diff --git a/DataConnectors/GCP/Terraform/sentinel_resources_creation/GCPVPCFlowLogsSetup/GCPVPCFlowLogSetup.tf b/DataConnectors/GCP/Terraform/sentinel_resources_creation/GCPVPCFlowLogsSetup/GCPVPCFlowLogSetup.tf
new file mode 100644
index 00000000000..751712aef6b
--- /dev/null
+++ b/DataConnectors/GCP/Terraform/sentinel_resources_creation/GCPVPCFlowLogsSetup/GCPVPCFlowLogSetup.tf
@@ -0,0 +1,101 @@
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ version = "3.73.0"
+ }
+ }
+
+ required_version = ">= 0.15.0"
+}
+
+data "google_project" "project" {
+ project_id = "Enter Project Id"
+}
+
+variable "topic-name" {
+ type = string
+ default = "sentinel-vpcflow-topic"
+ description = "Name of existing topic"
+}
+
+variable "organization-id" {
+ type = string
+ default = ""
+ description = "Organization id"
+}
+
+resource "google_project_service" "enable-logging-api" {
+ service = "logging.googleapis.com"
+ project = data.google_project.project.project_id
+}
+
+resource "google_pubsub_topic" "sentinel-vpcflow-topic" {
+ count = "${var.topic-name != "sentinel-vpcflow-topic" ? 0 : 1}"
+ name = var.topic-name
+ project = data.google_project.project.project_id
+}
+
+resource "google_pubsub_subscription" "sentinel-subscription" {
+ project = data.google_project.project.project_id
+ name = "sentinel-subscription-vpcflowlogs"
+ topic = var.topic-name
+ depends_on = [google_pubsub_topic.sentinel-vpcflow-topic]
+}
+
+resource "google_logging_project_sink" "sentinel-sink" {
+ project = data.google_project.project.project_id
+ count = var.organization-id == "" ? 1 : 0
+ name = "vpcflow-logs-sentinel-sink"
+ destination = "pubsub.googleapis.com/projects/${data.google_project.project.project_id}/topics/${var.topic-name}"
+ depends_on = [google_pubsub_topic.sentinel-vpcflow-topic]
+
+ filter = "resource.type=\"gce_subnetwork\" AND log_id(\"compute.googleapis.com/vpc_flows\")"
+ unique_writer_identity = true
+}
+
+resource "google_logging_organization_sink" "sentinel-organization-sink" {
+ count = var.organization-id == "" ? 0 : 1
+ name = "vpcflow-logs-organization-sentinel-sink"
+ org_id = var.organization-id
+ destination = "pubsub.googleapis.com/projects/${data.google_project.project.project_id}/topics/${var.topic-name}"
+
+ filter = "resource.type=\"gce_subnetwork\" AND log_id(\"compute.googleapis.com/vpc_flows\")"
+ include_children = true
+}
+
+resource "google_project_iam_binding" "log-writer" {
+ count = var.organization-id == "" ? 1 : 0
+ project = data.google_project.project.project_id
+ role = "roles/pubsub.publisher"
+
+ members = [
+ google_logging_project_sink.sentinel-sink[0].writer_identity
+ ]
+}
+
+resource "google_project_iam_binding" "log-writer-organization" {
+ count = var.organization-id == "" ? 0 : 1
+ project = data.google_project.project.project_id
+ role = "roles/pubsub.publisher"
+
+ members = [
+ google_logging_organization_sink.sentinel-organization-sink[0].writer_identity
+ ]
+}
+
+output "Next_step"{
+ value = "Please copy the following values to Sentinel while adding new collector"
+}
+
+output "GCP_project_id" {
+ value = data.google_project.project.project_id
+}
+
+output "GCP_project_number" {
+ value = data.google_project.project.number
+}
+
+output "GCP_subscription_name" {
+ value = google_pubsub_subscription.sentinel-subscription.name
+}
\ No newline at end of file
diff --git a/DataConnectors/GCP/Terraform/sentinel_resources_creation/GCPVPCFlowLogsSetup/readme.md b/DataConnectors/GCP/Terraform/sentinel_resources_creation/GCPVPCFlowLogsSetup/readme.md
new file mode 100644
index 00000000000..cd48a0cba36
--- /dev/null
+++ b/DataConnectors/GCP/Terraform/sentinel_resources_creation/GCPVPCFlowLogsSetup/readme.md
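Review bot: The two `google_project_iam_binding` resources grant `roles/pubsub.publisher` at project scope and are authoritative for that role, so an apply replaces every existing publisher binding on the project and gives the sink's writer identity publish rights on every topic in the project, not just the flow-log topic. A `google_pubsub_topic_iam_member` bound to `var.topic-name` is additive (it cannot evict other principals) and scopes the grant to the one topic the sinks write to; the rewrite below keeps the same `count` conditions. Separately, `project_id = "Enter Project Id"` on the `google_project` data source is a placeholder the reader must hand-edit at a line number the readme quotes; a `variable "project-id"` with no default would make `terraform apply` prompt for it instead. The `count` on `google_pubsub_topic` still uses legacy `"${...}"` interpolation while the other counts use plain expressions; `count = var.topic-name != "sentinel-vpcflow-topic" ? 0 : 1` matches the rest of the file.
```hcl
resource "google_pubsub_topic_iam_member" "log-writer" {
  count      = var.organization-id == "" ? 1 : 0
  project    = data.google_project.project.project_id
  topic      = var.topic-name
  role       = "roles/pubsub.publisher"
  member     = google_logging_project_sink.sentinel-sink[0].writer_identity
  depends_on = [google_pubsub_topic.sentinel-vpcflow-topic]
}

resource "google_pubsub_topic_iam_member" "log-writer-organization" {
  count      = var.organization-id == "" ? 0 : 1
  project    = data.google_project.project.project_id
  topic      = var.topic-name
  role       = "roles/pubsub.publisher"
  member     = google_logging_organization_sink.sentinel-organization-sink[0].writer_identity
  depends_on = [google_pubsub_topic.sentinel-vpcflow-topic]
}
# … unchanged: outputs …
```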
@@ -0,0 +1,36 @@
+# GCP VPC Flow Logs Data Connector Configuration Guide
+
+For ingesting data into Microsoft Sentinel , We need few of the resources created/ready on google console , Which will be done with the help of terraform script.
+
+### List of Resources required
+
+* Topic
+* Subscription for the topic
+* Workload identity pool
+* Workload identity provider
+* Service account with permissions to get and consume from subscription.
+
+### Configurations steps
+1. Select the project from where the VPC Flow logs has to be collected
+2. Open the cloud shell , by clicking activate cloud shell button on the top right
+
+ ![image](https://github.com/user-attachments/assets/1666158e-8295-4c2f-a8c7-16ede37b8fb1)
+
+4. Open the Terraform script [GCPVPCFlowLogSetup](https://github.com/manishkumar1991/MonitorYourInfraHealth/blob/main/DataConnectors/GCP/Terraform/sentinel_resources_creation/GCPVPCFlowLogsSetup/GCPVPCFlowLogSetup.tf) and copy its contents
+5. Create a directory in your Cloud Shell environment, enter it, and create a new blank file.
+ mkdir {directory-name} && cd {directory-name} && touch initauth.tf
+6. Open initauth.tf in the Cloud Shell editor and paste the contents of the script file into it.
+7. Once you pasted the content of terraform script , do remember to change the project id inside terrform script at line number 13 and then save it
+
+ ![image](https://github.com/user-attachments/assets/e77ec777-ebad-4d6e-ba20-600a264c8967)
+
+8. Initialize Terraform in the directory you created by typing the following command in the terminal
+
+ _terraform init_
+
+10. When you receive the confirmation message that Terraform was initialized, run the script by typing the following command in the terminal
+
+ _terraform apply_
+
+12. When asked if you want to create the resources listed, type yes
+13. When the output from the script is displayed, save the resources parameters for later use.
\ No newline at end of file
diff --git a/Solutions/Google Cloud Platform VPC Flow Logs/Data Connectors/GCPVPCFlowLogs_ccp/GCPVPC_ConnectorDefinition.json b/Solutions/Google Cloud Platform VPC Flow Logs/Data Connectors/GCPVPCFlowLogs_ccp/GCPVPC_ConnectorDefinition.json
new file mode 100644
index 00000000000..9fca679104c
--- /dev/null
+++ b/Solutions/Google Cloud Platform VPC Flow Logs/Data Connectors/GCPVPCFlowLogs_ccp/GCPVPC_ConnectorDefinition.json
@@ -0,0 +1,104 @@
+{
+ "name": "GCPVPCFlowLogsCCPDefinition",
+ "apiVersion": "2024-09-01",
+ "type": "Microsoft.SecurityInsights/dataConnectorDefinitions",
+ "location": "{{location}}",
+ "kind": "Customizable",
+ "properties": {
+ "connectorUiConfig": {
+ "id": "GCPVPCFlowLogsCCPDefinition",
+ "title": "GCP Pub/Sub VPC Flow Logs",
+ "publisher": "Microsoft",
+ "descriptionMarkdown": "The Google Cloud Platform (GCP) VPC Flow Logs enable you to capture network traffic activity at the VPC level, allowing you to monitor access patterns, analyze network performance, and detect potential threats across GCP resources.",
+ "graphQueriesTableName": "GCPVPCFlowLogsV2_CL",
+ "graphQueries": [
+ {
+ "metricName": "Total events received",
+ "legend": "GCP Pub/Sub VPC Flow Logs",
+ "baseQuery": "{{graphQueriesTableName}}"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "Get Sample of GCP VPC Flow Logs",
+ "query": "{{graphQueriesTableName}}\n | take 10"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "{{graphQueriesTableName}}",
+ "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "connectivityCriteria": [
+ {
+ "type": "HasDataConnectors"
+ }
+ ],
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "Read and Write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "read": true,
+ "write": true,
+ "delete": true,
+ "action": false
+ }
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "instructions": [
+ {
+ "type": "MarkdownControlEnvBased",
+ "parameters": {
+ "prodScript": "#### 1. Set up your GCP environment \n You must have the following GCP resources defined and configured: topic, subscription for the topic, workload identity pool, workload identity provider, and service account with permissions to get and consume from the subscription. \n To configure this data connector, execute the following Terraform scripts:\n 1. Setup Required Resources: [Configuration Guide](https://github.com/manishkumar1991/MonitorYourInfraHealth/blob/main/DataConnectors/GCP/Terraform/sentinel_resources_creation/GCPVPCFlowLogsSetup/readme.md)\n 2. Setup Authentication: [Authentication tutorial](https://learn.microsoft.com/en-us/azure/sentinel/connect-google-cloud-platform?tabs=terraform%2Cauditlogs#gcp-authentication-setup). Note: If Authentication is already setup using another GCP data connector , kindly skip this step and use the existing service account and workload identity pool.",
+ "govScript": "#### 1. Set up your GCP environment \n You must have the following GCP resources defined and configured: topic, subscription for the topic, workload identity pool, workload identity provider, and service account with permissions to get and consume from the subscription. \n To configure this data connector, execute the following Terraform scripts:\n 1. Setup Required Resources: [Configuration Guide](https://github.com/manishkumar1991/MonitorYourInfraHealth/blob/main/DataConnectors/GCP/Terraform/sentinel_resources_creation/GCPVPCFlowLogsSetup/readme.md)\n 2. Setup Authentication: [Authentication tutorial](https://learn.microsoft.com/en-us/azure/sentinel/connect-google-cloud-platform?tabs=terraform%2Cauditlogs#gcp-authentication-setup). Note: If Authentication is already setup using another GCP data connector , kindly skip this step and use the existing service account and workload identity pool."
+ }
+ },
+ {
+ "type": "CopyableLabel",
+ "parameters": {
+ "label": "Tenant ID: A unique identifier that is used as an input in the Terraform configuration within a GCP environment.",
+ "fillWith": [
+ "TenantId"
+ ],
+ "name": "TenantId",
+ "disabled": true
+ }
+ },
+ {
+ "type": "Markdown",
+ "parameters": {
+ "content": "#### 2. Enable VPC Flow Logs \nIn your GCP account, navigate to the VPC network section. Select the subnet you want to monitor and enable Flow Logs under the Logging section.\n\nFor more information: [Google Cloud Documentation](https://cloud.google.com/vpc/docs/using-flow-logs)"
+ }
+ },
+ {
+ "type": "Markdown",
+ "parameters": {
+ "content": "#### 3. Connect new collectors \n To enable GCP VPC Flow Logs for Microsoft Sentinel, click the Add new collector button, fill in the required information in the context pane, and click Connect."
+ }
+ },
+ {
+ "type": "GCPGrid",
+ "parameters": {}
+ },
+ {
+ "type": "GCPContextPane",
+ "parameters": {}
+ }
+ ]
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/Solutions/Google Cloud Platform VPC Flow Logs/Data Connectors/GCPVPCFlowLogs_ccp/GCPVPC_DCR.json b/Solutions/Google Cloud Platform VPC Flow Logs/Data Connectors/GCPVPCFlowLogs_ccp/GCPVPC_DCR.json
new file mode 100644
index 00000000000..199b7bb8f3e
--- /dev/null
+++ b/Solutions/Google Cloud Platform VPC Flow Logs/Data Connectors/GCPVPCFlowLogs_ccp/GCPVPC_DCR.json
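Review bot: Both `prodScript` and `govScript` in the `MarkdownControlEnvBased` step send users to `github.com/manishkumar1991/MonitorYourInfraHealth/...` for the Terraform they are told to execute in their own GCP project, even though this same commit adds that script and readme under `DataConnectors/GCP/Terraform/sentinel_resources_creation/GCPVPCFlowLogsSetup/` in this repository. A personal fork sits outside the publisher's review and can change or disappear after the connector ships, so the link should point at the in-repo path, e.g. `https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/GCP/Terraform/sentinel_resources_creation/GCPVPCFlowLogsSetup/readme.md` (step 4 of the readme in the first hunk carries the same fork link). `requiredPermissions` asks for `"delete": true` while `permissionsDisplayText` says only "Read and Write permissions are required."; if delete really is checked the text should say so, otherwise the flag should be `false` so the portal demands no more than it states.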
@@ -0,0 +1,61 @@
+[
+ {
+ "name": "GCPFlowDCR",
+ "apiVersion": "2023-03-11",
+ "type": "Microsoft.Insights/dataCollectionRules",
+ "location": "{{location}}",
+ "properties": {
+ "dataCollectionEndpointId": "{{dataCollectionEndpointId}}",
+ "streamDeclarations": {
+ "Custom-GCPFlowLogs": {
+ "columns": [
+ {
+ "name": "insertId",
+ "type": "string"
+ },
+ {
+ "name": "logName",
+ "type": "string"
+ },
+ {
+ "name": "jsonPayload",
+ "type": "dynamic"
+ },
+ {
+ "name": "receiveTimestamp",
+ "type": "datetime"
+ },
+ {
+ "name": "resource",
+ "type": "dynamic"
+ },
+ {
+ "name": "timestamp",
+ "type": "datetime"
+ }
+ ]
+ }
+ },
+ "destinations": {
+ "logAnalytics": [
+ {
+ "workspaceResourceId": "{{workspaceResourceId}}",
+ "name": "clv2ws1"
+ }
+ ]
+ },
+ "dataFlows": [
+ {
+ "streams": [
+ "Custom-GCPFlowLogs"
+ ],
+ "destinations": [
+ "clv2ws1"
+ ],
+ "transformKql": "source |extend TimeGenerated = timestamp, InsertId = tostring(insertId), BytesSent = tostring(jsonPayload['bytes_sent']), PacketsSent = tostring(jsonPayload['packets_sent']), Reporter = tostring(jsonPayload['reporter']), Rttmsec = tostring(jsonPayload['rtt_msec']), StartTime = todatetime(jsonPayload['start_time']), EndTime = todatetime(jsonPayload['end_time']), LogName = tostring(logName), ReceiveTimestamp = todatetime(receiveTimestamp), Timestamp = todatetime(timestamp), Location = tostring(resource.labels['location']), ProjectId = tostring(resource.labels['project_id']), SubnetworkId = tostring(resource.labels['subnetwork_id']), SubnetworkName = tostring(resource.labels['subnetwork_name']), ResourceType = tostring(resource['type']), DestIp = tostring(jsonPayload.connection['dest_ip']), DestPort = tostring(jsonPayload.connection['dest_port']), Protocol = tostring(jsonPayload.connection['protocol']), SrcIp = tostring(jsonPayload.connection['src_ip']), SrcPort = tostring(jsonPayload.connection['src_port']), DestInstanceProjectId = tostring(jsonPayload.dest_instance['project_id']), 
DestInstanceRegion = tostring(jsonPayload.dest_instance['region']), DestInstanceVmName = tostring(jsonPayload.dest_instance['vm_name']), DestInstanceZone = tostring(jsonPayload.dest_instance['zone']), DestInstanceGroupName = tostring(jsonPayload.dest_instance.managed_instance_group['name']), DestInstanceGroupZone = tostring(jsonPayload.dest_instance.managed_instance_group['zone']), DestInstanceGroupRegion = tostring(jsonPayload.dest_instance.managed_instance_group['region']), DestVpcProjectId = tostring(jsonPayload.dest_vpc['project_id']), DestVpcSubnetworkName = tostring(jsonPayload.dest_vpc['subnetwork_name']), DestVpcSubnetworkRegion = tostring(jsonPayload.dest_vpc['subnetwork_region']), DestVpcName = tostring(jsonPayload.dest_vpc['vpc_name']), NetworkServiceDscp = tostring(jsonPayload.network_service['dscp']), SrcInstanceProjectId = tostring(jsonPayload.src_instance['project_id']), SrcInstanceRegion = tostring(jsonPayload.src_instance['region']), SrcInstanceVmName = tostring(jsonPayload.src_instance['vm_name']), SrcInstanceZone = tostring(jsonPayload.src_instance['zone']), SrcInstanceGroupName = tostring(jsonPayload.src_instance.managed_instance_group['name']), SrcInstanceGroupZone = tostring(jsonPayload.src_instance.managed_instance_group['zone']), SrcInstanceGroupRegion = tostring(jsonPayload.src_instance.managed_instance_group['region']), SrcVpcProjectId = tostring(jsonPayload.src_vpc['project_id']), SrcVpcSubnetworkName = tostring(jsonPayload.src_vpc['subnetwork_name']), SrcVpcSubnetworkRegion = tostring(jsonPayload.src_vpc['subnetwork_region']), SrcVpcName = tostring(jsonPayload.src_vpc['vpc_name']), DestGoogleServiceType = tostring(jsonPayload.dest_google_service['type']), SrcGoogleServiceType = tostring(jsonPayload.src_google_service['type']), DestLocationAsn = tostring(jsonPayload.dest_location['asn']), DestLocationContinent = tostring(jsonPayload.dest_location['continent']), DestLocationCity = tostring(jsonPayload.dest_location['city']), 
DestLocationCountry = tostring(jsonPayload.dest_location['country']), DestLocationRegion = tostring(jsonPayload.dest_location['region']), SrcLocationAsn = tostring(jsonPayload.src_location['asn']), SrcLocationContinent = tostring(jsonPayload.src_location['continent']), SrcLocationCountry = tostring(jsonPayload.src_location['country']), SrcLocationCity = tostring(jsonPayload.src_location['city']), SrcLocationRegion = tostring(jsonPayload.src_location['region']), InternetRoutingDetailsEgressAsn = tostring(jsonPayload.internet_routing_details.egress_as_path[0].as_details[0].asn), LbBackendGroupName = tostring(jsonPayload.load_balancing['backend_group_name']), LbBackendGroupType = tostring(jsonPayload.load_balancing['backend_group_type']), LbForwardingRuleName = tostring(jsonPayload.load_balancing['forwarding_rule_name']), LbForwardingRuleProjectId = tostring(jsonPayload.load_balancing['forwarding_rule_project_id']), LbReporter = tostring(jsonPayload.load_balancing['reporter']), LbScheme = tostring(jsonPayload.load_balancing['scheme']), LbUrlMapName = tostring(jsonPayload.load_balancing['url_map_name']), LbBackendServiceName = tostring(jsonPayload.load_balancing['backend_service_name']), LbType = tostring(jsonPayload.load_balancing['type']), LbBackendGroupLocation = tostring(jsonPayload.load_balancing['backend_group_location']), LbVpc = todynamic(jsonPayload.load_balancing['vpc']), SrcGkeClusterLocation = tostring(jsonPayload.src_gke_details.cluster['cluster_location']), SrcGkeClusterName = tostring(jsonPayload.src_gke_details.cluster['cluster_name']), SrcGkeService = todynamic(jsonPayload.src_gke_details.service), SrcGkePodName = tostring(jsonPayload.src_gke_details.pod['pod_name']), SrcGkePodNamespace = tostring(jsonPayload.src_gke_details.pod['pod_namespace']), SrcGkePodWorkloadName = tostring(jsonPayload.src_gke_details.pod.workload['name']), SrcGkePodWorkloadType = tostring(jsonPayload.src_gke_details.pod.workload['type']), DestGkeClusterLocation = 
tostring(jsonPayload.dest_gke_details.cluster['cluster_location']), DestGkeClusterName = tostring(jsonPayload.dest_gke_details.cluster['cluster_name']), DestGkeService = todynamic(jsonPayload.dest_gke_details.service), DestGkePodName = tostring(jsonPayload.dest_gke_details.pod['pod_name']), DestGkePodNamespace = tostring(jsonPayload.dest_gke_details.pod['pod_namespace']), DestGkePodWorkloadName = tostring(jsonPayload.dest_gke_details.pod.workload['name']), DestGkePodWorkloadType = tostring(jsonPayload.dest_gke_details.pod.workload['type']), PscAttachmentProjectId = tostring(jsonPayload.psc.psc_attachment['project_id']), PscAttachmentRegion = tostring(jsonPayload.psc.psc_attachment['region']), PscAttachmentVpc = todynamic(jsonPayload.psc.psc_attachment['vpc']), PscEndpointProjectId = tostring(jsonPayload.psc.psc_endpoint['project_id']), PscEndpointConnectionId = tostring(jsonPayload.psc.psc_endpoint['psc_connection_id']), PscEndpointRegion = tostring(jsonPayload.psc.psc_endpoint['region']), PscEndpointTargetServiceType = tostring(jsonPayload.psc.psc_endpoint['target_service_type']), PscEndpointVpc = todynamic(jsonPayload.psc.psc_endpoint['vpc']), SrcGatewayProjectId = tostring(jsonPayload.src_gateway['project_id']), SrcGatewayLocation = tostring(jsonPayload.src_gateway['location']), SrcGatewayName = tostring(jsonPayload.src_gateway['name']), SrcGatewayType = tostring(jsonPayload.src_gateway['type']), SrcGatewayVpc = todynamic(jsonPayload.src_gateway['vpc']), SrcGatewayInterconnectName = tostring(jsonPayload.src_gateway['interconnect_name']), SrcGatewayInterconnectProjectNumber = tostring(jsonPayload.src_gateway['interconnect_project_number']), DestGatewayProjectId = tostring(jsonPayload.dest_gateway['project_id']), DestGatewayLocation = tostring(jsonPayload.dest_gateway['location']), DestGatewayName = tostring(jsonPayload.dest_gateway['name']), DestGatewayType = tostring(jsonPayload.dest_gateway['type']), DestGatewayVpc = todynamic(jsonPayload.dest_gateway['vpc']), 
DestGatewayInterconnectName = tostring(jsonPayload.dest_gateway['interconnect_name']), DestGatewayInterconnectProjectNumber = tostring(jsonPayload.dest_gateway['interconnect_project_number'])|project-away jsonPayload,resource",
+ "outputStream": "Custom-GCPVPCFlowLogsV2_CL"
+ }
+ ]
+ }
+ }
+]
diff --git a/Solutions/Google Cloud Platform VPC Flow Logs/Data Connectors/GCPVPCFlowLogs_ccp/GCPVPC_PollingConfig.json b/Solutions/Google Cloud Platform VPC Flow Logs/Data Connectors/GCPVPCFlowLogs_ccp/GCPVPC_PollingConfig.json
new file mode 100644
index 00000000000..70dfc1252d4
--- /dev/null
+++ b/Solutions/Google Cloud Platform VPC Flow Logs/Data Connectors/GCPVPCFlowLogs_ccp/GCPVPC_PollingConfig.json
@@ -0,0 +1,29 @@
+[
+ {
+ "name": "GCPFlowLogs",
+ "apiVersion": "2024-09-01",
+ "type": "Microsoft.SecurityInsights/dataConnectors",
+ "kind": "GCP",
+ "location": "{{location}}",
+ "properties": {
+ "connectorDefinitionName": "GCPVPCFlowLogsCCPDefinition",
+ "dataType": "GCPVPCFlowLogsV2_CL",
+ "dcrConfig": {
+ "streamName": "Custom-GCPFlowLogs",
+ "dataCollectionEndpoint": "{{dataCollectionEndpoint}}",
+ "dataCollectionRuleImmutableId": "{{dataCollectionRuleImmutableId}}"
+ },
+ "auth": {
+ "serviceAccountEmail": "{{GCPServiceAccountEmail}}",
+ "projectNumber": "{{GCPProjectNumber}}",
+ "workloadIdentityProviderId": "{{GCPWorkloadIdentityProviderId}}"
+ },
+ "request": {
+ "projectId": "{{GCPProjectId}}",
+ "subscriptionNames": [
+ "{{GCPSubscriptionName}}"
+ ]
+ }
+ }
+ }
+]
\ No newline at end of file
diff --git a/Solutions/Google Cloud Platform VPC Flow Logs/Data Connectors/GCPVPCFlowLogs_ccp/GCPVPC_Table.json b/Solutions/Google Cloud Platform VPC Flow Logs/Data Connectors/GCPVPCFlowLogs_ccp/GCPVPC_Table.json
new file mode 100644
index 00000000000..1738b98ebeb
--- /dev/null
+++ b/Solutions/Google Cloud Platform VPC Flow Logs/Data Connectors/GCPVPCFlowLogs_ccp/GCPVPC_Table.json
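Review bot: The `transformKql` casts every numeric flow field to text — `BytesSent`, `PacketsSent`, `Rttmsec`, `DestPort`, `SrcPort`, `DestLocationAsn` and `SrcLocationAsn` all go through `tostring()` — and the matching columns in the GCPVPC_Table.json hunk are declared `"type": "string"`, so a detection doing `sum(BytesSent)` or `SrcPort == 22` needs a `tolong()` on every use and any range comparison on the raw column orders lexically ("9" > "10"). Emitting them as numbers costs nothing in the transform: `BytesSent = tolong(jsonPayload['bytes_sent'])`, `PacketsSent = tolong(jsonPayload['packets_sent'])`, `DestPort = toint(jsonPayload.connection['dest_port'])` and likewise for the other five, with the table columns changed to `"type": "long"` / `"type": "int"` to match. `InternetRoutingDetailsEgressAsn` keeps only `egress_as_path[0].as_details[0].asn`, and the closing `project-away jsonPayload,resource` drops the raw record, so anything not projected here is gone at ingestion rather than recoverable at query time; that is a reasonable cost choice, but a one-line comment in the solution readme stating that only the first egress ASN is retained would spare the next maintainer the surprise.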
@@ -0,0 +1,117 @@
+{
+ "name": "GCPVPCFlowLogsV2_CL",
+ "apiVersion": "2023-09-01",
+ "type": "Microsoft.OperationalInsights/workspaces/tables",
+ "location": "{{location}}",
+ "properties": {
+ "schema": {
+ "name": "GCPVPCFlowLogsV2_CL",
+ "columns": [
+ { "name": "TimeGenerated", "type": "datetime" },
+ { "name": "InsertId", "type": "string" },
+ { "name": "BytesSent", "type": "string" },
+ { "name": "PacketsSent", "type": "string" },
+ { "name": "Reporter", "type": "string" },
+ { "name": "Rttmsec", "type": "string" },
+ { "name": "StartTime", "type": "datetime" },
+ { "name": "EndTime", "type": "datetime" },
+ { "name": "LogName", "type": "string" },
+ { "name": "ReceiveTimestamp", "type": "datetime" },
+ { "name": "Timestamp", "type": "datetime" },
+ { "name": "Location", "type": "string" },
+ { "name": "ProjectId", "type": "string" },
+ { "name": "SubnetworkId", "type": "string" },
+ { "name": "SubnetworkName", "type": "string" },
+ { "name": "ResourceType", "type": "string" },
+ { "name": "DestIp", "type": "string" },
+ { "name": "DestPort", "type": "string" },
+ { "name": "Protocol", "type": "string" },
+ { "name": "SrcIp", "type": "string" },
+ { "name": "SrcPort", "type": "string" },
+ { "name": "DestInstanceProjectId", "type": "string" },
+ { "name": "DestInstanceRegion", "type": "string" },
+ { "name": "DestInstanceVmName", "type": "string" },
+ { "name": "DestInstanceZone", "type": "string" },
+ { "name": "DestInstanceGroupName", "type": "string" },
+ { "name": "DestInstanceGroupZone", "type": "string" },
+ { "name": "DestInstanceGroupRegion", "type": "string" },
+ { "name": "DestVpcProjectId", "type": "string" },
+ { "name": "DestVpcSubnetworkName", "type": "string" },
+ { "name": "DestVpcSubnetworkRegion", "type": "string" },
+ { "name": "DestVpcName", "type": "string" },
+ { "name": "NetworkServiceDscp", "type": "string" },
+ { "name": "SrcInstanceProjectId", "type": "string" },
+ { "name": "SrcInstanceRegion", "type": "string" },
+ { "name": "SrcInstanceVmName", "type": "string" },
+ { "name": "SrcInstanceZone", "type": "string" },
+ { "name": "SrcInstanceGroupName", "type": "string" },
+ { "name": "SrcInstanceGroupZone", "type": "string" },
+ { "name": "SrcInstanceGroupRegion", "type": "string" },
+ { "name": "SrcVpcProjectId", "type": "string" },
+ { "name": "SrcVpcSubnetworkName", "type": "string" },
+ { "name": "SrcVpcSubnetworkRegion", "type": "string" },
+ { "name": "SrcVpcName", "type": "string" },
+ { "name": "DestGoogleServiceType", "type": "string" },
+ { "name": "SrcGoogleServiceType", "type": "string" },
+ { "name": "DestLocationAsn", "type": "string" },
+ { "name": "DestLocationContinent", "type": "string" },
+ { "name": "DestLocationCity", "type": "string" },
+ { "name": "DestLocationCountry", "type": "string" },
+ { "name": "DestLocationRegion", "type": "string" },
+ { "name": "SrcLocationAsn", "type": "string" },
+ { "name": "SrcLocationContinent", "type": "string" },
+ { "name": "SrcLocationCountry", "type": "string" },
+ { "name": "SrcLocationCity", "type": "string" },
+ { "name": "SrcLocationRegion", "type": "string" },
+ { "name": "InternetRoutingDetailsEgressAsn", "type": "string" },
+ { "name": "LbBackendGroupName", "type": "string" },
+ { "name": "LbBackendGroupType", "type": "string" },
+ { "name": "LbForwardingRuleName", "type": "string" },
+ { "name": "LbForwardingRuleProjectId", "type": "string" },
+ { "name": "LbReporter", "type": "string" },
+ { "name": "LbScheme", "type": "string" },
+ { "name": "LbUrlMapName", "type": "string" },
+ { "name": "LbBackendServiceName", "type": "string" },
+ { "name": "LbType", "type": "string" },
+ { "name": "LbBackendGroupLocation", "type": "string" },
+ { "name": "LbVpc", "type": "dynamic" },
+ { "name": "SrcGkeClusterLocation", "type": "string" },
+ { "name": "SrcGkeClusterName", "type": "string" },
+ { "name": "SrcGkeService", "type": "dynamic" },
+ { "name": "SrcGkePodName", "type": "string" },
+ { "name": "SrcGkePodNamespace", "type": "string" },
+ { "name": "SrcGkePodWorkloadName", "type": "string" },
+ { "name": "SrcGkePodWorkloadType", "type": "string" },
+ { "name": "DestGkeClusterLocation", "type": "string" },
+ { "name": "DestGkeClusterName", "type": "string" },
+ { "name": "DestGkeService", "type": "dynamic" },
+ { "name": "DestGkePodName", "type": "string" },
+ { "name": "DestGkePodNamespace", "type": "string" },
+ { "name": "DestGkePodWorkloadName", "type": "string" },
+ { "name": "DestGkePodWorkloadType", "type": "string" },
+ { "name": "PscAttachmentProjectId", "type": "string" },
+ { "name": "PscAttachmentRegion", "type": "string" },
+ { "name": "PscAttachmentVpc", "type": "dynamic" },
+ { "name": "PscEndpointProjectId", "type": "string" },
+ { "name": "PscEndpointConnectionId", "type": "string" },
+ { "name": "PscEndpointRegion", "type": "string" },
+ { "name": "PscEndpointTargetServiceType", "type": "string" },
+ { "name": "PscEndpointVpc", "type": "dynamic" },
+ { "name": "SrcGatewayProjectId", "type": "string" },
+ { "name": "SrcGatewayLocation", "type": "string" },
+ { "name": "SrcGatewayName", "type": "string" },
+ { "name": "SrcGatewayType", "type": "string" },
+ { "name": "SrcGatewayVpc", "type": "dynamic" },
+ { "name": "SrcGatewayInterconnectName", "type": "string" },
+ { "name": "SrcGatewayInterconnectProjectNumber", "type": "string" },
+ { "name": "DestGatewayProjectId", "type": "string" },
+ { "name": "DestGatewayLocation", "type": "string" },
+ { "name": "DestGatewayName", "type": "string" },
+ { "name": "DestGatewayType", "type": "string" },
+ { "name": "DestGatewayVpc", "type": "dynamic" },
+ { "name": "DestGatewayInterconnectName", "type": "string" },
+ { "name": "DestGatewayInterconnectProjectNumber", "type": "string" }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/Solutions/Google Cloud Platform VPC Flow Logs/Data/Solution_GoogleVPCFlowLogs.json b/Solutions/Google Cloud Platform VPC Flow Logs/Data/Solution_GoogleVPCFlowLogs.json
new file mode 100644
index 00000000000..063d2732464
--- /dev/null
+++ b/Solutions/Google Cloud Platform VPC Flow Logs/Data/Solution_GoogleVPCFlowLogs.json
@@ -0,0 +1,14 @@
+{
+ "Name": "Google Cloud Platform VPC Flow Logs",
+ "Author": "Microsoft - support@microsoft.com",
+ "Logo": "",
+ "Description": "The Google Cloud Platform (GCP) VPC Flow Logs enable you to capture network traffic activity at the VPC level, allowing you to monitor access patterns, analyze network performance, and detect potential threats across GCP resources.",
+ "Data Connectors": [
+ "Data Connectors/GCPVPCFlowLogs_ccp/GCPVPC_ConnectorDefinition.json"
+ ],
+ "BasePath": "C:\\One\\Azure-Sentinel\\Solutions\\Google Cloud Platform VPC Flow Logs",
+ "Version": "3.0.0",
+ "Metadata": "SolutionMetadata.json",
+ "TemplateSpec": true,
+ "Is1PConnector": false
+}
\ No newline at end of file
diff --git a/Solutions/Google Cloud Platform VPC Flow Logs/SolutionMetadata.json b/Solutions/Google Cloud Platform VPC Flow Logs/SolutionMetadata.json
new file mode 100644
index 00000000000..efb45dfe2ab
--- /dev/null
+++ b/Solutions/Google Cloud Platform VPC Flow Logs/SolutionMetadata.json
@@ -0,0 +1,20 @@
+{
+ "publisherId": "azuresentinel",
+ "offerId": "azure-sentinel-solution-gcpvpcflowlogs-api",
+ "firstPublishDate": "2025-02-12",
+ "providers": [
+ "Google"
+ ],
+ "categories": {
+ "domains": [
+ "DevOps",
+ "Security - Network"
+ ]
+ },
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com"
+ }
+}
\ No newline at end of file
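Review bot: `"Logo": ""` in Solution_GoogleVPCFlowLogs.json leaves the packaged solution with no logo in Content Hub; other solution data files in this repo put an `<img src="…">` snippet here, so an empty string looks like an oversight rather than a choice. `"BasePath"` is the author's local `C:\\One\\Azure-Sentinel\\...` checkout, which the packaging tool resolves on whichever machine runs it, so anyone repackaging must edit it first; that is the usual pattern here, but it is worth a sentence in the PR description so the next packager is not surprised.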