Google Cloud Platform (GCP) is a comprehensive suite of cloud computing services. Integrating GCP with Azure Sentinel enhances security monitoring and management by centralizing logs and alerts. While the existing GCP Pub/Sub connector ingests only audit logs, a custom data connector can be built using an Azure Resource Manager (ARM) template to ingest a broader range of logs, such as WAF and load balancer logs.
Understanding ARM Templates
ARM templates are JSON files that define the resources needed for your applications. They allow for infrastructure as code, making deployment and management more efficient and consistent. By leveraging ARM templates, you can automate the creation and configuration of your Sentinel GCP data connector.
Prerequisites
Before proceeding, ensure you have:
- An active Azure subscription
- Admin access to both your Azure (Microsoft Sentinel Contributor permissions) and GCP accounts
- Basic knowledge of JSON and ARM templates
- A custom table created in Azure Sentinel (see the next section)
Creating a Custom Table in Azure Sentinel
For more information about the custom table creation experience, please see the documentation.
To create a custom table in Azure Sentinel:
- Navigate to the Azure Sentinel workspace in the Azure portal.
- Select Tables from the left-hand menu.
- Click on + Create to add a new table.
- Define the table schema according to the log data you plan to ingest. This includes fields such as timestamp, log level, source, and message.
- Save the table and ensure it is available for log ingestion.
Step-by-Step Process
1. Setting Up Pub/Sub in GCP
To start, you need to create a Pub/Sub topic and subscription in GCP:
- Navigate to the GCP console.
- Select Pub/Sub from the menu.
- Create a new topic and name it appropriately, such as `sentinel-logs`.
- Under the topic, create a subscription. This subscription will pull the logs from GCP and push them to Azure Sentinel.
2. Configuring Audit Log Streaming
Next, configure GCP to stream audit logs to your Pub/Sub topic:
- Navigate to the Logging section in the GCP console.
- Select the desired audit logs you wish to export.
- Set the destination as your Pub/Sub topic.
3. Creating the ARM Template
The ARM template will define the resources needed to connect GCP logs to Azure Sentinel.
Use the template in the last section and update the parameters according to the instructions in its comments (search for the word “Modify” to find the parameters that need to be changed).
This template creates a linked service in Azure Sentinel that connects to the specified GCP Pub/Sub subscription.
4. Deploying the ARM Template
Deploy the ARM template through the Azure portal or using Azure CLI:
- In the Azure portal, navigate to the 'Deploy a custom template' section.
- Click on Build your own template in the editor.
- Delete existing content
- Paste the ARM template JSON file and fill in the required parameters. Click on save.
- Enter the resource group, workspace name and workspace location details.
- Click 'Review + Create' and then 'Create' to deploy the template.
- Once the template is deployed, you can search for the data connector.
Configure the Data connector
- Open the data connector page
- Click on Add new collector and enter the GCP account details then click connect.
Verifying the Connection
Once deployed, verify that logs are being ingested into Azure Sentinel:
- Check the Azure Sentinel workspace for incoming logs.
- Ensure that the logs from the specified GCP audit logs are appearing as expected.
- Troubleshoot any missing logs by reviewing Pub/Sub configurations and subscriptions.
Advanced Configuration
For advanced users, consider customizing the ARM template to ingest other types of logs or incorporate additional GCP services:
- Modify the Pub/Sub topic to include additional log sources.
- Create multiple linked services within the ARM template for different log types.
- Incorporate custom parsing and transformation rules within Azure Sentinel for GCP logs.
Conclusion
Building a custom Sentinel GCP data connector using an ARM template allows for more flexibility and control over the types of logs ingested from GCP. By following this guide, you can ensure that your cloud infrastructure is monitored comprehensively, enhancing your security posture and operational efficiency.
We hope this guide empowers you to leverage the full potential of Azure Sentinel and GCP integration. Should you have any further questions or require assistance, please do not hesitate to reach out.
ARM Template Content
Copy the content below, paste it into Notepad, and save it as a JSON file.
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"author": "Microsoft",
"comments": "Solution template for GCP WAF"
},
"parameters": {
"location": {
"type": "string",
"minLength": 1,
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
}
},
"workspace-location": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
}
},
"workspace": {
"defaultValue": "",
"type": "string",
"metadata": {
"description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
}
},
"resourceGroupName": {
"type": "string",
"defaultValue": "[resourceGroup().name]",
"metadata": {
"description": "resource group name where Microsoft Sentinel is setup"
}
},
"subscription": {
"type": "string",
"defaultValue": "[last(split(subscription().id, '/'))]",
"metadata": {
"description": "subscription id where Microsoft Sentinel is setup"
}
}
},
"variables": {
"_solutionName": "GCP WAF and Load Balancer",
"_solutionVersion": "3.0.0",
"solutionId": "azuresentinel.azure-sentinel-solution-id-api",
"_solutionId": "[variables('solutionId')]",
"workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
"dataConnectorCCPVersion": "1.0.0",
"_dataConnectorContentIdConnectorDefinition1": "GCPDefinition",
"dataConnectorTemplateNameConnectorDefinition1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnectorDefinition1')))]",
"_dataConnectorContentIdConnections1": "GCPTemplateConnections",
"dataConnectorTemplateNameConnections1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnections1')))]",
"dataCollectionEndpointId1": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]",
"blanks": "[replace('b', 'b', '')]",
"_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
},
"resources": [
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnectorDefinition1'), variables('dataConnectorCCPVersion'))]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"contentId": "[variables('_dataConnectorContentIdConnectorDefinition1')]",
"displayName": "GCP WAF",
"contentKind": "DataConnector",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorCCPVersion')]",
"parameters": {},
"variables": {},
"resources": [
{
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition1'))]",
"apiVersion": "2022-09-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions",
"location": "[parameters('workspace-location')]",
"kind": "Customizable",
"properties": {
"connectorUiConfig": {
"id": "GCPDefinition",
"title": "GCP WAF",
"publisher": "companyname", // Modify to your user/company name
"descriptionMarkdown": "GCP custom connector to ingest WAF and Load Balance logs",
"graphQueriesTableName": "GCPWAFlogs_CL", // Modify to your table name, same as row 58
"graphQueries": [
{
"metricName": "Total events received",
"legend": "GCP WAF Events",
"baseQuery": "{{graphQueriesTableName}}"
}
],
"sampleQueries": [
{
"description": "Get Sample of logs",
"query": "{{graphQueriesTableName}}\n | take 10"
}
],
"dataTypes": [
{
"name": "{{graphQueriesTableName}}",
"lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriteria": [
{
"type": "HasDataConnectors",
"value": null
}
],
"availability": {
"status": 1,
"isPreview": false
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "Read and Write permissions are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"read": true,
"write": true,
"delete": true,
"action": false
}
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "Read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"read": false,
"write": false,
"delete": false,
"action": true
}
}
]
},
"instructionSteps": [
{
"instructions": [
{
"type": "Markdown",
"parameters": {
"content": "#### 1. Set up your GCP environment \n You must have the following GCP resources defined and configured: topic, subscription for the topic, workload identity pool, workload identity provider and service account with permissions to get and consume from subscription. \n Terraform provides API for the IAM that creates the resources. [Link to Terraform scripts](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/GCP/Terraform/sentinel_resources_creation)."
}
},
{
"type": "CopyableLabel",
"parameters": {
"label": "Tenant ID: A unique identifier that is used as an input in the Terraform configuration within a GCP environment.",
"fillWith": [
"TenantId"
],
"name": "PoolId",
"disabled": true
}
},
{
"type": "Markdown",
"parameters": {
"content": "#### 2. Connect new collectors \n To enable GCP for Microsoft Sentinel, click the Add new collector button, fill the required information in the context pane and click on Connect."
}
},
{
"type": "GCPGrid",
"parameters": {}
},
{
"type": "GCPContextPane",
"parameters": {}
}
]
}
],
"isConnectivityCriteriasMatchSome": false
}
}
},
{
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition1')))]",
"apiVersion": "2022-01-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"properties": {
"parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition1'))]",
"contentId": "[variables('_dataConnectorContentIdConnectorDefinition1')]",
"kind": "DataConnector",
"version": "[variables('dataConnectorCCPVersion')]",
"source": {
"sourceId": "[variables('_solutionId')]",
"name": "[variables('_solutionName')]",
"kind": "Solution"
},
"author": {
"name": "Microsoft" // Modify to your user/company name
},
"support": {
"name": "Companyname", // Modify to your user/company name
"email": "support@microsoft.com", // Modify to your email
"tier": "Partner",
"link": "http://www.microsoft.com" // Modify to a support link
},
"dependencies": {
"criteria": [
{
"version": "[variables('dataConnectorCCPVersion')]",
"contentId": "[variables('_dataConnectorContentIdConnections1')]",
"kind": "ResourcesDataConnector"
}
]
}
}
},
{
"name": "GCPWAFDCR1",
"apiVersion": "2022-06-01",
"type": "Microsoft.Insights/dataCollectionRules",
"location": "[parameters('workspace-location')]",
"kind": "[variables('blanks')]",
"properties": {
"dataCollectionEndpointId": "[variables('dataCollectionEndpointId1')]",
"streamDeclarations": {
"Custom-GCPWAF": {
"columns": [
{
"name": "insertId",
"type": "string"
},
{
"name": "jsonPayload",
"type": "string"
},
{
"name": "logName",
"type": "string"
},
{
"name": "receiveTimestamp",
"type": "string"
},
{
"name": "resource",
"type": "string"
},
{
"name": "severity",
"type": "string"
},
{
"name": "httpRequest",
"type": "string"
},
{
"name": "spanId",
"type": "string"
},
{
"name": "timestamp",
"type": "string"
}
]
}
},
"destinations": {
"logAnalytics": [
{
"workspaceResourceId": "[variables('workspaceResourceId')]",
"name": "clv2ws1"
}
]
},
"dataFlows": [
{
"streams": [
"Custom-GCPWAF"
],
"destinations": [
"clv2ws1"
],
"transformKql": "source | extend TimeGenerated = now()",
"outputStream": "Custom-GCPWAFlogs_CL"
}
]
}
},
{
"name": "GCPWAFlogs_CL",
"apiVersion": "2022-10-01",
"type": "Microsoft.OperationalInsights/workspaces/tables",
"location": "[parameters('workspace-location')]",
"kind": null,
"properties": {
"schema": {
"name": "GCPWAFlogs_CL",
"columns": [
{
"name": "insertId",
"type": "string"
},
{
"name": "jsonPayload",
"type": "string"
},
{
"name": "logName",
"type": "string"
},
{
"name": "receiveTimestamp",
"type": "string"
},
{
"name": "resource",
"type": "string"
},
{
"name": "timestamp",
"type": "string"
},
{
"name": "severity",
"type": "string"
},
{
"name": "httpRequest",
"type": "string"
},
{
"name": "spanId",
"type": "string"
},
{
"name": "TimeGenerated",
"type": "datetime"
}
]
}
}
}
]
},
"packageKind": "Solution",
"packageVersion": "[variables('_solutionVersion')]",
"packageName": "[variables('_solutionName')]",
"contentProductId": "[concat(take(variables('_solutionId'), 50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentIdConnectorDefinition1'),'-', variables('dataConnectorCCPVersion'))))]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
"version": "[variables('dataConnectorCCPVersion')]"
}
},
{
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition1'))]",
"apiVersion": "2022-09-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions",
"location": "[parameters('workspace-location')]",
"kind": "Customizable",
"properties": {
"connectorUiConfig": {
"id": "GCPDefinition",
"title": "GCP WAF",
"publisher": "companyname", // Modify to your user/company name
"descriptionMarkdown": "GCP custom connector to ingest WAF and Load Balance logs",
"graphQueriesTableName": "GCPWAFlogs_CL", // Modify to your table name, same as row 58
"graphQueries": [
{
"metricName": "Total events received",
"legend": "GCP WAF Events",
"baseQuery": "{{graphQueriesTableName}}"
}
],
"sampleQueries": [
{
"description": "Get Sample of logs",
"query": "{{graphQueriesTableName}}\n | take 10"
}
],
"dataTypes": [
{
"name": "{{graphQueriesTableName}}",
"lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriteria": [
{
"type": "HasDataConnectors",
"value": null
}
],
"availability": {
"status": 1,
"isPreview": false
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "Read and Write permissions are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"read": true,
"write": true,
"delete": true,
"action": false
}
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "Read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"read": false,
"write": false,
"delete": false,
"action": true
}
}
]
},
"instructionSteps": [
{
"instructions": [
{
"type": "Markdown",
"parameters": {
"content": "#### 1. Set up your GCP environment \n You must have the following GCP resources defined and configured: topic, subscription for the topic, workload identity pool, workload identity provider and service account with permissions to get and consume from subscription. \n Terraform provides API for the IAM that creates the resources. [Link to Terraform scripts](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/GCP/Terraform/sentinel_resources_creation)."
}
},
{
"type": "CopyableLabel",
"parameters": {
"label": "Tenant ID: A unique identifier that is used as an input in the Terraform configuration within a GCP environment.",
"fillWith": [
"TenantId"
],
"name": "PoolId",
"disabled": true
}
},
{
"type": "Markdown",
"parameters": {
"content": "#### 2. Connect new collectors \n To enable GCP for Microsoft Sentinel, click the Add new collector button, fill the required information in the context pane and click on Connect."
}
},
{
"type": "GCPGrid",
"parameters": {}
},
{
"type": "GCPContextPane",
"parameters": {}
}
]
}
],
"isConnectivityCriteriasMatchSome": false
}
}
},
{
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition1')))]",
"apiVersion": "2022-01-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"properties": {
"parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition1'))]",
"contentId": "[variables('_dataConnectorContentIdConnectorDefinition1')]",
"kind": "DataConnector",
"version": "[variables('dataConnectorCCPVersion')]",
"source": {
"sourceId": "[variables('_solutionId')]",
"name": "[variables('_solutionName')]",
"kind": "Solution"
},
"author": {
"name": "Microsoft" // Modify to your user/company name
},
"support": {
"name": "companyname", // Modify to your user/company name
"email": "support@microsoft.com", // Modify to your email
"tier": "Partner",
"link": "http://www.microsoft.com" // Modify to a support link
},
"dependencies": {
"criteria": [
{
"version": "[variables('dataConnectorCCPVersion')]",
"contentId": "[variables('_dataConnectorContentIdConnections1')]",
"kind": "ResourcesDataConnector"
}
]
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnections1'), variables('dataConnectorCCPVersion'))]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"contentId": "[variables('_dataConnectorContentIdConnections1')]",
"displayName": "GCP WAF",
"contentKind": "ResourcesDataConnector",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorCCPVersion')]",
"parameters": {
"GCPProjectId": {
"type": "String",
"minLength": 4
},
"GCPProjectNumber": {
"type": "String",
"minLength": 1
},
"GCPWorkloadIdentityProviderId": {
"type": "String"
},
"GCPServiceAccountEmail": {
"type": "String",
"minLength": 1
},
"GCPSubscriptionName": {
"type": "String",
"minLength": 3
},
"connectorDefinitionName": {
"defaultValue": "connectorDefinitionName",
"type": "string",
"minLength": 1,
"metadata": {
"description": "connectorDefinitionName"
}
},
"workspace2": {
"defaultValue": "[parameters('workspace')]",
"type": "string"
},
"dcrConfig": {
"type": "object",
"defaultValue": {
"dataCollectionEndpoint": "data collection Endpoint",
"dataCollectionRuleImmutableId": "data collection rule immutableId"
}
},
"guidValue": {
"type": "string",
"defaultValue": "[[newGuid()]"
}
},
"variables": {
"_dataConnectorContentIdConnections1": "[variables('_dataConnectorContentIdConnections1')]"
},
"resources": [
{
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnections1')))]",
"apiVersion": "2022-01-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"properties": {
"parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentIdConnections1'))]",
"contentId": "[variables('_dataConnectorContentIdConnections1')]",
"kind": "ResourcesDataConnector",
"version": "[variables('dataConnectorCCPVersion')]",
"source": {
"sourceId": "[variables('_solutionId')]",
"name": "[variables('_solutionName')]",
"kind": "Solution"
},
"author": {
"name": "Microsoft" // Modify to your user/company name
},
"support": {
"name": "companyname", // Modify to your user/company name
"email": "support@microsoft.com", // Modify to your email
"tier": "Partner",
"link": "http://www.microsoft.com" // Modify to a support link
}
}
},
{
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 'GCPDefinition')]",
"apiVersion": "2023-02-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"location": "[parameters('workspace-location')]",
"kind": "GCP",
"properties": {
"connectorDefinitionName": "GCPDefinition",
"dataType": "GCPWAFlogs_CL",
"dcrConfig": {
"streamName": "Custom-GCPWAF",
"dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]",
"dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]"
},
"auth": {
"serviceAccountEmail": "[[parameters('GCPServiceAccountEmail')]",
"projectNumber": "[[parameters('GCPProjectNumber')]",
"workloadIdentityProviderId": "[[parameters('GCPWorkloadIdentityProviderId')]"
},
"request": {
"projectId": "[[parameters('GCPProjectId')]",
"subscriptionNames": [
"[[parameters('GCPSubscriptionName')]"
]
}
}
}
]
},
"packageKind": "Solution",
"packageVersion": "[variables('_solutionVersion')]",
"packageName": "[variables('_solutionName')]",
"contentProductId": "[concat(take(variables('_solutionId'), 50),'-','rdc','-', uniqueString(concat(variables('_solutionId'),'-','ResourcesDataConnector','-',variables('_dataConnectorContentIdConnections1'),'-', variables('dataConnectorCCPVersion'))))]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
"version": "[variables('dataConnectorCCPVersion')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages",
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
"version": "3.0.0",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "GCP WAF",
"publisherDisplayName": "GCP WAF",
"descriptionHtml": "<p><strong>Note:</strong> <em>There may be <a href=\"https://aka.ms/sentinelsolutionsknownissues\">known issues</a> pertaining to this Solution, please refer to them before installing.</em></p>\n<p>GCP custom connector to ingest WAF and Load Balance logs</p>\n<p><a href=\"https://aka.ms/azuresentinel\">Learn more about Microsoft Sentinel</a> | <a href=\"https://aka.ms/azuresentinelsolutionsdoc\">Learn more about Solutions</a></p>\n",
"contentKind": "Solution",
"contentProductId": "[variables('_solutioncontentProductId')]",
"id": "[variables('_solutioncontentProductId')]",
"icon": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Ermes_Browser_Security_Logo.svg\" width=\"75px\" height=\"75px\">",
"contentId": "[variables('_solutionId')]",
"parentId": "[variables('_solutionId')]",
"source": {
"kind": "Solution",
"name": "GCP WAF",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft"
},
"support": {
"name": "companyname", // Modify to your user/company name
"email": "support@microsoft.com", // Modify to your email
"tier": "Partner",
"link": "http://www.microsoft.com" // Modify to a support link
},
"dependencies": {
"operator": "AND",
"criteria": [
{
"kind": "DataConnector",
"contentId": "[variables('_dataConnectorContentIdConnections1')]",
"version": "[variables('dataConnectorCCPVersion')]"
}
]
},
"firstPublishDate": "2023-09-29",
"providers": [
"Microsoft"
],
"categories": {
"domains": [
"Security - Threat Protection"
]
}
},
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]"
}
],
"outputs": {}
}
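The table name, stream name and column list each appear in several places in the template above, and the `// Modify` comments mean a strict JSON parser rejects the file, so a check before deployment helps catch a rename that was applied in only one place. The Python script below is an added example, not part of the original template or of Microsoft's tooling; the function names and the trimmed `SAMPLE` fragment are constructed for illustration.

```python
import json
import re

# A JSON string literal (kept) or a // comment running to end of line (dropped).
_TOKEN = re.compile(r'("(?:\\.|[^"\\])*")|//[^\n]*')

def strip_line_comments(text):
    """Drop // comments outside JSON strings, so URLs inside strings survive."""
    return _TOKEN.sub(lambda m: m.group(1) or "", text)

def walk(node):
    """Yield every dict nested anywhere in the parsed template."""
    if isinstance(node, dict):
        yield node
        node = list(node.values())
    if isinstance(node, list):
        for child in node:
            yield from walk(child)

def check_template(text):
    """Return findings; an empty list means stream and table names line up."""
    streams, tables, flows, refs = {}, {}, [], []
    for d in walk(json.loads(strip_line_comments(text))):
        kind = str(d.get("type", "")).lower()
        props = d.get("properties") or {}
        if kind == "microsoft.insights/datacollectionrules":
            for name, decl in props["streamDeclarations"].items():
                streams[name] = {c["name"] for c in decl["columns"]}
            flows += props["dataFlows"]
        elif kind == "microsoft.operationalinsights/workspaces/tables":
            schema = props["schema"]
            tables[schema["name"]] = {c["name"] for c in schema["columns"]}
        elif kind.endswith("/providers/dataconnectors"):
            refs.append(("dataType", props["dataType"], tables))
            refs.append(("streamName", props["dcrConfig"]["streamName"], streams))
        if "graphQueriesTableName" in d:
            refs.append(("graphQueriesTableName", d["graphQueriesTableName"], tables))
    # Every name the connector refers to must be declared somewhere in the file.
    findings = [f"{key} '{val}' is not defined in the template"
                for key, val, known in refs if val not in known]
    for flow in flows:
        # Custom tables are addressed as "Custom-<table name>" in outputStream.
        table = flow["outputStream"].split("Custom-", 1)[-1]
        for s in flow["streams"]:
            if s not in streams or table not in tables:
                findings.append(f"dataFlow {s} -> {table}: undefined stream or table")
            elif streams[s] - tables[table]:
                findings.append(f"table {table} lacks columns {sorted(streams[s] - tables[table])}")
    return findings

# Constructed fragment reusing the template's resource types and names.
SAMPLE = '''{"resources": [
 {"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions",
  "properties": {"connectorUiConfig": {"graphQueriesTableName": "GCPWAFlogs_CL"}}}, // Modify to your table name
 {"type": "Microsoft.Insights/dataCollectionRules", "properties": {
    "streamDeclarations": {"Custom-GCPWAF": {"columns": [
      {"name": "insertId", "type": "string"}, {"name": "httpRequest", "type": "string"}]}},
    "dataFlows": [{"streams": ["Custom-GCPWAF"], "outputStream": "Custom-GCPWAFlogs_CL"}]}},
 {"type": "Microsoft.OperationalInsights/workspaces/tables", "properties": {
    "schema": {"name": "GCPWAFlogs_CL", "columns": [
      {"name": "insertId", "type": "string"}, {"name": "httpRequest", "type": "string"},
      {"name": "TimeGenerated", "type": "datetime"}]}}},
 {"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
  "properties": {"dataType": "GCPWAFlogs_CL", "dcrConfig": {"streamName": "Custom-GCPWAF"},
    "support": {"link": "http://www.microsoft.com"}}} // Modify to a support link
]}'''

if __name__ == "__main__":
    print(check_template(SAMPLE) or "template names are consistent")
```

To check your own edited copy, pass the contents of the saved file to `check_template` in place of `SAMPLE`.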