Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Garrison ULTRA Remote Logs solution #11285

Merged
merged 13 commits into from
Nov 22, 2024
Merged

Conversation

rdekanter
Copy link
Contributor

Change(s):

  • New solution for Garrison ULTRA Remote Logs

Reason for Change(s):

  • New solution

Testing Completed:

  • Yes

Checked that the validations are passing and have addressed any issues that are present:

  • Yes

@rdekanter rdekanter requested review from a team as code owners October 16, 2024 10:10
@rdekanter
Copy link
Contributor Author

rdekanter commented Oct 16, 2024 via email

@v-atulyadav v-atulyadav added Connector Connector specialty review needed Solution Solution specialty review needed labels Oct 16, 2024
@v-prasadboke v-prasadboke added the New Solution For new Solutions which are new to Microsoft Sentinel label Oct 23, 2024
@v-prasadboke
Copy link
Contributor

Hello @rdekanter,

@theolukensgarrison
Copy link

Hi @v-prasadboke,

Please create a custom table schema at location https://github.com/Azure/Azure-Sentinel/tree/master/.script/tests/KqlvalidationsTests/CustomTables with name Garrison_ULTRARemoteLogs_CL

We've added this schema now.

Also the Data connector permissions does not match with template
blob/master/DataConnectors/Templates/Connector_REST_API_AzureFunctionApp_template/DataConnector_API_AzureFunctionApp_template.json
Please go through this template once for permission details

I don't think our connector needs any more permissions than the ones stated as we don't need to create an Azure Function app.

Also please let me know which type of Data connector is this

If this is CCP please go through this readme and CCP connector reference for more clarification
https://github.com/Azure/Azure-Sentinel/blob/master/Tools/Create-Azure-Sentinel-Solution/V3/CCP_README.md
https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/1Password/Data%20Connectors/1Password_ccpv2

If this is a Function app

go through this for more understanding

https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/CiscoUmbrella/Data%20Connectors

We've been talking to support via email ([email protected]). We told them that we can't use CCP or Azure Function as we don't want the customer's Azure instance to pull data from our service, instead our service needs to push data via the Logs Ingestion API. We want our Sentinel solution to provide a way to deploy all the necessary resources by pushing a single button.

This was their response which we've tried to follow as closely as possible:

Got it, Yes, your understanding about CCP is correct. In this case, the example I have given below will not work. Can you please follow below approach:

Define data connector UI definition, like this (this will go inside solution package)

Data connector UI have an option to "Deploy Function App". On clicking this link, we deploy all the dependencies like table, DCR, DCE in the customer workspace. All of these dependencies have to be defined like this and keep in in GitHub (this will not go inside package, just a link referred dynamically).

@theolukensgarrison
Copy link

Hi @v-prasadboke, we haven't had a response here in a while. Could you please advise on what else we need to do to get this merged? Thanks!

@v-prasadboke
Copy link
Contributor

Hello @rdekanter & @theolukensgarrison can you provide me write access to this branch.
Also please update this branch from master.

Need to check validation failures.
And apologies for the delay in response

@rdekanter
Copy link
Contributor Author

@v-prasadboke - we have updated to the main branch and you have a pending access invite.

@theolukensgarrison
Copy link

Hi @v-prasadboke, just reaching out again. What is there left for us to do here? Thanks!

@v-prasadboke
Copy link
Contributor

Hi @v-prasadboke, just reaching out again. What is there left for us to do here? Thanks!

Hello @theolukensgarrison im checking what permissions are failing or missing

@v-prasadboke
Copy link
Contributor

Hello @rdekanter & @theolukensgarrison, I have some doubts about the connector. We are checking this internally if anyhow we can overcome this failure

@rahul0216 rahul0216 merged commit 3cf1730 into Azure:master Nov 22, 2024
44 of 47 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Connector Connector specialty review needed New Solution For new Solutions which are new to Microsoft Sentinel Solution Solution specialty review needed
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants