Prisma Cloud Compute Solution Package With CCP CLV2 #9186

Merged
merged 7 commits into from
Oct 31, 2023
Merged
Changes from 2 commits
123 changes: 123 additions & 0 deletions Solutions/PrismaCloudCompute/Data Connectors/DCR.json
@@ -0,0 +1,123 @@
{
"name": "PrismaCloudComputeDCR",
"apiVersion": "2021-09-01-preview",
"type": "Microsoft.Insights/dataCollectionRules",
"properties": {
"streamDeclarations": {
"Custom-PrismaCloudCompute_IncidentsApi": {
"columns": [
{
"name": "_id",
"type": "string",
"description": "_id value."
},
{
"name": "time",
"type": "datetime",
"description": "The time at which the data was generated"
},
{
"name": "fqdn",
"type": "string",
"description": "Fqdn."
},
{
"name": "containerName",
"type": "string",
"description": "Container Name."
},
{
"name": "containerID",
"type": "string",
"description": "Container Id."
},
{
"name": "imageID",
"type": "string",
"description": "Image Id."
},
{
"name": "profileID",
"type": "string",
"description": "Profile Id."
},
{
"name": "accountID",
"type": "string",
"description": "Account Id."
},
{
"name": "serialNum",
"type": "int",
"description": "Serial Number of event."
},
{
"name": "acknowledged",
"type": "boolean",
"description": "Acknowledged or not."
},
{
"name": "category",
"type": "string",
"description": "Describes the type of attack."
},
{
"name": "type",
"type": "string",
"description": "The Type of resource."
},
{
"name": "audits",
"type": "dynamic",
"description": "The audit information."
},
{
"name": "collections",
"type": "dynamic",
"description": "The collection of resources."
},
{
"name": "hostname",
"type": "string",
"description": "Name of the node initiated the alert."
},
{
"name": "cluster",
"type": "string",
"description": "Name of the cluster the node belongs"
},
{
"name": "imageName",
"type": "string",
"description": "Name of the image involved for the alert"
},
{
"name": "namespace",
"type": "string",
"description": "This is the grouping of the nodes in a cluster."
}
]
}
},
"destinations": {
"logAnalytics": [
{
"workspaceResourceId": "[variables('workspaceResourceId')]",
"name": "clv2ws1"
}
]
},
"dataFlows": [
{
"streams": [
"Custom-PrismaCloudCompute_IncidentsApi"
],
"destinations": [
"clv2ws1"
],
"transformKql": "source \r\n| project-rename \r\n TimeGenerated = ['time'], PrismaId = _id, SerialNumber = serialNum, Acknowledged = acknowledged, Hostname = hostname, FQDN = fqdn, ContainerName = containerName, ContainerID = containerID, ImageName = imageName, ImageID = imageID, ProfileID = profileID, Namespace = namespace, Category = category, ResourceType = type, Audits = audits, Collections = collections, AccountID = accountID, Cluster = cluster",
"outputStream": "Custom-PrismaCloudCompute_CL"
}
]
}
}
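Review bot: The column descriptions in the stream declaration carry almost no information ("_id value.", "Fqdn.", "Container Id.") and the same 18 columns are declared again in table.json with slightly different wording ("Serial Number of event." here vs "Serial Number." there), so the two files will drift. Since transformKql only renames (every stream column maps 1:1 to a table column, which is why the dataFlow currently lines up), keep the descriptions identical in both places and make them say what the value is, e.g. `"description": "Unique identifier of the incident as assigned by Prisma Cloud Compute."` for `_id` and `"description": "Name of the cluster the node belongs to."` for `cluster`. Also worth confirming that the `acknowledged=false` filter applied by the poller is what the DCR should ingest; if acknowledged incidents are later wanted for investigation they will never reach this table.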
117 changes: 117 additions & 0 deletions Solutions/PrismaCloudCompute/Data Connectors/connectorDefinition.json
@@ -0,0 +1,117 @@
{
"name": "PrismaCloudComputeDefinition",
"apiVersion": "2022-09-01-preview",
"type": "Microsoft.SecurityInsights/dataConnectorDefinitions",
"kind": "Customizable",
"properties": {
"connectorUiConfig": {
"title": "Prisma Cloud Compute CWPP (using REST API)",
"publisher": "Microsoft",
"descriptionMarkdown": "The [Prisma Cloud Compute CWPP](https://prisma.pan.dev/api/cloud/cwpp/audits/#operation/get-audits-incidents) data connector allows you to connect to your Prisma Cloud CWPP instance and ingesting alerts into Microsoft Sentinel. The data connector is built on Microsoft Sentinel’s Codeless Connector Platform and uses the Prisma Cloud API to fetch security events and supports DCR-based [ingestion time transformations](https://docs.microsoft.com/azure/azure-monitor/logs/custom-logs-overview) that parses the received security event data into a custom columns so that queries don't need to parse it again, thus resulting in better performance.",
"graphQueriesTableName": "PrismaCloudCompute_CL",
"graphQueries": [
{
"metricName": "Total events received",
"legend": "Prisma Compute Events",
"baseQuery": "{{graphQueriesTableName}}"
}
],
"sampleQueries": [
{
"description": "Get Sample of Prisma Compute Events",
"query": "{{graphQueriesTableName}}\n | take 10"
},
{
"description": "Total Events by Event Type",
"query": "{{graphQueriesTableName}}\n | summarize count() by EventOriginalType"
}
],
"dataTypes": [
{
"name": "{{graphQueriesTableName}}",
"lastDataReceivedQuery": "{{graphQueriesTableName}}\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriteria": [
{
"type": "HasDataConnectors"
}
],
"availability": {
"isPreview": false
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "Read and Write permissions are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"read": true,
"delete": true
}
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "Read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"action": true
}
}
],
"customs": [
{
"name": "PrismaCloudCompute API Key",
"description": "A Prisma Cloud Compute CWPP Monitor API username and password is required. [See the documentation to learn more about PrismaCloudCompute SIEM API](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PrismaCloudCompute/Data%20Connectors/readme.md)."
}
]
},
"instructionSteps": [
{
"description": "To enable the Prisma Cloud Compute CWPP Security Events for Microsoft Sentinel, provide the required information below and click on Connect.\n>",
"instructions": [
{
"type": "Textbox",
"parameters": {
"label": "Path to console",
"placeholder": "https://europe-west3.cloud.twistlock.com/{sasid}",
"type": "text",
"name": "domainname"
}
},
{
"type": "Textbox",
"parameters": {
"label": "Prisma Access Key (API)",
"placeholder": "Prisma Access Key (API)",
"type": "text",
"name": "username"
}
},
{
"type": "Textbox",
"parameters": {
"label": "Secret",
"placeholder": "Secret",
"type": "password",
"name": "password"
}
},
{
"parameters": {
"label": "toggle",
"name": "toggle"
},
"type": "ConnectionToggleButton"
}
],
"title": "Connect Prisma Cloud Compute CWPP Security Events to Microsoft Sentinel"
}
]
}
}
}
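Review bot: The second sample query summarizes by `EventOriginalType`, but no column of that name exists in the table schema or the DCR stream (the columns are PrismaId, TimeGenerated, FQDN, ContainerName, ContainerID, ImageID, ProfileID, AccountID, SerialNumber, Acknowledged, Category, ResourceType, Audits, Collections, Hostname, Cluster, ImageName, Namespace), so the query will fail in the connector page; change it to a column that exists, e.g. `"query": "{{graphQueriesTableName}}\n | summarize count() by Category"`. The `customs` entry says "username and password" while the instruction textboxes are labelled "Prisma Access Key (API)" and "Secret"; align the wording so operators know which credential to paste. The `sharedKeys` permission block requests action rights on the workspace keys; with DCR-based ingestion the poller does not appear to use the workspace key, so this may be an unnecessary privilege carried over from a template — confirm and drop it if unused. The console URL textbox has `"type": "text"` with no validation; since the poller sends Basic credentials to whatever is entered, the description should state that an https console URL without a trailing slash is expected.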
48 changes: 48 additions & 0 deletions Solutions/PrismaCloudCompute/Data Connectors/dataConnector1.json
@@ -0,0 +1,48 @@
{
"type": "Microsoft.SecurityInsights/dataConnectors",
"apiVersion": "2022-10-01-preview",
"name": "apiRequest",
"kind": "RestApiPoller",
"properties": {
"connectorDefinitionName": "connectorDefinitionName",
"dataType": "PrismaCloudCompute_CL",
"dcrConfig": {
"streamName": "Custom-PrismaCloudCompute_IncidentsApi",
"dataCollectionEndpoint": "data collection Endpoint",
"dataCollectionRuleImmutableId": "data collection rule immutableId"
},
"auth": {
"type": "Basic",
"userName": "[[parameters('username')]",
"password" : "[[parameters('password')]"
},
"request": {
"apiEndpoint": "[[concat(parameters('domainname'),'/api/v1/audits/incidents','?acknowledged=false')]",
"rateLimitQPS": 10,
"queryWindowInMin": 5,
"httpMethod": "Get",
"queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ",
"startTimeAttributeName": "from",
"endTimeAttributeName": "to",
"retryCount": 3,
"timeoutInSeconds": 60,
"headers": {
"Accept": "application/json",
"User-Agent": "Scuba"
},
"queryParameters": {
"sort": "time"
}
},
"paging": {
"pagingType": "Offset",
"offsetParaName": "offset",
"pageSizeParaName": "limit"
},
"response": {
"eventsJsonPaths": [
"$"
]
}
}
}
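Review bot: `"connectorDefinitionName": "connectorDefinitionName"` is a literal placeholder, while the definition file names itself `PrismaCloudComputeDefinition`; unless the packaging tooling substitutes this value (it does substitute the `dcrConfig` endpoint and immutable-id placeholders, as far as I can tell), the poller will not bind to its definition, so it should read `"connectorDefinitionName": "PrismaCloudComputeDefinition"`. The hard-coded `?acknowledged=false` inside `apiEndpoint` is then combined with `queryParameters` and the `from`/`to` window by the poller, which is fragile; moving it into `"queryParameters": { "sort": "time", "acknowledged": "false" }` and shortening the endpoint to `"[[concat(parameters('domainname'),'/api/v1/audits/incidents')]"` keeps all query parameters in one place. `parameters('domainname')` is concatenated verbatim, so a trailing slash or an http scheme typed by the operator is passed straight through with Basic credentials; a short comment in the connector readme noting the expected form would help. The `"password" : ` key has stray spacing compared with the rest of the file.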
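--- a/Solutions/PrismaCloudCompute/Data Connectors/table.json
+++ b/Solutions/PrismaCloudCompute/Data Connectors/table.json
@@ -0,0 +1,104 @@
+{
+"name": "PrismaCloudCompute_CL",
+"type": "Microsoft.OperationalInsights/workspaces/tables",
+"apiVersion": "2021-03-01-privatepreview",
+"tags": {},
+"properties": {
+"schema": {
+"name": "PrismaCloudCompute_CL",
+"columns": [
+{
+"name": "PrismaId",
+"type": "string",
+"description": "_id value."
+},
+{
+"name": "TimeGenerated",
+"type": "datetime",
+"isDefaultDisplay": true,
+"description": "The timestamp (UTC) reflecting the time in which the event was generated."
+},
+{
+"name": "FQDN",
+"type": "string",
+"description": "Fqdn."
+},
+{
+"name": "ContainerName",
+"type": "string",
+"description": "Container Name."
+},
+{
+"name": "ContainerID",
+"type": "string",
+"description": "Container Id."
+},
+{
+"name": "ImageID",
+"type": "string",
+"description": "Image Id."
+},
+{
+"name": "ProfileID",
+"type": "string",
+"description": "Profile Id."
+},
+{
+"name": "AccountID",
+"type": "string",
+"description": "Account Id."
+},
+{
+"name": "SerialNumber",
+"type": "int",
+"description": "Serial Number."
+},
+{
+"name": "Acknowledged",
+"type": "boolean",
+"description": "Acknowledged or not."
+},
+{
+"name": "Category",
+"type": "string",
+"description": "Describes the type of attack."
+},
+{
+"name": "ResourceType",
+"type": "string",
+"description": "The Type of resource."
+},
+{
+"name": "Audits",
+"type": "dynamic",
+"description": "The audit information."
+},
+{
+"name": "Collections",
+"type": "dynamic",
+"description": "The collection of resources."
+},
+{
+"name": "Hostname",
+"type": "string",
+"description": "Name of the node initiated the alert."
+},
+{
+"name": "Cluster",
+"type": "string",
+"description": "Name of the cluster the node belongs"
+},
+{
+"name": "ImageName",
+"type": "string",
+"description": "Name of the image involved for the alert"
+},
+{
+"name": "Namespace",
+"type": "string",
+"description": "This is the grouping of the nodes in a cluster."
+}
+]
+}
+}
+}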
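Review bot: Several column descriptions restate the column name ("_id value.", "Fqdn.", "Container Id.") and two are ungrammatical ("Name of the node initiated the alert.", "Name of the cluster the node belongs"); since these strings surface in the Log Analytics schema browser they should describe the value, e.g. `"description": "Unique identifier of the incident as assigned by Prisma Cloud Compute."` for PrismaId and `"description": "Name of the cluster the node belongs to."` for Cluster. `SerialNumber` is typed `int`, which is 32-bit in Log Analytics; if the Prisma `serialNum` counter can exceed that range the column should be `long` — worth confirming against the API reference linked from the connector definition. Keep these descriptions identical to the ones in DCR.json, which already differ for SerialNumber.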
Binary file not shown.