Merge pull request Azure#11324 from javiersoriano/boxccp
Adding new Box CCP connector and updated parser
v-atulyadav authored Dec 10, 2024
2 parents 0494df0 + 098cd00 commit 2addf2f
Showing 14 changed files with 2,152 additions and 616 deletions.
Expand Up @@ -242,4 +242,4 @@
"Type": "Boolean"
}
]
}
}
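--- a/.script/tests/KqlvalidationsTests/CustomTables/BoxEventsV2_CL.json
+++ b/.script/tests/KqlvalidationsTests/CustomTables/BoxEventsV2_CL.json
@@ -0,0 +1,157 @@
+{
+"Name": "BoxEventsV2_CL",
+"Properties": [
+{
+"name": "additional_details",
+"type": "dynamic"
+},
+{
+"name": "created_at",
+"type": "datetime"
+},
+{
+"name": "event_id",
+"type": "string"
+},
+{
+"name": "EventEndTime",
+"type": "string"
+},
+{
+"name": "event_type",
+"type": "string"
+},
+{
+"name": "ip_address",
+"type": "string"
+},
+{
+"name": "session_id",
+"type": "dynamic"
+},
+{
+"name": "TimeGenerated",
+"type": "datetime"
+},
+{
+"name": "event_category",
+"type": "string"
+},
+{
+"name": "source_user_email",
+"type": "string"
+},
+{
+"name": "source_file_id",
+"type": "string"
+},
+{
+"name": "source_file_name",
+"type": "string"
+},
+{
+"name": "source_parent_name",
+"type": "string"
+},
+{
+"name": "source_item_type",
+"type": "string"
+},
+{
+"name": "source_item_id",
+"type": "string"
+},
+{
+"name": "source_item_name",
+"type": "string"
+},
+{
+"name": "source_parent_type",
+"type": "string"
+},
+{
+"name": "source_parent_id",
+"type": "string"
+},
+{
+"name": "source_owned_by_type",
+"type": "string"
+},
+{
+"name": "source_owned_by_id",
+"type": "string"
+},
+{
+"name": "source_owned_by_name",
+"type": "string"
+},
+{
+"name": "source_owned_by_login",
+"type": "string"
+},
+{
+"name": "created_by_type",
+"type": "string"
+},
+{
+"name": "created_by_id",
+"type": "string"
+},
+{
+"name": "created_by_name",
+"type": "string"
+},
+{
+"name": "created_by_login",
+"type": "string"
+},
+{
+"name": "source_type",
+"type": "string"
+},
+{
+"name": "source_id",
+"type": "string"
+},
+{
+"name": "source_name",
+"type": "string"
+},
+{
+"name": "source_login",
+"type": "string"
+},
+{
+"name": "source_folder_id",
+"type": "string"
+},
+{
+"name": "source_folder_name",
+"type": "string"
+},
+{
+"name": "source_user_id",
+"type": "string"
+},
+{
+"name": "source_user_name",
+"type": "string"
+},
+{
+"name": "accessible_by_type",
+"type": "string"
+},
+{
+"name": "accessible_by_id",
+"type": "string"
+},
+{
+"name": "accessible_by_name",
+"type": "string"
+},
+{
+"name": "accessible_by_login",
+"type": "string"
+}
+]
+}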
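Review bot: The `session_id` column is declared `"type": "dynamic"` here, but the stream declaration in Solutions/Box/Data Connectors/BoxEvents_ccp/BoxEvents_DCR.json in this same commit types it as `string` and its transform leaves that column untouched, so KQL validated against this schema will not behave the same against the real table; `"type": "string"` here would match the DCR. The schema also lists `EventEndTime`, which the DCR transform never produces, while `recorded_at`, which the transform does keep, has no column here. Since this file is what the KQL validation tests check parsers against, these three columns are worth reconciling with the DCR rather than adding the BoxEvents parser to the validation skip list.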
Expand Up @@ -3084,6 +3084,11 @@
"templateName": "MESCheckVIP.yaml",
"validationFailReason": "Temporarily Added for Parser KQL Queries validation"
},
{
"id": "231a04da-9a8d-4cd6-8a20-2da7ded173ba",
"templateName": "BoxEvents.yaml",
"validationFailReason": "Failing for missing coloumn which is already added to the Custom table Schema (EventEndTime)"
},
{
"id": "600db9e0-1c11-4295-a88a-071c79434926",
"templateName": "AccountElevatedtoNewRole.yaml",
Expand Down Expand Up @@ -3631,4 +3636,4 @@
}

// Temporarily adding Solution Parsers id's for Solution Parsers KQL Validations - End
]
]
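--- a/Solutions/Box/Data Connectors/BoxEvents_ccp/BoxEvents_DCR.json
+++ b/Solutions/Box/Data Connectors/BoxEvents_ccp/BoxEvents_DCR.json
@@ -0,0 +1,82 @@
+[
+{
+"name": "BoxEventsDCR",
+"apiVersion": "2021-09-01-preview",
+"type": "Microsoft.Insights/dataCollectionRules",
+"location": "{{location}}",
+"properties": {
+"dataCollectionEndpointId": "{{dataCollectionEndpointId}}",
+"streamDeclarations": {
+"Custom-Box_CL": {
+"columns": [
+{
+"name": "type",
+"type": "string"
+},
+{
+"name": "event_id",
+"type": "string"
+},
+{
+"name": "created_by",
+"type": "dynamic"
+},
+{
+"name": "created_at",
+"type": "datetime"
+},
+{
+"name": "recorded_at",
+"type": "datetime"
+},
+{
+"name": "event_type",
+"type": "string"
+},
+{
+"name": "session_id",
+"type": "string"
+},
+{
+"name": "source",
+"type": "dynamic"
+},
+{
+"name": "ip_address",
+"type": "string"
+},
+{
+"name": "accessible_by",
+"type": "dynamic"
+},
+{
+"name": "additional_details",
+"type": "dynamic"
+}
+]
+}
+},
+"dataSources": {},
+"destinations": {
+"logAnalytics": [
+{
+"workspaceResourceId": "[variables('workspaceResourceId')]",
+"name": "4b0f6f0e10104aa5838b3c0b18702683"
+}
+]
+},
+"dataFlows": [
+{
+"streams": [
+"Custom-Box_CL"
+],
+"destinations": [
+"4b0f6f0e10104aa5838b3c0b18702683"
+],
+"transformKql": "source\n| extend TimeGenerated = created_at, event_category = type\n| extend\n source_user_email=tostring(source.user_email),\n source_file_id=tostring(source.file_id),\n source_file_name=tostring(source.file_name),\n source_parent_name=tostring(source.parent.name),\n source_item_type=tostring(source.item_type),\n source_item_id=tostring(source.item_id),\n source_item_name=tostring(source.item_name),\n source_parent_type=tostring(source.parent.type),\n source_parent_id=tostring(source.parent.id),\n source_owned_by_type=tostring(source.owned_by.type),\n source_owned_by_id=tostring(source.owned_by.type),\n source_owned_by_name=tostring(source.owned_by.name),\n source_owned_by_login=tostring(source.owned_by.login),\n created_by_type=tostring(created_by.type),\n created_by_id=tostring(created_by.id),\n created_by_name=tostring(created_by.name),\n created_by_login=tostring(created_by.login),\n source_type=tostring(source.type),\n source_id=tostring(source.id),\n source_name=tostring(source.name),\n source_login=tostring(source.login),\n source_folder_id=tostring(source.folder_id),\n source_folder_name=tostring(source.folder_name),\n source_user_id=tostring(source.user_id),\n source_user_name=tostring(source.user_name),\n accessible_by_type=tostring(accessible_by.type),\n accessible_by_id=tostring(accessible_by.id),\n accessible_by_name=tostring(accessible_by.name),\n accessible_by_login=tostring(accessible_by.login)\n| project-away type, accessible_by, created_by, source \n\n",
+"outputStream": "Custom-BoxEventsV2_CL"
+}
+]
+}
+}
+]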
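Review bot: The transformKql in the dataFlows entry assigns `source_owned_by_id=tostring(source.owned_by.type)`, so the owner-id column is filled with the owner's type value and any query or detection that joins or filters on the owning user's id will silently match the wrong field; it should read `source_owned_by_id=tostring(source.owned_by.id),`. The surrounding lines follow the pattern `*_type` / `*_id` / `*_name` / `*_login` for `created_by` and `accessible_by`, which makes this look like a copy-paste slip rather than an intended mapping. Every other mapping in the transform reads a field whose name matches the target column, so this is the only one that needs changing.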
@@ -0,0 +1,107 @@
{
"name": "BoxEventsCCPDefinition",
"apiVersion": "2022-09-01-preview",
"type": "Microsoft.SecurityInsights/dataConnectorDefinitions",
"location": "{{location}}",
"kind": "Customizable",
"id": "BoxEventsCCPDefinition",
"properties": {
"connectorUiConfig": {
"id": "BoxEventsCCPDefinition",
"title": "Box Events (CCP) (Preview)",
"publisher": "Microsoft",
"descriptionMarkdown": "The Box data connector provides the capability to ingest [Box enterprise's events](https://developer.box.com/guides/events/#admin-events) into Microsoft Sentinel using the Box REST API. Refer to [Box documentation](https://developer.box.com/guides/events/enterprise-events/for-enterprise/) for more information.",
"graphQueriesTableName": "BoxEventsV2_CL",
"graphQueries": [
{
"metricName": "Events received",
"legend": "Box events received",
"baseQuery": "{{graphQueriesTableName}}"
}
],
"sampleQueries": [
{
"description": "All Box events",
"query": "BoxEvents\n| sort by TimeGenerated desc"
}
],
"dataTypes": [
{
"name": "{{graphQueriesTableName}}",
"lastDataReceivedQuery": "{{graphQueriesTableName}}\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)"
}
],
"connectivityCriteria": [
{
"type": "HasDataConnectors"
}
],
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "Read and Write permissions are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"read": true,
"delete": true
}
}
],
"customs": [
{
"name": "Box API credentials",
"description": "Box API requires a Box App client ID and client secret to authenticate. [See the documentation to learn more about Client Credentials grant](https://developer.box.com/guides/authentication/client-credentials/client-credentials-setup/)"
},
{
"name": "Box Enterprise ID",
"description": "Box Enterprise ID is required to make the connection. See documentation to [find Enterprise ID](https://developer.box.com/platform/appendix/locating-values/)"
}
]
},
"instructionSteps": [
{
"description": ">**NOTE:** This connector uses Codeless Connecor Platform (CCP) to connect to the Box REST API to pull logs into Microsoft Sentinel."
},
{
"description": ">**NOTE:** This connector depends on a parser based on Kusto Function to work as expected [**BoxEvents**](https://aka.ms/sentinel-BoxDataConnector-parser) which is deployed with the Microsoft Sentinel Solution."
},
{
"description": "**STEP 1 - Create Box Custom Application**\n\nSee documentation to [setup client credentials authentication](https://developer.box.com/guides/authentication/client-credentials/client-credentials-setup/)\n"
},
{
"description": "**STEP 2 - Grab Client ID and Client Secret values**\n\nYou might need to setup 2FA to fetch the secret.\n"
},
{
"description": "**STEP 3 - Grab Box Enterprise ID from Box Admin Console**\n\nSee documentation to [find Enterprise ID](https://developer.box.com/platform/appendix/locating-values/)\n"
},
{
"description": "Provide the required values below:\n",
"instructions": [
{
"type": "Textbox",
"parameters": {
"label": "Box Enterprise ID",
"placeholder": "123456",
"type": "text",
"name": "boxEnterpriseId"
}
},
{
"type": "OAuthForm",
"parameters": {
"clientIdLabel": "Client ID",
"clientSecretLabel": "Client Secret",
"connectButtonLabel": "Connect",
"disconnectButtonLabel": "Disconnect"
}
}
],
"title": "Connect to Box to start collecting event logs to Microsoft Sentinel"
}
]
}
}
}