1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
|
# coding=utf-8
# --------------------------------------------------------------------------
# Copyright (c) Microsoft Corporation. All rights reserved.
# Licensed under the MIT License. See License.txt in the project root for license information.
# Code generated by Microsoft (R) AutoRest Code Generator.
# Changes may cause incorrect behavior and will be lost if the code is regenerated.
# --------------------------------------------------------------------------
from azure.identity import DefaultAzureCredential
from azure.mgmt.securityinsight import SecurityInsights
"""
# PREREQUISITES
pip install azure-identity
pip install azure-mgmt-securityinsight
# USAGE
python create_api_polling.py
Before run the sample, please set the values of the client ID, tenant ID and client secret
of the AAD application as environment variables: AZURE_CLIENT_ID, AZURE_TENANT_ID,
AZURE_CLIENT_SECRET. For more info about how to get the value, please see:
https://docs.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal
"""
def main():
client = SecurityInsights(
credential=DefaultAzureCredential(),
subscription_id="d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
)
response = client.data_connectors.create_or_update(
resource_group_name="myRg",
workspace_name="myWorkspace",
data_connector_id="316ec55e-7138-4d63-ab18-90c8a60fd1c8",
data_connector={
"kind": "APIPolling",
"properties": {
"connectorUiConfig": {
"availability": {"isPreview": True, "status": 1},
"connectivityCriteria": [{"type": "SentinelKindsV2", "value": []}],
"dataTypes": [
{
"lastDataReceivedQuery": "{{graphQueriesTableName}}\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)",
"name": "{{graphQueriesTableName}}",
}
],
"descriptionMarkdown": "The GitHub audit log connector provides the capability to ingest GitHub logs into Azure Sentinel. By connecting GitHub audit logs into Azure Sentinel, you can view this data in workbooks, use it to create custom alerts, and improve your investigation process.",
"graphQueries": [
{
"baseQuery": "{{graphQueriesTableName}}",
"legend": "GitHub audit log events",
"metricName": "Total events received",
}
],
"graphQueriesTableName": "GitHubAuditLogPolling_CL",
"instructionSteps": [
{
"description": "Enable GitHub audit Logs. \n Follow `this <https://docs.github.com/en/github/authenticating-to-github/keeping-your-account-and-data-secure/creating-a-personal-access-token>`_ to create or find your personal key",
"instructions": [
{
"parameters": {
"enable": "true",
"userRequestPlaceHoldersInput": [
{
"displayText": "Organization Name",
"placeHolderName": "{{placeHolder1}}",
"placeHolderValue": "",
"requestObjectKey": "apiEndpoint",
}
],
},
"type": "APIKey",
}
],
"title": "Connect GitHub Enterprise Audit Log to Azure Sentinel",
}
],
"permissions": {
"customs": [
{
"description": "You need access to GitHub personal token, the key should have 'admin:org' scope",
"name": "GitHub API personal token Key",
}
],
"resourceProvider": [
{
"permissionsDisplayText": "read and write permissions are required.",
"provider": "Microsoft.OperationalInsights/workspaces",
"providerDisplayName": "Workspace",
"requiredPermissions": {"delete": True, "read": True, "write": True},
"scope": "Workspace",
}
],
},
"publisher": "GitHub",
"sampleQueries": [
{"description": "All logs", "query": "{{graphQueriesTableName}}\n | take 10 <change>"}
],
"title": "GitHub Enterprise Audit Log",
},
"pollingConfig": {
"auth": {"apiKeyIdentifier": "token", "apiKeyName": "Authorization", "authType": "APIKey"},
"paging": {"pageSizeParaName": "per_page", "pagingType": "LinkHeader"},
"request": {
"apiEndpoint": "https://api.github.com/organizations/{{placeHolder1}}/audit-log",
"headers": {"Accept": "application/json", "User-Agent": "Scuba"},
"httpMethod": "Get",
"queryParameters": {"phrase": "created:{_QueryWindowStartTime}..{_QueryWindowEndTime}"},
"queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ",
"queryWindowInMin": 15,
"rateLimitQps": 50,
"retryCount": 2,
"timeoutInSeconds": 60,
},
"response": {"eventsJsonPaths": ["$"]},
},
},
},
)
print(response)
# x-ms-original-file: specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/dataConnectors/CreateAPIPolling.json
if __name__ == "__main__":
main()
|
