{
"id": "CyberpionSecurityLogs",
"title": "Cyberpion Security Logs",
"publisher": "Cyberpion",
"descriptionMarkdown": "The Cyberpion Security Logs data connector ingests logs from the Cyberpion system directly into Sentinel. The connector allows users to visualize their data, create alerts and incidents, and improve security investigations.",
"graphQueries": [
{
"metricName": "Total data received",
"legend": "CyberpionActionItems_CL",
"baseQuery": "CyberpionActionItems_CL"
}
],
"sampleQueries": [
{
"description": "Fetch latest Action Items that are currently open",
"query": "let lookbackTime = 14d;\nlet maxTimeGeneratedBucket = toscalar(\n CyberpionActionItems_CL \n | where TimeGenerated > ago(lookbackTime)\n | summarize max(bin(TimeGenerated, 1h))\n );\nCyberpionActionItems_CL\n | where TimeGenerated > ago(lookbackTime) and is_open_b == true\n | where bin(TimeGenerated, 1h) == maxTimeGeneratedBucket\n "
}
],
"dataTypes": [
{
"name": "CyberpionActionItems_CL",
"lastDataReceivedQuery": "CyberpionActionItems_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"CyberpionActionItems_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
}
],
"availability": {
"status": 1,
"isPreview": true
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read, write and delete permissions on the workspace are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"read": true,
"delete": true
}
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. The shared key grants log-ingestion access to the workspace, so handle it as a secret. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"action": true
}
}
],
"customs": [
{
"name": "Cyberpion Subscription",
"description": "A Cyberpion subscription and account are required to receive Cyberpion logs. [One can be acquired here.](https://azuremarketplace.microsoft.com/en/marketplace/apps/cyberpion1597832716616.cyberpion)"
}
]
},
"instructionSteps": [
{
"title": "",
"description": "Follow the [instructions](https://www.cyberpion.com/resource-center/integrations/azure-sentinel/) to integrate Cyberpion Security Alerts into Sentinel.",
"instructions": [
{
"parameters": {
"fillWith": [
"WorkspaceId"
],
"label": "Workspace ID"
},
"type": "CopyableLabel"
},
{
"parameters": {
"fillWith": [
"PrimaryKey"
],
"label": "Primary Key"
},
"type": "CopyableLabel"
}
]
}
]
}