-
Notifications
You must be signed in to change notification settings - Fork 3.1k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
1e46a82
commit 575b464
Showing
1 changed file
with
168 additions
and
0 deletions.
There are no files selected for viewing
168 changes: 168 additions & 0 deletions
168
Solutions/SecurityBridge App/Data Connectors/Connector_SecurityBridge.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,168 @@ | ||
| { | ||
| "id": "SecurityBridgeSAP", | ||
| "title": "[Deprecated] SecurityBridge Threat Detection for SAP", | ||
| "publisher": "SecurityBridge", | ||
| "descriptionMarkdown": "SecurityBridge is the first and only holistic, natively integrated security platform, addressing all aspects needed to protect organizations running SAP from internal and external threats against their core business applications. The SecurityBridge platform is an SAP-certified add-on, used by organizations around the globe, and addresses the clients’ need for advanced cybersecurity, real-time monitoring, compliance, code security, and patching to protect against internal and external threats.This Microsoft Sentinel Solution allows you to integrate SecurityBridge Threat Detection events from all your on-premise and cloud based SAP instances into your security monitoring.Use this Microsoft Sentinel Solution to receive normalized and speaking security events, pre-built dashboards and out-of-the-box templates for your SAP security monitoring.", | ||
| "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution.", | ||
| "graphQueries": [ | ||
| { | ||
| "metricName": "Total data received", | ||
| "legend": "SecurityBridgeLogs", | ||
| "baseQuery": "SecurityBridgeLogs_CL" | ||
| } | ||
| ], | ||
| "sampleQueries": [ | ||
| { | ||
| "description": "Top 10 Event Names", | ||
| "query": "SecurityBridgeLogs_CL \n| extend Name = tostring(split(RawData, '|')[5]) \n| summarize count() by Name | top 10 by count_" | ||
| } | ||
| ], | ||
| "dataTypes": [ | ||
| { | ||
| "name": "SecurityBridgeLogs_CL", | ||
| "lastDataReceivedQuery": "SecurityBridgeLogs_CL\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" | ||
| } | ||
| ], | ||
| "connectivityCriterias": [ | ||
| { | ||
| "type": "IsConnectedQuery", | ||
| "value": [ | ||
| "SecurityBridgeLogs_CL\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(2d)" | ||
| ] | ||
| } | ||
| ], | ||
| "availability": { | ||
| "status": 1, | ||
| "isPreview": false | ||
| }, | ||
| "permissions": { | ||
| "resourceProvider": [ | ||
| { | ||
| "provider": "Microsoft.OperationalInsights/workspaces", | ||
| "permissionsDisplayText": "read and write permissions are required.", | ||
| "providerDisplayName": "Workspace", | ||
| "scope": "Workspace", | ||
| "requiredPermissions": { | ||
| "read": true, | ||
| "write": true, | ||
| "delete": true | ||
| } | ||
| }, | ||
| { | ||
| "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", | ||
| "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", | ||
| "providerDisplayName": "Keys", | ||
| "scope": "Workspace", | ||
| "requiredPermissions": { | ||
| "action": true | ||
| } | ||
| } | ||
| ] | ||
| }, | ||
| "instructionSteps": [ | ||
| { | ||
| "title": "", | ||
| "description": "*NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias SecurityBridgeLogs and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SecurityBridge%20App/Parsers/SecurityBridgeLogs.txt).The function usually takes 10-15 minutes to activate after solution installation/update.", | ||
| "instructions": [] | ||
| }, | ||
| { | ||
| "title": "", | ||
| "description": ">**NOTE:** This data connector has been developed using SecurityBridge Application Platform 7.4.0.", | ||
| "instructions": [] | ||
| }, | ||
| { | ||
