| 1 | { |
| 2 | "id": "Alcide_kAudit", |
| 3 | "title": "Alcide kAudit", |
| 4 | "publisher": "Alcide", |
| 5 | "descriptionMarkdown": "The Alcide kAudit connector automatically exports your Kubernetes cluster audit logs and kAudit detections (anomalies and incidents) into Azure Sentinel in real time. This gives you visibility into Kubernetes audit activity in the workspace and supports security monitoring and forensic investigation.", |
| 6 | "graphQueries": [ |
| 7 | { |
| 8 | "metricName": "Anomalies and Incidents - All Data", |
| 9 | "legend": "alcide_kaudit_detections_1_CL", |
| 10 | "baseQuery": "alcide_kaudit_detections_1_CL" |
| 11 | } |
| 12 | ], |
| 13 | "sampleQueries": [ |
| 14 | { |
| 15 | "description" : "All detection entries (anomalies and incidents)", |
| 16 | "query": "\nalcide_kaudit_detections_1_CL\n| sort by TimeGenerated\n" |
| 17 | }, |
| 18 | { |
| 19 | "description" : "All audit activity for a Secret resource type, summarized count by resource namespace", |
| 20 | "query": "\nalcide_kaudit_activity_1_CL\n| where resource_type_s == \"secrets\"\n| summarize count() by resource_namespace_s" |
| 21 | }, |
| 22 | { |
| 23 | "description" : "Audit activity, summarized by principal, Type and Caller IP", |
| 24 | "query": "\nalcide_kaudit_selections_details_1_CL\n| summarize count() by principal_s, Type, caller_ip_s" |
| 25 | } |
| 26 | ], |
| 27 | "dataTypes": [ |
| 28 | { |
| 29 | "name": "alcide_kaudit_activity_1_CL", |
| 30 | "lastDataReceivedQuery": "alcide_kaudit_activity_1_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" |
| 31 | }, |
| 32 | { |
| 33 | "name": "alcide_kaudit_detections_1_CL", |
| 34 | "lastDataReceivedQuery": "alcide_kaudit_detections_1_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" |
| 35 | }, |
| 36 | { |
| 37 | "name": "alcide_kaudit_selections_count_1_CL", |
| 38 | "lastDataReceivedQuery": "alcide_kaudit_selections_count_1_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" |
| 39 | }, |
| 40 | { |
| 41 | "name": "alcide_kaudit_selections_details_1_CL", |
| 42 | "lastDataReceivedQuery": "alcide_kaudit_selections_details_1_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" |
| 43 | } |
| 44 | ], |
| 45 | "connectivityCriterias": [ |
| 46 | { |
| 47 | "type": "IsConnectedQuery", |
| 48 | "value": [ |
| 49 | "alcide_kaudit_activity_1_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" |
| 50 | ] |
| 51 | } |
| 52 | ], |
| 53 | "availability": { |
| 54 | "status": 1 |
| 55 | }, |
| 56 | "permissions": { |
| 57 | "resourceProvider": [ |
| 58 | { |
| 59 | "provider": "Microsoft.OperationalInsights/workspaces", |
| 60 | "permissionsDisplayText": "read, write and delete permissions on the workspace are required.", |
| 61 | "providerDisplayName": "Workspace", |
| 62 | "scope": "Workspace", |
| 63 | "requiredPermissions": { |
| 64 | "write": true, |
| 65 | "read": true, |
| 66 | "delete": true |
| 67 | } |
| 68 | } |
| 69 | ] |
| 70 | }, |
| 71 | "instructionSteps": [ |
| 72 | { |
| 73 | "title": "", |
| 74 | "description": "Follow the step-by-step instructions provided in the [Alcide kAudit Installation Guide](https://get.alcide.io/hubfs/Azure%20Sentinel%20Integration%20with%20kAudit.pdf). Use the Workspace ID and Primary Key shown below when configuring kAudit. The Primary Key is a workspace credential: treat it as a secret, store it in kAudit's secret configuration rather than in plain-text files or manifests, and rotate it if it is exposed.", |
| 75 | "instructions": [ |
| 76 | { |
| 77 | "parameters": { |
| 78 | "fillWith": [ |
| 79 | "WorkspaceId" |
| 80 | ], |
| 81 | "label": "Workspace ID" |
| 82 | }, |
| 83 | "type": "CopyableLabel" |
| 84 | }, |
| 85 | { |
| 86 | "parameters": { |
| 87 | "fillWith": [ |
| 88 | "PrimaryKey" |
| 89 | ], |
| 90 | "label": "Primary Key" |
| 91 | }, |
| 92 | "type": "CopyableLabel" |
| 93 | } |
| 94 | ] |
| 95 | } |
| 96 | ] |
| 97 | } |