
Conversation

@markolauren (Contributor)

New solution with two CCF connectors to ingest M365 Audit.General and Audit.DLP events from O365 Management Activity API.

Outscopes some events which are already covered by other Sentinel connectors: Teams, Dynamics, Purview Information Protection.

Required items, please complete

Change(s):

  • initial release

Reason for Change(s):

  • There were no connectors for M365 General Audit or DLP.

Testing Completed:

  • yes

Checked that the validations are passing and have addressed any issues that are present:

  • I think so.

@markolauren markolauren requested review from a team as code owners January 13, 2026 16:05
@v-shukore v-shukore added the New Solution For new Solutions which are new to Microsoft Sentinel label Jan 14, 2026
@markolauren (Contributor, Author)

markolauren commented Jan 14, 2026

@v-shukore please initiate re-validation. There appeared to be a BOM (Byte Order Mark) at the start of the file (mainTemplate.json), which likely caused many failures.

@markolauren (Contributor, Author)

@v-shukore The arm-ttk validation error

```
#13 9.701 DeploymentTemplate Must Not Contain Hardcoded Uri
#13 9.701 [-] DeploymentTemplate Must Not Contain Hardcoded Uri (59 ms)
#13 9.701 Found hardcoded reference to login.microsoftonline.com Line: 3039,
#13 9.701 Column: 617
#13 9.701 Found hardcoded reference to login.microsoftonline.com Line: 3234,
#13 9.701 Column: 611
```

refers to two "description" fields which give the user guidance on how to deploy the solution properly, so they are not related to the template/json in any way.
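
Both findings raised in this thread, the BOM at the start of mainTemplate.json and the arm-ttk hardcoded-URI hits, can be reproduced locally before asking for re-validation. The following is an added example, not code from this PR or from the Azure-Sentinel repository; the sample template, the `WATCHED_HOSTS` list and the `DOC_KEYS` heuristic for "documentation" fields are assumptions. It strips a UTF-8 BOM, parses the template strictly, and reports each string containing the flagged host with its JSON path and whether it sits in a user-facing field such as `description`.

```python
import codecs
import json
UTF8_BOM = codecs.BOM_UTF8  # b'\xef\xbb\xbf', the bytes that broke validation here
WATCHED_HOSTS = ("login.microsoftonline.com",)  # host arm-ttk flagged on this PR (assumed list)
DOC_KEYS = {"description", "title", "instructions"}  # user-facing text fields (assumed)

def strip_bom(raw: bytes) -> tuple:
    """Return (bytes without a leading UTF-8 BOM, whether one was present)."""
    if raw.startswith(UTF8_BOM):
        return raw[len(UTF8_BOM):], True
    return raw, False

def walk(node, path="$"):
    """Yield (json_path, value) for every string in the parsed template."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for idx, value in enumerate(node):
            yield from walk(value, f"{path}[{idx}]")
    elif isinstance(node, str):
        yield path, node

def find_hardcoded_hosts(doc) -> list:
    """Locate watched hosts; mark whether each hit sits in a documentation field."""
    hits = []
    for path, text in walk(doc):
        for host in WATCHED_HOSTS:
            if host in text:
                key = path.rsplit(".", 1)[-1].split("[")[0]  # property name at end of path
                hits.append({"path": path, "host": host, "in_doc_field": key in DOC_KEYS})
    return hits

def check_template(raw: bytes) -> dict:
    """BOM check plus hardcoded-host scan over a mainTemplate.json read as bytes."""
    body, had_bom = strip_bom(raw)
    try:
        doc = json.loads(body.decode("utf-8"))  # strict: a BOM left in place fails here
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        return {"bom": had_bom, "parsed": False, "error": str(exc), "hardcoded": []}
    return {"bom": had_bom, "parsed": True, "hardcoded": find_hardcoded_hosts(doc)}

# Constructed sample: BOM-prefixed template with one guidance string and one endpoint.
SAMPLE = UTF8_BOM + json.dumps({"resources": [{"properties": {
    "connectorUiConfig": {"instructionSteps": [{"description":
        "Grant admin consent at https://login.microsoftonline.com before deploying."}]},
    "auth": {"tokenEndpoint": "https://login.microsoftonline.com/tenant/oauth2/token"},
}}]}).encode("utf-8")

if __name__ == "__main__":
    print(json.dumps(check_template(SAMPLE), indent=2))
```

A hit with `in_doc_field` true is the case the author describes (guidance text), while a hit in a functional property is what the rule is meant to catch.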

@v-maheshbh (Contributor)

Hi @markolauren

Kindly refer to the solution mentioned below for the correct folder structure and make the necessary updates. The data file and data connector files are missing, and the release notes and solution metadata are not in the proper format.
https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/CiscoMeraki

Thanks!

@markolauren (Contributor, Author)

@v-maheshbh added the needed corrections. I hope we're getting closer :)

@markolauren (Contributor, Author)

Can we re-validate? The missing files and corrections are now done.

@markolauren (Contributor, Author)

For Solution validation error: "Error message: Invalid value for the support "tier" field. Supported values are: Microsoft, Partner, Community."

=> this is defined like this:

```json
"_solutionTier": "Community",

"support": {
    "tier": "[variables('_solutionTier')]",
```

@markolauren (Contributor, Author)

How are we proceeding?

@v-maheshbh (Contributor)

Hi @markolauren
The CCF folder structure does not adhere to the expected format. Mandatory files such as pollerConfig, DCR, and table files are missing.
Kindly refer to the solution mentioned below for the correct folder structure and update the necessary files.
Please ensure that all files are properly linked.
https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Cloudflare%20CCF

Kindly attach the testing screenshot of the ccf connector in the connected state.

Thanks!

@markolauren (Contributor, Author)

markolauren commented Jan 21, 2026

@v-maheshbh thanks for the feedback. Changes are now done. Please re-validate and guide me forward :)

Here's a screenshot of both connectors as "connected" and data coming in:

Audit.General connector: [screenshot]

Audit.DLP connector: [screenshot]

@v-maheshbh (Contributor)

Hi @markolauren
The package folder ZIP file is missing. Kindly ensure it is added to the solution.
The logo path in the data file is missing. Kindly refer to an existing solution for the correct structure and update it accordingly.
And create two separate folders for the CCF connector.

Please package the solution version 3.0.0 (Update the same in the release notes.) using the V3 tool. You can follow the steps outlined in the README linked below to complete the packaging:

https://github.com/Azure/Azure-Sentinel/blob/master/Tools/Create-Azure-Sentinel-Solution/V3/README.md

Thanks!

@markolauren (Contributor, Author)

@v-maheshbh Done.

  • The connectors are now in their own folders, but DCR and Table files are in Data Connectors\ folder directly as both connectors share the same DCR and Table.
  • Logo added
  • Updated ReleaseNotes to use v3.0.0
  • 3.0.0.zip added

@markolauren (Contributor, Author)

@v-maheshbh Do we have pieces together now?
