{ "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", "handler": "Microsoft.Azure.CreateUIDef", "version": "0.1.2-preview", "parameters": { "config": { "isWizard": false, "basics": { "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/SailPointIdentityNow/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [SailPoint Integration](https://www.sailpoint.com/) solution provides the capability to ingest SailPoint IdentityNow search events into Microsoft Sentinel through the REST API. The solution includes two data connectors: a legacy Azure Function-based connector and a Codeless Connector Framework (CCF) based connector. \n\n **Underlying Microsoft Technologies used:** \n\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs: \n\n a. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api) *(used by the Azure Function-based connector)* \n\n b. [Azure Functions](https://azure.microsoft.com/services/functions/#overview) *(used by the Azure Function-based connector)* \n\n c. 
[Microsoft Sentinel Codeless Connector Framework](https://learn.microsoft.com/azure/sentinel/create-codeless-connector) *(used by the CCF-based connector)*\n\n**Data Connectors:** 2, **Parsers:** 1, **Analytic Rules:** 6, **Custom Azure Logic Apps Connectors:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", "Microsoft.OperationalInsights/workspaces/providers/alertRules", "Microsoft.Insights/workbooks", "Microsoft.Logic/workflows" ] }, "location": { "metadata": { "hidden": "Hiding location, we get it from the log analytics workspace" }, "visible": false }, "resourceGroup": { "allowExisting": true } } }, "basics": [ { "name": "getLAWorkspace", "type": "Microsoft.Solutions.ArmApiControl", "toolTip": "This filters by workspaces that exist in the Resource Group selected", "condition": "[greater(length(resourceGroup().name),0)]", "request": { "method": "GET", "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]" } }, { "name": "workspace", "type": "Microsoft.Common.DropDown", "label": "Workspace", "placeholder": "Select a workspace", "toolTip": "This dropdown will list only workspaces that exist in the Resource Group selected", "constraints": { "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]", "required": true }, "visible": true } ], "steps": [ { "name": "dataconnectors", "label": "Data Connectors", "bladeTitle": "Data Connectors", "elements": [ { "name": "dataconnectors1-text", "type": "Microsoft.Common.TextBlock", "options": { "text": "This Solution installs the data connector for SailPointIdentityNow. 
You can get SailPointIdentityNow custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." } }, { "name": "dataconnectors2-text", "type": "Microsoft.Common.TextBlock", "options": { "text": "This Solution installs the data connector for SailPoint IdentityNow (via Codeless Connector Framework). You can get SailPoint IdentityNow (via Codeless Connector Framework) data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." } }, { "name": "dataconnectors-link2", "type": "Microsoft.Common.TextBlock", "options": { "link": { "label": "Learn more about connecting data sources", "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources" } } } ] }, { "name": "analytics", "label": "Analytics", "subLabel": { "preValidation": "Configure the analytics", "postValidation": "Done" }, "bladeTitle": "Analytics", "elements": [ { "name": "analytics-text", "type": "Microsoft.Common.TextBlock", "options": { "text": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view." } }, { "name": "analytics-link", "type": "Microsoft.Common.TextBlock", "options": { "link": { "label": "Learn more", "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef" } } }, { "name": "analytic1", "type": "Microsoft.Common.Section", "label": "SailPointIdentityNowAlertForTriggers", "elements": [ { "name": "analytic1-text", "type": "Microsoft.Common.TextBlock", "options": { "text": "Create alerts for SailPoint IdentityNow Event Trigger Service." 
} } ] }, { "name": "analytic2", "type": "Microsoft.Common.Section", "label": "SailPointIdentityNowEventType", "elements": [ { "name": "analytic2-text", "type": "Microsoft.Common.TextBlock", "options": { "text": "Created to detect failed events of a particular type from SailPointIDN_Events." } } ] }, { "name": "analytic3", "type": "Microsoft.Common.Section", "label": "SailPointIdentityNowEventTypeTechnicalName", "elements": [ { "name": "analytic3-text", "type": "Microsoft.Common.TextBlock", "options": { "text": "Created to detect new threat events from the data in SailPointIDN_Events." } } ] }, { "name": "analytic4", "type": "Microsoft.Common.Section", "label": "SailPointIdentityNowFailedEvents", "elements": [ { "name": "analytic4-text", "type": "Microsoft.Common.TextBlock", "options": { "text": "Detects all events with a failed status." } } ] }, { "name": "analytic5", "type": "Microsoft.Common.Section", "label": "SailPointIdentityNowFailedEventsBasedOnTime", "elements": [ { "name": "analytic5-text", "type": "Microsoft.Common.TextBlock", "options": { "text": "Detects failed events based on created time." } } ] }, { "name": "analytic6", "type": "Microsoft.Common.Section", "label": "SailPointIdentityNowUserWithFailedEvent", "elements": [ { "name": "analytic6-text", "type": "Microsoft.Common.TextBlock", "options": { "text": "Detects any failed event for a particular user." } } ] } ] }, { "name": "playbooks", "label": "Playbooks", "subLabel": { "preValidation": "Configure the playbooks", "postValidation": "Done" }, "bladeTitle": "Playbooks", "elements": [ { "name": "playbooks-text", "type": "Microsoft.Common.TextBlock", "options": { "text": "This solution installs the Playbook templates to help implement your Security Orchestration, Automation and Response (SOAR) operations. After installing the solution, these will be deployed under Playbook Templates in the Automation blade in Microsoft Sentinel. 
They can be configured and managed from the Manage solution view in Content Hub." } }, { "name": "playbooks-link", "type": "Microsoft.Common.TextBlock", "options": { "link": { "label": "Learn more", "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef" } } } ] } ], "outputs": { "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]", "location": "[location()]", "workspace": "[basics('workspace')]" } } }