GCP Audit logs new package 3.0.0

Azure · Jan 13, 2025 · 5de70f1 · 5de70f1
1 parent 66a5975
commit 5de70f1
Show file tree

Hide file tree

Showing 9 changed files with 610 additions and 430 deletions.
diff --git a/...Cloud Platform Audit Logs/Data Connectors/GCPAuditLogs_ccp/data_connector_definition.json b/...Cloud Platform Audit Logs/Data Connectors/GCPAuditLogs_ccp/data_connector_definition.json
@@ -0,0 +1,97 @@
+{
+	"type": "Microsoft.SecurityInsights/dataConnectorDefinitions",
+	"apiVersion": "2022-09-01-preview",
+	"name": "{{workspace}}/Microsoft.SecurityInsights/GCPAuditLogsDefinition",
+	"kind": "Customizable",
+	"properties": {
+		"connectorUiConfig": {
+			"id": "GCPAuditLogsDefinition",
+			"title": "GCP Pub/Sub Audit Logs",
+			"publisher": "Microsoft",
+			"descriptionMarkdown": "The Google Cloud Platform (GCP) audit logs, ingested from Sentinel's connector, enable you to capture three types of audit logs: admin activity logs, data access logs, and access transparency logs. Google cloud audit logs record a trail that practitioners can use to monitor access and detect potential threats across Google Cloud Platform (GCP) resources.",
+			"graphQueriesTableName": "GCPAuditLogs",
+			"graphQueries": [
+				{
+					"metricName": "Total events received",
+					"legend": "GCP Audit Logs",
+					"baseQuery": "{{graphQueriesTableName}}"
+				}
+			],
+			"sampleQueries": [
+				{
+					"description": "Get Sample of GCP Audit Logs",
+					"query": "{{graphQueriesTableName}}\n | take 10"
+				}
+			],
+			"dataTypes": [
+				{
+					"name": "{{graphQueriesTableName}}",
+					"lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+				}
+			],
+			"connectivityCriteria": [
+				{
+					"type": "HasDataConnectors"
+				}
+			],
+			"availability": {
+				"status": 1,
+				"isPreview": false
+			},
+			"permissions": {
+				"resourceProvider": [
+					{
+						"provider": "Microsoft.OperationalInsights/workspaces",
+						"permissionsDisplayText": "Read and Write permissions are required.",
+						"providerDisplayName": "Workspace",
+						"scope": "Workspace",
+						"requiredPermissions": {
+							"read": true,
+							"write": true,
+							"delete": true,
+							"action": false
+						}
+					}
+				]
+			},
+			"instructionSteps": [
+				{
+					"instructions": [
+						{
+							"type": "MarkdownControlEnvBased",
+							"parameters": {
+								"prodScript":
+										"#### 1. Set up your GCP environment \n You must have the following GCP resources defined and configured: topic, subscription for the topic, workload identity pool, workload identity provider and service account with permissions to get and consume from subscription. \n Terraform provides API for the IAM that creates the resources. [Link to Terraform scripts](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/GCP/Terraform/sentinel_resources_creation).",
+								"govScript":
+										"#### 1. Set up your GCP environment \n You must have the following GCP resources defined and configured: topic, subscription for the topic, workload identity pool, workload identity provider and service account with permissions to get and consume from subscription. \n Terraform provides API for the IAM that creates the resources. [Link to Gov Terraform scripts](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/GCP/Terraform/sentinel_resources_creation_gov)."
+						}
+						},
+						{
+							"type": "CopyableLabel",
+							"parameters": {
+								"label": "Tenant ID: A unique identifier that is used as an input in the Terraform configuration within a GCP environment.",
+								"fillWith": ["TenantId"],
+								"name": "TenantId",
+								"disabled": true
+							}
+						},
+						{
+							"type": "Markdown",
+							"parameters": {
+								"content": "#### 2. Connect new collectors \n To enable GCP Audit Logs for Microsoft Sentinel, click the Add new collector button, fill the required information in the context pane and click on Connect."
+							}
+						},
+						{
+							"type": "GCPGrid",
+							"parameters":{}
+						},
+						{
+							"type": "GCPContextPane",
+							"parameters":{}
+						}
+					]
+				}
+			]
+		}
+	}
+}
diff --git a/...gle Cloud Platform Audit Logs/Data Connectors/GCPAuditLogs_ccp/data_connector_poller.json b/...gle Cloud Platform Audit Logs/Data Connectors/GCPAuditLogs_ccp/data_connector_poller.json
@@ -0,0 +1,24 @@
+[{
+	"type": "Microsoft.SecurityInsights/dataConnectors",
+	"apiVersion": "2022-10-01-preview",
+	"name": "{{workspace}}/Microsoft.SecurityInsights/GCPAuditLogs",
+	"kind": "GCP",
+	"properties": {
+		"connectorDefinitionName": "GCPAuditLogsDefinition",
+		"dataType": "GCPAuditLogs",
+		"dcrConfig": {
+			"streamName": "SENTINEL_GCP_AUDIT_LOGS"
+		},
+		"auth": {
+			"serviceAccountEmail": "{{GCPServiceAccountEmail}}",
+			"projectNumber": "{{GCPProjectNumber}}",
+			"workloadIdentityProviderId": "{{GCPWorkloadIdentityProviderId}}"
+		},
+		"request": {
+			"projectId": "{{GCPProjectId}}",
+			"subscriptionNames": [
+				"{{GCPSubscriptionName}}"
+			]
+		}
+	}
+}]
diff --git a/Solutions/Google Cloud Platform Audit Logs/Data Connectors/GCPAuditLogs_ccp/dcr.json b/Solutions/Google Cloud Platform Audit Logs/Data Connectors/GCPAuditLogs_ccp/dcr.json
