From c8a145b0e6b3c7ef8464aa0c0c8aa19e9296bc57 Mon Sep 17 00:00:00 2001 
From: alondanoch Date: Tue, 16 Nov 2021 15:39:46 +0200 Subject: [PATCH] Add data connectors polling ccp api support (#16293) * adding dataConnectors polling CCP api Support. (witout tests validations) * azure sentinel dataconnectors update examples * azure sentinel dataConnectors examples update and fix * azure sentinel dataConnectors prettier * azure sentinel dataConnectors add connect disconnect examples update path * azure sentinel dataConnectors add connect disconnect examples fix * azure sentinel dataConnectors add connect disconnect examples fix 2 * azure sentinel dataConnectors rebase dataConnectors dev * azure sentinel dataconnectors - fix put to post on connect and disconnect endpoints * azure sentinel dataconnectors - adding x-ms-secret to password on connect * azure sentinel dataconnectors - connect/disconnect endpoint remove unnedded 201 return * azure sentinel dataConnectors - remove empty body DataConnectorDisconnectBody Co-authored-by: Alon Danoch --- .../2021-09-01-preview/dataConnectors.json | 433 +++++++++++++++++- .../dataConnectors/ConnectAPIPolling.json | 25 + .../dataConnectors/CreateAPIPolling.json | 369 +++++++++++++++ .../dataConnectors/DeleteAPIPolling.json | 14 + .../dataConnectors/DisconnectAPIPolling.json | 14 + .../dataConnectors/GetAPIPolling.json | 134 ++++++ .../dataConnectors/GetDataConnectors.json | 119 +++++ 7 files changed, 1107 insertions(+), 1 deletion(-) create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/examples/dataConnectors/ConnectAPIPolling.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/examples/dataConnectors/CreateAPIPolling.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/examples/dataConnectors/DeleteAPIPolling.json create mode 100644 
specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/examples/dataConnectors/DisconnectAPIPolling.json
create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/examples/dataConnectors/GetAPIPolling.json
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/dataConnectors.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/dataConnectors.json
index 999869d0ad57..b8b2178629dd 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/dataConnectors.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/dataConnectors.json
@@ -129,6 +129,9 @@
 },
 "Get a GenericUI data connector": {
 "$ref": "./examples/dataConnectors/GetGenericUI.json"
+ },
+ "Get a APIPolling data connector": {
+ "$ref": "./examples/dataConnectors/GetAPIPolling.json"
 }
 },
 "tags": [
@@ -187,6 +190,9 @@
 },
 "Creates or updates a GenericUI data connector": {
 "$ref": "./examples/dataConnectors/CreateGenericUI.json"
+ },
+ "Creates or updates a APIPolling data connector": {
+ "$ref": "./examples/dataConnectors/CreateAPIPolling.json"
 }
 },
 "tags": [
@@ -245,6 +251,9 @@
 },
 "Delete a GenericUI data connector": {
 "$ref": "./examples/dataConnectors/DeleteGenericUI.json"
+ },
+ "Delete a APIPolling data connector": {
+ "$ref": "./examples/dataConnectors/DeleteAPIPolling.json"
 }
 },
 "tags": [
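Review bot: The three new example keys use the wrong article — `Get a APIPolling data connector`, `Creates or updates a APIPolling data connector` and `Delete a APIPolling data connector` — while the connect/disconnect examples added further down in this patch say `an APIPolling`. These keys surface as example titles in generated documentation, so use `an` in all of them, e.g. `"Get an APIPolling data connector": {`. The second and third hunks on this line have the same issue.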
@@ -288,6 +297,99 @@
 }
 }
 },
+ "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectors/{dataConnectorId}/connect": {
+ "post": {
+ "x-ms-examples": {
+ "Connect an APIPolling data connector": {
+ "$ref": "./examples/dataConnectors/ConnectAPIPolling.json"
+ }
+ },
+ "tags": [
+ "Data Connectors Connect"
+ ],
+ "description": "Connects a data connector.",
+ "operationId": "DataConnectors_Connect",
+ "parameters": [
+ {
+ "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter"
+ },
+ {
+ "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter"
+ },
+ {
+ "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter"
+ },
+ {
+ "$ref": "../../../common/2.0/types.json#/parameters/OperationalInsightsResourceProvider"
+ },
+ {
+ "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName"
+ },
+ {
+ "$ref": "#/parameters/DataConnectorId"
+ },
+ {
+ "$ref": "#/parameters/DataConnectorConnectBody"
+ }
+ ],
+ "responses": {
+ "200": {
+ "description": "OK, Operation successfully completed"
+ },
+ "default": {
+ "description": "Error response describing why the operation failed.",
+ "schema": {
+ "$ref": "../../../../../common-types/resource-management/v3/types.json#/definitions/ErrorResponse"
+ }
+ }
+ }
+ }
+ },
+ "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectors/{dataConnectorId}/disconnect": {
+ "post": {
+ "x-ms-examples": {
+ "Disconnect an APIPolling data connector": {
+ "$ref": "./examples/dataConnectors/DisconnectAPIPolling.json"
+ }
+ },
+ "tags": [
+ "Data Connectors Disconnect"
+ ],
+ "description": "Disconnect a data connector.",
+ "operationId": "DataConnectors_Disconnect",
+ "parameters": [
+ {
+ "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter"
+ },
+ {
+ "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter"
+ },
+ {
+ "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter"
+ },
+ {
+ "$ref": "../../../common/2.0/types.json#/parameters/OperationalInsightsResourceProvider"
+ },
+ {
+ "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName"
+ },
+ {
+ "$ref": "#/parameters/DataConnectorId"
+ }
+ ],
+ "responses": {
+ "200": {
+ "description": "OK, Operation successfully completed"
+ },
+ "default": {
+ "description": "Error response describing why the operation failed.",
+ "schema": {
+ "$ref": "../../../../../common-types/resource-management/v3/types.json#/definitions/ErrorResponse"
+ }
+ }
+ }
+ }
+ },
 "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements": {
 "post": {
 "x-ms-examples": {
@@ -1175,7 +1277,8 @@
 "Dynamics365",
 "MicrosoftThreatProtection",
 "MicrosoftThreatIntelligence",
- "GenericUI"
+ "GenericUI",
+ "APIPolling"
 ],
 "type": "string",
 "x-ms-enum": {
@@ -1226,6 +1329,9 @@
 },
 {
 "value": "GenericUI"
+ },
+ {
+ "value": "APIPolling"
 }
 ]
 }
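Review bot: The `DataConnectors_Connect` description `Connects a data connector.` does not say that the request body is where the connector's credentials (`apiKey`, `clientSecret`, `password`, … in `DataConnectorConnectBody`, defined later in this patch) are supplied, which is the one thing a caller of this POST must know; suggest `"description": "Connects a data connector using the authentication kind and credentials supplied in the request body.",`. The disconnect description `Disconnect a data connector.` should match the third-person form of its sibling, `"description": "Disconnects a data connector.",`. Both operations return a bare `200` with no schema, so a client cannot learn the resulting connection state from the response; if the service exposes it elsewhere, the descriptions should say where.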
@@ -1798,6 +1904,321 @@
 "instructionSteps"
 ]
 },
+ "DataConnectorConnectBody": {
+ "description": "Represents Codeless API Polling data connector.",
+ "type": "object",
+ "properties": {
+ "kind": {
+ "description": "The authentication kind used to poll the data",
+ "enum": [
+ "Basic",
+ "OAuth2",
+ "APIKey"
+ ],
+ "type": "string",
+ "x-ms-enum": {
+ "modelAsString": true,
+ "name": "ConnectAuthKind"
+ }
+ },
+ "apiKey": {
+ "type": "string",
+ "description": "The API key of the audit server."
+ },
+ "clientSecret": {
+ "type": "string",
+ "description": "The client secret of the OAuth 2.0 application."
+ },
+ "clientId": {
+ "type": "string",
+ "description": "The client id of the OAuth 2.0 application."
+ },
+ "authorizationCode": {
+ "type": "string",
+ "description": "The authorization code used in OAuth 2.0 code flow to issue a token."
+ },
+ "userName": {
+ "type": "string",
+ "description": "The user name in the audit log server."
+ },
+ "password": {
+ "type": "string",
+ "description": "The user password in the audit log server.",
+ "x-ms-secret": true
+ },
+ "requestConfigUserInputValues": {
+ "type": "array",
+ "description": "",
+ "items": {
+ "type": "object"
+ }
+ }
+ }
+ },
+ "CodelessApiPollingDataConnector": {
+ "allOf": [
+ {
+ "$ref": "#/definitions/DataConnector"
+ }
+ ],
+ "description": "Represents Codeless API Polling data connector.",
+ "properties": {
+ "properties": {
+ "$ref": "#/definitions/ApiPollingParameters",
+ "description": "Codeless poling data connector properties",
+ "x-ms-client-flatten": true
+ }
+ },
+ "type": "object",
+ "x-ms-discriminator-value": "APIPolling"
+ },
+ "ApiPollingParameters": {
+ "description": "Represents Codeless API Polling data connector",
+ "type": "object",
+ "properties": {
+ "connectorUiConfig": {
+ "$ref": "#/definitions/CodelessUiConnectorConfigProperties",
+ "description": "Config to describe the instructions blade"
+ },
+ "pollingConfig": {
+ "$ref": "#/definitions/CodelessConnectorPollingConfigProperties",
+ "description": "Config to describe the polling instructions"
+ }
+ }
+ },
+ "CodelessConnectorPollingConfigProperties": {
+ "description": "Config to describe the polling config for API poller connector",
+ "type": "object",
+ "properties": {
+ "isActive": {
+ "description": "The poller active status",
+ "type": "boolean"
+ },
+ "auth": {
+ "type": "object",
+ "$ref": "#/definitions/CodelessConnectorPollingAuthProperties",
+ "description": "Describe the authentication type of the poller"
+ },
+ "request": {
+ "type": "object",
+ "$ref": "#/definitions/CodelessConnectorPollingRequestProperties",
+ "description": "Describe the poll request config parameters of the poller"
+ },
+ "paging": {
+ "type": "object",
+ "$ref": "#/definitions/CodelessConnectorPollingPagingProperties",
+ "description": "Describe the poll request paging config of the poller"
+ },
+ "response": {
+ "type": "object",
+ "$ref": "#/definitions/CodelessConnectorPollingResponseProperties",
+ "description": "Describe the response config parameters of the poller"
+ }
+ },
+ "required": [
+ "auth",
+ "request"
+ ]
+ },
+ "CodelessConnectorPollingResponseProperties": {
+ "description": "Describes the response from the external server",
+ "type": "object",
+ "properties": {
+ "eventsJsonPaths": {
+ "description": "Describes the path we should extract the data in the response",
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "successStatusJsonPath": {
+ "description": "Describes the path we should extract the status code in the response",
+ "type": "string"
+ },
+ "successStatusValue": {
+ "description": "Describes the path we should extract the status value in the response",
+ "type": "string"
+ },
+ "isGzipCompressed": {
+ "description": "Describes if the data in the response is Gzip",
+ "type": "boolean"
+ }
+ },
+ "required": [
+ "eventsJsonPaths"
+ ]
+ },
+ "CodelessConnectorPollingPagingProperties": {
+ "description": "Describe the properties needed to make a pagination call",
+ "type": "object",
+ "properties": {
+ "pagingType": {
+ "description": "Describes the type. could be 'None', 'PageToken', 'PageCount', 'TimeStamp'",
+ "type": "string"
+ },
+ "nextPageParaName": {
+ "description": "Defines the name of a next page attribute",
+ "type": "string"
+ },
+ "nextPageTokenJsonPath": {
+ "description": "Defines the path to a next page token JSON",
+ "type": "string"
+ },
+ "pageCountAttributePath": {
+ "description": "Defines the path to a page count attribute",
+ "type": "string"
+ },
+ "pageTotalCountAttributePath": {
+ "description": "Defines the path to a page total count attribute",
+ "type": "string"
+ },
+ "pageTimeStampAttributePath": {
+ "description": "Defines the path to a paging time stamp attribute",
+ "type": "string"
+ },
+ "searchTheLatestTimeStampFromEventsList": {
+ "description": "Determines whether to search for the latest time stamp in the events list",
+ "type": "string"
+ },
+ "pageSizeParaName": {
+ "description": "Defines the name of the page size parameter",
+ "type": "string"
+ },
+ "pageSize": {
+ "description": "Defines the paging size",
+ "format": "int32",
+ "type": "integer"
+ }
+ },
+ "required": [
+ "pagingType"
+ ]
+ },
+ "CodelessConnectorPollingRequestProperties": {
+ "description": "Describe the request properties needed to successfully pull from the server",
+ "type": "object",
+ "properties": {
+ "apiEndpoint": {
+ "description": "Describe the endpoint we should pull the data from",
+ "type": "string"
+ },
+ "rateLimitQps": {
+ "description": "Defines the rate limit QPS",
+ "format": "int32",
+ "type": "integer"
+ },
+ "queryWindowInMin": {
+ "description": "The window interval we will use the pull the data",
+ "format": "int32",
+ "type": "integer"
+ },
+ "httpMethod": {
+ "description": "The http method type we will use in the poll request, GET or POST",
+ "type": "string"
+ },
+ "queryTimeFormat": {
+ "description": "The time format will be used the query events in a specific window",
+ "type": "string"
+ },
+ "retryCount": {
+ "description": "Describe the amount of time we should try and poll the data in case of failure",
+ "format": "int32",
+ "type": "integer"
+ },
+ "timeoutInSeconds": {
+ "description": "The number of seconds we will consider as a request timeout",
+ "format": "int32",
+ "type": "integer"
+ },
+ "headers": {
+ "description": "Describe the headers sent in the poll request",
+ "type": "object"
+ },
+ "queryParameters": {
+ "description": "Describe the query parameters sent in the poll request",
+ "type": "object"
+ },
+ "queryParametersTemplate": {
+ "description": "For advanced scenarios for example user name/password embedded in nested JSON payload",
+ "type": "string"
+ },
+ "startTimeAttributeName": {
+ "description": "This will be used the query events from a start of the time window",
+ "type": "string"
+ },
+ "endTimeAttributeName": {
+ "description": "This will be used the query events from the end of the time window",
+ "type": "string"
+ }
+ },
+ "required": [
+ "apiEndpoint",
+ "httpMethod",
+ "queryWindowInMin",
+ "queryTimeFormat"
+ ]
+ },
+ "CodelessConnectorPollingAuthProperties": {
+ "description": "Describe the authentication properties needed to successfully authenticate with the server",
+ "type": "object",
+ "properties": {
+ "authType": {
+ "description": "The authentication type",
+ "type": "string"
+ },
+ "apiKeyName": {
+ "description": "The header name which the token is sent with",
+ "type": "string"
+ },
+ "apiKeyIdentifier": {
+ "description": "A prefix send in the header before the actual token",
+ "type": "string"
+ },
+ "isApiKeyInPostPayload": {
+ "description": "Marks if the key should sent in header",
+ "type": "string"
+ },
+ "flowName": {
+ "description": "Describes the flow name, for example 'AuthCode' for Oauth 2.0",
+ "type": "string"
+ },
+ "tokenEndpoint": {
+ "description": "The endpoint used to issue a token, used in Oauth 2.0 flow",
+ "type": "string"
+ },
+ "authorizationEndpoint": {
+ "description": "The endpoint used to authorize the user, used in Oauth 2.0 flow",
+ "type": "string"
+ },
+ "authorizationEndpointQueryParameters": {
+ "description": "The query parameters used in authorization request, used in Oauth 2.0 flow",
+ "type": "object"
+ },
+ "redirectionEndpoint": {
+ "description": "The redirect endpoint where we will get the authorization code, used in Oauth 2.0 flow",
+ "type": "string"
+ },
+ "tokenEndpointHeaders": {
+ "description": "The query headers used in token request, used in Oauth 2.0 flow",
+ "type": "object"
+ },
+ "tokenEndpointQueryParameters": {
+ "description": "The query parameters used in token request, used in Oauth 2.0 flow",
+ "type": "object"
+ },
+ "isClientSecretInHeader": {
+ "description": "Marks if we should send the client secret in header or payload, used in Oauth 2.0 flow",
+ "type": "boolean"
+ },
+ "scope": {
+ "description": "The OAuth token scope",
+ "type": "string"
+ }
+ },
+ "required": [
+ "authType"
+ ]
+ },
 "LastDataReceivedDataType": {
 "description": "Data type for last data received",
 "type": "object",
@@ -2087,6 +2508,16 @@
 "type": "string",
 "x-ms-parameter-location": "method"
 },
+ "DataConnectorConnectBody": {
+ "description": "The data connector",
+ "in": "body",
+ "name": "connectBody",
+ "required": true,
+ "schema": {
+ "$ref": "#/definitions/DataConnectorConnectBody"
+ },
+ "x-ms-parameter-location": "method"
+ },
 "DataConnectorsCheckRequirementsBody": {
 "description": "The parameters for requirements check message",
 "in": "body",
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/examples/dataConnectors/ConnectAPIPolling.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/examples/dataConnectors/ConnectAPIPolling.json
new file mode 100644
index 000000000000..604358122a76
--- /dev/null
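Review bot: In `DataConnectorConnectBody` only `password` carries `x-ms-secret`, while `apiKey`, `clientSecret` and `authorizationCode` — the credential material for the `APIKey` and `OAuth2` kinds — are plain strings, so generated SDKs and tooling that honour the annotation will still log or echo them; add `"x-ms-secret": true` to each, e.g. `"apiKey": { "type": "string", "description": "The API key of the audit server.", "x-ms-secret": true },`. Two flag-like properties in the same hunk are typed as strings despite boolean descriptions — `isApiKeyInPostPayload` (`Marks if the key should sent in header`, which also contradicts the property name) and `searchTheLatestTimeStampFromEventsList` — while `isClientSecretInHeader` correctly uses `"type": "boolean"`; they should be booleans too. `pagingType` is a free string whose description enumerates `'None', 'PageToken', 'PageCount', 'TimeStamp'`; an `enum` with `x-ms-enum`, as done for `kind`, would let validators catch the `LinkHeader` value the new examples use. `requestConfigUserInputValues` has an empty `description` and untyped `items`; the ConnectAPIPolling example shows the item shape (`displayText`, `placeHolderName`, `placeHolderValue`, `requestObjectKey`), which the schema should declare.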
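Review bot: The new `DataConnectorConnectBody` parameter is described as `"The data connector"`, but its schema is the connect body (the authentication `kind` plus credential fields), not a data connector resource, and the description is what generated SDK docs show for the argument. Suggest `"description": "The authentication kind and credentials used to connect the data connector",`.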
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/examples/dataConnectors/ConnectAPIPolling.json
@@ -0,0 +1,25 @@
+{
+ "parameters": {
+ "api-version": "2021-09-01-preview",
+ "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+ "resourceGroupName": "myRg",
+ "workspaceName": "myWorkspace",
+ "operationalInsightsResourceProvider": "Microsoft.OperationalInsights",
+ "dataConnectorId": "316ec55e-7138-4d63-ab18-90c8a60fd1c8",
+ "connectBody": {
+ "kind": "APIKey",
+ "apiKey": "123456789",
+ "requestConfigUserInputValues": [
+ {
+ "displayText": "Organization Name",
+ "placeHolderName": "{{placeHolder1}}",
+ "placeHolderValue": "somePlaceHolderValue",
+ "requestObjectKey": "apiEndpoint"
+ }
+ ]
+ }
+ },
+ "responses": {
+ "200": {}
+ }
+}
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/examples/dataConnectors/CreateAPIPolling.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/examples/dataConnectors/CreateAPIPolling.json
new file mode 100644
index 000000000000..64d0a159c38a
--- /dev/null
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/examples/dataConnectors/CreateAPIPolling.json
@@ -0,0 +1,369 @@ +{ + "parameters": { + "api-version": "2021-09-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalInsights", + "dataConnectorId": "316ec55e-7138-4d63-ab18-90c8a60fd1c8", + "dataConnector": { + "kind": "APIPolling", + "properties": { + "connectorUiConfig": { + "title": "GitHub Enterprise Audit Log", + "publisher": "GitHub", + "descriptionMarkdown": "The GitHub audit log connector provides the capability to ingest GitHub logs into Azure Sentinel. By connecting GitHub audit logs into Azure Sentinel, you can view this data in workbooks, use it to create custom alerts, and improve your investigation process.", + "graphQueriesTableName": "GitHubAuditLogPolling_CL", + "graphQueries": [ + { + "metricName": "Total events received", + "legend": "GitHub audit log events", + "baseQuery": "{{graphQueriesTableName}}" + } + ], + "sampleQueries": [ + { + "description": "All logs", + "query": "{{graphQueriesTableName}}\n | take 10 " + } + ], + "dataTypes": [ + { + "name": "{{graphQueriesTableName}}", + "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriteria": [ + { + "type": "SentinelKindsV2", + "value": [] + } + ], + "availability": { + "status": 1, + "isPreview": true + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + } + ], + "customs": [ + { + "name": "GitHub API personal token Key", + "description": "You need access to GitHub personal token, the key should have 'admin:org' scope" + } + ] + }, + "instructionSteps": [ + { + "title": "Connect GitHub 
Enterprise Audit Log to Azure Sentinel", + "description": "Enable GitHub audit Logs. \n Follow [this](https://docs.github.com/en/github/authenticating-to-github/keeping-your-account-and-data-secure/creating-a-personal-access-token) to create or find your personal key", + "instructions": [ + { + "parameters": { + "enable": "true", + "userRequestPlaceHoldersInput": [ + { + "displayText": "Organization Name", + "requestObjectKey": "apiEndpoint", + "placeHolderName": "{{placeHolder1}}", + "placeHolderValue": "" + } + ] + }, + "type": "APIKey" + } + ] + } + ] + }, + "pollingConfig": { + "auth": { + "authType": "APIKey", + "apiKeyIdentifier": "token", + "apiKeyName": "Authorization" + }, + "request": { + "apiEndpoint": "https://api.github.com/organizations/{{placeHolder1}}/audit-log", + "rateLimitQps": 50, + "queryWindowInMin": 15, + "httpMethod": "Get", + "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ", + "retryCount": 2, + "timeoutInSeconds": 60, + "headers": { + "Accept": "application/json", + "User-Agent": "Scuba" + }, + "queryParameters": { + "phrase": "created:{_QueryWindowStartTime}..{_QueryWindowEndTime}" + } + }, + "paging": { + "pagingType": "LinkHeader", + "pageSizeParaName": "per_page" + }, + "response": { + "eventsJsonPaths": [ + "$" + ] + } + } + } + } + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/316ec55e-7138-4d63-ab18-90c8a60fd1c8", + "name": "316ec55e-7138-4d63-ab18-90c8a60fd1c8", + "etag": "\"1a00b074-0000-0100-0000-606ef5bd0000\"", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "APIPolling", + "properties": { + "connectorUiConfig": { + "title": "GitHub Enterprise Audit Log", + "publisher": "GitHub", + "descriptionMarkdown": "The GitHub audit log connector provides the capability to ingest GitHub logs into Azure Sentinel. 
By connecting GitHub audit logs into Azure Sentinel, you can view this data in workbooks, use it to create custom alerts, and improve your investigation process.", + "graphQueriesTableName": "GitHubAuditLogPolling_CL", + "graphQueries": [ + { + "metricName": "Total events received", + "legend": "GitHub audit log events", + "baseQuery": "{{graphQueriesTableName}}" + } + ], + "sampleQueries": [ + { + "description": "All logs", + "query": "{{graphQueriesTableName}}\n | take 10 " + } + ], + "dataTypes": [ + { + "name": "{{graphQueriesTableName}}", + "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriteria": [ + { + "type": "SentinelKindsV2", + "value": [] + } + ], + "availability": { + "status": 1, + "isPreview": true + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + } + ], + "customs": [ + { + "name": "GitHub API personal token Key", + "description": "You need access to GitHub personal token, the key should have 'admin:org' scope" + } + ] + }, + "instructionSteps": [ + { + "title": "Connect GitHub Enterprise Audit Log to Azure Sentinel", + "description": "Enable GitHub audit Logs. 
\n Follow [this](https://docs.github.com/en/github/authenticating-to-github/keeping-your-account-and-data-secure/creating-a-personal-access-token) to create or find your personal key", + "instructions": [ + { + "parameters": { + "enable": "true", + "userRequestPlaceHoldersInput": [ + { + "displayText": "Organization Name", + "requestObjectKey": "apiEndpoint", + "placeHolderName": "{{placeHolder1}}", + "placeHolderValue": "" + } + ] + }, + "type": "APIKey" + } + ] + } + ] + }, + "pollingConfig": { + "auth": { + "authType": "APIKey", + "apiKeyIdentifier": "token", + "apiKeyName": "Authorization" + }, + "request": { + "apiEndpoint": "https://api.github.com/organizations/{{placeHolder1}}/audit-log", + "rateLimitQps": 50, + "queryWindowInMin": 15, + "httpMethod": "Get", + "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ", + "retryCount": 2, + "timeoutInSeconds": 60, + "headers": { + "Accept": "application/json", + "User-Agent": "Scuba" + }, + "queryParameters": { + "phrase": "created:{_QueryWindowStartTime}..{_QueryWindowEndTime}" + } + }, + "paging": { + "pagingType": "LinkHeader", + "pageSizeParaName": "per_page" + }, + "response": { + "eventsJsonPaths": [ + "$" + ] + } + } + } + } + }, + "201": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/316ec55e-7138-4d63-ab18-90c8a60fd1c8", + "name": "316ec55e-7138-4d63-ab18-90c8a60fd1c8", + "etag": "\"1a00b074-0000-0100-0000-606ef5bd0000\"", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "APIPolling", + "properties": { + "connectorUiConfig": { + "title": "GitHub Enterprise Audit Log", + "publisher": "GitHub", + "descriptionMarkdown": "The GitHub audit log connector provides the capability to ingest GitHub logs into Azure Sentinel. 
By connecting GitHub audit logs into Azure Sentinel, you can view this data in workbooks, use it to create custom alerts, and improve your investigation process.", + "graphQueriesTableName": "GitHubAuditLogPolling_CL", + "graphQueries": [ + { + "metricName": "Total events received", + "legend": "GitHub audit log events", + "baseQuery": "{{graphQueriesTableName}}" + } + ], + "sampleQueries": [ + { + "description": "All logs", + "query": "{{graphQueriesTableName}}\n | take 10 " + } + ], + "dataTypes": [ + { + "name": "{{graphQueriesTableName}}", + "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriteria": [ + { + "type": "SentinelKindsV2", + "value": [] + } + ], + "availability": { + "status": 1, + "isPreview": true + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + } + ], + "customs": [ + { + "name": "GitHub API personal token Key", + "description": "You need access to GitHub personal token, the key should have 'admin:org' scope" + } + ] + }, + "instructionSteps": [ + { + "title": "Connect GitHub Enterprise Audit Log to Azure Sentinel", + "description": "Enable GitHub audit Logs. 
\n Follow [this](https://docs.github.com/en/github/authenticating-to-github/keeping-your-account-and-data-secure/creating-a-personal-access-token) to create or find your personal key", + "instructions": [ + { + "parameters": { + "enable": "true", + "userRequestPlaceHoldersInput": [ + { + "displayText": "Organization Name", + "requestObjectKey": "apiEndpoint", + "placeHolderName": "{{placeHolder1}}", + "placeHolderValue": "" + } + ] + }, + "type": "APIKey" + } + ] + } + ] + }, + "pollingConfig": { + "auth": { + "authType": "APIKey", + "apiKeyIdentifier": "token", + "apiKeyName": "Authorization" + }, + "request": { + "apiEndpoint": "https://api.github.com/organizations/{{placeHolder1}}/audit-log", + "rateLimitQps": 50, + "queryWindowInMin": 15, + "httpMethod": "Get", + "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ", + "retryCount": 2, + "timeoutInSeconds": 60, + "headers": { + "Accept": "application/json", + "User-Agent": "Scuba" + }, + "queryParameters": { + "phrase": "created:{_QueryWindowStartTime}..{_QueryWindowEndTime}" + } + }, + "paging": { + "pagingType": "LinkHeader", + "pageSizeParaName": "per_page" + }, + "response": { + "eventsJsonPaths": [ + "$" + ] + } + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/examples/dataConnectors/DeleteAPIPolling.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/examples/dataConnectors/DeleteAPIPolling.json new file mode 100644 index 000000000000..152a8f6f2ff8 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/examples/dataConnectors/DeleteAPIPolling.json 
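Review bot: The example's `pollingConfig` values disagree with the schema descriptions added by this patch: `"httpMethod": "Get"` where `CodelessConnectorPollingRequestProperties.httpMethod` documents `GET or POST`, and `"pagingType": "LinkHeader"` where `CodelessConnectorPollingPagingProperties.pagingType` lists only `'None', 'PageToken', 'PageCount', 'TimeStamp'`. Both properties are free-form strings, so example validation will not flag this; either the example or the descriptions need to change (adding `LinkHeader` to the documented values and spelling the method `GET`). The same values are repeated in the 200 and 201 bodies here and in the GetAPIPolling and GetDataConnectors examples, so whichever side is corrected must be corrected in all of them.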
@@ -0,0 +1,14 @@
+{
+ "parameters": {
+ "api-version": "2021-09-01-preview",
+ "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+ "resourceGroupName": "myRg",
+ "workspaceName": "myWorkspace",
+ "operationalInsightsResourceProvider": "Microsoft.OperationalInsights",
+ "dataConnectorId": "316ec55e-7138-4d63-ab18-90c8a60fd1c8"
+ },
+ "responses": {
+ "200": {},
+ "204": {}
+ }
+}
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/examples/dataConnectors/DisconnectAPIPolling.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/examples/dataConnectors/DisconnectAPIPolling.json
new file mode 100644
index 000000000000..1c50c5f4fc0c
--- /dev/null
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/examples/dataConnectors/DisconnectAPIPolling.json
@@ -0,0 +1,14 @@
+{
+ "parameters": {
+ "api-version": "2021-09-01-preview",
+ "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+ "resourceGroupName": "myRg",
+ "workspaceName": "myWorkspace",
+ "operationalInsightsResourceProvider": "Microsoft.OperationalInsights",
+ "dataConnectorId": "316ec55e-7138-4d63-ab18-90c8a60fd1c8",
+ "disconnectBody": {}
+ },
+ "responses": {
+ "200": {}
+ }
+}
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/examples/dataConnectors/GetAPIPolling.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/examples/dataConnectors/GetAPIPolling.json
new file mode 100644
index 000000000000..5ac0f2b70c5d
--- /dev/null
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/examples/dataConnectors/GetAPIPolling.json
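Review bot: The DisconnectAPIPolling example passes `"disconnectBody": {}` as a parameter, but `DataConnectors_Disconnect` (earlier in this patch) declares no body parameter — the commit message says the empty body was removed from the operation — so the example no longer matches the operation it illustrates, and example validation is likely to reject a parameter the operation does not declare. Drop that line and leave `"dataConnectorId": "316ec55e-7138-4d63-ab18-90c8a60fd1c8"` as the last parameter, without the trailing comma.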
@@ -0,0 +1,134 @@ +{ + "parameters": { + "api-version": "2021-09-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalInsights", + "dataConnectorId": "316ec55e-7138-4d63-ab18-90c8a60fd1c8" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/316ec55e-7138-4d63-ab18-90c8a60fd1c8", + "name": "316ec55e-7138-4d63-ab18-90c8a60fd1c8", + "etag": "\"1a00b074-0000-0100-0000-606ef5bd0000\"", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "APIPolling", + "properties": { + "connectorUiConfig": { + "title": "GitHub Enterprise Audit Log", + "publisher": "GitHub", + "descriptionMarkdown": "The GitHub audit log connector provides the capability to ingest GitHub logs into Azure Sentinel. 
By connecting GitHub audit logs into Azure Sentinel, you can view this data in workbooks, use it to create custom alerts, and improve your investigation process.", + "customImage": "The image connector content", + "graphQueriesTableName": "GitHubAuditLogPolling_CL", + "graphQueries": [ + { + "metricName": "Total events received", + "legend": "GitHub audit log events", + "baseQuery": "{{graphQueriesTableName}}" + } + ], + "sampleQueries": [ + { + "description": "All logs", + "query": "{{graphQueriesTableName}}\n | take 10 " + } + ], + "dataTypes": [ + { + "name": "{{graphQueriesTableName}}", + "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriteria": [ + { + "type": "SentinelKindsV2", + "value": [] + } + ], + "availability": { + "status": 1, + "isPreview": true + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + } + ], + "customs": [ + { + "name": "GitHub API personal token Key", + "description": "You need access to GitHub personal token, the key should have 'admin:org' scope" + } + ] + }, + "instructionSteps": [ + { + "title": "Connect GitHub Enterprise Audit Log to Azure Sentinel", + "description": "Enable GitHub audit Logs. 
\n Follow [this](https://docs.github.com/en/github/authenticating-to-github/keeping-your-account-and-data-secure/creating-a-personal-access-token) to create or find your personal key", + "instructions": [ + { + "parameters": { + "enable": "true", + "userRequestPlaceHoldersInput": [ + { + "displayText": "Organization Name", + "requestObjectKey": "apiEndpoint", + "placeHolderName": "{{placeHolder1}}", + "placeHolderValue": "" + } + ] + }, + "type": "APIKey" + } + ] + } + ] + }, + "pollingConfig": { + "auth": { + "authType": "APIKey", + "apiKeyIdentifier": "token", + "apiKeyName": "Authorization" + }, + "request": { + "apiEndpoint": "https://api.github.com/organizations/{{placeHolder1}}/audit-log", + "rateLimitQps": 50, + "queryWindowInMin": 15, + "httpMethod": "Get", + "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ", + "retryCount": 2, + "timeoutInSeconds": 60, + "headers": { + "Accept": "application/json", + "User-Agent": "Scuba" + }, + "queryParameters": { + "phrase": "created:{_QueryWindowStartTime}..{_QueryWindowEndTime}" + } + }, + "paging": { + "pagingType": "LinkHeader", + "pageSizeParaName": "per_page" + }, + "response": { + "eventsJsonPaths": [ + "$" + ] + } + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/examples/dataConnectors/GetDataConnectors.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/examples/dataConnectors/GetDataConnectors.json index e04a20921b94..d73cd2aac3fb 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/examples/dataConnectors/GetDataConnectors.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/examples/dataConnectors/GetDataConnectors.json 
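Review bot: `"customImage": "The image connector content"` appears in this GET response but in neither the CreateAPIPolling request/response bodies nor the GetDataConnectors list entry for the same connector, and whether `CodelessUiConnectorConfigProperties` declares `customImage` is not visible in this diff. If it is not declared, this example fails validation against the response schema; if it is, the Create example should round-trip it too so the examples agree on the shape of the resource.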
@@ -352,6 +352,125 @@
 ]
 }
 }
+ },
+ {
+ "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/316ec55e-7138-4d63-ab18-90c8a60fd1c8",
+ "name": "316ec55e-7138-4d63-ab18-90c8a60fd1c8",
+ "etag": "\"1a00b074-0000-0100-0000-606ef5bd0000\"",
+ "type": "Microsoft.SecurityInsights/dataConnectors",
+ "kind": "APIPolling",
+ "properties": {
+ "connectorUiConfig": {
+ "title": "GitHub Enterprise Audit Log",
+ "publisher": "GitHub",
+ "descriptionMarkdown": "The GitHub audit log connector provides the capability to ingest GitHub logs into Azure Sentinel. By connecting GitHub audit logs into Azure Sentinel, you can view this data in workbooks, use it to create custom alerts, and improve your investigation process.",
+ "graphQueriesTableName": "GitHubAuditLogPolling_CL",
+ "graphQueries": [
+ {
+ "metricName": "Total events received",
+ "legend": "GitHub audit log events",
+ "baseQuery": "{{graphQueriesTableName}}"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "All logs",
+ "query": "{{graphQueriesTableName}}\n | take 10 "
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "{{graphQueriesTableName}}",
+ "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriteria": [
+ {
+ "type": "SentinelKindsV2",
+ "value": []
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": true
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "name": "GitHub API personal token Key",
+ "description": "You need access to GitHub personal token, the key should have 'admin:org' 
scope"
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "title": "Connect GitHub Enterprise Audit Log to Azure Sentinel",
+ "description": "Enable GitHub audit Logs. \n Follow [this](https://docs.github.com/en/github/authenticating-to-github/keeping-your-account-and-data-secure/creating-a-personal-access-token) to create or find your personal key",
+ "instructions": [
+ {
+ "parameters": {
+ "enable": "true",
+ "userRequestPlaceHoldersInput": [
+ {
+ "displayText": "Organization Name",
+ "requestObjectKey": "apiEndpoint",
+ "placeHolderName": "{{placeHolder1}}",
+ "placeHolderValue": ""
+ }
+ ]
+ },
+ "type": "APIKey"
+ }
+ ]
+ }
+ ]
+ },
+ "pollingConfig": {
+ "auth": {
+ "authType": "APIKey",
+ "apiKeyIdentifier": "token",
+ "apiKeyName": "Authorization"
+ },
+ "request": {
+ "apiEndpoint": "https://api.github.com/organizations/{{placeHolder1}}/audit-log",
+ "rateLimitQps": 50,
+ "queryWindowInMin": 15,
+ "httpMethod": "Get",
+ "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ",
+ "retryCount": 2,
+ "timeoutInSeconds": 60,
+ "headers": {
+ "Accept": "application/json",
+ "User-Agent": "Scuba"
+ },
+ "queryParameters": {
+ "phrase": "created:{_QueryWindowStartTime}..{_QueryWindowEndTime}"
+ }
+ },
+ "paging": {
+ "pagingType": "LinkHeader",
+ "pageSizeParaName": "per_page"
+ },
+ "response": {
+ "eventsJsonPaths": [
+ "$"
+ ]
+ }
+ }
+ }
 }
 ]
 }
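Review bot: The `customs` entry in this new list item tells the user to create a personal access token with the `admin:org` scope, which is an organization-wide administrative grant, while the connector it describes only issues `"httpMethod": "Get"` requests to `https://api.github.com/organizations/{{placeHolder1}}/audit-log`. If GitHub accepts the narrower read-only `read:audit_log` scope for that endpoint, the guidance should name it so the secret stored in `pollingConfig.auth` is least-privilege, e.g. `"description": "You need a GitHub personal access token with the 'read:audit_log' scope"`. The same wording appears in the GetAPIPolling example earlier in this patch, so both examples would need the change. Note also that this item duplicates the GetAPIPolling connector body almost verbatim (only `customImage` differs), so the two examples can drift apart unless they are kept in sync deliberately.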