| "title": "1. Install and onboard the agent for Linux or Windows", | ||
| "description": "This solution requires logs collection via an Microsoft Sentinel agent installation\n\n> The Microsoft Sentinel agent is supported on the following Operating Systems: \n1. Windows Servers \n2. SUSE Linux Enterprise Server\n3. Redhat Linux Enterprise Server\n4. Oracle Linux Enterprise Server\n5. If you have the SAP solution installed on HPUX / AIX then you will need to deploy a log collector on one of the Linux options listed above and forward your logs to that collector\n\n", | ||
| "instructions": [ | ||
| { | ||
| "parameters": { | ||
| "title": "Choose where to install the Linux agent:", | ||
| "instructionSteps": [ | ||
| { | ||
| "title": "Install agent on Azure Linux Virtual Machine", | ||
| "description": "Select the machine to install the agent on and then click **Connect**.", | ||
| "instructions": [ | ||
| { | ||
| "parameters": { | ||
| "linkType": "InstallAgentOnLinuxVirtualMachine" | ||
| }, | ||
| "type": "InstallAgent" | ||
| } | ||
| ] | ||
| }, | ||
| { | ||
| "title": "Install agent on a non-Azure Linux Machine", | ||
| "description": "Download the agent on the relevant machine and follow the instructions.", | ||
| "instructions": [ | ||
| { | ||
| "parameters": { | ||
| "linkType": "InstallAgentOnLinuxNonAzure" | ||
| }, | ||
| "type": "InstallAgent" | ||
| } | ||
| ] | ||
| } | ||
| ] | ||
| }, | ||
| "type": "InstructionStepsGroup" | ||
| } | ||
| ] | ||
| }, | ||
| { | ||
| "instructions": [ | ||
| { | ||
| "parameters": { | ||
| "title": "Choose where to install the Windows agent:", | ||
| "instructionSteps": [ | ||
| { | ||
| "title": "Install agent on Azure Windows Virtual Machine", | ||
| "description": "Select the machine to install the agent on and then click **Connect**.", | ||
| "instructions": [ | ||
| { | ||
| "parameters": { | ||
| "linkType": "InstallAgentOnVirtualMachine" | ||
| }, | ||
| "type": "InstallAgent" | ||
| } | ||
| ] | ||
| }, | ||
| { | ||
| "title": "Install agent on a non-Azure Windows Machine", | ||
| "description": "Download the agent on the relevant machine and follow the instructions.", | ||
| "instructions": [ | ||
| { | ||
| "parameters": { | ||
| "linkType": "InstallAgentOnNonAzure" | ||
| }, | ||
| "type": "InstallAgent" | ||
| } | ||
| ] | ||
| } | ||
| ] | ||
| }, | ||
| "type": "InstructionStepsGroup" | ||
| } | ||
| ] | ||
| }, | ||
| { | ||
| "title": "2. Configure the logs to be collected", | ||
| "description": "Configure the custom log directory to be collected", | ||
| "instructions": [ | ||
| { | ||
| "parameters": { | ||
| "linkType": "OpenCustomLogsSettings" | ||
| }, | ||
| "type": "InstallAgent" | ||
| } | ||
| ] | ||
| }, | ||
| { | ||
| "description": "1. Select the link above to open your workspace advanced settings \n2. Click **+Add custom**\n3. Click **Browse** to upload a sample of a SecurityBridge SAP log file (e.g. AED_20211129164544.cef). Then, click **Next >**\n4. Select **New Line** as the record delimiter then click **Next >**\n5. Select **Windows** or **Linux** and enter the path to SecurityBridge logs based on your configuration. Example:\n - '/usr/sap/tmp/sb_events/*.cef' \n\n>**NOTE:** You can add as many paths as you want in the configuration.\n\n6. After entering the path, click the '+' symbol to apply, then click **Next >** \n7. Add **SecurityBridgeLogs** as the custom log Name and click **Done**" | ||
| }, | ||
| { | ||
| "title": "3. Check logs in Microsoft Sentinel", | ||
| "description": "Open Log Analytics to check if the logs are received using the SecurityBridgeLogs_CL Custom log table.\n\n>**NOTE:** It may take up to 30 minutes before new logs will appear in SecurityBridgeLogs_CL table.", | ||
| "instructions": [] | ||
| } | ||
| ] | ||
| } |