@@ -0,0 +1,24 @@
+[{
+	"name": "GCPAuditLogs",
+	"apiVersion": "2021-09-01-preview",
+	"type": "Microsoft.Insights/dataCollectionRules",
+	"properties": {
+		"destinations": {
+			"logAnalytics": [
+				{
+					"name": "clv2ws1"
+				}
+			]
+		},
+		"dataFlows": [
+			{
+				"streams": [
+					"Microsoft-GCPAuditLogs"
+				],
+				"destinations": [
+					"clv2ws1"
+				]
+			}
+		]
+	}
+}]
diff --git a/Solutions/Google Cloud Platform Audit Logs/Data/Solution_GCPAuditLogs.json b/Solutions/Google Cloud Platform Audit Logs/Data/Solution_GCPAuditLogs.json
@@ -2,13 +2,12 @@
   "Name": "Google Cloud Platform Audit Logs",
   "Author": "Microsoft - [email protected]",
   "Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Google%20Cloud%20Platform%20Audit%20Logs/logo/Google-Cloud-Branding.png\" width=\"75px\" height=\"75px\">",
-  "Description": "The Google Cloud Platform (GCP) audit logs, ingested from Sentinel's connector, enable you to capture and track all activity that occurs in your GCP environment. These audit logs provide valuable insights for monitoring user activity, troubleshooting issues, and ensuring compliance with security regulations. They serve as a record of events that practitioners can utilize to monitor access and identify potential threats across GCP resources.",
+  "Description": "The Google Cloud Platform (GCP) audit logs, ingested from Microsoft Sentinel's connector, enables you to capture and track all activity that occurs in your GCP environment. These audit logs provide valuable insights for monitoring user activity, troubleshooting issues, and ensuring compliance with security regulations. They serve as a record of events that practitioners can utilize to monitor access and identify potential threats across GCP resources.",
   "Data Connectors": [
-    "Data Connectors/GCPAuditLogs.json"
+    "Data Connectors/GCPAuditLogs_ccp/data_connector_definition.json"
   ],
   "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Google Cloud Platform Audit Logs",
-  "Version": "2.0.2",
+  "Version": "3.0.0",
   "Metadata": "SolutionMetadata.json",
-  "TemplateSpec": true,
-  "Is1Pconnector": false
+  "TemplateSpec": true
 }
diff --git a/Solutions/Google Cloud Platform Audit Logs/Package/3.0.0.zip b/Solutions/Google Cloud Platform Audit Logs/Package/3.0.0.zip
diff --git a/Solutions/Google Cloud Platform Audit Logs/Package/createUiDefinition.json b/Solutions/Google Cloud Platform Audit Logs/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
     "config": {
       "isWizard": false,
       "basics": {
-        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Google%20Cloud%20Platform%20Audit%20Logs/logo/Google-Cloud-Branding.png\" width=\"75px\" height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Google Cloud Platform (GCP) audit logs](https://cloud.google.com/pubsub/docs/audit-logging) solution for Microsoft Sentinel enable you to capture three types of audit logs: admin activity logs, data access logs, and access transparency logs. Google cloud audit logs record a trail that practitioners can use to monitor access and detect potential threats across Google Cloud Platform (GCP) resources.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Codeless Connector Platform (CCP)](https://learn.microsoft.com/en-us/azure/sentinel/create-custom-connector#connect-with-the-codeless-connector-platform)\n\n**Data Connectors:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Google%20Cloud%20Platform%20Audit%20Logs/logo/Google-Cloud-Branding.png\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Google%20Cloud%20Platform%20Audit%20Logs/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Google Cloud Platform (GCP) audit logs, ingested from Microsoft Sentinel's connector, enables you to capture and track all activity that occurs in your GCP environment. These audit logs provide valuable insights for monitoring user activity, troubleshooting issues, and ensuring compliance with security regulations. They serve as a record of events that practitioners can utilize to monitor access and identify potential threats across GCP resources.\n\n**Data Connectors:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
         "subscription": {
           "resourceProviders": [
             "Microsoft.OperationsManagement/solutions",
@@ -60,7 +60,7 @@
             "name": "dataconnectors1-text",
             "type": "Microsoft.Common.TextBlock",
             "options": {
-              "text": "The GCP Pub/Sub Audit Logs data connector ingested from Sentinel's connector, enable you to capture three types of audit logs: admin activity logs, data access logs, and access transparency logs. Google cloud audit logs record a trail that practitioners can use to monitor access and detect potential threats across Google Cloud Platform (GCP) resources."
+              "text": "This Solution installs the data connector for Google Cloud Platform Audit Logs. You can get Google Cloud Platform Audit Logs data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
             }
           },
           {
@@ -82,4 +82,4 @@
       "workspace": "[basics('workspace')]"
     }
   }
-}
+}