monitor/logs/custom-logs-overview) that parses the received security event data into a custom columns so that queries don't need to parse it again, thus resulting in better performance.", "graphQueriesTableName": "PrismaCloudCompute_CL", "graphQueries": [ { 
@@ -538,14 +540,14 @@ ], "customs": [ { - "name": "PrismaCloudCompute API Key", - "description": "A Prisma Cloud Compute CWPP Monitor API username and password is required. [See the documentation to learn more about PrismaCloudCompute SIEM API](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PrismaCloudCompute/Data%20Connectors/readme.md)." + "name": "Palo Alto Prisma Cloud CWPP API Key", + "description": "A Palo Alto Prisma Cloud CWPP Monitor API username and password is required. [See the documentation to learn more about Palo Alto Prisma Cloud CWPP SIEM API](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Palo%20Alto%20Prisma%20Cloud/Data%20Connectors/readme.md)." } ] }, "instructionSteps": [ { - "description": "To enable the Prisma Cloud Compute CWPP Security Events for Microsoft Sentinel, provide the required information below and click on Connect.\n>", + "description": "To enable the Palo Alto Prisma Cloud CWPP Security Events for Microsoft Sentinel, provide the required information below and click on Connect.\n>", "instructions": [ { "type": "Textbox", @@ -709,7 +711,7 @@ "connectorDefinitionName": "[[parameters('connectorDefinitionName')]", "dataType": "PrismaCloudCompute_CL", "dcrConfig": { - "streamName": "Custom-PrismaCloudCompute_IncidentsApi", + "streamName": "Custom-PaloAltoPrismaCloudCWPP_IncidentsApi", "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" }, @@ -808,7 +810,7 @@ "contentProductId": "[concat(substring(variables('_solutionId'), 0, 50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]", "displayName": "[variables('_solutionName')]", "publisherDisplayName": "[variables('_solutionId')]", - "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Prisma Cloud Compute CWPP solution for Microsoft Sentinel allows you to connect to your Prisma Cloud CWPP instance and ingest alerts into your Microsoft Sentinel workspace using the Prisma Cloud API.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Codeless Connector Platform (CCP)
  2. \n
\n

Data Connectors: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Prisma Cloud Compute CWPP solution for Microsoft Sentinel allows you to connect to your Palo Alto Prisma Cloud CWPP instance and ingest alerts into your Microsoft Sentinel workspace using the Prisma Cloud API.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Codeless Connector Platform (CCP)
  2. \n
\n

Data Connectors: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "icon": "[variables('_packageIcon')]" } } diff --git a/Solutions/PrismaCloudCompute/ReleaseNotes.md b/Solutions/Palo Alto Prisma Cloud CWPP/ReleaseNotes.md similarity index 100% rename from Solutions/PrismaCloudCompute/ReleaseNotes.md rename to Solutions/Palo Alto Prisma Cloud CWPP/ReleaseNotes.md diff --git a/Solutions/PrismaCloudCompute/SolutionMetadata.json b/Solutions/Palo Alto Prisma Cloud CWPP/SolutionMetadata.json similarity index 77% rename from Solutions/PrismaCloudCompute/SolutionMetadata.json rename to Solutions/Palo Alto Prisma Cloud CWPP/SolutionMetadata.json index c4e73a7d155..6456439f9f7 100644 --- a/Solutions/PrismaCloudCompute/SolutionMetadata.json +++ b/Solutions/Palo Alto Prisma Cloud CWPP/SolutionMetadata.json @@ -11,8 +11,5 @@ "email": "support@microsoft.com", "tier": "Microsoft", "link": "https://support.microsoft.com/" - }, - "SolutionName":"PrismaCloudCompute", - "SolutionAuthor": "Microsoft", - "PackageIcon":"icon icon icon icon" + } } \ No newline at end of file diff --git a/Solutions/Palo Alto Prisma Cloud CWPP/data/PrismaCloud.json b/Solutions/Palo Alto Prisma Cloud CWPP/data/PrismaCloud.json new file mode 100644 index 00000000000..723037bd854 --- /dev/null +++ b/Solutions/Palo Alto Prisma Cloud CWPP/data/PrismaCloud.json 
@@ -0,0 +1,16 @@ +{ + "Name": "Palo Alto Prisma Cloud CWPP", + "Author": "Microsoft - support@microsoft.com", + "Logo": "", + "Description": "The [Prisma Alto Prisma Cloud CWPP](https://prisma.pan.dev/api/cloud/cwpp/audits/#operation/get-audits-incidents) solution for Microsoft Sentinel allows you to connect to your Palo Alto Prisma Cloud CWPP instance and ingest alerts into your Microsoft Sentinel workspace using the Prisma Cloud API.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:\n\na. [Codeless Connector Platform (CCP)](https://learn.microsoft.com/en-us/azure/sentinel/create-custom-connector#connect-with-the-codeless-connector-platform)", + "Data Connectors": [ + "Data Connectors/PrismaCloudCompute_CLV2.json", + "Data Connectors/connectorDefinition.json" + ], + "Metadata": "SolutionMetadata.json", + "BasePath": "C:\\Github\\Azure-Sentinel\\Solutions\\Palo Alto Prisma Cloud CWPP", + "Version": "3.0.0", + "TemplateSpec": true, + "Is1PConnector": false, + "createPackage": false +} \ No newline at end of file 
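Review bot: The `Description` link text reads `[Prisma Alto Prisma Cloud CWPP]`, which looks like a typo for `[Palo Alto Prisma Cloud CWPP]`, the spelling used in `Name`. `BasePath` is an absolute path on one workstation (`C:\\Github\\Azure-Sentinel\\Solutions\\Palo Alto Prisma Cloud CWPP`), so the package can only be rebuilt from a checkout at that location. The deleted `Solutions/PrismaCloudCompute/data/PrismaCloud.json` follows the same pattern, so this may be the repository's convention and is worth confirming. The last patch in this series edits `Data Connectors/PaloAltoPrismaCloudCWPP_ccp/connectorDefinition.json`, so the `Data Connectors/connectorDefinition.json` entry listed here may not resolve against that layout.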
diff --git a/Solutions/PrismaCloudCompute/Package/3.0.0.zip b/Solutions/PrismaCloudCompute/Package/3.0.0.zip deleted file mode 100644 index fb9cad355383b72994bbee020230e47e47f40da2..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 8197 zcmZ{pWlS6Zv#u9+cXxMpiWhfxw*?k=FHnjWcemmcSt!op?#105iWfWm?oDoPa?Y9g zF_|}+nV)YakGc{JEG_^5Km;^-De3_)U17E00RSf~0D$11YUOTY;c27eAY)_e;Nsxv z0CHh>^Z>cE=sAPd_%Ywb%|F7_5%kennUFZ05Pzd*X*I*mP1?`nOOxU@dxC$dmkyQe zwwt`aBrJ4XG;c%&A+i4Pt)Jcyd%n96h=bd*XphQ8uw&IXGTJss)@E>>2mI`yNf@yIlQ= zI^%aFy4YN0_IpJuugC6Ru{SP!7|U|j-YW3HPu))v1whQ|7U!OViA7^FvbQR>Tr#qs zk9t7PUiWSr6!WE4MG!7dG~Kq!a@z=~(m&JO8KH&MMB=!NWrvHUS6_8elf{;=2^e|EbF(LDX`IhlcaWiPi(=|GC77A_J8j|G=s=_to#uDq^!$tf>3Gaiwww2MF==by+HMoSe{ zBENEh5pcU_u$CWg>F>8voc<`6FBIq~Gbj39sEryqzK(e>Pg#3mXjn&xz3m_mc-($EuwiT_ zY^Q(8IYrRkj4;-{WVJatG|u%BdjWK4ckGcwNL*u|^b|&?@5+ieDE^e{zZb)<07bXw>*Wx`x(0L+$`NEVUe1I@7%ksqzHgp4}HBUy)WVig?Bk9+WW2*8p zJfR8=J*yFM-phMQaEa-jJJ8{q=e+s$#vA32ZPh}3d3*j@m^uNtAX`s^^XIGKwRw#2 zRrO!8b}B1+3$HaHyfGanOHw60ceu`)1OkJ;e(!Z?Wmjn%_?+u&Y&ClxDFp=K!ehj2 zU+bIG^&qlXPrtypbIwlSWp5&BMTS;XV`Z1kw*BrZkKRCRLe0+=_>EyMr&o@gLKjOc zpD2_WC2P-xNol!AhuI-F`@VrVs9J9fwNe3yw7?5O>Fe{8Ma--Lk@Hm}+85ZwhOJy{ zdFvF7dXjE%Sa7*B;bPp;&B@J)o9C;QXCOEAR}7t2uM>4V0W$-M)j1)o7L<}$lwCL& zhfxB`yeA9Z85tFeS{vP@UrXKM&E@2rU0=fESZxzpogz||+uMP30pE|Qpg*W+XNal! 
z@E;vdNe~)ajWtJupgc??@F@GM#2~W`P;z@uQ{U9|*#vA83j`H+d~u?5&64G`wlofg zaen8L4Qyq?N?A}n`bYOtNAShS6&&hJ9rdk<5~^h4+}6`O@nX>5_6E2=Jp{{CfxKN$ z8`w~-UwDcOe!9@!M>-a6@XmiBbh;Vb*(rDI@VMd3_SU_Uu&45a*Ms{PXRm!c&5ppN#-Z~-h3^+!epi^_yPm(Fs(A5O;0KXt z7JCpyROczLqK~U^vnuBHrDZvUsm}y$Nm1uLw?0TO$Ld*ZWa_r^-?z#<<>R+YxwNZnLZa?_;@97^J%?kpu@V2zDw0(!G2RG@RKMZeaDME(Spmo7A|aq zq+ zfiA?HLF@b}TNrI05$K^`T+nqyS zNFE7hdZU9n(bwFS~n z&z%UUJ++WtEIJE-Se~ldcF$dWJlTr4?JL~-ozHWb?{;Luq;<*q(k@oOvU#tpflPRs zRGRpM!ZkJm3;6IVH=Uy0*I}6arSHKqY>yto8%Ki>LKb;*c_P+JBOXYRG)VT`mn6&`2f4(zp+I7|RuL zn1=X8&B5y?y<@BtP`Hh-&?wtr0_y zBf}+6*q@ByNcalG5V>~Xoua+AFU?O(NDP_V$BHNLgC1Y69LcfM@|F=G-}yMqb|0lN z)|KO#^~(C}j13xq1hz)E8C$zX%(CptP@!d@n%v+iL7#`=YE10L(=#BmobVl0qKk}; zb8KIDiv};!8A=u)`jf^XtRMp^UR*vumlVsOyAsJA+q6m9gr&BDB)QX5u zKS26z$fh1qb`_G=oFLI}<9c0v3CR?N_v}HB^n>2K*k%baDAap5Io8xiE|RH-m$Qs# z$7^T_1KHp%KZ#Mt$z#?7G_rV&;J1n&fu2?kCPDh>aFe#CPUL!u_uZK?}Nu;miA&TD%?M(c+0R35r{|qBO7Gx0I3f4Ja zu>9(~5`l*NqWTphZvk};MXz$K1761Cu{pT(YRb%zt}ERTyK_(_s$~?~zeVSyl%}jn z1$Pt6rEu23l9Hty?}^!UjU;)VGEtRWEFCOhR{NB&{i67Va#pQ&BHw1;)Pf-aF+kqo zz>#bC3H;2aXzDS4cy9*0+jmkuEB7W$nJ}&9KeDAlH~#Cap4)l%jP{<^M2hQYRImcD=#+|;QBYb^0$Tv&4d-<_Bx@2hRyc28#XE0v5z_34V@ z`q!e%v~W7z$0*-w$@;XSuzKVuO+JM)4U0{NvPE;sQoi<5DSz2oap=6&8eJAd|Krz% z1khQDvx*+cvIcnIQ@cNlvH`!OjhG#GQ!Nh5a)XGD-pQ%1o}G^2=7p53wtv!mErU2f zx39!;HKF-0{D^kMPQE$TvMEvvhEZ+h=jPuc<(s=gqPR=0xm$&DH5u@h%{)qA8cBEYGRJ)CQr6Gl^HpV;ta5XvS=dz8ITeTpya8_#s? 
zTPQWLBI}h^_l-L*yIJQSdmZu`_w{H_>v|{bxaVrF$fn+994%Ss=H56Kr~x`z)Fibd zZKG(tq%MOH1`&L>fkO`fBCWS%hmle^OK-Gb%<0+pm3(Y;KD>5qmIl#Ih$a`ag0k*) z2J}xZaZE+?A(+C~w@1VLkf#QiJ&6?c*wy!;{(!9dIk(NFOctbB5#$VeLhl}s&HWnS zEi5xAcJ|~O(i$4$$tVHSNHUcD4dtgIAg2&&G+@RCAwH;p#Hh!jE@L;8jI3fKm?Q~r zhd=(u&mH z#}PgJs}S@Ctsh}Zk3Ndi+$QQc1Dq(w>n#+3`%QnQ zvUbmH(g^SyG9F1O1irGQOm$r#&)=#DZJI0jBYXY{(LDR*AK85h1TGkz68lhUra~28GS~`p~CK<@WoUQZNS+jf@ zCXXbq4JnJsW;E-SNqI#^n>q43(9=w1Wo^+jlX&Uhiq;KccP2E;h22@n!6kras*nxS z2(IxWz{HTtCjE_^9e?Y`%6>lVdSyjH1j>+Dy#l@^)n!EeJJOZ3$ny8E<#d}_j|jio zof&@GJT}$bnJsNJL$RJzk!0rr$d=Qy^L4h2WF*@HJ+qgRfo@U6C0fU6#z@5-nY;4) z`VduwlZ`;AHq4`wW?tZsC*Q{(yt~xec|40VU#j0nS^5RLTi;@+C-F_&GN0FThh~-Y z(q|3u?om;DK72isSAuz#83RS{H})#S$Pmq`4gKp+FQM=wj*9hJOIe}>qAcwh!*vL7 zcL0IOj>>hEJj{;uojNl|i-_BVbcP(?k`=I|XyyCe?ZdjRP33d;u#WJlzm3AGZoyBh z$bOm@l^$Z^v@Q%^fC(dW#d>#C{1rZ=L|fh~raomwKcc8lPuM)Ba!-(_Eb&6 z55ra@p@+6#RDw&|D6cr^ekkb5+xsZ!Y3&}PgM0p@vcO)ug_ z#X?~nzW2v+*+iY`NNPmcNc)bkD-ww*w|<-9{W=Za8IJY_r`Ha(1hcGx>Uc}xUTh{; zEpHPyVNB?^3b^li4-B{@`gtu3i}2D5q}frCA8xnKRZ}yA&pG@=b@ctY52{g22jl*u zg9`#bm&g-0H1d@&15DSdhgR6uM|;5`VPwr_{G14CT)>};~amvd7k_%ULOXMD}gXN0WYT9;WGaieZlC~|lScl)~`nr+k*Ucm` z)+bBozkF#st_{mkf)t5`4EbV9<#Tk+9M_)bhTh}EF;EaoTT62Ng>p6Src&IRzY$%i z7$9O!^@O*Cw5Q#;Ox2`nT7S&@XMrtXdn9@u=`-3Rtn9P&+`l_1@P6nqUx^I-gi60o zjC#o%xC(9(Jz4jPs7FX1OO1*{5M^Ko^mf5BR88|Ymhwa=12G%!JVmT~tostMEGgPH zp+VeQZEgs-!Xr&uGec#!>~}KpBeYHGh{sS(xbIv49uVJj(|V*x8IJ8dMtVeoN%u1f z7kCICKU3!ri`j=){5(DYElzkI$;q6S6Mgpx=w=`%=`%@=%bSikv5{QoC%YF>iYm0| z_jsJ2PptfN$Qod;T)UaOGVzYg-gWA+8G1H)k^ton*Zx`LufB?^)_Ad#V&`)+iAKie z@Y`Wm%@7qzMtA%se27H;HpjYYjtpUhdf+$YjQklMPoD7Gm|3;G{Rm%lv+gg7O?u1; zP)T3x7}0=n8hvEJQGdu^2)pE2+219I%&hJfeF*BG30%RPa!1b%LLXpExoNR{vweyw zjv@OxZ{>H&4Y8E^!8HYIT=*2&*QX4JYY?mDE_dx4k>Vrrrp+#=bjav1m*%+XlgV_% z*4S5eQWC=EC%{5^d3z!M8_IHO#58PT@^q)HWu>SzSq&3Q91+1A%g;=6NDjeg!`cQk z-n+O2Wy8U}6Al<3oaAOxdCg8s-f;qgsCL|Eo|9J|joD)L*Vb3>vfKvyg$ggCJggdZ+@9LY+OzaG{oys-mR zv@V=@5I8=5IlHyO-6>PgU5~V2o(}8aFv$N>Gp!--DcC#;Ej^Gq*pJ-kpxZCL?7qp6 
zVqyO7Ic>hoQZb<>>odgAbUPE|>afWsZDEe?HLARf;KSZwOM^O5;9`LIvOQz4H1Q=& zXn}3doPu;L;Ap7iJjuF&uWx%M)AKh?Mj?p2uU826#XJM~3n7NrvaEo1cdxj9ItDgT zVt_vQeiCaLp<_z;0Pap~np~8^oT5hfDj%i+B^b^1p$DU`>)3bm)3qTk*D2KW^J8DT z$E`hYFS?LGZ`Qjwp}>`YLXY%sG|%83j0dQdys2{p+pWu~Q$BQkfG4_pYfs|^XYsp+ zN`aS$i}Su3W{}o zFaKDP$Mop!N?5Of2+P@sgR2TvDPw9q8gmGyk|CoBhPnNWsUTy*t=G`WPR!uxe*Rji z$J${>`pEOIti~YyAL2dIuO^xASCG4q7|0zAUaBVHrR5C0!pFi}i)x0od2@)-X4#XyGG=Q^P*;w26J zQWLRLdIvP#FymviP+Vpd-{*rZ)GxK+Jol)_KC#h?`8aIA78TjDHqiEb1HN;3gDeyG zGt)VHvjv(6b-Z`XcpX&=tanTz>$DQ_NNsL4P+4jMC8-SsEfOb-fcu zk*y%*W*g6`qTG|3As(i6E{6_1tO-=cIyRH_Lx{|JnQpV#Ip~=P%*o)oG(!|3bIE`V zpTrU43vb@WJroe#LI#+CamZL_am18)Ew^=%QAXwFIdsSk(~v&+&vS$I4*}$v&FuO6 z=?Rwc=*WC($Z9^Gnj;40Fu(9}Yb(5S!vwo#Mq3!sLwC>pUo}#LNKZ6}h*mrw-Q(np zY|BpunuaHw#7_9%c3!A2{TEJoTPTfMK>Vcnz$3uIBS%HGL4cvkAl51ltjw(^60t2P zdZ_ilI)!*pU4T)<_Kb6t`$w&I-nZY2w6LM8m&yGK@$cLhzT|S9@uFWr#NvmCO`Y=` zB2Ri$?eoiV^=6av&WW(Cx>ND;f0<;HJXf}N(a?=a1&ui74W}rf0&W*6d8J?Q*6LzS z2)dFT%6Mas&?wxR&VLrsvUUuK%Mer-y`Ek^_`3gD0dF`L=5=rxC?+8j|KJR3f7bbP zksaS@=N)e>bGKF)>_^&Lm!tepHbKe)0zaD+6-$nT?K=9nUM-u~Ekg|z^l#r6BxAs9 zSX)kdP+n|Q-;4d%ij6+0RO46+n*{RQUxZHMM;KM?ib~jfKgUgx=j8^o6YR&07Z8X) z{aO@#i;U`Hh!2qGE{`&v{*AZL`F!@*+kn}?_JTHL4g9U`&*m$Jx;B6j1X(DbpPc*7 zRshT4)?f+TJoJo(Y=twhm@Qgl-a9JT-7=#!(_GZSpm+nP%pP2lywNCnijdL1=an{< zJ?hWdvF+7KqV#leKfdYX3MQRa#)<9LQzi%41u!^cg{MC6KsyS1*#_gMI@{REy1U1F zRc`EM%ad6(xSE}zLt^vU0ZB8rQjnEDkJ$EI|SN#?Z`rj+AsInt}(5f zkO0@sizucovlG9BIy6^>7k+J;#qFxPo3%C8B_Vb39A_+VnS`%J_4h^Tn3Ihiul{0b zciG*$i4V&nJzc0z>T44vQW*U zFQu(|p>L)Y1?XxOtY3wBi}CIT%#yr{52ZTPB)8|C-Oc8E*A>fwE-KAvE5q3QEIt=oF0Ip60g;v@!-Q<{EEz)!bY#u0&{&rvxhw1BG;+BvTaDbGi3 zdz97uAZm!N?kjd$wBMOnA#fyQ=h)1vQi?sfADH#MD|r4pJv|Tvhojp^mz*)caNaS_ zqB?Q%%|+Vn`$(lo&J1o z8)pO@`A_dSiXTQK6gJ)ifGwiEsYhzt6R$3tQlLyI8+KcZy#9}PY6z>p;MZ7<&K;`_ zUDs#sxE0au4iCb%2DMkM0OX}*ZzGyco6uq>Um8IWh@U(uU>kLJq1_6uq5J5}-yPoJ zI`nkx8v%GI26o0E4WOyd&PTIiv+WYaX@9`6e%eC92o-x)j|Usxe4;}9gY0?jAep$P zQoR#BP}7nmn`*mjkL3@^RLQkOg?)ocEXDf$mTThNfI_N(@kgu@o%O3@IR{IF_+laH 
z_Ek0&pZ;9X`b-gdv#tC>iM@Q#kAVjNXw$WM71@;-fAU8+0x+)KrjIE-VZ<_lazno8YuK z(ALbD1_C8)lu+xHChD}}R0Zgl#Nd}0!c@~^v6>w6x?EVli>eprd51d|>D)rEw_7<_ z*WkC0o@8njp=NJgIgGI?$gGsHl6z96xF&nlhp3VV>Gl{^T@?F4ucjNd=$QQN{`+g| z!jfj=8J}k%+2GxQFEm)$Bj#CE_`$3ivevRF*EJ=VLu|IFT-|BZ(NqDiQUawrWx}(r z-*~D=KpdU@oY$fKH~d+uLwrLtWbBy~zWS(MI;uc4k1nLBVmTz3jXC`30mjh$Zb9x0 zk)xnXWwAU6s1_t#qQ6O~0jnO(3>Ps+IN$o)igx;k|vaJm>r#v?t8ML!Govsw!W%za&?) z(S1K81&mwBicj^5_A~5t=hbvgCDOI4s~7oHh{_LN1G+)7n=rg1uBKLYWD%xq;o*8* zgD&)VLJ2t8@nmCY8rCJA41u92{SpxFh#Qn}cm3f;LH*2hu>+p`Em;Cn-;JsVqqX*otDHw1JXjAtcjNp~`@m3Ff`Y~c{O_>+ALjr-0Vw}d s{>A@--v9q4{}U", - "Description": "The [Prisma Cloud Compute CWPP](https://prisma.pan.dev/api/cloud/cwpp/audits/#operation/get-audits-incidents) solution for Microsoft Sentinel allows you to connect to your Prisma Cloud CWPP instance and ingest alerts into your Microsoft Sentinel workspace using the Prisma Cloud API.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:\n\na. [Codeless Connector Platform (CCP)](https://learn.microsoft.com/en-us/azure/sentinel/create-custom-connector#connect-with-the-codeless-connector-platform)", - "Data Connectors": [ - "Data Connectors/PrismaCloudCompute_CLV2.json", - "Data Connectors/connectorDefinition.json" - ], - "Metadata": "SolutionMetadata.json", - "BasePath": "C:\\Github\\Azure-Sentinel\\Solutions\\PrismaCloudCompute", - "Version": "3.0.0", - "TemplateSpec": true, - "Is1PConnector": false, - "createPackage": false -} \ No newline at end of file From 9521587ba6f763916ce663a2f9e480c7bee4a7e4 Mon Sep 17 00:00:00 2001 
From: v-amolpatil Date: Thu, 26 Oct 2023 17:08:38 +0530 Subject: [PATCH 7/7] updated code --- .../connectorDefinition.json | 10 ++++----- .../PrismaCloudCompute_CLV2.json | 10 ++++----- .../Package/3.0.0.zip | Bin 8254 -> 8246 bytes .../Package/createUiDefinition.json | 4 ++-- .../Package/mainTemplate.json | 20 ++++++++++-------- 5 files changed, 23 insertions(+), 21 deletions(-) diff --git a/Solutions/Palo Alto Prisma Cloud CWPP/Data Connectors/PaloAltoPrismaCloudCWPP_ccp/connectorDefinition.json b/Solutions/Palo Alto Prisma Cloud CWPP/Data Connectors/PaloAltoPrismaCloudCWPP_ccp/connectorDefinition.json index 13fad019289..da741638faf 100644 --- a/Solutions/Palo Alto Prisma Cloud CWPP/Data Connectors/PaloAltoPrismaCloudCWPP_ccp/connectorDefinition.json +++ b/Solutions/Palo Alto Prisma Cloud CWPP/Data Connectors/PaloAltoPrismaCloudCWPP_ccp/connectorDefinition.json 
@@ -6,9 +6,9 @@ "properties": { "connectorUiConfig": { "id": "PaloAltoPrismaCloudCWPP", - "title": "Prisma Cloud Compute CWPP (using REST API)", + "title": "Palo Alto Prisma Cloud CWPP (using REST API)", "publisher": "Microsoft", - "descriptionMarkdown": "The [Prisma Cloud Compute CWPP](https://prisma.pan.dev/api/cloud/cwpp/audits/#operation/get-audits-incidents) data connector allows you to connect to your Prisma Cloud CWPP instance and ingesting alerts into Microsoft Sentinel. The data connector is built on Microsoft Sentinel's Codeless Connector Platform and uses the Prisma Cloud API to fetch security events and supports DCR-based [ingestion time transformations](https://docs.microsoft.com/azure/azure-monitor/logs/custom-logs-overview) that parses the received security event data into a custom columns so that queries don't need to parse it again, thus resulting in better performance.", + "descriptionMarkdown": "The [Palo Alto Prisma Cloud CWPP](https://prisma.pan.dev/api/cloud/cwpp/audits/#operation/get-audits-incidents) data connector allows you to connect to your Palo Alto Prisma Cloud CWPP instance and ingesting alerts into Microsoft Sentinel. The data connector is built on Microsoft Sentinel's Codeless Connector Platform and uses the Prisma Cloud API to fetch security events and supports DCR-based [ingestion time transformations](https://docs.microsoft.com/azure/azure-monitor/logs/custom-logs-overview) that parses the received security event data into a custom columns so that queries don't need to parse it again, thus resulting in better performance.", "graphQueriesTableName": "PrismaCloudCompute_CL", "graphQueries": [ { 
@@ -67,13 +67,13 @@ "customs": [ { "name": "PrismaCloudCompute API Key", - "description": "A Prisma Cloud Compute CWPP Monitor API username and password is required. [See the documentation to learn more about PrismaCloudCompute SIEM API](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PrismaCloudCompute/Data%20Connectors/readme.md)." + "description": "A Palo Alto Prisma Cloud CWPP Monitor API username and password is required. [See the documentation to learn more about PrismaCloudCompute SIEM API](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PrismaCloudCompute/Data%20Connectors/readme.md)." } ] }, "instructionSteps": [ { - "description": "To enable the Prisma Cloud Compute CWPP Security Events for Microsoft Sentinel, provide the required information below and click on Connect.\n>", + "description": "To enable the Palo Alto Prisma Cloud CWPP Security Events for Microsoft Sentinel, provide the required information below and click on Connect.\n>", "instructions": [ { "type": "Textbox", @@ -110,7 +110,7 @@ "type": "ConnectionToggleButton" } ], - "title": "Connect Prisma Cloud Compute CWPP Security Events to Microsoft Sentinel" + "title": "Connect Palo Alto Prisma Cloud CWPP Security Events to Microsoft Sentinel" } ] } diff --git a/Solutions/Palo Alto Prisma Cloud CWPP/Data Connectors/PrismaCloudCompute_CLV2.json b/Solutions/Palo Alto Prisma Cloud CWPP/Data Connectors/PrismaCloudCompute_CLV2.json index ccff445cd79..f174ebe5fde 100644 --- a/Solutions/Palo Alto Prisma Cloud CWPP/Data Connectors/PrismaCloudCompute_CLV2.json +++ b/Solutions/Palo Alto Prisma Cloud CWPP/Data Connectors/PrismaCloudCompute_CLV2.json 
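Review bot: The `customs` description updated in this hunk still links to `Solutions/PrismaCloudCompute/Data%20Connectors/readme.md`, a directory this series renames to `Solutions/Palo Alto Prisma Cloud CWPP`, so the documentation link will probably stop resolving once the rename lands. The same stale link is kept in `PrismaCloudCompute_CLV2.json` (hunk `@@ -61,13 +61,13 @@`). Both should use the renamed path, e.g. `Solutions/Palo%20Alto%20Prisma%20Cloud%20CWPP/Data%20Connectors/readme.md` as an earlier hunk in this series does, assuming the readme lives there. The link text and the unchanged `"name": "PrismaCloudCompute API Key"` line also keep the old wording that the earlier hunks replaced with `Palo Alto Prisma Cloud CWPP`.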
@@ -1,8 +1,8 @@ { "id": "PrismaCloudComputeNativePoller", - "title": "Prisma Cloud Compute CWPP (using REST API)", + "title": "Palo Alto Prisma Cloud CWPP (using REST API)", "publisher": "Microsoft", - "descriptionMarkdown": "The [Prisma Cloud Compute CWPP](https://prisma.pan.dev/api/cloud/cwpp/audits/#operation/get-audits-incidents) data connector allows you to connect to your Prisma Cloud CWPP instance and ingesting alerts into Microsoft Sentinel. The data connector is built on Microsoft Sentinel’s Codeless Connector Platform and uses the Prisma Cloud API to fetch security events and supports DCR-based [ingestion time transformations](https://docs.microsoft.com/azure/azure-monitor/logs/custom-logs-overview) that parses the received security event data into a custom columns so that queries don't need to parse it again, thus resulting in better performance.", + "descriptionMarkdown": "The [Palo Alto Prisma Cloud CWPP](https://prisma.pan.dev/api/cloud/cwpp/audits/#operation/get-audits-incidents) data connector allows you to connect to your Prisma Cloud CWPP instance and ingesting alerts into Microsoft Sentinel. The data connector is built on Microsoft Sentinel’s Codeless Connector Platform and uses the Prisma Cloud API to fetch security events and supports DCR-based [ingestion time transformations](https://docs.microsoft.com/azure/azure-monitor/logs/custom-logs-overview) that parses the received security event data into a custom columns so that queries don't need to parse it again, thus resulting in better performance.", "graphQueriesTableName": "PrismaCloudCompute_CL", "graphQueries": [ { 
@@ -61,13 +61,13 @@ "customs": [ { "name": "PrismaCloudCompute API Key", - "description": "A Prisma Cloud Compute CWPP Monitor API username and password is required. [See the documentation to learn more about PrismaCloudCompute SIEM API](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PrismaCloudCompute/Data%20Connectors/readme.md)." + "description": "A Palo Alto Prisma Cloud CWPP Monitor API username and password is required. [See the documentation to learn more about PrismaCloudCompute SIEM API](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PrismaCloudCompute/Data%20Connectors/readme.md)." } ] }, "instructionSteps": [ { - "description": "To enable the Prisma Cloud Compute CWPP Security Events for Microsoft Sentinel, provide the required information below and click on Connect.\n>", + "description": "To enable the Palo Alto Prisma Cloud CWPP Security Events for Microsoft Sentinel, provide the required information below and click on Connect.\n>", "instructions": [ { "type": "Textbox", @@ -104,7 +104,7 @@ "type": "ConnectionToggleButton" } ], - "title": "Connect Prisma Cloud Compute CWPP Security Events to Microsoft Sentinel" + "title": "Connect Palo Alto Prisma Cloud CWPP Security Events to Microsoft Sentinel" } ] } \ No newline at end of file 
diff --git a/Solutions/Palo Alto Prisma Cloud CWPP/Package/3.0.0.zip b/Solutions/Palo Alto Prisma Cloud CWPP/Package/3.0.0.zip index 0f853b5d63cea7809eae03b8b3ce973a06674b52..cc28f4c9510055c7c8851d65f93e1fa94a82fc11 100644 GIT binary patch delta 7437 zcmV+o9rEJ7K(;^|P)h>@6aWAK2msiHT30An=TJ@t004>+000-0&mS6*H5f6OQ)~s& z&1lmWLmU*ebhf!rq{gG-x?TSJj?}yDq}_&nF)Z?Qug^Vq`tTxZwBl_Z|AAUP2`1jwnyXBLakgHH)M(U88=rgKJq@++9T+4< zPIzFfzAm`oIam@RiBIl`4pXg`V$~hck-&H2BR3fxF1bXQv^NWmBE`Ni9cF;35rwTS z{~+=eLz6z8x7jg#6R(6_mx~gA!H`AkGURgOBdLC)*K{Zp$b^zbP9~RnrLnqu-`vG` zx0(lRBQm=t1K)jHe4xiQh}GJ*&(G#+u8xj=)fUcszHaiV4IL z@Fr|rkjmSC!D$jRVR zlWn2Uaw+M>_`P$EJYv@~E;T!sBswz!bIztxml>PBo6S1E3V#(BT*VpOCA<(x>coPGoq}KhV z6T=>Hw2DlnzzC=GumZGyq>b`~^wcOgU~!|(Ef$Yb$p{TFmmgp zIz?BIu9cR0B>+hUWK`)Yvs9EeT+46inzIZFAT280GIvV0mfD5vE%!7{d>E*6V0!7~ zsG#k;&Jqxcsk}9ogd(4PhcU{6rI+Z+L6J~^)XYwRXPNJAF6;DvIKN1)Eg4;;8ZDkV z_j$~&r#b@(h-_NbfrMw0TPj`7!s&E2?$AMyGb+woVsI@5Dk?GY^wYvQNj+CYX^B?n zQQ9beQvZuK6jwx{(N$%)_?KV>6wOgGrB{uw3*Bsz+UPNeT#|Da?$%qi*rkc-@y^ed7JC zDH^_PnLcSP_pLtkB9|`|I*4G>wg6I>*VYr?JFiMA!6VuRDi&JbJ|;{wDpD`GbWI-g z1#h~C`+mx#PWi!f(fHsQ0buvSO)8O5m$(V=i^yDKHA*IbYy*sVi3!V=M(4i&sNbm9 zxZGMAC>>9P#Y>Y^sFiSikiRmpGI*v z_gZN52cV*<>f)vtFVEk#q4d47+X99&yoGgqZu0X&P)Av#u`|7a2&e` z$CKmnO)yOLpEMTjA&{)K+a7|SpI;4;Njr#Ldy8bB;1TwllMIP$GU|21mp0IkG#8_K z`+0hLe0m%me;*y6jL6|b)ooomRK?8~7I3QboR+qK3!{q*+7SlQk}p6y@xy2!MonR@ zWmYYAuYG-JOg&(F2L%~f%-jyM5mGYg>aLaSL86BU{D+W0YiPl-xK~r(IFP;Nl1lCi znDZj602x;85sropFdD~qPJF^@xiNeC%qMdEh-ce0x74)i*mhb=VdLvVD%|XRM>7 zzEBOcn}$7Tn=L*|9*$MpnTv$j)>cX6GOLl=Fh@2!EglP)bjWfei}Ek0g< zOKC*V`#7hK5O}O$-A%4F-`l58*(h8+=aYfVF0h`<&9x z{ohba0|XQR000O8ZiZS{$zLpd>KFh50E&~M24e!5;j;$^^#OnF1@WZFZ8l-V{^hIQ zz@p>_XuV6{y-u+mOvIOy;)2L{{3e;mbGIN$=kCEI>*(7Jj>MX_z4L&Q)tb>o${RYF zqWt<#QI}Vt^-igmM6j(3+Y8Z&$Mw%eM5u40Q!k8Nbo%4PMSa7Z5qz9CfyK8@Vzv$= zcqyHk;)|TRTW)`x&mD=1IIxHd{}kR=cqNa7HK)l$OWQtEf6mmavyB*#1LNV-w22w6 zr#0bwZoaZ7)xYN>@f1>q`V!~g!AuBamFjsP_ 
z#7tEuD&HVKDD{1LNbd?{ok~~d+-(?@4haQ>%B2EemxIyZ)vPoOx@Ksig$XZI7hB~4bW$^RFI=U1^a>E2yT@XXIPuus#mR=EFCFbY@+avaIcRp961Wbv;toRZhJ#=+UU{IqsP*r=PMuI z5qw{15F~#}uant}jND7?#1UZ+DXm=B<`~~KzeVwDZrZF%YCWl(BWqpP4r7)%fz{^R z*TjKKzYU6$mp;G7zjD?CL78zn$Qvfz>1;7f+)HfXax(cB(oE1I)8FM4bj8K}sXSUP zQk+Oe%7#6C!BOj_tTRniONGk!|LE$i zFlE^UmGzv-%yv$!V8ixQU8SpAU7b~FdAAJ}QRziax1RU_ScPp`lR47r8z55=hBl!N zQf6N!?XB*1O)4-CmaR5&x=d;vmE0CiDki%Qw8%?#@S{t9gHW+|te?!EM24OB&_{8Wv-*SNe%KaJ2O-faP#qhxzQco6s_7Vpq^ZO9&0C zzo-=SRhoUfQ)^inCtB2?`q)0`z4}x4YaN(c9=FNaj+`j%2{W~*wXV|VJ93qpT!_v- zhwU9J=#;dc#*~FV`3*ST*~r*^bJR$`&%#?8?Err)QeC$V!LT;qDw}y-F;jF9QxdGu zn=db~(8Xc-fap)jav@_+yH zzm)p`F6MFpA5^OgzM;JdBVY6%Q%uF-V}VXSy)cv;%$zl%iP}N<4mcs2CAOKOv(q=T zrA@Jmu9Km_kst9fVv!wC=tnS>X4Bz@4lREfb+H?l|IYl7ul6unc;SjJ9I^6d@Oc(; zs|cFskke~3*qtcaBkW*tlv*TJvP&?Ob4_64%=2PDpooSN%lnvHbB@O48bKZc%OhZp z8xe-=l}&;ve>J9XY8iWCsz`vAm~qX5xXg$l^68vw3-l_oH|y_Y$09hHo>F;^0zcNE^BaoGL7lhtnn^ao=0Ek?&jCTusLWFTLpAWH_I z<%9f$uE38mAOb*_9W?fRZn}TNTrYpc0XsNMyZtsIE5aQm(Yt= z=5?w`umTH`IACw_CecUTs(?=jDon{0Sg~iww|_l=k6+^e90cqhiZ@gEBRQuhGzb~? 
zH|#;Ye)th*E%6Y@9XExiJK3-*Xa9v=+|kjG$OZe(CZ4?{9_NC-OATNVdXazZa-N_Y z+oM>ot*)-JxZB_pN{KunHK9y}axaq2lG(HZ81$yV+GM?H@8?XHEI^(yXYzRI3jfMv z#K3li>-i%HG|Ih*>l$qU zOK#N-T~2@=Y)f6wwulXcL%5*yn&8qND_P{(p~0e$?(qa)~r|4;VA zKZu^-|GcjSc!%&gbr63SU`>2H_ua#}fwKr;B7b_X>KY0QVt7$3R@)`R8$($&l+)@y z72yCjE;4Y}HnS=omTYQ4?NF zH(eNc_8GEHfguYOq#G45l*{l}Q_2-I-ik2=zES18l?sThlTd#$4ZF`7+Q8x#&cW-@ zOZ*YFtZ@uy6SI3v+2gqgfzR1Jq09@NTd~-Gr#2<7@oqa0DTf)jB0~@<&FqGd_$B`8 zhs{7wD9}{|dFUwx`z(@Dp`17loFH%uhz?8+e(Insn%n4NbO}_Z_;2}Zfi1`%H(wDR zHiac|8v&zYmvVo}1|d@tmLltiYtJQYe92(pYBkVCD%K~c`eEwBMSxU_vV58=LB|&{ zV_GS0WiS*0lMNX_mLiZ)Y~**=9%&m4Qgd(`UjE0;_G!3n^X}~QO_wZJ6LO9RC*+iJ zcD>}r?VH%^4&QDm*CvQPuj^Ig3>&`Lz_x#e9nY50IL&{C07>%CtZC}bRffpPhUjAj zu##K^^9_(eCkj##d`Eg&td6U%I#Axma!Sx0T(vdc_ZxOTgk6xz(rd7aUwmod-bl(D zf4)5zxivOR$_Ox(6m)M>v{EOOd(6+9_pW9#auK#5e_wG@_F42GHJ5LEaU^2Zh8+WJ zfoG?RCIpj55)*%3-xsc(12ucjG47Du5O05Yb|LB6bFSHrNP5~EuANAF_MB@Jl6kz> zvF2@@BBWd+L9ZZ4nPr!P7{sYraAWnQ@zh@WIggq0k*(G*jHR7 zj8h3_`^-9dIiuIe({0%UM@F1pIBK{jD9WFh?lb$GG}5zIJj}?-%OTxoPOd}Bg8kW@ z!JZ6w2Z}HVT_{LM7=eg@_)6R`+Gln;UJNNEy;!kbZYGpvoP~slU}cit46sXPif!B; zg%0xU6tsVF>AVX)Q2{f_Mic_N$1H{a_fPd3pQTr8LLnmzcqd9F!sWEw`iI+uaP>_J zukp&)e_i9?1waF%&U6AB7zvCc`T3$?mQm1Mvj+u@1rT%hbZcJGI3_7WPIcZrx~Inm zQ>-x=02))PH)l4pzk(~X`kXi5dUC{LfLwvm`Hp`+YLoNTvOJrPzLj6 z+2nr@QWKhdE#6MTqcE5x>c_uKBY;y87?=6*&roVGc$dkp8Tv~;PLW#sV)OM(Y+m`$ z#qI_MEj|FXslP6$P5%NmB{4L?qvSJhk+>_*P!E^N3S+j3*`-)fFyU&2wA4=Q0u5!O zBa>F~p!&U83zp@BM8@MDmu*861$M!%lU~UILl3n_ zPYT!tt4{kT0&Ig{BP0Oqf@?2&9{P{G7DbGD#KZnwu8RZ^}RS(DH7> z5ALKt%8)#7{$(A3<#k>BT;ta&RPlVi$8}?;bP5IMOx52q%m19l6dg^`KaSuB&?eJ~ z>rBK4B!36(QnpQyHKGtr3l$e7mY#LtB?WrFI8greopv7g`G08<#otSDAky~hjA@I8 zA5N$fh+^xU?B<2Dq;RsM7H2=o_8XV!H$PxAFUvphuuZG%e&?~8Nm>1#W%S1_n{QYq zKW|$8E{p$nS^Pg;S^Sa8;2V^^?@EXmp{)JTGWNsE);Bp}P3$u$L*K=}lCwKPnR(qh z>fL4Kha}3Boqzb=W#V;*Gq^0gsSs$EdGBJB@{W3!ao_Ku3IL(Y3=EkLGMxaTq9J_t7dbT2us8}DPulL+47!+jE5C2?o)=mN7-@9u*`T@ z=%b@sjluU4Im0sHUDEegE(<=i4EV=cErw;iyTrKpaerG5wtiV|jbUYZD&v&huAGGb 
zMaygts;}K97>1VJtUh*^+f#AC|77*Ad(^wuSVI7*M`&2QwRcI*QR-FivOaanA=7HW zsfseLKdo^V)8$G4XwJ&V6oKKzo3~I8diabR)_eZT%(r><gX!E`GJ!W5=X*@xZur;%jss zsd*rIyrlz4&H@|At>ElD9OMkd>Ag{|M{xiYXIJqLqU_^Dmom=CrYoLPG-;Wcri0Z1 zGt+vYUUL|4fV&>GI3?e0pH@>LhVDEB(L7y(hDjo#@ohP$ zrA9H-4a$z$I*eKd)k@WgXkE>90I2OQIlk2BFVl{vVZ__Wfr|sD_0F#4j1tl}UkyStbl>FdyV!NnE16bG zvwwIZ@ez&X0E3dS>o$_*Zp_J2q=E)2OrUNWmwda%kPl4a zk&B3a8`Lk4J+QjTWM9YxwX(6zTZM`SEqkBc4#)V5(Q=C+Y$ajM_Nj*ywfhm@w5x!+ zmJmu&y|w7pPtzg@nNAnq%zZoHvjtJuxqmn@5Sm>+ql-sJ$Dhjux#05Wg%5siHP3&c zVem<#4N1n-kW$*Yf|`xL?(QzjSj)VfWOBQVh%2w>{{XcMfbu3xT{_(?+u8C-@Dc|r zw&rb)TNHi^o~%?>k73rUB^~2c8fZ`2T?ZCyYieQkZjpA4U4BEc8z4JLcuTL#q<_yk z#$AIJe(dGk_hV5tptzp$aYCQf*4M&H@?>7GZ+yz5&)2nvYpsmbEzOFMk zN|pF78g{@mT2(7rxHtAk=|+kJt( zD+pGGfkCk{3<{E!K__TdhA!6wpfjjehWGQkPFzT zbShtSBig(hx2_ALXn0X$D54)==2bEmMmJxISoF7|3X+=1YEUM1kToa*XxYIQS(s8k zIh@zG(c&dQ_x4t|>r&Iv6g=1;gIQAR^b4C3?J^r;A6PH0YKN#Pp8)xtTM3(bGNJ*D zq!Kh>5!Z!9*{V^+*^Xc6Vt=^pcz3LBIi~j+C)3G)=4(wq6W1C{SOs@YUJ{?M?=CJm zF~>)`4aMD{A4Q(?dGLyWw)}@~TQHrkFn2`641KMiVIzBmi!Wb^Tt{gBz+v|4)y#FT zUc7kX`%ftSZ*6>(*%1SLCyejFmoZCk_1#3eo&-1~fm@4&h1w`0%zvVXQ@B6H8$Q-; z1$Q*Vn4JgQM2CS3#^RsaQ@F;q+ZpC90~CP68^L*dv+;;DgbN5(>y8z``kt@r*$HIJ z1FB0WUfLQf5fdbndNV9Zm7YU z3dQTdCndI_83NurzJDaY;XDctbczPswD`gI{~NxoG}$T2i?IL2r4kZOe&Nl;iJDsWs(8gIVC2^L3o+`(RR2k z$Lr-Thiw_n(=@tvhxzGip5scyY8=sNj%;=dYF9*1i)QiSkbl^oZk$n56L&@MbR%|6 z)TZIELVNM80hJwrygq@uUV%E@z+C@8+>k6fSzkuXrgieVu^976*>>7ls)bg~3$WE< zX{4nT}3t4aIOlIOFhhP7kJ^HNPS}JqVJON$Ht=g(Ci(mb| zaJ$&Z?RLR-uj-~%-mSIlsYBD~fRz*2 z3=KbgX32UK}AD6|}*Fxw~ad7z9wNyZR*qB1&{9h*-$ z|H32BtMVl7z?Xak9L!>x)OAqnVBtiVQ#MO#mw% LBnF%x00000i^*K> delta 7428 zcmV+f9sA<8K)yg1P)h>@6aWAK2mmo_T2}*0==4?w004xM7dA0oQnUrq&1lmWLmU*e zbhf!rq{gG{rd|H~j?}yDwB3e%F)Z?Qug^Vq`tTxZwBl_Z|AAUP3MSsxnyXBLakgHH)M(U88&AFNo`za@0|rTv6CN0=uM2K? 
z4wi&S;*&d~!&IxKSak<oKZ$(B(4>#& zZFUUb#w%gh<)TD?Fl5oX47uF+NUGoHH602CGNELVlgXuCX{_$vH+L~^R`Y;uMP}Dz z;D_&v5A?VOv0B^q`N>?()zQ(f+QQk<5qp2N1_LbTcWeRd`c~ul!W(63_sak5qtY&sCkiD)2C#;ab5txC0C79|Oax%EoWLqe-TuOQ| ze(#(kkJ$Ch2+TPNFB66&XcCZa2X&@`bf1VogpNd8W6>?sVz=rt&CAt@}$ShRwLtY%1w- z=rB22#idezV1!b7SOHqnMp;67Y7`u>xYgzs3r;VV=(9=r7-*l)Uc^-u->3|XymL~W zqAN((N=v;GfTRL4s&kcBDoGoz<+pUrSq24=7M0#HcS^RF+J)>b_cTp>7^rh#dgbP9`d9o)IZ zut{l)gRH2t;Ts)Lu?e$8|`4kkTz!gA54ryg<9B`F|;rZ6*lL*3$u@wzX;`n3C7 zQ#5?p@_f=-?puB6MJ`_`bP&O$Z2_b%udOG(cV3lLg3o9hs90!y`#E7EQIUGdrEBt_ zFL={E-1k!^b;=K>i-rf!2mremZcd4ey2SB+|8tSK#%h#I*cKS^5)+m!jm~}lQNK~I zad~HHoOEn3@a}#PRIm{!78077^nmM4L7y327JL4CqI>#5P#Y>Y@~kQQikiRmpGI*v z^;&53$Dg8^>f)vtFQ@O?Q2Jiky8?z2yoGfB#oxNqsosbtT{V~zcC4agu+7Z z_0TGd5Y{LfeVSJ}p9g32U^HP)%)d2Zqj@ly2i}vzxA!AbeY1m8hizdX+vkXW#yU#s z3)MioY1o5y+2V`j;aIhuxp){&JEM0Xw2(Z5D`CAipOvK2yScSD>2?YIuxBTcg%5Ub z-aObJS0w!lje^^~S9DQL&Am~7;?y}C4d5H9Y?f&Bh<0wV)-S)=KDbZE>~~siQ?C3R zdQgm2`;i|`UOhF>7Z=!=O_v1V-iGhp!}hbF`o1bnwIhS#gqZ5nVJ8Hl^=>U)l_K+t zHTh628{Jy#HqJO0ChfleIGmhcSJ;SLzdilG3+s#=y6D4vZw0KKbZPN_DXYj~Z|U(` zN+W{aXE|+yxU(SduEzBW>@-J>=3T}2!-HY6yN7n4+NA)Bf>1U{NjGSs-ntcBFNHxH z{!4ZxgoXcsVJF0Tv|BZAc#3SyZ#&C7RP5=riD5vc!635cAsmQwL(j<^u-43QpHup| z{~J(C0|XQR000O8TzOgwS8o=bAnF(Z09})s24e!@%(MRn^#OnP3*t$U+ib#!{mWOq z!H$w2p!F_&_d3OPFcDu)iVGs+@tb5K&)tG3ox2BX#A|v+_ zJ8?wVLrQ-uSA{vocg=56{F<9KFZEhOCue6`*R{i#Wj0#1IX4Ay;L>k{;^d{zuko*( z^*~UzcO2yR4c+N%**CZm*TUsw@-L(or$wf}%j?gI1^QEYv|OY(k&Kl0-Sh=Vt(UT% zHc>4VE(_Ey;Wn)OpmxLSx>3NxruGSG-;h8Mca|lmr?vsN1Og?8^}`jfZQrS_bm>%_ z-0ME8p`K4g|M)}QD+TMTlOqc&f2r->)koKwt~RivY>9t#^;Vd&Y=X*q&SYjgCswdw zd#bL|)vd11sKY4r_|sR+Y8p$<}JUncFX?siQoFb|fk z{48B2wT?=9ZIjBDT?bm^B@VMLeJORBJAWER9D_8bG zo3^B3UZ7zy7JH?ghyzDk&jMHu*L9fBe)|?$22Jb=dT0ruVf7c4g1$<#Z+B`ftIdfP zHK;ze4|=cu)cslqrk2NTa<(HQN_)agchp)_>GK_#N=+t2XP?7-#|kJqhh1pDgJ0pDa;5!JThX|OC(uqX2=Y{tae?5dToK7X*!$$QS*`6jO0CDgBD4Z>=F#+Toaf$^Ssy(D59an@;>HUJxAm6#Uc-Iz=uvEoL5|g$3r9f4!hrXvifa+{y@yW#pw9RgzW~D4CIRxWXS-ue2|~e 
z6&N`NL;&cre}l%p&-eA;FxN|Qzzz=6ZoiGlif}7R^se9e*g^^#6iC>zfGShDd7Ww! ztiXZ<3~)T&B>JdZ74Qi`g({HPNY2;^4MK+f4SNu; zAAZDHODqI($G5`Mop`g#6L?`4-97pdxnSSf#Iu*gf8$)xx3>W-LN5{*=n1;9J&N_( z>gp#6UtPa_agD6%%&B`{40~;1ltv+ z=Z_%JDEA_=BQOEq$0Wk8wiT9#bbM#U^R6_5q!&`^gqso2sF7Xtm6<$P_rN{go<%Y4 zK@9+>f5>(Rq5!8PrNbPDrm9e&yDk;q{)tPr0)e!zrmusN`5YY)1j|L;kwG3}co<0ho>5yiMYbE^Kc9v)Mff zxO-1O373p}Ub8HyL);l({WIQ&cGw{gO-sBtfA9Blb=yv2%kE}b>A$YKX#-f&RW~#_ z0eY}4H9gxRHV_Wsg3@b(OFqU)YiQ_|Toj_inBqtzb;70x`Q&^pxDfK`wMyH1y*&T& z6?B=c-4$W$cq!KGiCDAZ-*$@99dV>G+ zf4&xA9m40-KwQ9X;^VpR9?lJnMF11|(|c8Sqp%=`7sX<=T{65elvP7Ht@^152jIBK zz+KzSs(4u9)PmZt1`4MrQI1J4O^O#HK^nb7OYDXBLJ}R1IJXdROr~)DHh6BjF!Jm( zWSs&-7Ai;`71$`3;jgBYD`>pYVhY?*f91TD3W%+fP%;g>4m1mL0L4n(Z%QzsJ7z2<*x;{Ab))Oitw;0e=LdH z2pAQ+lu0%SnUb&+SwCERE@9(K1`AiKfqSH4eS)eVraoK*NTn!Cwz(2?d=WFImH$=- zLlH1>$N;kRfP~_bwV6*7C|jMi2igWh)Et_IjsI~Iff_F2ygNI6(w48VfBA;H8rb&Fu;bY>7N^+|Aju1wHBH^Q$`3i&5Phrw zR+5Qe?*15bq97H)ccj;T)p2Q62g*(?rv%->C0S#y->~x`?1Ds=UV~Nq;!6wnMpAbB zxpOWuYiyPj0AMO5=-#GirOqe!n4dTAUClh@B5XnazT%|pv*DhCx*^Wqg z+8eH&NP701YZOv>yw|bjMV%s~Tq8lR5J;J2mx36?sabNh7T(Al(0yi~?c4_8y@%bE zd4?)L%E4tAdf4t~%Txp}f1?S75emY+W+C_K@G6Y@9fpp-Y|q4>%OnvT@Pi=QjPa@7 zXEw4PS)~A5U?KPwR|(@(df7g+PF~IEHS*Lgd*H~3(+fup_XI`x^U{50pOZ#<_KJrY zS$R36`^?F8NLjEy-Wm90z&lWcLFhs$LBa?`1jJY3e$hU&)A3?Re<#-;Nv^hE8-Bo|Q#=pM5a{@*{*Z+wHcg-FYG?p&RUE!^H zMdO&H3^~<#_voG;e;Z7(#$*6!Os(FW+06b5F3jq4-hk`L5sv|K1xDvP`lwA#SIhEj zIs)^#H=-`R#{12CSvEvgRec-14gP?a z7B)$$Y)lsU%EwSZe59ZM;$j8b_K|NnDWOnU zqOPW<#=caWo$y#@Cy+ZX@BNb$Ixf&KSrV@c@1H4KK~*-?co|^SiB!-pIYEJxWG`j`gFUFMkR zL=nCbij(^>OeH&TA0|t7kYzmz*$(?QSzwcM6-$5Kx$!6mWE!+)8SERAP6i|t3{55& zIgwx&>{4M6o#e69Klt zuMrXecEPn5JrDgyUW+0|J>p^iE?9SJ9*qXrBIiap*xv=?&ifwbZ;^E)9pdkTeL!}v zgZqDx*|)s|dyNAY0G-p^_E*{tBkCX3^jSCO)<*tT(l_N_f@pcS;kS6w-)l&oH~;94 z!1B5-ey;ID7OJj3_i^3WDV;*WIaBp#&ho#sF-1pH^p7L>ZM4aB;yM%Y0m+|8yOeDc zWQ{09(?Y#PiKS<)a7lsQj}erAn5Uh`eSUv+MDh1h9Ei02u43Av;WriP1ftkFC%bv! 
zEGeAqsKwcjivGqG{LK&8%q#W}JZ#gd$lrOaW>Rr~TNU=ltf+5TK|jCq{9Q5s?~3_< zvWod5RmeA}h~JehF+#=rp%w0jSF~@k(3;q1P@%qyeKIpO?_#jB>`W@Kn^LV`QC+u!dehp| zuaMrOBDzK#p;tNQE)kZ9cT(Yel#1p(Ya9=&Y22qmd5?m zAh&|E^W2a#5T{p4xfaC%P@LV;KZvrA6J5$UBb#o2PSK=gW}41i2h2?CS$oYny#ele z)apF9AX~L>HXPq;XCc)0FQsRv}+#|uQ zm2)GKeo9d$T{gIQg98@_PV04E%NZr0Z@wCYX6U};+jp_+qE|AllxBbNJmMp6mIF4F zgk@LQhv;K9)L-4*9?y3=J&`&M86H{m&YFL zy2)f;$lSH^W}Dv?DjKwGdv+Tf<1a?bEe5cagf;I^J*24Jj`*fs1=O{KK#JWOIU<>kN)kCAN#kK42QH zsvsEPY&1o$Dt&)+8JE=t`y1UdifOgkpp`+7Z(&!u=x}*;P;AZJ7udUkU}YE>6f47^ zAXyo7f@WptGCcq~gKA~yA7m?o7I~dPxYGN*LUJV>{Q`6)B--J+QoG*4yE638dK!`& zKGLp-CVVe?gWt!PGL2PIw{smo+R@Hc)aac(4T~gI(B*%$Fgw|h3vg6Am9P0G+U$*6 z*M(6uyr?l0(GM{5DwzwTdoM*S`mU&gq@1!Elu3zX4T=C-JlG-&Q|c#&^ZGVgyaecW zZ*{vaH62aC!~SD1OKP2dVN;@AfkXI#_2Q~LL{0ew$a`)jZ0gB~8(<`rpaF}xE-cDc zjVjJOexZMh;jZJ|vAW}!-e#OkC;yo*L;Xx#YA|6H+%$Pfe8RrFxa7nfAL%v}H-ml@ zSwJZ|AtGkzYyJEh*(+Ro`ATFuLh}a>vsbTXu6y<3#S`CuLg{~N zx4%^L0Htfn0e&b?L-QTVq86 z=&VWrDJ&P7;p{SSUqe{6^4E6t+KrTj#r4+;qCwj9CJofK{O!#RHCR)jcpdnp#5OcT zz>5^zb?UMRbUXp~5{u)I~2Do!dOp=4}GWnxuKM*%0i%wRT5wmHXyl$-1JW{ruc9v?PRr3OD-LW*%Rtw$abj-0( z2F>peG-Yl`MA?O`HFPF3agxKYf6g9#R=-=S?V@=Cx|UnDRb39h`sv|zv61e4hZ%or z$yEQeWWX?{ImM(W9s93S;ceS$qh4>LO^vT=rd8gp-Pu!vrqKW^C$JfAELpLvGYv$| z{LbAieZhR8U7v2AKjnN5gVpobA;V9eE|R~{Q|v##5@kbt`vEO6dTOI}gm0d`P1UA- zYtMbUpjciTQ3OzkDg}hn7}K}bbMb!{l7Bv3*w5ioKHO}FGD-|;FcFH>6im^^!#0JR zsW(u@6dq%r_kIKSjz!rlk1Oxh{ON*|_jIv&{x;x4fWlZ+^2R9o#p!RnOd|%P2HkMq zcHAOig$iK;K~0ZYH3C_St**4!JY}7l{qOk>7I_cQAj5fuoplg;;R@27(!2!Oy`ng^XcYac;tCin#BG0 zl7)bSSxl3f4r&!FoCtHuW=VhDvh>X4ljPIvo{wn82gM)B!fe?)GgS(L)6rJ8?cntE z;t<5|>4MYBDPDwLaXMk!&sx&lx<1aPzG*>=0jcqDQeKv?{#T_=tc5?CbwmMWswmvh zsY9={0hL1pa%=S&acbO5wIMlOE~fm*_eB2b{{c`-0Rj{N6aWAK2mlQ+Yg$(WOX&1g z1^@trleHf>A6$7_S8o=bAnF(Z0A0)g01*HH000000096X0001slMEmv2BaSV0000S C18JE6 diff --git a/Solutions/Palo Alto Prisma Cloud CWPP/Package/createUiDefinition.json b/Solutions/Palo Alto Prisma Cloud CWPP/Package/createUiDefinition.json index 21c2cb89a85..ce3065d48b8 100644 
--- a/Solutions/Palo Alto Prisma Cloud CWPP/Package/createUiDefinition.json +++ b/Solutions/Palo Alto Prisma Cloud CWPP/Package/createUiDefinition.json 
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Prisma Cloud Compute CWPP](https://prisma.pan.dev/api/cloud/cwpp/audits/#operation/get-audits-incidents) solution for Microsoft Sentinel allows you to connect to your Palo Alto Prisma Cloud CWPP instance and ingest alerts into your Microsoft Sentinel workspace using the Prisma Cloud API.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:\n\na. [Codeless Connector Platform (CCP)](https://learn.microsoft.com/en-us/azure/sentinel/create-custom-connector#connect-with-the-codeless-connector-platform)\n\n**Data Connectors:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Palo Alto Prisma Cloud CWPP](https://prisma.pan.dev/api/cloud/cwpp/audits/#operation/get-audits-incidents) solution for Microsoft Sentinel allows you to connect to your Palo Alto Prisma Cloud CWPP instance and ingest alerts into your Microsoft Sentinel workspace using the Prisma Cloud API.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:\n\na. 
[Codeless Connector Platform (CCP)](https://learn.microsoft.com/en-us/azure/sentinel/create-custom-connector#connect-with-the-codeless-connector-platform)\n\n**Data Connectors:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", @@ -60,7 +60,7 @@ "name": "dataconnectors1-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This Solution installs the data connector for Prisma Cloud Compute CWPP. You can get Prisma Cloud Compute CWPP custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." + "text": "This Solution installs the data connector for Palo Alto Prisma Cloud CWPP. You can get Palo Alto Prisma Cloud CWPP custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." } }, { diff --git a/Solutions/Palo Alto Prisma Cloud CWPP/Package/mainTemplate.json b/Solutions/Palo Alto Prisma Cloud CWPP/Package/mainTemplate.json index 3f06490ebab..45c873f324d 100644 --- a/Solutions/Palo Alto Prisma Cloud CWPP/Package/mainTemplate.json +++ b/Solutions/Palo Alto Prisma Cloud CWPP/Package/mainTemplate.json 
@@ -51,6 +51,8 @@ "_solutionId": "[variables('solutionId')]", "dataConnectorVersionConnectorDefinition": "1.0.0", "dataConnectorVersionConnections": "1.0.0", + "uiConfig": "PaloAltoPrismaCloudCWPP", + "_uiConfig": "[variables('uiConfig')]", "_dataConnectorContentIdConnectorDefinition": "PaloAltoPrismaCloudCWPP", "dataConnectorTemplateNameConnectorDefinition": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnectorDefinition')))]", "_dataConnectorContentIdConnections": "PaloAltoPrismaCloudCWPPTemplateNameConnections", 
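Review bot: The new `uiConfig` variable repeats the literal `PaloAltoPrismaCloudCWPP` that `_dataConnectorContentIdConnectorDefinition` already holds on the following context line, so the template now has two independent sources for what looks like one identifier. The hunks at -118 and -479 switch `connectorUiConfig.id` to `_uiConfig`, while `dataConnectorTemplateNameConnectorDefinition` is still derived from the content-id variable. If only one literal is edited later, the UI id and the content id diverge without any deployment error, and anything that matches the connector by id (not visible in this hunk) may stop resolving. Consider defining one from the other, e.g. `"_dataConnectorContentIdConnectorDefinition": "[variables('_uiConfig')]",`. If mainTemplate.json is emitted by a packaging tool, the change belongs in that tool's input instead.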
@@ -118,10 +120,10 @@ "kind": "Customizable", "properties": { "connectorUiConfig": { - "id": "[variables('_dataConnectorContentIdConnectorDefinition')]", - "title": "Prisma Cloud Compute CWPP (using REST API)", + "id": "[variables('_uiConfig')]", + "title": "Palo Alto Prisma Cloud CWPP (using REST API)", "publisher": "Microsoft", - "descriptionMarkdown": "The [Prisma Cloud Compute CWPP](https://prisma.pan.dev/api/cloud/cwpp/audits/#operation/get-audits-incidents) data connector allows you to connect to your Palo Alto Prisma Cloud CWPP instance and ingesting alerts into Microsoft Sentinel. The data connector is built on Microsoft Sentinel’s Codeless Connector Platform and uses the Prisma Cloud API to fetch security events and supports DCR-based [ingestion time transformations](https://docs.microsoft.com/azure/azure-monitor/logs/custom-logs-overview) that parses the received security event data into a custom columns so that queries don't need to parse it again, thus resulting in better performance.", + "descriptionMarkdown": "The [Palo Alto Prisma Cloud CWPP](https://prisma.pan.dev/api/cloud/cwpp/audits/#operation/get-audits-incidents) data connector allows you to connect to your Palo Alto Prisma Cloud CWPP instance and ingesting alerts into Microsoft Sentinel. The data connector is built on Microsoft Sentinel’s Codeless Connector Platform and uses the Prisma Cloud API to fetch security events and supports DCR-based [ingestion time transformations](https://docs.microsoft.com/azure/azure-monitor/logs/custom-logs-overview) that parses the received security event data into a custom columns so that queries don't need to parse it again, thus resulting in better performance.", "graphQueriesTableName": "PrismaCloudCompute_CL", "graphQueries": [ { 
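Review bot: The rewritten `descriptionMarkdown` on the added line keeps two wording errors in text that is presumably displayed on the connector page. `and ingesting alerts` should read `and ingest alerts`, which is how the createUiDefinition.json description in this same patch already phrases it, and `into a custom columns` should read `into custom columns`. The identical string appears again in the hunk at -479, so both copies need the same correction.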
@@ -223,7 +225,7 @@ "type": "ConnectionToggleButton" } ], - "title": "Connect Prisma Cloud Compute CWPP Security Events to Microsoft Sentinel" + "title": "Connect Palo Alto Prisma Cloud CWPP Security Events to Microsoft Sentinel" } ] } 
@@ -479,10 +481,10 @@ "kind": "Customizable", "properties": { "connectorUiConfig": { - "id": "[variables('_dataConnectorContentIdConnectorDefinition')]", - "title": "Prisma Cloud Compute CWPP (using REST API)", + "id": "[variables('_uiConfig')]", + "title": "Palo Alto Prisma Cloud CWPP (using REST API)", "publisher": "Microsoft", - "descriptionMarkdown": "The [Prisma Cloud Compute CWPP](https://prisma.pan.dev/api/cloud/cwpp/audits/#operation/get-audits-incidents) data connector allows you to connect to your Palo Alto Prisma Cloud CWPP instance and ingesting alerts into Microsoft Sentinel. The data connector is built on Microsoft Sentinel’s Codeless Connector Platform and uses the Prisma Cloud API to fetch security events and supports DCR-based [ingestion time transformations](https://docs.microsoft.com/azure/azure-monitor/logs/custom-logs-overview) that parses the received security event data into a custom columns so that queries don't need to parse it again, thus resulting in better performance.", + "descriptionMarkdown": "The [Palo Alto Prisma Cloud CWPP](https://prisma.pan.dev/api/cloud/cwpp/audits/#operation/get-audits-incidents) data connector allows you to connect to your Palo Alto Prisma Cloud CWPP instance and ingesting alerts into Microsoft Sentinel. The data connector is built on Microsoft Sentinel’s Codeless Connector Platform and uses the Prisma Cloud API to fetch security events and supports DCR-based [ingestion time transformations](https://docs.microsoft.com/azure/azure-monitor/logs/custom-logs-overview) that parses the received security event data into a custom columns so that queries don't need to parse it again, thus resulting in better performance.", "graphQueriesTableName": "PrismaCloudCompute_CL", "graphQueries": [ { 
@@ -584,7 +586,7 @@ "type": "ConnectionToggleButton" } ], - "title": "Connect Prisma Cloud Compute CWPP Security Events to Microsoft Sentinel" + "title": "Connect Palo Alto Prisma Cloud CWPP Security Events to Microsoft Sentinel" } ] } @@ -810,7 +812,7 @@ "contentProductId": "[concat(substring(variables('_solutionId'), 0, 50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]", "displayName": "[variables('_solutionName')]", "publisherDisplayName": "[variables('_solutionId')]", - "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Prisma Cloud Compute CWPP solution for Microsoft Sentinel allows you to connect to your Palo Alto Prisma Cloud CWPP instance and ingest alerts into your Microsoft Sentinel workspace using the Prisma Cloud API.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Codeless Connector Platform (CCP)
  2. \n
\n

Data Connectors: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Palo Alto Prisma Cloud CWPP solution for Microsoft Sentinel allows you to connect to your Palo Alto Prisma Cloud CWPP instance and ingest alerts into your Microsoft Sentinel workspace using the Prisma Cloud API.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Codeless Connector Platform (CCP)
  2. \n
\n

Data Connectors: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "icon": "[variables('_packageIcon')]" } }