diff --git a/Solutions/Dynatrace/Data Connectors/Connector_Dynatrace_Attacks.json b/Solutions/Dynatrace/Data Connectors/DynatraceAttacksV1/Connector_Dynatrace_Attacks.json
similarity index 98%
rename from Solutions/Dynatrace/Data Connectors/Connector_Dynatrace_Attacks.json
rename to Solutions/Dynatrace/Data Connectors/DynatraceAttacksV1/Connector_Dynatrace_Attacks.json
index 406f09a4549..73ce740e319 100644
--- a/Solutions/Dynatrace/Data Connectors/Connector_Dynatrace_Attacks.json
+++ b/Solutions/Dynatrace/Data Connectors/DynatraceAttacksV1/Connector_Dynatrace_Attacks.json
@@ -29,7 +29,7 @@
"properties": {
"connectorUiConfig": {
"id": "DynatraceAttacks",
- "title": "Dynatrace Attacks",
+ "title": "Dynatrace Attacks V1",
"publisher": "Dynatrace",
"descriptionMarkdown": "This connector uses the Dynatrace Attacks REST API to ingest detected attacks into Microsoft Sentinel Log Analytics",
"additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected which is deployed with the Microsoft Sentinel Solution.",
@@ -71,7 +71,7 @@
],
"availability": {
"status": 1,
- "isPreview": true
+ "isPreview": false
},
"permissions": {
"resourceProvider": [
@@ -142,7 +142,7 @@
"endTimeAttributeName": "to",
"headers": {
"Accept": "application/json",
- "User-Agent" : "dynatrace-microsoft-sentinel/3.x/connectors/attacks"
+ "User-Agent" : "dynatrace-microsoft-sentinel/3.0.2/connectors/attacks"
},
"queryParameters": {
"fields": "+attacker,+request,+entrypoint,+vulnerability,+managementZones"
diff --git a/Solutions/Dynatrace/Data Connectors/DynatraceAttacksV2/Connector_Dynatrace_Attacks_DCR.json b/Solutions/Dynatrace/Data Connectors/DynatraceAttacksV2/Connector_Dynatrace_Attacks_DCR.json
new file mode 100644
index 00000000000..e72adc38240
--- /dev/null
+++ b/Solutions/Dynatrace/Data Connectors/DynatraceAttacksV2/Connector_Dynatrace_Attacks_DCR.json
@@ -0,0 +1,87 @@
+{
+ "name": "DTAttacksV2DCR",
+ "apiVersion": "2021-09-01-preview",
+ "type": "Microsoft.Insights/dataCollectionRules",
+ "location": "{{location}}",
+ "properties": {
+ "streamDeclarations": {
+ "Custom-DynatraceAttacksV2": {
+ "columns": [
+ {
+ "name": "timestamp",
+ "type": "long"
+ },
+ {
+ "name": "attackId",
+ "type": "string"
+ },
+ {
+ "name": "displayId",
+ "type": "string"
+ },
+ {
+ "name": "displayName",
+ "type": "string"
+ },
+ {
+ "name": "attackType",
+ "type": "string"
+ },
+ {
+ "name": "technology",
+ "type": "string"
+ },
+ {
+ "name": "state",
+ "type": "string"
+ },
+ {
+ "name": "affectedEntities",
+ "type": "dynamic"
+ },
+ {
+ "name": "request",
+ "type": "dynamic"
+ },
+ {
+ "name": "entrypoint",
+ "type": "dynamic"
+ },
+ {
+ "name": "vulnerability",
+ "type": "dynamic"
+ },
+ {
+ "name": "attacker",
+ "type": "dynamic"
+ },
+ {
+ "name": "managementZones",
+ "type": "dynamic"
+ }
+ ]
+ }
+ },
+ "destinations": {
+ "logAnalytics": [
+ {
+ "workspaceResourceId": "{{workspaceResourceId}}",
+ "name": "clv2ws1"
+ }
+ ]
+ },
+ "dataFlows": [
+ {
+ "streams": [
+ "Custom-DynatraceAttacksV2"
+ ],
+ "destinations": [
+ "clv2ws1"
+ ],
+ "transformKql": "let fromUnixTime = (t: long) {\ndatetime(1970-01-01) + t * 1ms\n};\nsource | extend TimeGenerated = fromUnixTime(timestamp) | project-away timestamp",
+ "outputStream": "Custom-DynatraceAttacksV2_CL"
+ }
+ ],
+ "dataCollectionEndpointId": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]"
+ }
+}
\ No newline at end of file
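Review bot: `transformKql` applies `fromUnixTime(timestamp)` unconditionally before `project-away timestamp`, so a record whose `timestamp` is missing or zero gets a TimeGenerated of 1970-01-01 rather than the ingestion time; as far as I know Azure Monitor replaces or rejects TimeGenerated values more than a couple of days in the past, so such rows would be silently mis-dated or dropped — verify against current Logs Ingestion behaviour. I'd guard it: `source | extend TimeGenerated = iff(isnull(timestamp) or timestamp <= 0, now(), fromUnixTime(timestamp)) | project-away timestamp`. The `* 1ms` in `fromUnixTime` encodes the assumption that Dynatrace attack timestamps are epoch milliseconds; since JSON cannot carry a comment, a sentence in the solution README stating that unit would save the next maintainer a lookup.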
diff --git a/Solutions/Dynatrace/Data Connectors/DynatraceAttacksV2/Connector_Dynatrace_Attacks_Definition.json b/Solutions/Dynatrace/Data Connectors/DynatraceAttacksV2/Connector_Dynatrace_Attacks_Definition.json
new file mode 100644
index 00000000000..0c6d0f39af1
--- /dev/null
+++ b/Solutions/Dynatrace/Data Connectors/DynatraceAttacksV2/Connector_Dynatrace_Attacks_Definition.json
@@ -0,0 +1,118 @@
+{
+ "name": "DynatraceAttacksCCPDefinition",
+ "apiVersion": "2022-09-01-preview",
+ "type": "Microsoft.SecurityInsights/dataConnectorDefinitions",
+ "location": "{{location}}",
+ "kind": "Customizable",
+ "properties": {
+ "connectorUiConfig": {
+ "id": "DynatraceAttacksCCPDefinition",
+ "title": "Dynatrace Attacks V2",
+ "publisher": "Dynatrace",
+ "descriptionMarkdown": "This connector uses the Dynatrace Attacks REST API to ingest detected attacks into Microsoft Sentinel Log Analytics",
+ "additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected which is deployed with the Microsoft Sentinel Solution.",
+ "graphQueriesTableName": "DynatraceAttacksV2_CL",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "Dynatrace Attack Events",
+ "baseQuery": "{{graphQueriesTableName}}"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "All Attack Events",
+ "query": "DynatraceAttacks\n| summarize arg_max(TimeStamp, *) by AttackId\n| take 10"
+ },
+ {
+ "description": "All Exploited Attack Events",
+ "query": "DynatraceAttacks\n| where State == \"EXPLOITED\"\n| summarize arg_max(TimeStamp, *) by AttackId\n| take 10"
+ },
+ {
+ "description": "Count Attacks by Type",
+ "query": "DynatraceAttacks\n| summarize arg_max(TimeStamp, *) by AttackId\n| summarize count() by AttackType\n| take 10"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "{{graphQueriesTableName}}",
+ "lastDataReceivedQuery": "{{graphQueriesTableName}}\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriteria": [
+ {
+ "type": "HasDataConnectors",
+ "value": null
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": true
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "name": "Dynatrace tenant (ex. xyz.dynatrace.com)",
+ "description": "You need a valid Dynatrace tenant with [Application Security](https://www.dynatrace.com/platform/application-security/) enabled, learn more about the [Dynatrace platform](https://www.dynatrace.com/)."
+ },
+ {
+ "name": "Dynatrace Access Token",
+ "description": "You need a Dynatrace Access Token, the token should have ***Read attacks*** (attacks.read) scope."
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "title": "Dynatrace Attack Events to Microsoft Sentinel",
+ "description": "Configure and Enable Dynatrace [Application Security](https://www.dynatrace.com/platform/application-security/). \n Follow [these instructions](https://docs.dynatrace.com/docs/shortlink/token#create-api-token) to generate an access token.",
+ "instructions": [
+ {
+ "parameters": {
+ "enable": "true",
+ "type": "text",
+ "label": "Dynatrace tenant (ex. xyz.dynatrace.com)",
+ "placeholder": "{{dynatraceEnvironmentUrl}}",
+ "name": "dynatraceEnvironmentUrl"
+ },
+ "type": "Textbox"
+ },
+ {
+ "parameters": {
+ "enable": "true",
+ "type": "password",
+ "label": "Dynatrace Access Token",
+ "placeholder": "{{dynatraceAccessToken}}",
+ "name": "dynatraceAccessToken"
+ },
+ "type": "Textbox"
+ },
+ {
+ "type": "ConnectionToggleButton",
+ "parameters": {
+ "connectLabel": "connect",
+ "name": "toggle"
+ }
+ }
+ ]
+ }
+ ],
+ "metadata": {
+ "version": "1.0.2",
+ "kind": "dataConnector"
+ }
+ }
+ }
+}
\ No newline at end of file
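Review bot: `requiredPermissions` on the `Microsoft.OperationalInsights/workspaces` provider requests `delete: true` while `permissionsDisplayText` tells the operator only that "read and write permissions are required"; the rights the connector asks for and the rights it tells the reviewer about disagree. If delete is not needed to create the DCR-backed table and poller, drop it, `"requiredPermissions": { "write": true, "read": true }`; if it is needed (for example to remove connector resources on disconnect), change the display text to "read, write and delete permissions are required" so a least-privilege review does not have to guess. The access-token custom requirement correctly names the single `attacks.read` scope, which is the right least-privilege guidance for the token.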
diff --git a/Solutions/Dynatrace/Data Connectors/DynatraceAttacksV2/Connector_Dynatrace_Attacks_Polling_Config.json b/Solutions/Dynatrace/Data Connectors/DynatraceAttacksV2/Connector_Dynatrace_Attacks_Polling_Config.json
new file mode 100644
index 00000000000..67ad53145ba
--- /dev/null
+++ b/Solutions/Dynatrace/Data Connectors/DynatraceAttacksV2/Connector_Dynatrace_Attacks_Polling_Config.json
@@ -0,0 +1,52 @@
+{
+ "type": "Microsoft.SecurityInsights/dataConnectors",
+ "apiVersion": "2021-10-01-preview",
+ "name": "DynatraceAttacksV2",
+ "location": "{{location}}",
+ "kind": "RestApiPoller",
+ "properties": {
+ "connectorDefinitionName": "DynatraceAttacksCCPDefinition",
+ "dataType": "DynatraceAttacksV2_CL",
+ "auth": {
+ "type": "APIKey",
+ "ApiKey": "[[parameters('dynatraceAccessToken')]",
+ "APIKeyIdentifier": "Api-Token",
+ "APIKeyName": "Authorization"
+ },
+ "request": {
+ "apiEndpoint": "[[concat('https://',parameters('dynatraceEnvironmentUrl'),'/api/v2/attacks')]",
+ "httpMethod": "Get",
+ "rateLimitQPS": 2,
+ "retryCount": 3,
+ "timeoutInSeconds": 120,
+ "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ",
+ "queryWindowInMin": 5,
+ "startTimeAttributeName": "from",
+ "endTimeAttributeName": "to",
+ "headers": {
+ "Accept": "application/json",
+ "User-Agent": "dynatrace-microsoft-sentinel/3.0.2/connectors/attacks"
+ },
+ "queryParameters": {
+ "fields": "+attacker,+request,+entrypoint,+vulnerability,+managementZones"
+ }
+ },
+ "response": {
+ "eventsJsonPaths": [
+ "$.attacks"
+ ],
+ "convertChildPropertiesToArray": true
+ },
+ "dcrConfig": {
+ "streamName": "Custom-DynatraceAttacksV2",
+ "dataCollectionEndpoint": "{{dataCollectionEndpoint}}",
+ "dataCollectionRuleImmutableId": "{{dataCollectionRuleImmutableId}}"
+ },
+ "paging": {
+ "pagingType": "NextPageToken",
+ "pagingQueryParamOnly": true,
+ "nextPageTokenJsonPath": "$.nextPageKey",
+ "nextPageParaName": "nextPageKey"
+ }
+ }
+}
\ No newline at end of file
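Review bot: `apiEndpoint` is built as `https://` + `parameters('dynatraceEnvironmentUrl')` + `/api/v2/attacks`, and the `auth` block sends the access token as `Authorization: Api-Token …` to whatever host that parameter holds, but nothing in this poller or its companion definition constrains or validates the value. An operator who pastes `https://xyz.live.dynatrace.com` or a hostname with a trailing path gets a malformed URL, and a typo in the hostname sends a live `attacks.read` token to an unintended third party. Since a RestApiPoller config cannot validate input, I'd at least tighten the tenant textbox label and description in the definition to "hostname only, no scheme or path (e.g. abc12345.live.dynatrace.com)". `pagingQueryParamOnly: true` with `nextPageKey` appears to match Dynatrace's requirement that follow-up pages carry only the nextPageKey parameter — worth confirming against the API reference.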
diff --git a/Solutions/Dynatrace/Data Connectors/DynatraceAttacksV2/Connector_Dynatrace_Attacks_table.json b/Solutions/Dynatrace/Data Connectors/DynatraceAttacksV2/Connector_Dynatrace_Attacks_table.json
new file mode 100644
index 00000000000..6a6040025d5
--- /dev/null
+++ b/Solutions/Dynatrace/Data Connectors/DynatraceAttacksV2/Connector_Dynatrace_Attacks_table.json
@@ -0,0 +1,65 @@
+{
+ "name": "DynatraceAttacksV2_CL",
+ "apiVersion": "2021-03-01-privatepreview",
+ "type": "Microsoft.OperationalInsights/workspaces/tables",
+ "location": "{{location}}",
+ "properties": {
+ "schema": {
+ "name": "DynatraceAttacksV2_CL",
+ "columns": [
+ {
+ "name": "TimeGenerated",
+ "type": "datetime"
+ },
+ {
+ "name": "attackId",
+ "type": "string"
+ },
+ {
+ "name": "displayId",
+ "type": "string"
+ },
+ {
+ "name": "displayName",
+ "type": "string"
+ },
+ {
+ "name": "attackType",
+ "type": "string"
+ },
+ {
+ "name": "technology",
+ "type": "string"
+ },
+ {
+ "name": "state",
+ "type": "string"
+ },
+ {
+ "name": "affectedEntities",
+ "type": "dynamic"
+ },
+ {
+ "name": "request",
+ "type": "dynamic"
+ },
+ {
+ "name": "entrypoint",
+ "type": "dynamic"
+ },
+ {
+ "name": "vulnerability",
+ "type": "dynamic"
+ },
+ {
+ "name": "attacker",
+ "type": "dynamic"
+ },
+ {
+ "name": "managementZones",
+ "type": "dynamic"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/Solutions/Dynatrace/Data Connectors/Connector_Dynatrace_AuditLogs.json b/Solutions/Dynatrace/Data Connectors/DynatraceAuditLogsV1/Connector_Dynatrace_AuditLogs.json
similarity index 98%
rename from Solutions/Dynatrace/Data Connectors/Connector_Dynatrace_AuditLogs.json
rename to Solutions/Dynatrace/Data Connectors/DynatraceAuditLogsV1/Connector_Dynatrace_AuditLogs.json
index 20b2be984ce..fca453434f8 100644
--- a/Solutions/Dynatrace/Data Connectors/Connector_Dynatrace_AuditLogs.json
+++ b/Solutions/Dynatrace/Data Connectors/DynatraceAuditLogsV1/Connector_Dynatrace_AuditLogs.json
@@ -29,7 +29,7 @@
"properties": {
"connectorUiConfig": {
"id" : "DynatraceAuditLogs",
- "title": "Dynatrace Audit Logs",
+ "title": "Dynatrace Audit Logs V1",
"publisher": "Dynatrace",
"descriptionMarkdown": "This connector uses the [Dynatrace Audit Logs REST API](https://docs.dynatrace.com/docs/dynatrace-api/environment-api/audit-logs) to ingest tenant audit logs into Microsoft Sentinel Log Analytics",
"additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected which is deployed with the Microsoft Sentinel Solution.",
@@ -71,7 +71,7 @@
],
"availability": {
"status": 1,
- "isPreview": true
+ "isPreview": false
},
"permissions": {
"resourceProvider": [
@@ -142,7 +142,7 @@
"endTimeAttributeName": "to",
"headers": {
"Accept": "application/json",
- "User-Agent" : "dynatrace-microsoft-sentinel/3.x/connectors/auditlogs"
+ "User-Agent" : "dynatrace-microsoft-sentinel/3.0.2/connectors/auditlogs"
}
},
"paging": {
diff --git a/Solutions/Dynatrace/Data Connectors/DynatraceAuditLogsV2/Connector_Dynatrace_AuditLogs_DCR.json b/Solutions/Dynatrace/Data Connectors/DynatraceAuditLogsV2/Connector_Dynatrace_AuditLogs_DCR.json
new file mode 100644
index 00000000000..da96db767b6
--- /dev/null
+++ b/Solutions/Dynatrace/Data Connectors/DynatraceAuditLogsV2/Connector_Dynatrace_AuditLogs_DCR.json
@@ -0,0 +1,79 @@
+{
+ "name": "DTAuditLogs2DCR",
+ "apiVersion": "2021-09-01-preview",
+ "type": "Microsoft.Insights/dataCollectionRules",
+ "location": "{{location}}",
+ "properties": {
+ "streamDeclarations": {
+ "Custom-DynatraceAuditLogsV2": {
+ "columns": [
+ {
+ "name": "timestamp",
+ "type": "long"
+ },
+ {
+ "name": "logId",
+ "type": "string"
+ },
+ {
+ "name": "eventType",
+ "type": "string"
+ },
+ {
+ "name": "category",
+ "type": "string"
+ },
+ {
+ "name": "entityId",
+ "type": "string"
+ },
+ {
+ "name": "environmentId",
+ "type": "string"
+ },
+ {
+ "name": "user",
+ "type": "string"
+ },
+ {
+ "name": "userType",
+ "type": "string"
+ },
+ {
+ "name": "userOrigin",
+ "type": "string"
+ },
+ {
+ "name": "success",
+ "type": "boolean"
+ },
+ {
+ "name": "patch",
+ "type": "dynamic"
+ }
+ ]
+ }
+ },
+ "destinations": {
+ "logAnalytics": [
+ {
+ "workspaceResourceId": "{{workspaceResourceId}}",
+ "name": "clv2ws1"
+ }
+ ]
+ },
+ "dataFlows": [
+ {
+ "streams": [
+ "Custom-DynatraceAuditLogsV2"
+ ],
+ "destinations": [
+ "clv2ws1"
+ ],
+ "transformKql": "let fromUnixTime = (t: long) {\ndatetime(1970-01-01) + t * 1ms\n};\nsource | extend TimeGenerated = fromUnixTime(timestamp) | project-away timestamp",
+ "outputStream": "Custom-DynatraceAuditLogsV2_CL"
+ }
+ ],
+ "dataCollectionEndpointId": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]"
+ }
+}
\ No newline at end of file
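Review bot: `transformKql` maps a missing or zero `timestamp` to 1970-01-01 because `fromUnixTime` runs unconditionally before `project-away timestamp`; for audit data this is the difference between an event being visible in its retention window and sorting silently to the bottom of history, and I believe Azure Monitor adjusts or rejects TimeGenerated far in the past — verify. I'd write `TimeGenerated = iff(isnull(timestamp) or timestamp <= 0, now(), fromUnixTime(timestamp))`. The `success` column is declared `boolean`; if the API ever returns it as a string the row would presumably be rejected by the DCR rather than coerced, which is a reasonable failure mode but worth a line in the README.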
diff --git a/Solutions/Dynatrace/Data Connectors/DynatraceAuditLogsV2/Connector_Dynatrace_AuditLogs_Definition.json b/Solutions/Dynatrace/Data Connectors/DynatraceAuditLogsV2/Connector_Dynatrace_AuditLogs_Definition.json
new file mode 100644
index 00000000000..e0ac4195b0f
--- /dev/null
+++ b/Solutions/Dynatrace/Data Connectors/DynatraceAuditLogsV2/Connector_Dynatrace_AuditLogs_Definition.json
@@ -0,0 +1,118 @@
+{
+ "name": "DynatraceAuditLogsCCPDefinition",
+ "apiVersion": "2022-09-01-preview",
+ "type": "Microsoft.SecurityInsights/dataConnectorDefinitions",
+ "location": "{{location}}",
+ "kind": "Customizable",
+ "properties": {
+ "connectorUiConfig": {
+ "id": "DynatraceAuditLogsCCPDefinition",
+ "title": "Dynatrace Audit Logs V2",
+ "publisher": "Dynatrace",
+ "descriptionMarkdown": "This connector uses the [Dynatrace Audit Logs REST API](https://docs.dynatrace.com/docs/dynatrace-api/environment-api/audit-logs) to ingest tenant audit logs into Microsoft Sentinel Log Analytics",
+ "additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected which is deployed with the Microsoft Sentinel Solution.",
+ "graphQueriesTableName": "DynatraceAuditLogsV2_CL",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "Dynatrace Audit Log Events",
+ "baseQuery": "{{graphQueriesTableName}}"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "All Audit Log Events",
+ "query": "DynatraceAuditLogs\n| take 10"
+ },
+ {
+ "description": "User Login Events",
+ "query": "DynatraceAuditLogs\n| where EventType == \"LOGIN\"\n and Category == \"WEB_UI\"\n | take 10"
+ },
+ {
+ "description": "Access Token Creation Events",
+ "query": "DynatraceAuditLogs\n| where EventType == \"CREATE\"\n and Category == \"TOKEN\"\n | take 10"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "{{graphQueriesTableName}}",
+ "lastDataReceivedQuery": "{{graphQueriesTableName}}\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriteria": [
+ {
+ "type": "HasDataConnectors",
+ "value": null
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": true
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "name": "Dynatrace tenant (ex. xyz.dynatrace.com)",
+ "description": "You need a valid Dynatrace Tenant, to learn more about the Dynatrace platform [Start your free trial](https://www.dynatrace.com/trial)."
+ },
+ {
+ "name": "Dynatrace Access Token",
+ "description": "You need a Dynatrace Access Token, the token should have ***Read audit logs*** (auditLogs.read) scope."
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "title": "Dynatrace Audit Log Events to Microsoft Sentinel",
+ "description": "Enable Dynatrace Audit [Logging](https://docs.dynatrace.com/docs/shortlink/audit-logs#enable-audit-logging). \n Follow [these instructions](https://docs.dynatrace.com/docs/shortlink/token#create-api-token) to generate an access token.",
+ "instructions": [
+ {
+ "parameters": {
+ "enable": "true",
+ "type": "text",
+ "label": "Dynatrace tenant (ex. xyz.dynatrace.com)",
+ "placeholder": "{{dynatraceEnvironmentUrl}}",
+ "name": "dynatraceEnvironmentUrl"
+ },
+ "type": "Textbox"
+ },
+ {
+ "parameters": {
+ "enable": "true",
+ "type": "password",
+ "label": "Dynatrace Access Token",
+ "placeholder": "{{dynatraceAccessToken}}",
+ "name": "dynatraceAccessToken"
+ },
+ "type": "Textbox"
+ },
+ {
+ "type": "ConnectionToggleButton",
+ "parameters": {
+ "connectLabel": "connect",
+ "name": "toggle"
+ }
+ }
+ ]
+ }
+ ],
+ "metadata": {
+ "version": "1.0.2",
+ "kind": "dataConnector"
+ }
+ }
+ }
+}
\ No newline at end of file
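Review bot: `requiredPermissions` asks for `delete: true` but `permissionsDisplayText` states only "read and write permissions are required", so the operator is not told the full set of rights being requested. Either remove delete, `"requiredPermissions": { "write": true, "read": true }`, or correct the text to "read, write and delete permissions are required" and say why delete is needed. The token guidance naming only the `auditLogs.read` scope is good; since audit logs record token creation and logins, the README could add that the connector's own token should be created by a dedicated service identity so its use is itself auditable.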
diff --git a/Solutions/Dynatrace/Data Connectors/DynatraceAuditLogsV2/Connector_Dynatrace_AuditLogs_Polling_Config.json b/Solutions/Dynatrace/Data Connectors/DynatraceAuditLogsV2/Connector_Dynatrace_AuditLogs_Polling_Config.json
new file mode 100644
index 00000000000..b6761e7886b
--- /dev/null
+++ b/Solutions/Dynatrace/Data Connectors/DynatraceAuditLogsV2/Connector_Dynatrace_AuditLogs_Polling_Config.json
@@ -0,0 +1,49 @@
+{
+ "type": "Microsoft.SecurityInsights/dataConnectors",
+ "apiVersion": "2021-10-01-preview",
+ "name": "DynatraceAuditLogsV2",
+ "location": "{{location}}",
+ "kind": "RestApiPoller",
+ "properties": {
+ "connectorDefinitionName": "DynatraceAuditLogsCCPDefinition",
+ "dataType": "DynatraceAuditLogsV2_CL",
+ "auth": {
+ "type": "APIKey",
+ "ApiKey": "[[parameters('dynatraceAccessToken')]",
+ "APIKeyIdentifier": "Api-Token",
+ "APIKeyName": "Authorization"
+ },
+ "request": {
+ "apiEndpoint": "[[concat('https://',parameters('dynatraceEnvironmentUrl'),'/api/v2/auditlogs')]",
+ "httpMethod": "Get",
+ "rateLimitQPS": 2,
+ "retryCount": 3,
+ "timeoutInSeconds": 120,
+ "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ",
+ "queryWindowInMin": 5,
+ "startTimeAttributeName": "from",
+ "endTimeAttributeName": "to",
+ "headers": {
+ "Accept": "application/json",
+ "User-Agent": "dynatrace-microsoft-sentinel/3.0.2/connectors/auditlogs"
+ }
+ },
+ "response": {
+ "eventsJsonPaths": [
+ "$.auditLogs"
+ ],
+ "convertChildPropertiesToArray": true
+ },
+ "dcrConfig": {
+ "streamName": "Custom-DynatraceAuditLogsV2",
+ "dataCollectionEndpoint": "{{dataCollectionEndpoint}}",
+ "dataCollectionRuleImmutableId": "{{dataCollectionRuleImmutableId}}"
+ },
+ "paging": {
+ "pagingType": "NextPageToken",
+ "pagingQueryParamOnly": true,
+ "nextPageTokenJsonPath": "$.nextPageKey",
+ "nextPageParaName": "nextPageKey"
+ }
+ }
+}
\ No newline at end of file
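Review bot: `apiEndpoint` concatenates `https://`, the operator-supplied `dynatraceEnvironmentUrl` and `/api/v2/auditlogs`, and `auth` sends the token as `Authorization: Api-Token …` to that host with no validation of the value; a pasted scheme or path breaks the URL and a mistyped host leaks a live `auditLogs.read` token. The definition's textbox should state "hostname only, no scheme or path (e.g. abc12345.live.dynatrace.com)" since the poller itself cannot enforce it. `queryWindowInMin: 5` with `retryCount: 3` means a sustained outage longer than the retry budget leaves a gap in the audit trail that is not backfilled as far as I can see from this config — worth documenting so operators know to reconcile against Dynatrace directly after an incident.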
diff --git a/Solutions/Dynatrace/Data Connectors/DynatraceAuditLogsV2/Connector_Dynatrace_AuditLogs_table.json b/Solutions/Dynatrace/Data Connectors/DynatraceAuditLogsV2/Connector_Dynatrace_AuditLogs_table.json
new file mode 100644
index 00000000000..0abe56ccf7e
--- /dev/null
+++ b/Solutions/Dynatrace/Data Connectors/DynatraceAuditLogsV2/Connector_Dynatrace_AuditLogs_table.json
@@ -0,0 +1,57 @@
+{
+ "name": "DynatraceAuditLogsV2_CL",
+ "apiVersion": "2021-03-01-privatepreview",
+ "type": "Microsoft.OperationalInsights/workspaces/tables",
+ "location": "{{location}}",
+ "properties": {
+ "schema": {
+ "name": "DynatraceAuditLogsV2_CL",
+ "columns": [
+ {
+ "name": "TimeGenerated",
+ "type": "datetime"
+ },
+ {
+ "name": "logId",
+ "type": "string"
+ },
+ {
+ "name": "eventType",
+ "type": "string"
+ },
+ {
+ "name": "category",
+ "type": "string"
+ },
+ {
+ "name": "entityId",
+ "type": "string"
+ },
+ {
+ "name": "environmentId",
+ "type": "string"
+ },
+ {
+ "name": "user",
+ "type": "string"
+ },
+ {
+ "name": "userType",
+ "type": "string"
+ },
+ {
+ "name": "userOrigin",
+ "type": "string"
+ },
+ {
+ "name": "success",
+ "type": "boolean"
+ },
+ {
+ "name": "patch",
+ "type": "dynamic"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/Solutions/Dynatrace/Data Connectors/Connector_Dynatrace_Problems.json b/Solutions/Dynatrace/Data Connectors/DynatraceProblemsV1/Connector_Dynatrace_Problems.json
similarity index 98%
rename from Solutions/Dynatrace/Data Connectors/Connector_Dynatrace_Problems.json
rename to Solutions/Dynatrace/Data Connectors/DynatraceProblemsV1/Connector_Dynatrace_Problems.json
index dde064919f9..5882ac3048c 100644
--- a/Solutions/Dynatrace/Data Connectors/Connector_Dynatrace_Problems.json
+++ b/Solutions/Dynatrace/Data Connectors/DynatraceProblemsV1/Connector_Dynatrace_Problems.json
@@ -29,7 +29,7 @@
"properties": {
"connectorUiConfig": {
"id" : "DynatraceProblems",
- "title": "Dynatrace Problems",
+ "title": "Dynatrace Problems V1",
"publisher": "Dynatrace",
"descriptionMarkdown": "This connector uses the [Dynatrace Problem REST API](https://docs.dynatrace.com/docs/dynatrace-api/environment-api/problems-v2) to ingest problem events into Microsoft Sentinel Log Analytics",
"additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected which is deployed with the Microsoft Sentinel Solution.",
@@ -87,7 +87,7 @@
],
"availability": {
"status": 1,
- "isPreview": true
+ "isPreview": false
},
"permissions": {
"resourceProvider": [
@@ -158,7 +158,7 @@
"endTimeAttributeName": "to",
"headers": {
"Accept": "application/json",
- "User-Agent" : "dynatrace-microsoft-sentinel/3.x/connectors/problems"
+ "User-Agent" : "dynatrace-microsoft-sentinel/3.0.2/connectors/problems"
},
"queryParameters": {
"fields": "+evidenceDetails,+impactAnalysis"
diff --git a/Solutions/Dynatrace/Data Connectors/DynatraceProblemsV2/Connector_Dynatrace_Problems_DCR.json b/Solutions/Dynatrace/Data Connectors/DynatraceProblemsV2/Connector_Dynatrace_Problems_DCR.json
new file mode 100644
index 00000000000..7c13400ff2b
--- /dev/null
+++ b/Solutions/Dynatrace/Data Connectors/DynatraceProblemsV2/Connector_Dynatrace_Problems_DCR.json
@@ -0,0 +1,103 @@
+{
+ "name": "DTProblems2DCR",
+ "apiVersion": "2021-09-01-preview",
+ "type": "Microsoft.Insights/dataCollectionRules",
+ "location": "{{location}}",
+ "properties": {
+ "streamDeclarations": {
+ "Custom-DynatraceProblemsV2": {
+ "columns": [
+ {
+ "name": "problemId",
+ "type": "string"
+ },
+ {
+ "name": "displayId",
+ "type": "string"
+ },
+ {
+ "name": "title",
+ "type": "string"
+ },
+ {
+ "name": "impactLevel",
+ "type": "string"
+ },
+ {
+ "name": "severityLevel",
+ "type": "string"
+ },
+ {
+ "name": "status",
+ "type": "string"
+ },
+ {
+ "name": "affectedEntities",
+ "type": "dynamic"
+ },
+ {
+ "name": "impactedEntities",
+ "type": "dynamic"
+ },
+ {
+ "name": "rootCauseEntity",
+ "type": "dynamic"
+ },
+ {
+ "name": "managementZones",
+ "type": "dynamic"
+ },
+ {
+ "name": "entityTags",
+ "type": "dynamic"
+ },
+ {
+ "name": "problemFilters",
+ "type": "dynamic"
+ },
+ {
+ "name": "startTime",
+ "type": "long"
+ },
+ {
+ "name": "endTime",
+ "type": "long"
+ },
+ {
+ "name": "evidenceDetails",
+ "type": "dynamic"
+ },
+ {
+ "name": "recentComments",
+ "type": "dynamic"
+ },
+ {
+ "name": "impactAnalysis",
+ "type": "dynamic"
+ }
+ ]
+ }
+ },
+ "destinations": {
+ "logAnalytics": [
+ {
+ "workspaceResourceId": "{{workspaceResourceId}}",
+ "name": "clv2ws1"
+ }
+ ]
+ },
+ "dataFlows": [
+ {
+ "streams": [
+ "Custom-DynatraceProblemsV2"
+ ],
+ "destinations": [
+ "clv2ws1"
+ ],
+ "transformKql": "let fromUnixTime = (t: long) {\ndatetime(1970-01-01) + t * 1ms\n};\nsource | extend TimeGenerated = fromUnixTime(startTime), startTimeUtc = fromUnixTime(startTime), endTimeUtc = iff(endTime == -1, datetime(null), fromUnixTime(endTime)) | project-away startTime, endTime | project-rename problemTitle = ['title']",
+ "outputStream": "Custom-DynatraceProblemsV2_CL"
+ }
+ ],
+ "dataCollectionEndpointId": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]"
+ }
+}
\ No newline at end of file
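Review bot: `transformKql` sets `TimeGenerated = fromUnixTime(startTime)`, so a problem that started days ago and is re-fetched when its state changes (the `endTime == -1` branch shows both open and closed problems are expected) is stamped with its original start time rather than when the update was observed. I believe Azure Monitor adjusts or rejects TimeGenerated more than about two days in the past — verify — in which case the close events of long-running problems would be mis-timed or lost, and the "All Open Problem Events" sample query in the definition depends on seeing those later rows. I'd keep `startTimeUtc`/`endTimeUtc` as the domain timestamps and set `TimeGenerated = now()` (or `iff(endTime == -1, now(), fromUnixTime(endTime))`) so ingestion order is preserved. A null `startTime` should also be guarded with `isnull(startTime)` before `fromUnixTime` is applied.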
diff --git a/Solutions/Dynatrace/Data Connectors/DynatraceProblemsV2/Connector_Dynatrace_Problems_Definition.json b/Solutions/Dynatrace/Data Connectors/DynatraceProblemsV2/Connector_Dynatrace_Problems_Definition.json
new file mode 100644
index 00000000000..747d2e1f1d4
--- /dev/null
+++ b/Solutions/Dynatrace/Data Connectors/DynatraceProblemsV2/Connector_Dynatrace_Problems_Definition.json
@@ -0,0 +1,134 @@
+{
+ "name": "DynatraceProblemsCCPDefinition",
+ "apiVersion": "2022-09-01-preview",
+ "type": "Microsoft.SecurityInsights/dataConnectorDefinitions",
+ "location": "{{location}}",
+ "kind": "Customizable",
+ "properties": {
+ "connectorUiConfig": {
+ "id": "DynatraceProblemsCCPDefinition",
+ "title": "Dynatrace Problems V2",
+ "publisher": "Dynatrace",
+ "descriptionMarkdown": "This connector uses the [Dynatrace Problem REST API](https://docs.dynatrace.com/docs/dynatrace-api/environment-api/problems-v2) to ingest problem events into Microsoft Sentinel Log Analytics",
+ "additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected which is deployed with the Microsoft Sentinel Solution.",
+ "graphQueriesTableName": "DynatraceProblemsV2_CL",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "Dynatrace Problem Events",
+ "baseQuery": "{{graphQueriesTableName}}"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "All Problem Events",
+ "query": "DynatraceProblems\n| summarize arg_max(StartTime, *) by ProblemId\n| take 10"
+ },
+ {
+ "description": "All Open Problem Events",
+ "query": "DynatraceProblems\n| summarize arg_max(EndTime, *) by ProblemId\n| where isnull(EndTime) or Status == \"OPEN\"\n| take 10"
+ },
+ {
+ "description": "Error Problem Events",
+ "query": "DynatraceProblems\n| where SeverityLevel == \"ERROR\"\n| summarize arg_max(StartTime, *) by ProblemId\n| take 10"
+ },
+ {
+ "description": "Availability Problem Events",
+ "query": "DynatraceProblems\n| where SeverityLevel == \"AVAILABILITY\"\n| summarize arg_max(StartTime, *) by ProblemId\n| take 10"
+ },
+ {
+ "description": "Performance Problem Events",
+ "query": "DynatraceProblems\n| where SeverityLevel == \"PERFORMANCE\"\n| summarize arg_max(StartTime, *) by ProblemId\n| take 10"
+ },
+ {
+ "description": "Count Problem Events by impact level",
+ "query": "DynatraceProblems\n| summarize arg_max(StartTime, *) by ProblemId\n| summarize count() by ImpactLevel\n| take 10"
+ },
+ {
+ "description": "Count Problem Events by severity level",
+ "query": "DynatraceProblems\n| summarize arg_max(StartTime, *) by ProblemId\n| summarize count() by SeverityLevel\n| take 10"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "{{graphQueriesTableName}}",
+ "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriteria": [
+ {
+ "type": "HasDataConnectors",
+ "value": null
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": true
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "name": "Dynatrace tenant (ex. xyz.dynatrace.com)",
+ "description": "You need a valid Dynatrace Tenant, to learn more about the Dynatrace platform [Start your free trial](https://www.dynatrace.com/trial)."
+ },
+ {
+ "name": "Dynatrace Access Token",
+ "description": "You need a Dynatrace Access Token, the token should have ***Read problems*** (problems.read) scope."
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "title": "Dynatrace Problem Events to Microsoft Sentinel",
+ "description": "Follow [these instructions](https://docs.dynatrace.com/docs/shortlink/token#create-api-token) to generate an access token.",
+ "instructions": [
+ {
+ "parameters": {
+ "enable": "true",
+ "type": "text",
+ "label": "Dynatrace tenant (ex. xyz.dynatrace.com)",
+ "placeholder": "{{dynatraceEnvironmentUrl}}",
+ "name": "dynatraceEnvironmentUrl"
+ },
+ "type": "Textbox"
+ },
+ {
+ "parameters": {
+ "enable": "true",
+ "type": "password",
+ "label": "Dynatrace Access Token",
+ "placeholder": "{{dynatraceAccessToken}}",
+ "name": "dynatraceAccessToken"
+ },
+ "type": "Textbox"
+ },
+ {
+ "type": "ConnectionToggleButton",
+ "parameters": {
+ "connectLabel": "connect",
+ "name": "toggle"
+ }
+ }
+ ]
+ }
+ ],
+ "metadata": {
+ "version": "1.0.2",
+ "kind": "dataConnector"
+ }
+ }
+ }
+}
\ No newline at end of file
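Review bot: `requiredPermissions` requests `delete: true` while `permissionsDisplayText` says only "read and write permissions are required"; the displayed requirement understates what the connector asks for. Drop delete, `"requiredPermissions": { "write": true, "read": true }`, if the CCP lifecycle does not need it, otherwise make the text say "read, write and delete permissions are required" and note why. The `problems.read` single-scope token guidance is the correct least-privilege advice and should be kept.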
diff --git a/Solutions/Dynatrace/Data Connectors/DynatraceProblemsV2/Connector_Dynatrace_Problems_Polling_Config.json b/Solutions/Dynatrace/Data Connectors/DynatraceProblemsV2/Connector_Dynatrace_Problems_Polling_Config.json
new file mode 100644
index 00000000000..6dcab988e3d
--- /dev/null
+++ b/Solutions/Dynatrace/Data Connectors/DynatraceProblemsV2/Connector_Dynatrace_Problems_Polling_Config.json
@@ -0,0 +1,52 @@
+{
+ "type": "Microsoft.SecurityInsights/dataConnectors",
+ "apiVersion": "2021-10-01-preview",
+ "name": "DynatraceProblemsV2",
+ "location": "{{location}}",
+ "kind": "RestApiPoller",
+ "properties": {
+ "connectorDefinitionName": "DynatraceProblemsCCPDefinition",
+ "dataType": "DynatraceProblemsV2_CL",
+ "auth": {
+ "type": "APIKey",
+ "ApiKey": "[[parameters('dynatraceAccessToken')]",
+ "APIKeyIdentifier": "Api-Token",
+ "APIKeyName": "Authorization"
+ },
+ "request": {
+ "apiEndpoint": "[[concat('https://',parameters('dynatraceEnvironmentUrl'),'/api/v2/problems')]",
+ "httpMethod": "Get",
+ "rateLimitQPS": 2,
+ "retryCount": 3,
+ "timeoutInSeconds": 120,
+ "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ",
+ "queryWindowInMin": 5,
+ "startTimeAttributeName": "from",
+ "endTimeAttributeName": "to",
+ "headers": {
+ "Accept": "application/json",
+ "User-Agent": "dynatrace-microsoft-sentinel/3.0.2/connectors/problems"
+ },
+ "queryParameters": {
+ "fields": "+evidenceDetails,+impactAnalysis"
+ }
+ },
+ "response": {
+ "eventsJsonPaths": [
+ "$.problems"
+ ],
+ "convertChildPropertiesToArray": true
+ },
+ "dcrConfig": {
+ "streamName": "Custom-DynatraceProblemsV2",
+ "dataCollectionEndpoint": "{{dataCollectionEndpoint}}",
+ "dataCollectionRuleImmutableId": "{{dataCollectionRuleImmutableId}}"
+ },
+ "paging": {
+ "pagingType": "NextPageToken",
+ "pagingQueryParamOnly": true,
+ "nextPageTokenJsonPath": "$.nextPageKey",
+ "nextPageParaName": "nextPageKey"
+ }
+ }
+}
\ No newline at end of file
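Review bot: `apiEndpoint` builds `https://` + `parameters('dynatraceEnvironmentUrl')` + `/api/v2/problems` and `auth` sends `Authorization: Api-Token …` to that host with no validation of the tenant value, so a pasted scheme or path yields a malformed URL and a mistyped host sends a live `problems.read` token elsewhere. The definition's tenant textbox should say "hostname only, no scheme or path (e.g. abc12345.live.dynatrace.com)". The `fields` query parameter adds `evidenceDetails` and `impactAnalysis`, which can be sizeable per problem; combined with `queryWindowInMin: 5` and `rateLimitQPS: 2` this seems fine, but a note in the README about expected ingestion volume would help capacity planning.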
diff --git a/Solutions/Dynatrace/Data Connectors/DynatraceProblemsV2/Connector_Dynatrace_Problems_table.json b/Solutions/Dynatrace/Data Connectors/DynatraceProblemsV2/Connector_Dynatrace_Problems_table.json
new file mode 100644
index 00000000000..6bfc0fca23d
--- /dev/null
+++ b/Solutions/Dynatrace/Data Connectors/DynatraceProblemsV2/Connector_Dynatrace_Problems_table.json
@@ -0,0 +1,85 @@
+{
+ "name": "DynatraceProblemsV2_CL",
+ "apiVersion": "2021-03-01-privatepreview",
+ "type": "Microsoft.OperationalInsights/workspaces/tables",
+ "location": "{{location}}",
+ "properties": {
+ "schema": {
+ "name": "DynatraceProblemsV2_CL",
+ "columns": [
+ {
+ "name": "TimeGenerated",
+ "type": "datetime"
+ },
+ {
+ "name": "problemId",
+ "type": "string"
+ },
+ {
+ "name": "displayId",
+ "type": "string"
+ },
+ {
+ "name": "problemTitle",
+ "type": "string"
+ },
+ {
+ "name": "impactLevel",
+ "type": "string"
+ },
+ {
+ "name": "severityLevel",
+ "type": "string"
+ },
+ {
+ "name": "status",
+ "type": "string"
+ },
+ {
+ "name": "affectedEntities",
+ "type": "dynamic"
+ },
+ {
+ "name": "impactedEntities",
+ "type": "dynamic"
+ },
+ {
+ "name": "rootCauseEntity",
+ "type": "dynamic"
+ },
+ {
+ "name": "managementZones",
+ "type": "dynamic"
+ },
+ {
+ "name": "entityTags",
+ "type": "dynamic"
+ },
+ {
+ "name": "problemFilters",
+ "type": "dynamic"
+ },
+ {
+ "name": "startTimeUtc",
+ "type": "datetime"
+ },
+ {
+ "name": "endTimeUtc",
+ "type": "datetime"
+ },
+ {
+ "name": "evidenceDetails",
+ "type": "dynamic"
+ },
+ {
+ "name": "recentComments",
+ "type": "dynamic"
+ },
+ {
+ "name": "impactAnalysis",
+ "type": "dynamic"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/Solutions/Dynatrace/Data Connectors/Connector_Dynatrace_RuntimeVulnerabilities.json b/Solutions/Dynatrace/Data Connectors/DynatraceRuntimeVulnerabilitiesV1/Connector_Dynatrace_RuntimeVulnerabilities.json
similarity index 98%
rename from Solutions/Dynatrace/Data Connectors/Connector_Dynatrace_RuntimeVulnerabilities.json
rename to Solutions/Dynatrace/Data Connectors/DynatraceRuntimeVulnerabilitiesV1/Connector_Dynatrace_RuntimeVulnerabilities.json
index bcff6f402ce..d0b3612ef47 100644
--- a/Solutions/Dynatrace/Data Connectors/Connector_Dynatrace_RuntimeVulnerabilities.json
+++ b/Solutions/Dynatrace/Data Connectors/DynatraceRuntimeVulnerabilitiesV1/Connector_Dynatrace_RuntimeVulnerabilities.json
@@ -29,7 +29,7 @@
"properties": {
"connectorUiConfig": {
"id" : "DynatraceRuntimeVulnerabilities",
- "title": "Dynatrace Runtime Vulnerabilities",
+ "title": "Dynatrace Runtime Vulnerabilities V1",
"publisher": "Dynatrace",
"descriptionMarkdown": "This connector uses the [Dynatrace Security Problem REST API](https://docs.dynatrace.com/docs/dynatrace-api/environment-api/application-security/vulnerabilities/get-vulnerabilities) to ingest detected runtime vulnerabilities into Microsoft Sentinel Log Analytics.",
"additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected which is deployed with the Microsoft Sentinel Solution.",
@@ -87,7 +87,7 @@
],
"availability": {
"status": 1,
- "isPreview": true
+ "isPreview": false
},
"permissions": {
"resourceProvider": [
@@ -158,7 +158,7 @@
"endTimeAttributeName": "to",
"headers": {
"Accept": "application/json",
- "User-Agent" : "dynatrace-microsoft-sentinel/3.x/connectors/securityproblems"
+ "User-Agent" : "dynatrace-microsoft-sentinel/3.0.2/connectors/securityproblems"
},
"queryParameters": {
"fields": "+riskAssessment,+managementZones,+codeLevelVulnerabilityDetails"
diff --git a/Solutions/Dynatrace/Data Connectors/DynatraceRuntimeVulnerabilitiesV2/Connector_Dynatrace_RuntimeVulnerabilities_DCR.json b/Solutions/Dynatrace/Data Connectors/DynatraceRuntimeVulnerabilitiesV2/Connector_Dynatrace_RuntimeVulnerabilities_DCR.json
new file mode 100644
index 00000000000..f6b8f13f7fa
--- /dev/null
+++ b/Solutions/Dynatrace/Data Connectors/DynatraceRuntimeVulnerabilitiesV2/Connector_Dynatrace_RuntimeVulnerabilities_DCR.json
@@ -0,0 +1,99 @@
+{
+ "name": "DTSecProbV2DCR",
+ "apiVersion": "2021-09-01-preview",
+ "type": "Microsoft.Insights/dataCollectionRules",
+ "location": "{{location}}",
+ "properties": {
+ "streamDeclarations": {
+ "Custom-DynatraceSecurityProblemsV2": {
+ "columns": [
+ {
+ "name": "securityProblemId",
+ "type": "string"
+ },
+ {
+ "name": "displayId",
+ "type": "string"
+ },
+ {
+ "name": "status",
+ "type": "string"
+ },
+ {
+ "name": "muted",
+ "type": "boolean"
+ },
+ {
+ "name": "externalVulnerabilityId",
+ "type": "string"
+ },
+ {
+ "name": "vulnerabilityType",
+ "type": "string"
+ },
+ {
+ "name": "title",
+ "type": "string"
+ },
+ {
+ "name": "url",
+ "type": "string"
+ },
+ {
+ "name": "technology",
+ "type": "string"
+ },
+ {
+ "name": "firstSeenTimestamp",
+ "type": "long"
+ },
+ {
+ "name": "lastUpdatedTimestamp",
+ "type": "long"
+ },
+ {
+ "name": "lastOpenedTimestamp",
+ "type": "long"
+ },
+ {
+ "name": "riskAssessment",
+ "type": "dynamic"
+ },
+ {
+ "name": "managementZones",
+ "type": "dynamic"
+ },
+ {
+ "name": "cveIds",
+ "type": "dynamic"
+ },
+ {
+ "name": "muteStateChangeInProgress",
+ "type": "string"
+ }
+ ]
+ }
+ },
+ "destinations": {
+ "logAnalytics": [
+ {
+ "workspaceResourceId": "{{workspaceResourceId}}",
+ "name": "clv2ws1"
+ }
+ ]
+ },
+ "dataFlows": [
+ {
+ "streams": [
+ "Custom-DynatraceSecurityProblemsV2"
+ ],
+ "destinations": [
+ "clv2ws1"
+ ],
+ "transformKql": "let fromUnixTime = (t: long) {\ndatetime(1970-01-01) + t * 1ms\n};\nsource | extend TimeGenerated = fromUnixTime(firstSeenTimestamp), firstSeenTimestampUtc = fromUnixTime(firstSeenTimestamp), lastUpdatedTimestampUtc = fromUnixTime(lastUpdatedTimestamp), lastOpenedTimestampUtc = iff(lastOpenedTimestamp == -1, datetime(null), fromUnixTime(lastOpenedTimestamp)) | project-away firstSeenTimestamp, lastUpdatedTimestamp, lastOpenedTimestamp | project-rename securityProblemTitle = ['title']",
+ "outputStream": "Custom-DynatraceSecurityProblemsV2_CL"
+ }
+ ],
+ "dataCollectionEndpointId": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]"
+ }
+}
\ No newline at end of file
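Review bot: `TimeGenerated` in `transformKql` is derived from `firstSeenTimestamp`, so a vulnerability first seen weeks ago but updated inside the 5-minute polling window is ingested with an old `TimeGenerated`; Log Analytics restricts how far in the past `TimeGenerated` may lie relative to ingestion time, and the definition's sample queries key on the last-updated time, so `TimeGenerated = fromUnixTime(lastUpdatedTimestamp)` looks like the safer choice — confirm against the intended semantics. The `-1` sentinel is mapped to `datetime(null)` only for `lastOpenedTimestamp`; if the API can return `-1` for the other two fields they would silently become a 1969 timestamp. `muteStateChangeInProgress` is declared `string` here and in Connector_Dynatrace_RuntimeVulnerabilities_table.json while `muted` is `boolean`; if the API returns a boolean for both, the two declarations should match.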
diff --git a/Solutions/Dynatrace/Data Connectors/DynatraceRuntimeVulnerabilitiesV2/Connector_Dynatrace_RuntimeVulnerabilities_Definition.json b/Solutions/Dynatrace/Data Connectors/DynatraceRuntimeVulnerabilitiesV2/Connector_Dynatrace_RuntimeVulnerabilities_Definition.json
new file mode 100644
index 00000000000..92449b8290c
--- /dev/null
+++ b/Solutions/Dynatrace/Data Connectors/DynatraceRuntimeVulnerabilitiesV2/Connector_Dynatrace_RuntimeVulnerabilities_Definition.json
@@ -0,0 +1,134 @@
+{
+ "name": "DTRunVulnCCPDefinition",
+ "apiVersion": "2022-09-01-preview",
+ "type": "Microsoft.SecurityInsights/dataConnectorDefinitions",
+ "location": "{{location}}",
+ "kind": "Customizable",
+ "properties": {
+ "connectorUiConfig": {
+ "id": "DTRunVulnCCPDefinition",
+ "title": "Dynatrace Runtime Vulnerabilities V2",
+ "publisher": "Dynatrace",
+ "descriptionMarkdown": "This connector uses the [Dynatrace Security Problem REST API](https://docs.dynatrace.com/docs/dynatrace-api/environment-api/application-security/vulnerabilities/get-vulnerabilities) to ingest detected runtime vulnerabilities into Microsoft Sentinel Log Analytics.",
+ "additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected which is deployed with the Microsoft Sentinel Solution.",
+ "graphQueriesTableName": "DynatraceSecurityProblemsV2_CL",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "Dynatrace Vulnerabilities Events",
+ "baseQuery": "{{graphQueriesTableName}}"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "All Vulnerability Events",
+ "query": "DynatraceSecurityProblems\n| summarize arg_max(LastUpdatedTimeStamp, *) by SecurityProblemId\n| take 10"
+ },
+ {
+ "description": "All Third-Party Vulnerability Events",
+ "query": "DynatraceSecurityProblems\n| where VulnerabilityType == \"THIRD_PARTY\"\n| summarize arg_max(LastUpdatedTimeStamp, *) by SecurityProblemId\n| take 10"
+ },
+ {
+ "description": "All Code-level Vulnerability Events",
+ "query": "DynatraceSecurityProblems\n| where VulnerabilityType == \"CODE_LEVEL\"\n| summarize arg_max(LastUpdatedTimeStamp, *) by SecurityProblemId\n| take 10"
+ },
+ {
+ "description": "All Runtime Vulnerability Events",
+ "query": "DynatraceSecurityProblems\n| where VulnerabilityType == \"RUNTIME\"\n| summarize arg_max(LastUpdatedTimeStamp, *) by SecurityProblemId\n| take 10"
+ },
+ {
+ "description": "Critical Vulnerability Events",
+ "query": "DynatraceSecurityProblems\n| where DAVISRiskLevel == \"CRITICAL\"\n| summarize arg_max(LastUpdatedTimeStamp, *) by SecurityProblemId\n| take 10"
+ },
+ {
+ "description": "High Vulnerability Events",
+ "query": "DynatraceSecurityProblems\n| where DAVISRiskLevel == \"HIGH\"\n| summarize arg_max(LastUpdatedTimeStamp, *) by SecurityProblemId\n| take 10"
+ },
+ {
+ "description": "Count Vulnerability Events by Technology and Vulnerability",
+ "query": "DynatraceSecurityProblems\n| summarize arg_max(LastUpdatedTimeStamp, *) by SecurityProblemId\n| summarize count() by Technology, ExternalVulnerabilityId\n| take 10"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "{{graphQueriesTableName}}",
+ "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriteria": [
+ {
+ "type": "HasDataConnectors",
+ "value": null
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": true
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "name": "Dynatrace tenant (ex. xyz.dynatrace.com)",
+ "description": "You need a valid Dynatrace tenant with [Application Security](https://www.dynatrace.com/platform/application-security/) enabled, learn more about the [Dynatrace platform](https://www.dynatrace.com/)."
+ },
+ {
+ "name": "Dynatrace Access Token",
+ "description": "You need a Dynatrace Access Token, the token should have ***Read security problems*** (securityProblems.read) scope."
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "title": "Dynatrace Vulnerabilities Events to Microsoft Sentinel",
+ "description": "Configure and Enable Dynatrace [Application Security](https://www.dynatrace.com/platform/application-security/). \n Follow [these instructions](https://docs.dynatrace.com/docs/shortlink/token#create-api-token) to generate an access token.",
+ "instructions": [
+ {
+ "parameters": {
+ "enable": "true",
+ "type": "text",
+ "label": "Dynatrace tenant (ex. xyz.dynatrace.com)",
+ "placeholder": "{{dynatraceEnvironmentUrl}}",
+ "name": "dynatraceEnvironmentUrl"
+ },
+ "type": "Textbox"
+ },
+ {
+ "parameters": {
+ "enable": "true",
+ "type": "password",
+ "label": "Dynatrace Access Token",
+ "placeholder": "{{dynatraceAccessToken}}",
+ "name": "dynatraceAccessToken"
+ },
+ "type": "Textbox"
+ },
+ {
+ "type": "ConnectionToggleButton",
+ "parameters": {
+ "connectLabel": "connect",
+ "name": "toggle"
+ }
+ }
+ ]
+ }
+ ],
+ "metadata": {
+ "version": "1.0.2",
+ "kind": "dataConnector"
+ }
+ }
+ }
+}
\ No newline at end of file
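Review bot: `sampleQueries` query the parser function `DynatraceSecurityProblems` with PascalCase columns (`SecurityProblemId`, `LastUpdatedTimeStamp`, `DAVISRiskLevel`, `VulnerabilityType`), but `graphQueriesTableName` and the poller's `dataType` point at `DynatraceSecurityProblemsV2_CL`, whose columns are camelCase (`securityProblemId`, `lastUpdatedTimestampUtc`, `riskAssessment`); unless the parser was updated in this commit to union the V2 table and rename its columns, these samples will not show any V2 data. Either target the V2 table directly, e.g. `DynatraceSecurityProblemsV2_CL\n| summarize arg_max(lastUpdatedTimestampUtc, *) by securityProblemId\n| take 10`, or confirm the parser covers both tables. The `additionalRequirementBanner` likewise still states a dependency on a Kusto-function parser, which should be verified for the V2 table.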
diff --git a/Solutions/Dynatrace/Data Connectors/DynatraceRuntimeVulnerabilitiesV2/Connector_Dynatrace_RuntimeVulnerabilities_Polling_Config.json b/Solutions/Dynatrace/Data Connectors/DynatraceRuntimeVulnerabilitiesV2/Connector_Dynatrace_RuntimeVulnerabilities_Polling_Config.json
new file mode 100644
index 00000000000..d5f09ff40d2
--- /dev/null
+++ b/Solutions/Dynatrace/Data Connectors/DynatraceRuntimeVulnerabilitiesV2/Connector_Dynatrace_RuntimeVulnerabilities_Polling_Config.json
@@ -0,0 +1,52 @@
+{
+ "type": "Microsoft.SecurityInsights/dataConnectors",
+ "apiVersion": "2021-10-01-preview",
+ "name": "DTRunVulnV2",
+ "location": "{{location}}",
+ "kind": "RestApiPoller",
+ "properties": {
+ "connectorDefinitionName": "DTRunVulnCCPDefinition",
+ "dataType": "DynatraceSecurityProblemsV2_CL",
+ "auth": {
+ "type": "APIKey",
+ "ApiKey": "[[parameters('dynatraceAccessToken')]",
+ "APIKeyIdentifier": "Api-Token",
+ "APIKeyName": "Authorization"
+ },
+ "request": {
+ "apiEndpoint": "https://{{dynatraceEnvironmentUrl}}/api/v2/securityProblems",
+ "httpMethod": "Get",
+ "rateLimitQPS": 2,
+ "retryCount": 3,
+ "timeoutInSeconds": 120,
+ "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ",
+ "queryWindowInMin": 5,
+ "startTimeAttributeName": "from",
+ "endTimeAttributeName": "to",
+ "headers": {
+ "Accept": "application/json",
+ "User-Agent": "dynatrace-microsoft-sentinel/3.0.2/connectors/securityproblems"
+ },
+ "queryParameters": {
+ "fields": "+riskAssessment,+managementZones,+codeLevelVulnerabilityDetails"
+ }
+ },
+ "response": {
+ "eventsJsonPaths": [
+ "$.securityProblems"
+ ],
+ "convertChildPropertiesToArray": true
+ },
+ "dcrConfig": {
+ "streamName": "Custom-DynatraceSecurityProblemsV2",
+ "dataCollectionEndpoint": "{{dataCollectionEndpoint}}",
+ "dataCollectionRuleImmutableId": "{{dataCollectionRuleImmutableId}}"
+ },
+ "paging": {
+ "pagingType": "NextPageToken",
+ "pagingQueryParamOnly": true,
+ "nextPageTokenJsonPath": "$.nextPageKey",
+ "nextPageParaName": "nextPageKey"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Solutions/Dynatrace/Data Connectors/DynatraceRuntimeVulnerabilitiesV2/Connector_Dynatrace_RuntimeVulnerabilities_table.json b/Solutions/Dynatrace/Data Connectors/DynatraceRuntimeVulnerabilitiesV2/Connector_Dynatrace_RuntimeVulnerabilities_table.json
new file mode 100644
index 00000000000..e595120720b
--- /dev/null
+++ b/Solutions/Dynatrace/Data Connectors/DynatraceRuntimeVulnerabilitiesV2/Connector_Dynatrace_RuntimeVulnerabilities_table.json
@@ -0,0 +1,81 @@
+{
+ "name": "DynatraceSecurityProblemsV2_CL",
+ "apiVersion": "2021-03-01-privatepreview",
+ "type": "Microsoft.OperationalInsights/workspaces/tables",
+ "location": "{{location}}",
+ "properties": {
+ "schema": {
+ "name": "DynatraceSecurityProblemsV2_CL",
+ "columns": [
+ {
+ "name": "TimeGenerated",
+ "type": "datetime"
+ },
+ {
+ "name": "securityProblemId",
+ "type": "string"
+ },
+ {
+ "name": "displayId",
+ "type": "string"
+ },
+ {
+ "name": "status",
+ "type": "string"
+ },
+ {
+ "name": "muted",
+ "type": "boolean"
+ },
+ {
+ "name": "externalVulnerabilityId",
+ "type": "string"
+ },
+ {
+ "name": "vulnerabilityType",
+ "type": "string"
+ },
+ {
+ "name": "securityProblemTitle",
+ "type": "string"
+ },
+ {
+ "name": "url",
+ "type": "string"
+ },
+ {
+ "name": "technology",
+ "type": "string"
+ },
+ {
+ "name": "firstSeenTimestampUtc",
+ "type": "datetime"
+ },
+ {
+ "name": "lastUpdatedTimestampUtc",
+ "type": "datetime"
+ },
+ {
+ "name": "lastOpenedTimestampUtc",
+ "type": "datetime"
+ },
+ {
+ "name": "riskAssessment",
+ "type": "dynamic"
+ },
+ {
+ "name": "managementZones",
+ "type": "dynamic"
+ },
+ {
+ "name": "cveIds",
+ "type": "dynamic"
+ },
+ {
+ "name": "muteStateChangeInProgress",
+ "type": "string"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/Solutions/Dynatrace/Data/Solution_Dynatrace.json b/Solutions/Dynatrace/Data/Solution_Dynatrace.json
index 34b404fb1ba..ebb89df3415 100644
--- a/Solutions/Dynatrace/Data/Solution_Dynatrace.json
+++ b/Solutions/Dynatrace/Data/Solution_Dynatrace.json
@@ -2,7 +2,7 @@
"Name": "Dynatrace",
"Author": "Dynatrace - microsoftalliances@dynatrace.com",
"Logo": "",
- "Description": "- Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Dynatrace/ReleaseNotes.md)\r\n\r\nDynatrace is a leading observability platform that provides automatic and intelligent observability at scale for cloud-native and enterprise workloads; with Dynatrace Application Security, your DevSecOps teams can resolve security issues faster, accelerating software delivery.\r\nIntegrating Dynatrace with Microsoft Sentinel enables DevSecOps teams to detect, prioritize, triage, and remediate attacks rapidly. DevSecOps teams benefit from the high-accuracy threat signals Dynatrace surfaces. It helps them avoid time-consuming investigation activities, freeing them up for more critical tasks.\r\nMicrosoft Sentinel data connectors poll Dynatrace for new [attacks, vulnerabilities, audit logs](https://www.dynatrace.com/platform/application-security/), and [problem events](https://docs.dynatrace.com/docs/shortlink/davis-ai-landing).\r\n\r\n**Included data connectors:**\r\n- **Attacks**, Common attacks on application layer vulnerabilities which can be detected and blocked using Dynatrace, like SQL injection, command injection, and JNDI attacks.\r\n- **Runtime vulnerabilities**, Software vulnerabilities detected throughout all layers of the application stack.\r\n- **Audit logs**, Security-relevant events for a Dynatrace tenant.\r\n- **Problems**, AI-powered observability problems raised across cloud and hybrid environments.\r\n\r\n[Learn More about Dynatrace](https://www.dynatrace.com/) | [Dynatrace Docs](https://docs.dynatrace.com/docs)",
+ "Description": "Dynatrace is a leading observability platform that provides automatic and intelligent observability at scale for cloud-native and enterprise workloads; with Dynatrace Application Security, your DevSecOps teams can resolve security issues faster, accelerating software delivery.\r\nIntegrating Dynatrace with Microsoft Sentinel enables DevSecOps teams to detect, prioritize, triage, and remediate attacks rapidly. DevSecOps teams benefit from the high-accuracy threat signals Dynatrace surfaces. It helps them avoid time-consuming investigation activities, freeing them up for more critical tasks.\r\nMicrosoft Sentinel data connectors poll Dynatrace for new [attacks, vulnerabilities, audit logs](https://www.dynatrace.com/platform/application-security/), and [problem events](https://docs.dynatrace.com/docs/shortlink/davis-ai-landing).\r\n\r\n**Included data connectors:**\r\n- **Attacks**, Common attacks on application layer vulnerabilities which can be detected and blocked using Dynatrace, like SQL injection, command injection, and JNDI attacks.\r\n- **Runtime vulnerabilities**, Software vulnerabilities detected throughout all layers of the application stack.\r\n- **Audit logs**, Security-relevant events for a Dynatrace tenant.\r\n- **Problems**, AI-powered observability problems raised across cloud and hybrid environments.\r\n\r\n[Learn More about Dynatrace](https://www.dynatrace.com/) | [Dynatrace Docs](https://docs.dynatrace.com/docs)\r\n\r\n**Underlying Microsoft Technologies used:**\r\n\r\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\r\na. [Microsoft Sentinel](https://learn.microsoft.com/azure/sentinel/overview)\r\n\r\nb. [Azure Logic Apps](https://learn.microsoft.com/azure/logic-apps/logic-apps-overview)",
"WorkbookBladeDescription": "This solution installs workbooks. Workbooks provide a flexible canvas for data monitoring, analysis, and the creation of rich visual reports within the Azure portal. They allow you to tap into one or many data sources from Microsoft Sentinel and combine them into unified interactive experiences.",
"AnalyticalRuleBladeDescription": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view. ",
"PlaybooksBladeDescription": "This solution installs the following Playbook templates. After installing the solution, playbooks can be managed in the Manage solution view. ",
@@ -26,10 +26,14 @@
"Playbooks/Ingest-DynatraceMSSentinelSecurityAlerts/azuredeploy.json"
],
"Data Connectors": [
- "Data Connectors/Connector_Dynatrace_Attacks.json",
- "Data Connectors/Connector_Dynatrace_RuntimeVulnerabilities.json",
- "Data Connectors/Connector_Dynatrace_Problems.json",
- "Data Connectors/Connector_Dynatrace_AuditLogs.json"
+ "Data Connectors/DynatraceAttacksV1/Connector_Dynatrace_Attacks.json",
+ "Data Connectors/DynatraceAttacksV2/Connector_Dynatrace_Attacks_Definition.json",
+ "Data Connectors/DynatraceAuditLogsV1/Connector_Dynatrace_AuditLogs.json",
+ "Data Connectors/DynatraceAuditLogsV2/Connector_Dynatrace_AuditLogs_Definition.json",
+ "Data Connectors/DynatraceProblemsV1/Connector_Dynatrace_Problems.json",
+ "Data Connectors/DynatraceProblemsV2/Connector_Dynatrace_Problems_Definition.json",
+ "Data Connectors/DynatraceRuntimeVulnerabilitiesV1/Connector_Dynatrace_RuntimeVulnerabilities.json",
+ "Data Connectors/DynatraceRuntimeVulnerabilitiesV2/Connector_Dynatrace_RuntimeVulnerabilities_Definition.json"
],
"Parsers": [
"Parsers/DynatraceAttacks.yaml",
diff --git a/Solutions/Dynatrace/Package/3.0.2.zip b/Solutions/Dynatrace/Package/3.0.2.zip
new file mode 100644
index 00000000000..b7b615f9b6b
Binary files /dev/null and b/Solutions/Dynatrace/Package/3.0.2.zip differ
diff --git a/Solutions/Dynatrace/Package/createUiDefinition.json b/Solutions/Dynatrace/Package/createUiDefinition.json
index d6acbb79da0..e05aa4dfabd 100644
--- a/Solutions/Dynatrace/Package/createUiDefinition.json
+++ b/Solutions/Dynatrace/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
- "description": "
\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Dynatrace/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\n- Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Dynatrace/ReleaseNotes.md)\r\n\r\nDynatrace is a leading observability platform that provides automatic and intelligent observability at scale for cloud-native and enterprise workloads; with Dynatrace Application Security, your DevSecOps teams can resolve security issues faster, accelerating software delivery.\r\nIntegrating Dynatrace with Microsoft Sentinel enables DevSecOps teams to detect, prioritize, triage, and remediate attacks rapidly. DevSecOps teams benefit from the high-accuracy threat signals Dynatrace surfaces. It helps them avoid time-consuming investigation activities, freeing them up for more critical tasks.\r\nMicrosoft Sentinel data connectors poll Dynatrace for new [attacks, vulnerabilities, audit logs](https://www.dynatrace.com/platform/application-security/), and [problem events](https://docs.dynatrace.com/docs/shortlink/davis-ai-landing).\r\n\r\n**Included data connectors:**\r\n- **Attacks**, Common attacks on application layer vulnerabilities which can be detected and blocked using Dynatrace, like SQL injection, command injection, and JNDI attacks.\r\n- **Runtime vulnerabilities**, Software vulnerabilities detected throughout all layers of the application stack.\r\n- **Audit logs**, Security-relevant events for a Dynatrace tenant.\r\n- **Problems**, AI-powered observability problems raised across cloud and hybrid environments.\r\n\r\n[Learn More about Dynatrace](https://www.dynatrace.com/) | [Dynatrace Docs](https://docs.dynatrace.com/docs)\n\n**Data Connectors:** 4, **Parsers:** 4, 
**Workbooks:** 1, **Analytic Rules:** 5, **Playbooks:** 6\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "
\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Dynatrace/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nDynatrace is a leading observability platform that provides automatic and intelligent observability at scale for cloud-native and enterprise workloads; with Dynatrace Application Security, your DevSecOps teams can resolve security issues faster, accelerating software delivery.\r\nIntegrating Dynatrace with Microsoft Sentinel enables DevSecOps teams to detect, prioritize, triage, and remediate attacks rapidly. DevSecOps teams benefit from the high-accuracy threat signals Dynatrace surfaces. It helps them avoid time-consuming investigation activities, freeing them up for more critical tasks.\r\nMicrosoft Sentinel data connectors poll Dynatrace for new [attacks, vulnerabilities, audit logs](https://www.dynatrace.com/platform/application-security/), and [problem events](https://docs.dynatrace.com/docs/shortlink/davis-ai-landing).\r\n\r\n**Included data connectors:**\r\n- **Attacks**, Common attacks on application layer vulnerabilities which can be detected and blocked using Dynatrace, like SQL injection, command injection, and JNDI attacks.\r\n- **Runtime vulnerabilities**, Software vulnerabilities detected throughout all layers of the application stack.\r\n- **Audit logs**, Security-relevant events for a Dynatrace tenant.\r\n- **Problems**, AI-powered observability problems raised across cloud and hybrid environments.\r\n\r\n[Learn More about Dynatrace](https://www.dynatrace.com/) | [Dynatrace Docs](https://docs.dynatrace.com/docs)\r\n\r\n**Underlying Microsoft Technologies used:**\r\n\r\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in 
[Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\r\na. [Microsoft Sentinel](https://learn.microsoft.com/azure/sentinel/overview)\r\n\r\nb. [Azure Logic Apps](https://learn.microsoft.com/azure/logic-apps/logic-apps-overview)\n\n**Data Connectors:** 8, **Parsers:** 4, **Workbooks:** 1, **Analytic Rules:** 5, **Playbooks:** 6\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
@@ -63,6 +63,95 @@
"text": "This Solution installs the data connector for Dynatrace. You can get Dynatrace custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
}
},
+ {
+ "name": "dataconnectors2-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This Solution installs the data connector for Dynatrace Attacks V2. You can get Dynatrace Attacks V2 data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+ }
+ },
+ {
+ "name": "dataconnectors-link2",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "link": {
+ "label": "Learn more about connecting data sources",
+ "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
+ }
+ }
+ },
+ {
+ "name": "dataconnectors3-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This Solution installs the data connector for Dynatrace Audit Logs V2. You can get Dynatrace Audit Logs V2 data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+ }
+ },
+ {
+ "name": "dataconnectors-link3",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "link": {
+ "label": "Learn more about connecting data sources",
+ "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
+ }
+ }
+ },
+ {
+ "name": "dataconnectors4-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This Solution installs the data connector for Dynatrace Problems V2. You can get Dynatrace Problems V2 data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+ }
+ },
+ {
+ "name": "dataconnectors-link4",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "link": {
+ "label": "Learn more about connecting data sources",
+ "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
+ }
+ }
+ },
+ {
+ "name": "dataconnectors5-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This Solution installs the data connector for Dynatrace Runtime Vulnerabilities V2. You can get Dynatrace Runtime Vulnerabilities V2 data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+ }
+ },
+ {
+ "name": "dataconnectors-link5",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "link": {
+ "label": "Learn more about connecting data sources",
+ "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
+ }
+ }
+ },
+ {
+ "name": "dataconnectors6-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This Solution installs the data connector for Dynatrace. You can get Dynatrace custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+ }
+ },
+ {
+ "name": "dataconnectors7-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This Solution installs the data connector for Dynatrace. You can get Dynatrace custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+ }
+ },
+ {
+ "name": "dataconnectors8-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This Solution installs the data connector for Dynatrace. You can get Dynatrace custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+ }
+ },
{
"name": "dataconnectors-parser-text",
"type": "Microsoft.Common.TextBlock",
@@ -71,7 +160,7 @@
}
},
{
- "name": "dataconnectors-link2",
+ "name": "dataconnectors-link8",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
@@ -257,4 +346,4 @@
"workspace": "[basics('workspace')]"
}
}
-}
\ No newline at end of file
+}
diff --git a/Solutions/Dynatrace/Package/mainTemplate.json b/Solutions/Dynatrace/Package/mainTemplate.json
index 38ff3473a88..326037d66dd 100644
--- a/Solutions/Dynatrace/Package/mainTemplate.json
+++ b/Solutions/Dynatrace/Package/mainTemplate.json
@@ -35,13 +35,27 @@
"metadata": {
"description": "Name for the workbook"
}
+ },
+ "resourceGroupName": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().name]",
+ "metadata": {
+ "description": "resource group name where Microsoft Sentinel is setup"
+ }
+ },
+ "subscription": {
+ "type": "string",
+ "defaultValue": "[last(split(subscription().id, '/'))]",
+ "metadata": {
+ "description": "subscription id where Microsoft Sentinel is setup"
+ }
}
},
"variables": {
"email": "microsoftalliances@dynatrace.com",
"_email": "[variables('email')]",
"_solutionName": "Dynatrace",
- "_solutionVersion": "3.0.1",
+ "_solutionVersion": "3.0.2",
"solutionId": "dynatrace.dynatrace_azure_sentinel",
"_solutionId": "[variables('solutionId')]",
"workbookVersion1": "3.0.1",
@@ -59,32 +73,32 @@
"_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','1b0b2065-8bac-5a00-83c4-1b58f69ac212','-', '1.0.1')))]"
},
"analyticRuleObject2": {
- "analyticRuleVersion2": "1.0.2",
+ "analyticRuleVersion2": "1.0.4",
"_analyticRulecontentId2": "305093b4-0fa2-57bc-bced-caea782a6e9c",
"analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '305093b4-0fa2-57bc-bced-caea782a6e9c')]",
"analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('305093b4-0fa2-57bc-bced-caea782a6e9c')))]",
- "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','305093b4-0fa2-57bc-bced-caea782a6e9c','-', '1.0.2')))]"
+ "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','305093b4-0fa2-57bc-bced-caea782a6e9c','-', '1.0.4')))]"
},
"analyticRuleObject3": {
- "analyticRuleVersion3": "1.0.1",
+ "analyticRuleVersion3": "1.0.3",
"_analyticRulecontentId3": "af99b078-124b-543a-9a50-66ef87c09f6a",
"analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'af99b078-124b-543a-9a50-66ef87c09f6a')]",
"analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('af99b078-124b-543a-9a50-66ef87c09f6a')))]",
- "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','af99b078-124b-543a-9a50-66ef87c09f6a','-', '1.0.1')))]"
+ "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','af99b078-124b-543a-9a50-66ef87c09f6a','-', '1.0.3')))]"
},
"analyticRuleObject4": {
- "analyticRuleVersion4": "1.0.1",
+ "analyticRuleVersion4": "1.0.3",
"_analyticRulecontentId4": "ff0af873-a2f2-4233-8412-0ef4e00b0156",
"analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'ff0af873-a2f2-4233-8412-0ef4e00b0156')]",
"analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('ff0af873-a2f2-4233-8412-0ef4e00b0156')))]",
- "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','ff0af873-a2f2-4233-8412-0ef4e00b0156','-', '1.0.1')))]"
+ "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','ff0af873-a2f2-4233-8412-0ef4e00b0156','-', '1.0.3')))]"
},
"analyticRuleObject5": {
- "analyticRuleVersion5": "1.0.1",
+ "analyticRuleVersion5": "1.0.3",
"_analyticRulecontentId5": "415978ff-074e-4203-824a-b06153d77bf7",
"analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '415978ff-074e-4203-824a-b06153d77bf7')]",
"analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('415978ff-074e-4203-824a-b06153d77bf7')))]",
- "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','415978ff-074e-4203-824a-b06153d77bf7','-', '1.0.1')))]"
+ "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','415978ff-074e-4203-824a-b06153d77bf7','-', '1.0.3')))]"
},
"Add_DynatraceApplicationSecurityAttackSourceIpThreatIntelligence": "Add_DynatraceApplicationSecurityAttackSourceIpThreatIntelligence",
"_Add_DynatraceApplicationSecurityAttackSourceIpThreatIntelligence": "[variables('Add_DynatraceApplicationSecurityAttackSourceIpThreatIntelligence')]",
@@ -143,59 +157,77 @@
"dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
"dataConnectorVersion1": "1.0.0",
"_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
- "uiConfigId2": "DynatraceRuntimeVulnerabilities",
- "_uiConfigId2": "[variables('uiConfigId2')]",
- "dataConnectorContentId2": "DynatraceRuntimeVulnerabilities",
- "_dataConnectorContentId2": "[variables('dataConnectorContentId2')]",
- "dataConnectorId2": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
- "_dataConnectorId2": "[variables('dataConnectorId2')]",
- "dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]",
- "dataConnectorVersion2": "1.0.0",
- "_dataConnectorcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]",
- "uiConfigId3": "DynatraceProblems",
- "_uiConfigId3": "[variables('uiConfigId3')]",
- "dataConnectorContentId3": "DynatraceProblems",
- "_dataConnectorContentId3": "[variables('dataConnectorContentId3')]",
- "dataConnectorId3": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId3'))]",
- "_dataConnectorId3": "[variables('dataConnectorId3')]",
- "dataConnectorTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId3'))))]",
- "dataConnectorVersion3": "1.0.0",
- "_dataConnectorcontentProductId3": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId3'),'-', variables('dataConnectorVersion3'))))]",
- "uiConfigId4": "DynatraceAuditLogs",
- "_uiConfigId4": "[variables('uiConfigId4')]",
- "dataConnectorContentId4": "DynatraceAuditLogs",
- "_dataConnectorContentId4": "[variables('dataConnectorContentId4')]",
- "dataConnectorId4": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId4'))]",
- "_dataConnectorId4": "[variables('dataConnectorId4')]",
- "dataConnectorTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId4'))))]",
- "dataConnectorVersion4": "1.0.0",
- "_dataConnectorcontentProductId4": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId4'),'-', variables('dataConnectorVersion4'))))]",
+ "dataConnectorCCPVersion": "3.0.2",
+ "_dataConnectorContentIdConnectorDefinition2": "DynatraceAttacksCCPDefinition",
+ "dataConnectorTemplateNameConnectorDefinition2": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnectorDefinition2')))]",
+ "_dataConnectorContentIdConnections2": "DynatraceAttacksCCPDefinitionConnections",
+ "dataConnectorTemplateNameConnections2": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnections2')))]",
+ "blanks": "[replace('b', 'b', '')]",
+ "_dataConnectorContentIdConnectorDefinition3": "DynatraceAuditLogsCCPDefinition",
+ "dataConnectorTemplateNameConnectorDefinition3": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnectorDefinition3')))]",
+ "_dataConnectorContentIdConnections3": "DynatraceAuditLogsCCPDefinitionConnections",
+ "dataConnectorTemplateNameConnections3": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnections3')))]",
+ "_dataConnectorContentIdConnectorDefinition4": "DynatraceProblemsCCPDefinition",
+ "dataConnectorTemplateNameConnectorDefinition4": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnectorDefinition4')))]",
+ "_dataConnectorContentIdConnections4": "DynatraceProblemsCCPDefinitionConnections",
+ "dataConnectorTemplateNameConnections4": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnections4')))]",
+ "_dataConnectorContentIdConnectorDefinition5": "DTRunVulnCCPDefinition",
+ "dataConnectorTemplateNameConnectorDefinition5": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnectorDefinition5')))]",
+ "_dataConnectorContentIdConnections5": "DTRunVulnCCPDefinitionConnections",
+ "dataConnectorTemplateNameConnections5": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnections5')))]",
+ "uiConfigId6": "DynatraceAuditLogs",
+ "_uiConfigId6": "[variables('uiConfigId6')]",
+ "dataConnectorContentId6": "DynatraceAuditLogs",
+ "_dataConnectorContentId6": "[variables('dataConnectorContentId6')]",
+ "dataConnectorId6": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId6'))]",
+ "_dataConnectorId6": "[variables('dataConnectorId6')]",
+ "dataConnectorTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId6'))))]",
+ "dataConnectorVersion6": "1.0.0",
+ "_dataConnectorcontentProductId6": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId6'),'-', variables('dataConnectorVersion6'))))]",
+ "uiConfigId7": "DynatraceProblems",
+ "_uiConfigId7": "[variables('uiConfigId7')]",
+ "dataConnectorContentId7": "DynatraceProblems",
+ "_dataConnectorContentId7": "[variables('dataConnectorContentId7')]",
+ "dataConnectorId7": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId7'))]",
+ "_dataConnectorId7": "[variables('dataConnectorId7')]",
+ "dataConnectorTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId7'))))]",
+ "dataConnectorVersion7": "1.0.0",
+ "_dataConnectorcontentProductId7": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId7'),'-', variables('dataConnectorVersion7'))))]",
+ "uiConfigId8": "DynatraceRuntimeVulnerabilities",
+ "_uiConfigId8": "[variables('uiConfigId8')]",
+ "dataConnectorContentId8": "DynatraceRuntimeVulnerabilities",
+ "_dataConnectorContentId8": "[variables('dataConnectorContentId8')]",
+ "dataConnectorId8": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId8'))]",
+ "_dataConnectorId8": "[variables('dataConnectorId8')]",
+ "dataConnectorTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId8'))))]",
+ "dataConnectorVersion8": "1.0.0",
+ "_dataConnectorcontentProductId8": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId8'),'-', variables('dataConnectorVersion8'))))]",
"parserObject1": {
"_parserName1": "[concat(parameters('workspace'),'/','DynatraceAttacks')]",
"_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'DynatraceAttacks')]",
"parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('DynatraceAttacks-Parser')))]",
- "parserVersion1": "1.0.0",
+ "parserVersion1": "2.0.0",
"parserContentId1": "DynatraceAttacks-Parser"
},
"parserObject2": {
"_parserName2": "[concat(parameters('workspace'),'/','DynatraceAuditLogs')]",
"_parserId2": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'DynatraceAuditLogs')]",
"parserTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('DynatraceAuditLogs-Parser')))]",
- "parserVersion2": "1.0.0",
+ "parserVersion2": "2.0.0",
"parserContentId2": "DynatraceAuditLogs-Parser"
},
"parserObject3": {
"_parserName3": "[concat(parameters('workspace'),'/','DynatraceProblems')]",
"_parserId3": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'DynatraceProblems')]",
"parserTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('DynatraceProblems-Parser')))]",
- "parserVersion3": "1.0.0",
+ "parserVersion3": "2.0.0",
"parserContentId3": "DynatraceProblems-Parser"
},
"parserObject4": {
"_parserName4": "[concat(parameters('workspace'),'/','DynatraceSecurityProblems')]",
"_parserId4": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'DynatraceSecurityProblems')]",
"parserTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('DynatraceSecurityProblems-Parser')))]",
- "parserVersion4": "1.0.0",
+ "parserVersion4": "2.0.0",
"parserContentId4": "DynatraceSecurityProblems-Parser"
},
"_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
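Review bot: `dataConnectorVersion1` stays at `"1.0.0"` although this same commit changes that connector's title to "Dynatrace Attacks V1" and its User-Agent to 3.0.2 in the connector template hunks later in the file, so `_dataConnectorcontentProductId1`, which hashes the version, is unchanged; if the content hub keys template updates on version (inferred, not visible here) an already-installed workspace may never see the retitled template. The minimal fix is `"dataConnectorVersion1": "1.0.1",`. The renumbered AuditLogs/Problems/RuntimeVulnerabilities variables (6/7/8) keep the same contentIds as the removed 2/3/4 entries, so the uniquestring-derived template names stay stable across the upgrade, which looks correct. `"blanks": "[replace('b', 'b', '')]"` appears to be the packaging tool's empty-string idiom; since strict JSON offers no place for a comment, the generator's source is where that should be explained.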
@@ -210,7 +242,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Dynatrace Workbook with template version 3.0.1",
+ "description": "Dynatrace Workbook with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion1')]",
@@ -322,7 +354,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "DynatraceApplicationSecurity_AttackDetection_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "DynatraceApplicationSecurity_AttackDetection_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@@ -350,10 +382,10 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "DynatraceAttacks",
"dataTypes": [
"DynatraceAttacks"
- ]
+ ],
+ "connectorId": "DynatraceAttacks"
}
],
"tactics": [
@@ -373,8 +405,8 @@
"entityType": "Host",
"fieldMappings": [
{
- "identifier": "HostName",
- "columnName": "host"
+ "columnName": "host",
+ "identifier": "HostName"
}
]
},
@@ -382,8 +414,8 @@
"entityType": "URL",
"fieldMappings": [
{
- "identifier": "Url",
- "columnName": "url"
+ "columnName": "url",
+ "identifier": "Url"
}
]
},
@@ -391,8 +423,8 @@
"entityType": "IP",
"fieldMappings": [
{
- "identifier": "Address",
- "columnName": "sourceIp"
+ "columnName": "sourceIp",
+ "identifier": "Address"
}
]
}
@@ -401,23 +433,23 @@
"aggregationKind": "AlertPerResult"
},
"customDetails": {
- "AttackIdentifier": "AttackId",
+ "AttackType": "AttackType",
"AttackState": "State",
"DisplayIdentifier": "DisplayId",
- "AttackType": "AttackType"
+ "AttackIdentifier": "AttackId"
},
"alertDetailsOverride": {
"alertDisplayNameFormat": "Dynatrace Attack {{State}} - {{DisplayId}} : {{DisplayName}}",
"alertDescriptionFormat": "Dynatrace has detected an ongoing attack in your environment which was {{State}}.\n"
},
"incidentConfiguration": {
+ "createIncident": true,
"groupingConfiguration": {
"matchingMethod": "AllEntities",
+ "lookbackDuration": "P7D",
"enabled": true,
- "reopenClosedIncident": true,
- "lookbackDuration": "P7D"
- },
- "createIncident": true
+ "reopenClosedIncident": true
+ }
}
}
},
@@ -472,7 +504,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "DynatraceApplicationSecurity_CodeLevelVulnerabilityDetection_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "DynatraceApplicationSecurity_CodeLevelVulnerabilityDetection_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
@@ -500,10 +532,10 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "DynatraceRuntimeVulnerabilities",
"dataTypes": [
"DynatraceSecurityProblems"
- ]
+ ],
+ "connectorId": "DynatraceRuntimeVulnerabilities"
}
],
"tactics": [
@@ -515,13 +547,22 @@
"Persistence",
"PrivilegeEscalation"
],
+ "techniques": [
+ "T1140",
+ "T1059",
+ "T1565",
+ "T1659",
+ "T1210",
+ "T1554",
+ "T1548"
+ ],
"entityMappings": [
{
"entityType": "URL",
"fieldMappings": [
{
- "identifier": "Url",
- "columnName": "Url"
+ "columnName": "Url",
+ "identifier": "Url"
}
]
}
@@ -531,20 +572,20 @@
},
"customDetails": {
"DAVISPublicExploit": "DAVISPublicExploit",
- "DAVISRiskLevel": "DAVISRiskLevel",
+ "DAVISRiskScore": "DAVISRiskScore",
+ "SecurityProblemUrl": "Url",
+ "VulnerabilityType": "VulnerabilityType",
+ "DAVISVulnFuncUsage": "DAVISVulnerableFunctionUsage",
+ "SecProbIdentifier": "SecurityProblemId",
+ "CVEIds": "CVEIds",
"PackageName": "PackageName",
- "Technology": "Technology",
+ "DisplayIdentifier": "DisplayId",
+ "DAVISDataAssets": "DAVISDataAssets",
"ExternVulnIdentifier": "ExternalVulnerabilityId",
"DAVISExposure": "DAVISExposure",
"DAVISRiskVector": "DAVISRiskVector",
- "VulnerabilityType": "VulnerabilityType",
- "DisplayIdentifier": "DisplayId",
- "DAVISRiskScore": "DAVISRiskScore",
- "DAVISDataAssets": "DAVISDataAssets",
- "SecProbIdentifier": "SecurityProblemId",
- "DAVISVulnFuncUsage": "DAVISVulnerableFunctionUsage",
- "SecurityProblemUrl": "Url",
- "CVEIds": "CVEIds"
+ "Technology": "Technology",
+ "DAVISRiskLevel": "DAVISRiskLevel"
},
"alertDetailsOverride": {
"alertDisplayNameFormat": "Dynatrace Code-Level runtime vulnerability detected - {{DisplayId}} : {{Title}}",
@@ -552,13 +593,13 @@
"alertSeverityColumnName": "Severity"
},
"incidentConfiguration": {
+ "createIncident": false,
"groupingConfiguration": {
"matchingMethod": "AllEntities",
+ "lookbackDuration": "PT5H",
"enabled": false,
- "reopenClosedIncident": false,
- "lookbackDuration": "PT5H"
- },
- "createIncident": false
+ "reopenClosedIncident": false
+ }
}
}
},
@@ -613,7 +654,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "DynatraceApplicationSecurity_ThirdPartyVulnerabilityDetection_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "DynatraceApplicationSecurity_ThirdPartyVulnerabilityDetection_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]",
@@ -641,10 +682,10 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "DynatraceRuntimeVulnerabilities",
"dataTypes": [
"DynatraceSecurityProblems"
- ]
+ ],
+ "connectorId": "DynatraceRuntimeVulnerabilities"
}
],
"tactics": [
@@ -656,13 +697,22 @@
"Persistence",
"PrivilegeEscalation"
],
+ "techniques": [
+ "T1140",
+ "T1059",
+ "T1565",
+ "T1659",
+ "T1210",
+ "T1554",
+ "T1548"
+ ],
"entityMappings": [
{
"entityType": "URL",
"fieldMappings": [
{
- "identifier": "Url",
- "columnName": "Url"
+ "columnName": "Url",
+ "identifier": "Url"
}
]
}
@@ -672,20 +722,20 @@
},
"customDetails": {
"DAVISPublicExploit": "DAVISPublicExploit",
- "DAVISRiskLevel": "DAVISRiskLevel",
+ "DAVISRiskScore": "DAVISRiskScore",
+ "SecurityProblemUrl": "Url",
+ "VulnerabilityType": "VulnerabilityType",
+ "DAVISVulnFuncUsage": "DAVISVulnerableFunctionUsage",
+ "SecProbIdentifier": "SecurityProblemId",
+ "CVEIds": "CVEIds",
"PackageName": "PackageName",
- "Technology": "Technology",
+ "DisplayIdentifier": "DisplayId",
+ "DAVISDataAssets": "DAVISDataAssets",
"ExternVulnIdentifier": "ExternalVulnerabilityId",
"DAVISExposure": "DAVISExposure",
"DAVISRiskVector": "DAVISRiskVector",
- "VulnerabilityType": "VulnerabilityType",
- "DisplayIdentifier": "DisplayId",
- "DAVISRiskScore": "DAVISRiskScore",
- "DAVISDataAssets": "DAVISDataAssets",
- "SecProbIdentifier": "SecurityProblemId",
- "DAVISVulnFuncUsage": "DAVISVulnerableFunctionUsage",
- "SecurityProblemUrl": "Url",
- "CVEIds": "CVEIds"
+ "Technology": "Technology",
+ "DAVISRiskLevel": "DAVISRiskLevel"
},
"alertDetailsOverride": {
"alertDisplayNameFormat": "Dynatrace Third-party runtime vulnerability detected - {{DisplayId}} : {{Title}}",
@@ -693,13 +743,13 @@
"alertSeverityColumnName": "Severity"
},
"incidentConfiguration": {
+ "createIncident": false,
"groupingConfiguration": {
"matchingMethod": "AllEntities",
+ "lookbackDuration": "PT5H",
"enabled": false,
- "reopenClosedIncident": false,
- "lookbackDuration": "PT5H"
- },
- "createIncident": false
+ "reopenClosedIncident": false
+ }
}
}
},
@@ -754,7 +804,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "DynatraceApplicationSecurity_NonCriticalVulnerabilityDetection_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "DynatraceApplicationSecurity_NonCriticalVulnerabilityDetection_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]",
@@ -782,10 +832,10 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "DynatraceRuntimeVulnerabilities",
"dataTypes": [
"DynatraceSecurityProblems"
- ]
+ ],
+ "connectorId": "DynatraceRuntimeVulnerabilities"
}
],
"tactics": [
@@ -797,25 +847,34 @@
"Persistence",
"PrivilegeEscalation"
],
+ "techniques": [
+ "T1140",
+ "T1059",
+ "T1565",
+ "T1659",
+ "T1210",
+ "T1554",
+ "T1548"
+ ],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"customDetails": {
"DAVISPublicExploit": "DAVISPublicExploit",
- "DAVISRiskLevel": "DAVISRiskLevel",
+ "DAVISRiskScore": "DAVISRiskScore",
+ "SecurityProblemUrl": "Url",
+ "VulnerabilityType": "VulnerabilityType",
+ "DAVISVulnFuncUsage": "DAVISVulnerableFunctionUsage",
+ "SecProbIdentifier": "SecurityProblemId",
+ "CVEIds": "CVEIds",
"PackageName": "PackageName",
- "Technology": "Technology",
+ "DisplayIdentifier": "DisplayId",
+ "DAVISDataAssets": "DAVISDataAssets",
"ExternVulnIdentifier": "ExternalVulnerabilityId",
"DAVISExposure": "DAVISExposure",
"DAVISRiskVector": "DAVISRiskVector",
- "VulnerabilityType": "VulnerabilityType",
- "DisplayIdentifier": "DisplayId",
- "DAVISRiskScore": "DAVISRiskScore",
- "DAVISDataAssets": "DAVISDataAssets",
- "SecProbIdentifier": "SecurityProblemId",
- "DAVISVulnFuncUsage": "DAVISVulnerableFunctionUsage",
- "SecurityProblemUrl": "Url",
- "CVEIds": "CVEIds"
+ "Technology": "Technology",
+ "DAVISRiskLevel": "DAVISRiskLevel"
},
"alertDetailsOverride": {
"alertDisplayNameFormat": "Dynatrace Non-critical runtime vulnerability detected - {{DisplayId}} : {{Title}}",
@@ -823,13 +882,13 @@
"alertSeverityColumnName": "Severity"
},
"incidentConfiguration": {
+ "createIncident": false,
"groupingConfiguration": {
"matchingMethod": "AllEntities",
+ "lookbackDuration": "PT5H",
"enabled": false,
- "reopenClosedIncident": false,
- "lookbackDuration": "PT5H"
- },
- "createIncident": false
+ "reopenClosedIncident": false
+ }
}
}
},
@@ -884,7 +943,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Dynatrace_ProblemDetection_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "Dynatrace_ProblemDetection_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]",
@@ -912,20 +971,38 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "DynatraceProblems",
"dataTypes": [
"DynatraceProblems"
- ]
+ ],
+ "connectorId": "DynatraceProblems"
}
],
+ "tactics": [
+ "DefenseEvasion",
+ "Execution",
+ "Impact",
+ "InitialAccess",
+ "LateralMovement",
+ "Persistence",
+ "PrivilegeEscalation"
+ ],
+ "techniques": [
+ "T1140",
+ "T1059",
+ "T1565",
+ "T1659",
+ "T1210",
+ "T1554",
+ "T1548"
+ ],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"customDetails": {
- "ProblemIdentifier": "ProblemId",
- "ImpactLevel": "ImpactLevel",
"SeverityLevel": "SeverityLevel",
- "DisplayIdentifier": "DisplayId"
+ "ProblemIdentifier": "ProblemId",
+ "DisplayIdentifier": "DisplayId",
+ "ImpactLevel": "ImpactLevel"
},
"alertDetailsOverride": {
"alertDisplayNameFormat": "Dynatrace problem detected - {{DisplayId}} : {{Title}}",
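Review bot: The `tactics` and `techniques` added to Dynatrace_ProblemDetection_AnalyticalRules are a verbatim copy of the list given to the three runtime-vulnerability rules (same seven tactics, same seven techniques T1140, T1059, T1565, T1659, T1210, T1554, T1548), yet this rule fires on Dynatrace problems — its alert name is "Dynatrace problem detected" and its custom details carry ProblemId/ImpactLevel/SeverityLevel, not an attack or vulnerability. Tagging every problem alert with Initial Access, Lateral Movement, Persistence and Privilege Escalation will inflate MITRE coverage in Sentinel's ATT&CK view and mislead triage. Unless the problem feed is known to be security-scoped, drop the `techniques` array and keep at most `"tactics": ["Impact"]`. The rule's query is outside this hunk, so I cannot confirm what the problem feed actually contains.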
@@ -933,13 +1010,13 @@
"alertSeverityColumnName": "Severity"
},
"incidentConfiguration": {
+ "createIncident": false,
"groupingConfiguration": {
"matchingMethod": "AllEntities",
+ "lookbackDuration": "PT5H",
"enabled": false,
- "reopenClosedIncident": false,
- "lookbackDuration": "PT5H"
- },
- "createIncident": false
+ "reopenClosedIncident": false
+ }
}
}
},
@@ -994,7 +1071,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AddDynatraceApplicationSecSrcIPAddressTI Playbook with template version 3.0.1",
+ "description": "AddDynatraceApplicationSecSrcIPAddressTI Playbook with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion1')]",
@@ -1521,7 +1598,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "EnrichDynatraceApplicationSecAttackIncident Playbook with template version 3.0.1",
+ "description": "EnrichDynatraceApplicationSecAttackIncident Playbook with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion2')]",
@@ -2179,7 +2256,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "EnrichDynatraceAppSecAttackMSDefenderXDR Playbook with template version 3.0.1",
+ "description": "EnrichDynatraceAppSecAttackMSDefenderXDR Playbook with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion3')]",
@@ -3202,7 +3279,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "EnrichDynatraceAppSecAttackWithSecAlerts Playbook with template version 3.0.1",
+ "description": "EnrichDynatraceAppSecAttackWithSecAlerts Playbook with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion4')]",
@@ -4235,7 +4312,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "IngestDynatraceMSDefenderXDR Playbook with template version 3.0.1",
+ "description": "IngestDynatraceMSDefenderXDR Playbook with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion5')]",
@@ -4725,7 +4802,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "IngestDynatraceMSSentinelSecurityAlerts Playbook with template version 3.0.1",
+ "description": "IngestDynatraceMSSentinelSecurityAlerts Playbook with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion6')]",
@@ -5217,7 +5294,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Dynatrace data connector with template version 3.0.1",
+ "description": "Dynatrace data connector with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion1')]",
@@ -5233,7 +5310,7 @@
"properties": {
"connectorUiConfig": {
"id": "[variables('_uiConfigId1')]",
- "title": "Dynatrace Attacks",
+ "title": "Dynatrace Attacks V1",
"publisher": "Dynatrace",
"descriptionMarkdown": "This connector uses the Dynatrace Attacks REST API to ingest detected attacks into Microsoft Sentinel Log Analytics",
"additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected which is deployed with the Microsoft Sentinel Solution.",
@@ -5346,7 +5423,7 @@
"endTimeAttributeName": "to",
"headers": {
"Accept": "application/json",
- "User-Agent": "dynatrace-microsoft-sentinel/3.x/connectors/attacks"
+ "User-Agent": "dynatrace-microsoft-sentinel/3.0.2/connectors/attacks"
},
"queryParameters": {
"fields": "+attacker,+request,+entrypoint,+vulnerability,+managementZones"
@@ -5404,7 +5481,7 @@
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('_dataConnectorContentId1')]",
"contentKind": "DataConnector",
- "displayName": "Dynatrace Attacks",
+ "displayName": "Dynatrace Attacks V1",
"contentProductId": "[variables('_dataConnectorcontentProductId1')]",
"id": "[variables('_dataConnectorcontentProductId1')]",
"version": "[variables('dataConnectorVersion1')]"
@@ -5449,7 +5526,7 @@
"properties": {
"connectorUiConfig": {
"id": "[variables('_uiConfigId1')]",
- "title": "Dynatrace Attacks",
+ "title": "Dynatrace Attacks V1",
"publisher": "Dynatrace",
"descriptionMarkdown": "This connector uses the Dynatrace Attacks REST API to ingest detected attacks into Microsoft Sentinel Log Analytics",
"additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected which is deployed with the Microsoft Sentinel Solution.",
@@ -5562,7 +5639,7 @@
"endTimeAttributeName": "to",
"headers": {
"Accept": "application/json",
- "User-Agent": "dynatrace-microsoft-sentinel/3.x/connectors/attacks"
+ "User-Agent": "dynatrace-microsoft-sentinel/3.0.2/connectors/attacks"
},
"queryParameters": {
"fields": "+attacker,+request,+entrypoint,+vulnerability,+managementZones"
@@ -5588,87 +5665,71 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('dataConnectorTemplateSpecName2')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnectorDefinition2'), variables('dataConnectorCCPVersion'))]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Dynatrace data connector with template version 3.0.1",
+ "contentId": "[variables('_dataConnectorContentIdConnectorDefinition2')]",
+ "displayName": "Dynatrace Attacks V2",
+ "contentKind": "DataConnector",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('dataConnectorVersion2')]",
+ "contentVersion": "[variables('dataConnectorCCPVersion')]",
"parameters": {},
"variables": {},
"resources": [
{
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition2'))]",
+ "apiVersion": "2022-09-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions",
"location": "[parameters('workspace-location')]",
- "kind": "APIPolling",
+ "kind": "Customizable",
"properties": {
"connectorUiConfig": {
- "id": "[variables('_uiConfigId2')]",
- "title": "Dynatrace Runtime Vulnerabilities",
+ "id": "DynatraceAttacksCCPDefinition",
+ "title": "Dynatrace Attacks V2",
"publisher": "Dynatrace",
- "descriptionMarkdown": "This connector uses the [Dynatrace Security Problem REST API](https://docs.dynatrace.com/docs/dynatrace-api/environment-api/application-security/vulnerabilities/get-vulnerabilities) to ingest detected runtime vulnerabilities into Microsoft Sentinel Log Analytics.",
+ "descriptionMarkdown": "This connector uses the Dynatrace Attacks REST API to ingest detected attacks into Microsoft Sentinel Log Analytics",
"additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected which is deployed with the Microsoft Sentinel Solution.",
- "graphQueriesTableName": "DynatraceSecurityProblems_CL",
+ "graphQueriesTableName": "DynatraceAttacksV2_CL",
"graphQueries": [
{
"metricName": "Total data received",
- "legend": "Dynatrace Vulnerabilities Events",
+ "legend": "Dynatrace Attack Events",
"baseQuery": "{{graphQueriesTableName}}"
}
],
"sampleQueries": [
{
- "description": "All Vulnerability Events",
- "query": "DynatraceSecurityProblems\n| summarize arg_max(LastUpdatedTimeStamp, *) by SecurityProblemId\n| take 10"
- },
- {
- "description": "All Third-Party Vulnerability Events",
- "query": "DynatraceSecurityProblems\n| where VulnerabilityType == \"THIRD_PARTY\"\n| summarize arg_max(LastUpdatedTimeStamp, *) by SecurityProblemId\n| take 10"
- },
- {
- "description": "All Code-level Vulnerability Events",
- "query": "DynatraceSecurityProblems\n| where VulnerabilityType == \"CODE_LEVEL\"\n| summarize arg_max(LastUpdatedTimeStamp, *) by SecurityProblemId\n| take 10"
- },
- {
- "description": "All Runtime Vulnerability Events",
- "query": "DynatraceSecurityProblems\n| where VulnerabilityType == \"RUNTIME\"\n| summarize arg_max(LastUpdatedTimeStamp, *) by SecurityProblemId\n| take 10"
- },
- {
- "description": "Critical Vulnerability Events",
- "query": "DynatraceSecurityProblems\n| where DAVISRiskLevel == \"CRITICAL\"\n| summarize arg_max(LastUpdatedTimeStamp, *) by SecurityProblemId\n| take 10"
+ "description": "All Attack Events",
+ "query": "DynatraceAttacks\n| summarize arg_max(TimeStamp, *) by AttackId\n| take 10"
},
{
- "description": "High Vulnerability Events",
- "query": "DynatraceSecurityProblems\n| where DAVISRiskLevel == \"HIGH\"\n| summarize arg_max(LastUpdatedTimeStamp, *) by SecurityProblemId\n| take 10"
+ "description": "All Exploited Attack Events",
+ "query": "DynatraceAttacks\n| where State == \"EXPLOITED\"\n| summarize arg_max(TimeStamp, *) by AttackId\n| take 10"
},
{
- "description": "Count Vulnerability Events by Technology and Vulnerability",
- "query": "DynatraceSecurityProblems\n| summarize arg_max(LastUpdatedTimeStamp, *) by SecurityProblemId\n| summarize count() by Technology, ExternalVulnerabilityId\n| take 10"
+ "description": "Count Attacks by Type",
+ "query": "DynatraceAttacks\n| summarize arg_max(TimeStamp, *) by AttackId\n| summarize count() by AttackType\n| take 10"
}
],
"dataTypes": [
{
"name": "{{graphQueriesTableName}}",
- "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ "lastDataReceivedQuery": "{{graphQueriesTableName}}\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)"
}
],
"connectivityCriteria": [
{
- "type": "SentinelKindsV2",
- "value": [
- "APIPolling"
- ]
+ "type": "HasDataConnectors",
+ "value": null
}
],
"availability": {
"status": 1,
- "isPreview": false
+ "isPreview": true
},
"permissions": {
"resourceProvider": [
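Review bot: The three sampleQueries in this hunk (`"query": "DynatraceAttacks\n| summarize arg_max(TimeStamp, *) by AttackId\n| take 10"` and the two that follow) still query the `DynatraceAttacks` parser with the V1-style column names TimeStamp, AttackId, State and AttackType, while this definition's `graphQueriesTableName` is now `DynatraceAttacksV2_CL`, whose DCR stream and table schema later in the diff declare lower-camel columns (attackId, state, attackType) plus TimeGenerated. Unless the DynatraceAttacks Kusto function has been updated to union the V2 table and normalise those names — nothing in this diff shows that — the V2 connector's sample queries will return no rows even while the "Total data received" graph shows ingestion. Either retarget the samples at the new table, e.g. `"query": "DynatraceAttacksV2_CL\n| summarize arg_max(TimeGenerated, *) by attackId\n| take 10"`, or confirm the parser covers both tables and say so in `additionalRequirementBanner`. The same three queries are repeated verbatim in the later copy of this definition (the second `DynatraceAttacksCCPDefinition` block), so whichever fix is chosen applies there too.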
@@ -5691,90 +5752,65 @@
},
{
"name": "Dynatrace Access Token",
- "description": "You need a Dynatrace Access Token, the token should have ***Read security problems*** (securityProblems.read) scope."
+ "description": "You need a Dynatrace Access Token, the token should have ***Read attacks*** (attacks.read) scope."
}
]
},
"instructionSteps": [
{
+ "title": "Dynatrace Attack Events to Microsoft Sentinel",
"description": "Configure and Enable Dynatrace [Application Security](https://www.dynatrace.com/platform/application-security/). \n Follow [these instructions](https://docs.dynatrace.com/docs/shortlink/token#create-api-token) to generate an access token.",
"instructions": [
{
"parameters": {
"enable": "true",
- "userRequestPlaceHoldersInput": [
- {
- "displayText": "Dynatrace tenant (ex. xyz.dynatrace.com)",
- "requestObjectKey": "apiEndpoint",
- "placeHolderName": "{{dynatraceEnvironmentUrl}}"
- }
- ]
+ "type": "text",
+ "label": "Dynatrace tenant (ex. xyz.dynatrace.com)",
+ "placeholder": "{{dynatraceEnvironmentUrl}}",
+ "name": "dynatraceEnvironmentUrl"
},
- "type": "APIKey"
+ "type": "Textbox"
+ },
+ {
+ "parameters": {
+ "enable": "true",
+ "type": "password",
+ "label": "Dynatrace Access Token",
+ "placeholder": "{{dynatraceAccessToken}}",
+ "name": "dynatraceAccessToken"
+ },
+ "type": "Textbox"
+ },
+ {
+ "type": "ConnectionToggleButton",
+ "parameters": {
+ "connectLabel": "connect",
+ "name": "toggle"
+ }
}
- ],
- "title": "Dynatrace Vulnerabilities Events to Microsoft Sentinel"
+ ]
}
],
"metadata": {
- "version": "1.0.0",
+ "version": "1.0.2",
"kind": "dataConnector"
}
- },
- "pollingConfig": {
- "auth": {
- "authType": "APIKey",
- "APIKeyIdentifier": "Api-Token",
- "APIKeyName": "Authorization"
- },
- "request": {
- "apiEndpoint": "https://{{dynatraceEnvironmentUrl}}/api/v2/securityProblems",
- "httpMethod": "Get",
- "rateLimitQPS": 2,
- "retryCount": 3,
- "timeoutInSeconds": 120,
- "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ",
- "queryWindowInMin": 5,
- "startTimeAttributeName": "from",
- "endTimeAttributeName": "to",
- "headers": {
- "Accept": "application/json",
- "User-Agent": "dynatrace-microsoft-sentinel/3.x/connectors/securityproblems"
- },
- "queryParameters": {
- "fields": "+riskAssessment,+managementZones,+codeLevelVulnerabilityDetails"
- }
- },
- "paging": {
- "pagingType": "NextPageToken",
- "pagingQueryParamOnly": true,
- "nextPageTokenJsonPath": "$.nextPageKey",
- "nextPageParaName": "nextPageKey",
- "pageSizeParaName": "pageSize",
- "pageSize": 10
- },
- "response": {
- "eventsJsonPaths": [
- "$.securityProblems"
- ],
- "convertChildPropertiesToArray": true
- }
}
}
},
{
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition2')))]",
+ "apiVersion": "2022-01-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]",
"properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
- "contentId": "[variables('_dataConnectorContentId2')]",
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition2'))]",
+ "contentId": "[variables('_dataConnectorContentIdConnectorDefinition2')]",
"kind": "DataConnector",
- "version": "[variables('dataConnectorVersion2')]",
+ "version": "[variables('dataConnectorCCPVersion')]",
"source": {
- "kind": "Solution",
- "name": "Dynatrace",
- "sourceId": "[variables('_solutionId')]"
+ "sourceId": "[variables('_solutionId')]",
+ "name": "[variables('_solutionName')]",
+ "kind": "Solution"
},
"author": {
"name": "Dynatrace",
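Review bot: The metadata resource that begins at `"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition2')))]"` no longer carries a `dependsOn` (the removed APIPolling version depended on `variables('_dataConnectorId2')`), yet its `parentId` points at the dataConnectorDefinitions resource deployed in the same mainTemplate, so ARM is free to create the metadata before its parent exists. If the Sentinel packaging tool does not guarantee ordering for nested content templates, add `"dependsOn": ["[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition2'))]"]` to this resource; the identical pattern recurs in the second copy of this metadata block and in the ResourcesDataConnector metadata later in the diff. This resource's `support` block continues past the end of the hunk.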
@@ -5785,109 +5821,2982 @@
"email": "microsoftalliances@dynatrace.com",
"tier": "Partner",
"link": "https://www.dynatrace.com/services-support/"
+ },
+ "dependencies": {
+ "criteria": [
+ {
+ "version": "[variables('dataConnectorCCPVersion')]",
+ "contentId": "[variables('_dataConnectorContentIdConnections2')]",
+ "kind": "ResourcesDataConnector"
+ }
+ ]
}
}
- }
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_dataConnectorContentId2')]",
- "contentKind": "DataConnector",
- "displayName": "Dynatrace Runtime Vulnerabilities",
- "contentProductId": "[variables('_dataConnectorcontentProductId2')]",
- "id": "[variables('_dataConnectorcontentProductId2')]",
- "version": "[variables('dataConnectorVersion2')]"
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]",
- "dependsOn": [
- "[variables('_dataConnectorId2')]"
- ],
- "location": "[parameters('workspace-location')]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
- "contentId": "[variables('_dataConnectorContentId2')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion2')]",
- "source": {
- "kind": "Solution",
- "name": "Dynatrace",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Dynatrace",
- "email": "[variables('_email')]"
- },
- "support": {
- "name": "Dynatrace",
- "email": "microsoftalliances@dynatrace.com",
- "tier": "Partner",
- "link": "https://www.dynatrace.com/services-support/"
- }
- }
- },
+ },
+ {
+ "name": "DTAttacksV2DCR",
+ "apiVersion": "2022-06-01",
+ "type": "Microsoft.Insights/dataCollectionRules",
+ "location": "[parameters('workspace-location')]",
+ "kind": "[variables('blanks')]",
+ "properties": {
+ "streamDeclarations": {
+ "Custom-DynatraceAttacksV2": {
+ "columns": [
+ {
+ "name": "timestamp",
+ "type": "long"
+ },
+ {
+ "name": "attackId",
+ "type": "string"
+ },
+ {
+ "name": "displayId",
+ "type": "string"
+ },
+ {
+ "name": "displayName",
+ "type": "string"
+ },
+ {
+ "name": "attackType",
+ "type": "string"
+ },
+ {
+ "name": "technology",
+ "type": "string"
+ },
+ {
+ "name": "state",
+ "type": "string"
+ },
+ {
+ "name": "affectedEntities",
+ "type": "dynamic"
+ },
+ {
+ "name": "request",
+ "type": "dynamic"
+ },
+ {
+ "name": "entrypoint",
+ "type": "dynamic"
+ },
+ {
+ "name": "vulnerability",
+ "type": "dynamic"
+ },
+ {
+ "name": "attacker",
+ "type": "dynamic"
+ },
+ {
+ "name": "managementZones",
+ "type": "dynamic"
+ }
+ ]
+ }
+ },
+ "destinations": {
+ "logAnalytics": [
+ {
+ "workspaceResourceId": "[variables('workspaceResourceId')]",
+ "name": "clv2ws1"
+ }
+ ]
+ },
+ "dataFlows": [
+ {
+ "streams": [
+ "Custom-DynatraceAttacksV2"
+ ],
+ "destinations": [
+ "clv2ws1"
+ ],
+ "transformKql": "let fromUnixTime = (t: long) {\ndatetime(1970-01-01) + t * 1ms\n};\nsource | extend TimeGenerated = fromUnixTime(timestamp) | project-away timestamp",
+ "outputStream": "Custom-DynatraceAttacksV2_CL"
+ }
+ ],
+ "dataCollectionEndpointId": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]"
+ }
+ },
+ {
+ "name": "DynatraceAttacksV2_CL",
+ "apiVersion": "2022-10-01",
+ "type": "Microsoft.OperationalInsights/workspaces/tables",
+ "location": "[parameters('workspace-location')]",
+ "kind": null,
+ "properties": {
+ "schema": {
+ "name": "DynatraceAttacksV2_CL",
+ "columns": [
+ {
+ "name": "TimeGenerated",
+ "type": "datetime"
+ },
+ {
+ "name": "attackId",
+ "type": "string"
+ },
+ {
+ "name": "displayId",
+ "type": "string"
+ },
+ {
+ "name": "displayName",
+ "type": "string"
+ },
+ {
+ "name": "attackType",
+ "type": "string"
+ },
+ {
+ "name": "technology",
+ "type": "string"
+ },
+ {
+ "name": "state",
+ "type": "string"
+ },
+ {
+ "name": "affectedEntities",
+ "type": "dynamic"
+ },
+ {
+ "name": "request",
+ "type": "dynamic"
+ },
+ {
+ "name": "entrypoint",
+ "type": "dynamic"
+ },
+ {
+ "name": "vulnerability",
+ "type": "dynamic"
+ },
+ {
+ "name": "attacker",
+ "type": "dynamic"
+ },
+ {
+ "name": "managementZones",
+ "type": "dynamic"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "name": "DynatraceAuditLogsV2_CL",
+ "apiVersion": "2022-10-01",
+ "type": "Microsoft.OperationalInsights/workspaces/tables",
+ "location": "[parameters('workspace-location')]",
+ "kind": null,
+ "properties": {
+ "schema": {
+ "name": "DynatraceAuditLogsV2_CL",
+ "columns": [
+ {
+ "name": "TimeGenerated",
+ "type": "datetime"
+ },
+ {
+ "name": "logId",
+ "type": "string"
+ },
+ {
+ "name": "eventType",
+ "type": "string"
+ },
+ {
+ "name": "category",
+ "type": "string"
+ },
+ {
+ "name": "entityId",
+ "type": "string"
+ },
+ {
+ "name": "environmentId",
+ "type": "string"
+ },
+ {
+ "name": "user",
+ "type": "string"
+ },
+ {
+ "name": "userType",
+ "type": "string"
+ },
+ {
+ "name": "userOrigin",
+ "type": "string"
+ },
+ {
+ "name": "success",
+ "type": "boolean"
+ },
+ {
+ "name": "patch",
+ "type": "dynamic"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "name": "DynatraceProblemsV2_CL",
+ "apiVersion": "2022-10-01",
+ "type": "Microsoft.OperationalInsights/workspaces/tables",
+ "location": "[parameters('workspace-location')]",
+ "kind": null,
+ "properties": {
+ "schema": {
+ "name": "DynatraceProblemsV2_CL",
+ "columns": [
+ {
+ "name": "TimeGenerated",
+ "type": "datetime"
+ },
+ {
+ "name": "problemId",
+ "type": "string"
+ },
+ {
+ "name": "displayId",
+ "type": "string"
+ },
+ {
+ "name": "problemTitle",
+ "type": "string"
+ },
+ {
+ "name": "impactLevel",
+ "type": "string"
+ },
+ {
+ "name": "severityLevel",
+ "type": "string"
+ },
+ {
+ "name": "status",
+ "type": "string"
+ },
+ {
+ "name": "affectedEntities",
+ "type": "dynamic"
+ },
+ {
+ "name": "impactedEntities",
+ "type": "dynamic"
+ },
+ {
+ "name": "rootCauseEntity",
+ "type": "dynamic"
+ },
+ {
+ "name": "managementZones",
+ "type": "dynamic"
+ },
+ {
+ "name": "entityTags",
+ "type": "dynamic"
+ },
+ {
+ "name": "problemFilters",
+ "type": "dynamic"
+ },
+ {
+ "name": "startTimeUtc",
+ "type": "datetime"
+ },
+ {
+ "name": "endTimeUtc",
+ "type": "datetime"
+ },
+ {
+ "name": "evidenceDetails",
+ "type": "dynamic"
+ },
+ {
+ "name": "recentComments",
+ "type": "dynamic"
+ },
+ {
+ "name": "impactAnalysis",
+ "type": "dynamic"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "name": "DynatraceSecurityProblemsV2_CL",
+ "apiVersion": "2022-10-01",
+ "type": "Microsoft.OperationalInsights/workspaces/tables",
+ "location": "[parameters('workspace-location')]",
+ "kind": null,
+ "properties": {
+ "schema": {
+ "name": "DynatraceSecurityProblemsV2_CL",
+ "columns": [
+ {
+ "name": "TimeGenerated",
+ "type": "datetime"
+ },
+ {
+ "name": "securityProblemId",
+ "type": "string"
+ },
+ {
+ "name": "displayId",
+ "type": "string"
+ },
+ {
+ "name": "status",
+ "type": "string"
+ },
+ {
+ "name": "muted",
+ "type": "boolean"
+ },
+ {
+ "name": "externalVulnerabilityId",
+ "type": "string"
+ },
+ {
+ "name": "vulnerabilityType",
+ "type": "string"
+ },
+ {
+ "name": "securityProblemTitle",
+ "type": "string"
+ },
+ {
+ "name": "url",
+ "type": "string"
+ },
+ {
+ "name": "technology",
+ "type": "string"
+ },
+ {
+ "name": "firstSeenTimestampUtc",
+ "type": "datetime"
+ },
+ {
+ "name": "lastUpdatedTimestampUtc",
+ "type": "datetime"
+ },
+ {
+ "name": "lastOpenedTimestampUtc",
+ "type": "datetime"
+ },
+ {
+ "name": "riskAssessment",
+ "type": "dynamic"
+ },
+ {
+ "name": "managementZones",
+ "type": "dynamic"
+ },
+ {
+ "name": "cveIds",
+ "type": "dynamic"
+ },
+ {
+ "name": "muteStateChangeInProgress",
+ "type": "string"
+ }
+ ]
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentIdConnectorDefinition2'),'-', variables('dataConnectorCCPVersion'))))]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "version": "[variables('dataConnectorCCPVersion')]"
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition2'))]",
+ "apiVersion": "2022-09-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions",
+ "location": "[parameters('workspace-location')]",
+ "kind": "Customizable",
+ "properties": {
+ "connectorUiConfig": {
+ "id": "DynatraceAttacksCCPDefinition",
+ "title": "Dynatrace Attacks V2",
+ "publisher": "Dynatrace",
+ "descriptionMarkdown": "This connector uses the Dynatrace Attacks REST API to ingest detected attacks into Microsoft Sentinel Log Analytics",
+ "additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected which is deployed with the Microsoft Sentinel Solution.",
+ "graphQueriesTableName": "DynatraceAttacksV2_CL",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "Dynatrace Attack Events",
+ "baseQuery": "{{graphQueriesTableName}}"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "All Attack Events",
+ "query": "DynatraceAttacks\n| summarize arg_max(TimeStamp, *) by AttackId\n| take 10"
+ },
+ {
+ "description": "All Exploited Attack Events",
+ "query": "DynatraceAttacks\n| where State == \"EXPLOITED\"\n| summarize arg_max(TimeStamp, *) by AttackId\n| take 10"
+ },
+ {
+ "description": "Count Attacks by Type",
+ "query": "DynatraceAttacks\n| summarize arg_max(TimeStamp, *) by AttackId\n| summarize count() by AttackType\n| take 10"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "{{graphQueriesTableName}}",
+ "lastDataReceivedQuery": "{{graphQueriesTableName}}\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriteria": [
+ {
+ "type": "HasDataConnectors",
+ "value": null
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": true
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "name": "Dynatrace tenant (ex. xyz.dynatrace.com)",
+ "description": "You need a valid Dynatrace tenant with [Application Security](https://www.dynatrace.com/platform/application-security/) enabled, learn more about the [Dynatrace platform](https://www.dynatrace.com/)."
+ },
+ {
+ "name": "Dynatrace Access Token",
+ "description": "You need a Dynatrace Access Token, the token should have ***Read attacks*** (attacks.read) scope."
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "title": "Dynatrace Attack Events to Microsoft Sentinel",
+ "description": "Configure and Enable Dynatrace [Application Security](https://www.dynatrace.com/platform/application-security/). \n Follow [these instructions](https://docs.dynatrace.com/docs/shortlink/token#create-api-token) to generate an access token.",
+ "instructions": [
+ {
+ "parameters": {
+ "enable": "true",
+ "type": "text",
+ "label": "Dynatrace tenant (ex. xyz.dynatrace.com)",
+ "placeholder": "{{dynatraceEnvironmentUrl}}",
+ "name": "dynatraceEnvironmentUrl"
+ },
+ "type": "Textbox"
+ },
+ {
+ "parameters": {
+ "enable": "true",
+ "type": "password",
+ "label": "Dynatrace Access Token",
+ "placeholder": "{{dynatraceAccessToken}}",
+ "name": "dynatraceAccessToken"
+ },
+ "type": "Textbox"
+ },
+ {
+ "type": "ConnectionToggleButton",
+ "parameters": {
+ "connectLabel": "connect",
+ "name": "toggle"
+ }
+ }
+ ]
+ }
+ ],
+ "metadata": {
+ "version": "1.0.2",
+ "kind": "dataConnector"
+ }
+ }
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition2')))]",
+ "apiVersion": "2022-01-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition2'))]",
+ "contentId": "[variables('_dataConnectorContentIdConnectorDefinition2')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorCCPVersion')]",
+ "source": {
+ "sourceId": "[variables('_solutionId')]",
+ "name": "[variables('_solutionName')]",
+ "kind": "Solution"
+ },
+ "author": {
+ "name": "Dynatrace",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Dynatrace",
+ "email": "microsoftalliances@dynatrace.com",
+ "tier": "Partner",
+ "link": "https://www.dynatrace.com/services-support/"
+ },
+ "dependencies": {
+ "criteria": [
+ {
+ "version": "[variables('dataConnectorCCPVersion')]",
+ "contentId": "[variables('_dataConnectorContentIdConnections2')]",
+ "kind": "ResourcesDataConnector"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnections2'), variables('dataConnectorCCPVersion'))]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "contentId": "[variables('_dataConnectorContentIdConnections2')]",
+ "displayName": "Dynatrace Attacks V2",
+ "contentKind": "ResourcesDataConnector",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('dataConnectorCCPVersion')]",
+ "parameters": {
+ "guidValue": {
+ "defaultValue": "[[newGuid()]",
+ "type": "securestring"
+ },
+ "innerWorkspace": {
+ "defaultValue": "[parameters('workspace')]",
+ "type": "securestring"
+ },
+ "connectorDefinitionName": {
+ "defaultValue": "Dynatrace Attacks V2",
+ "type": "securestring",
+ "minLength": 1
+ },
+ "workspace": {
+ "defaultValue": "[parameters('workspace')]",
+ "type": "securestring"
+ },
+ "dcrConfig": {
+ "defaultValue": {
+ "dataCollectionEndpoint": "data collection Endpoint",
+ "dataCollectionRuleImmutableId": "data collection rule immutableId"
+ },
+ "type": "object"
+ },
+ "dynatraceEnvironmentUrl": {
+ "defaultValue": "dynatraceEnvironmentUrl",
+ "type": "securestring",
+ "minLength": 1
+ },
+ "dynatraceAccessToken": {
+ "defaultValue": "dynatraceAccessToken",
+ "type": "securestring",
+ "minLength": 1
+ }
+ },
+ "variables": {
+ "_dataConnectorContentIdConnections2": "[variables('_dataConnectorContentIdConnections2')]"
+ },
+ "resources": [
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnections2')))]",
+ "apiVersion": "2022-01-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentIdConnections2'))]",
+ "contentId": "[variables('_dataConnectorContentIdConnections2')]",
+ "kind": "ResourcesDataConnector",
+ "version": "[variables('dataConnectorCCPVersion')]",
+ "source": {
+ "sourceId": "[variables('_solutionId')]",
+ "name": "[variables('_solutionName')]",
+ "kind": "Solution"
+ },
+ "author": {
+ "name": "Dynatrace",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Dynatrace",
+ "email": "microsoftalliances@dynatrace.com",
+ "tier": "Partner",
+ "link": "https://www.dynatrace.com/services-support/"
+ }
+ }
+ },
+ {
+ "name": "[[concat(parameters('innerWorkspace'),'/Microsoft.SecurityInsights/', 'DynatraceAttacksV2', parameters('guidValue'))]",
+ "apiVersion": "2023-02-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "location": "[parameters('workspace-location')]",
+ "kind": "RestApiPoller",
+ "properties": {
+ "connectorDefinitionName": "DynatraceAttacksCCPDefinition",
+ "dataType": "DynatraceAttacksV2_CL",
+ "auth": {
+ "type": "APIKey",
+ "ApiKey": "[[parameters('dynatraceAccessToken')]",
+ "APIKeyIdentifier": "Api-Token",
+ "APIKeyName": "Authorization"
+ },
+ "request": {
+ "apiEndpoint": "[[concat('https://',parameters('dynatraceEnvironmentUrl'),'/api/v2/attacks')]",
+ "httpMethod": "Get",
+ "rateLimitQPS": 2,
+ "retryCount": 3,
+ "timeoutInSeconds": 120,
+ "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ",
+ "queryWindowInMin": 5,
+ "startTimeAttributeName": "from",
+ "endTimeAttributeName": "to",
+ "headers": {
+ "Accept": "application/json",
+ "User-Agent": "dynatrace-microsoft-sentinel/3.0.2/connectors/attacks"
+ },
+ "queryParameters": {
+ "fields": "+attacker,+request,+entrypoint,+vulnerability,+managementZones"
+ }
+ },
+ "response": {
+ "eventsJsonPaths": [
+ "$.attacks"
+ ],
+ "convertChildPropertiesToArray": true
+ },
+ "dcrConfig": {
+ "streamName": "Custom-DynatraceAttacksV2",
+ "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]",
+ "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]"
+ },
+ "paging": {
+ "pagingType": "NextPageToken",
+ "pagingQueryParamOnly": true,
+ "nextPageTokenJsonPath": "$.nextPageKey",
+ "nextPageParaName": "nextPageKey"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','rdc','-', uniqueString(concat(variables('_solutionId'),'-','ResourcesDataConnector','-',variables('_dataConnectorContentIdConnections2'),'-', variables('dataConnectorCCPVersion'))))]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "version": "[variables('dataConnectorCCPVersion')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnectorDefinition3'), variables('dataConnectorCCPVersion'))]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "contentId": "[variables('_dataConnectorContentIdConnectorDefinition3')]",
+ "displayName": "Dynatrace Audit Logs V2",
+ "contentKind": "DataConnector",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('dataConnectorCCPVersion')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition3'))]",
+ "apiVersion": "2022-09-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions",
+ "location": "[parameters('workspace-location')]",
+ "kind": "Customizable",
+ "properties": {
+ "connectorUiConfig": {
+ "id": "DynatraceAuditLogsCCPDefinition",
+ "title": "Dynatrace Audit Logs V2",
+ "publisher": "Dynatrace",
+ "descriptionMarkdown": "This connector uses the [Dynatrace Audit Logs REST API](https://docs.dynatrace.com/docs/dynatrace-api/environment-api/audit-logs) to ingest tenant audit logs into Microsoft Sentinel Log Analytics",
+ "additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected which is deployed with the Microsoft Sentinel Solution.",
+ "graphQueriesTableName": "DynatraceAuditLogsV2_CL",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "Dynatrace Audit Log Events",
+ "baseQuery": "{{graphQueriesTableName}}"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "All Audit Log Events",
+ "query": "DynatraceAuditLogs\n| take 10"
+ },
+ {
+ "description": "User Login Events",
+ "query": "DynatraceAuditLogs\n| where EventType == \"LOGIN\"\n and Category == \"WEB_UI\"\n | take 10"
+ },
+ {
+ "description": "Access Token Creation Events",
+ "query": "DynatraceAuditLogs\n| where EventType == \"CREATE\"\n and Category == \"TOKEN\"\n | take 10"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "{{graphQueriesTableName}}",
+ "lastDataReceivedQuery": "{{graphQueriesTableName}}\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriteria": [
+ {
+ "type": "HasDataConnectors",
+ "value": null
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": true
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "name": "Dynatrace tenant (ex. xyz.dynatrace.com)",
+ "description": "You need a valid Dynatrace Tenant, to learn more about the Dynatrace platform [Start your free trial](https://www.dynatrace.com/trial)."
+ },
+ {
+ "name": "Dynatrace Access Token",
+ "description": "You need a Dynatrace Access Token, the token should have ***Read audit logs*** (auditLogs.read) scope."
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "title": "Dynatrace Audit Log Events to Microsoft Sentinel",
+ "description": "Enable Dynatrace Audit [Logging](https://docs.dynatrace.com/docs/shortlink/audit-logs#enable-audit-logging). \n Follow [these instructions](https://docs.dynatrace.com/docs/shortlink/token#create-api-token) to generate an access token.",
+ "instructions": [
+ {
+ "parameters": {
+ "enable": "true",
+ "type": "text",
+ "label": "Dynatrace tenant (ex. xyz.dynatrace.com)",
+ "placeholder": "{{dynatraceEnvironmentUrl}}",
+ "name": "dynatraceEnvironmentUrl"
+ },
+ "type": "Textbox"
+ },
+ {
+ "parameters": {
+ "enable": "true",
+ "type": "password",
+ "label": "Dynatrace Access Token",
+ "placeholder": "{{dynatraceAccessToken}}",
+ "name": "dynatraceAccessToken"
+ },
+ "type": "Textbox"
+ },
+ {
+ "type": "ConnectionToggleButton",
+ "parameters": {
+ "connectLabel": "connect",
+ "name": "toggle"
+ }
+ }
+ ]
+ }
+ ],
+ "metadata": {
+ "version": "1.0.2",
+ "kind": "dataConnector"
+ }
+ }
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition3')))]",
+ "apiVersion": "2022-01-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition3'))]",
+ "contentId": "[variables('_dataConnectorContentIdConnectorDefinition3')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorCCPVersion')]",
+ "source": {
+ "sourceId": "[variables('_solutionId')]",
+ "name": "[variables('_solutionName')]",
+ "kind": "Solution"
+ },
+ "author": {
+ "name": "Dynatrace",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Dynatrace",
+ "email": "microsoftalliances@dynatrace.com",
+ "tier": "Partner",
+ "link": "https://www.dynatrace.com/services-support/"
+ },
+ "dependencies": {
+ "criteria": [
+ {
+ "version": "[variables('dataConnectorCCPVersion')]",
+ "contentId": "[variables('_dataConnectorContentIdConnections3')]",
+ "kind": "ResourcesDataConnector"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "name": "DTAuditLogs2DCR",
+ "apiVersion": "2022-06-01",
+ "type": "Microsoft.Insights/dataCollectionRules",
+ "location": "[parameters('workspace-location')]",
+ "kind": "[variables('blanks')]",
+ "properties": {
+ "streamDeclarations": {
+ "Custom-DynatraceAuditLogsV2": {
+ "columns": [
+ {
+ "name": "timestamp",
+ "type": "long"
+ },
+ {
+ "name": "logId",
+ "type": "string"
+ },
+ {
+ "name": "eventType",
+ "type": "string"
+ },
+ {
+ "name": "category",
+ "type": "string"
+ },
+ {
+ "name": "entityId",
+ "type": "string"
+ },
+ {
+ "name": "environmentId",
+ "type": "string"
+ },
+ {
+ "name": "user",
+ "type": "string"
+ },
+ {
+ "name": "userType",
+ "type": "string"
+ },
+ {
+ "name": "userOrigin",
+ "type": "string"
+ },
+ {
+ "name": "success",
+ "type": "boolean"
+ },
+ {
+ "name": "patch",
+ "type": "dynamic"
+ }
+ ]
+ }
+ },
+ "destinations": {
+ "logAnalytics": [
+ {
+ "workspaceResourceId": "[variables('workspaceResourceId')]",
+ "name": "clv2ws1"
+ }
+ ]
+ },
+ "dataFlows": [
+ {
+ "streams": [
+ "Custom-DynatraceAuditLogsV2"
+ ],
+ "destinations": [
+ "clv2ws1"
+ ],
+ "transformKql": "let fromUnixTime = (t: long) {\ndatetime(1970-01-01) + t * 1ms\n};\nsource | extend TimeGenerated = fromUnixTime(timestamp) | project-away timestamp",
+ "outputStream": "Custom-DynatraceAuditLogsV2_CL"
+ }
+ ],
+ "dataCollectionEndpointId": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]"
+ }
+ },
+ {
+ "name": "DynatraceAuditLogsV2_CL",
+ "apiVersion": "2022-10-01",
+ "type": "Microsoft.OperationalInsights/workspaces/tables",
+ "location": "[parameters('workspace-location')]",
+ "kind": null,
+ "properties": {
+ "schema": {
+ "name": "DynatraceAuditLogsV2_CL",
+ "columns": [
+ {
+ "name": "TimeGenerated",
+ "type": "datetime"
+ },
+ {
+ "name": "logId",
+ "type": "string"
+ },
+ {
+ "name": "eventType",
+ "type": "string"
+ },
+ {
+ "name": "category",
+ "type": "string"
+ },
+ {
+ "name": "entityId",
+ "type": "string"
+ },
+ {
+ "name": "environmentId",
+ "type": "string"
+ },
+ {
+ "name": "user",
+ "type": "string"
+ },
+ {
+ "name": "userType",
+ "type": "string"
+ },
+ {
+ "name": "userOrigin",
+ "type": "string"
+ },
+ {
+ "name": "success",
+ "type": "boolean"
+ },
+ {
+ "name": "patch",
+ "type": "dynamic"
+ }
+ ]
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentIdConnectorDefinition3'),'-', variables('dataConnectorCCPVersion'))))]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "version": "[variables('dataConnectorCCPVersion')]"
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition3'))]",
+ "apiVersion": "2022-09-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions",
+ "location": "[parameters('workspace-location')]",
+ "kind": "Customizable",
+ "properties": {
+ "connectorUiConfig": {
+ "id": "DynatraceAuditLogsCCPDefinition",
+ "title": "Dynatrace Audit Logs V2",
+ "publisher": "Dynatrace",
+ "descriptionMarkdown": "This connector uses the [Dynatrace Audit Logs REST API](https://docs.dynatrace.com/docs/dynatrace-api/environment-api/audit-logs) to ingest tenant audit logs into Microsoft Sentinel Log Analytics",
+ "additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected which is deployed with the Microsoft Sentinel Solution.",
+ "graphQueriesTableName": "DynatraceAuditLogsV2_CL",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "Dynatrace Audit Log Events",
+ "baseQuery": "{{graphQueriesTableName}}"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "All Audit Log Events",
+ "query": "DynatraceAuditLogs\n| take 10"
+ },
+ {
+ "description": "User Login Events",
+ "query": "DynatraceAuditLogs\n| where EventType == \"LOGIN\"\n and Category == \"WEB_UI\"\n | take 10"
+ },
+ {
+ "description": "Access Token Creation Events",
+ "query": "DynatraceAuditLogs\n| where EventType == \"CREATE\"\n and Category == \"TOKEN\"\n | take 10"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "{{graphQueriesTableName}}",
+ "lastDataReceivedQuery": "{{graphQueriesTableName}}\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriteria": [
+ {
+ "type": "HasDataConnectors",
+ "value": null
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": true
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "name": "Dynatrace tenant (ex. xyz.dynatrace.com)",
+ "description": "You need a valid Dynatrace Tenant, to learn more about the Dynatrace platform [Start your free trial](https://www.dynatrace.com/trial)."
+ },
+ {
+ "name": "Dynatrace Access Token",
+ "description": "You need a Dynatrace Access Token, the token should have ***Read audit logs*** (auditLogs.read) scope."
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "title": "Dynatrace Audit Log Events to Microsoft Sentinel",
+ "description": "Enable Dynatrace Audit [Logging](https://docs.dynatrace.com/docs/shortlink/audit-logs#enable-audit-logging). \n Follow [these instructions](https://docs.dynatrace.com/docs/shortlink/token#create-api-token) to generate an access token.",
+ "instructions": [
+ {
+ "parameters": {
+ "enable": "true",
+ "type": "text",
+ "label": "Dynatrace tenant (ex. xyz.dynatrace.com)",
+ "placeholder": "{{dynatraceEnvironmentUrl}}",
+ "name": "dynatraceEnvironmentUrl"
+ },
+ "type": "Textbox"
+ },
+ {
+ "parameters": {
+ "enable": "true",
+ "type": "password",
+ "label": "Dynatrace Access Token",
+ "placeholder": "{{dynatraceAccessToken}}",
+ "name": "dynatraceAccessToken"
+ },
+ "type": "Textbox"
+ },
+ {
+ "type": "ConnectionToggleButton",
+ "parameters": {
+ "connectLabel": "connect",
+ "name": "toggle"
+ }
+ }
+ ]
+ }
+ ],
+ "metadata": {
+ "version": "1.0.2",
+ "kind": "dataConnector"
+ }
+ }
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition3')))]",
+ "apiVersion": "2022-01-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition3'))]",
+ "contentId": "[variables('_dataConnectorContentIdConnectorDefinition3')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorCCPVersion')]",
+ "source": {
+ "sourceId": "[variables('_solutionId')]",
+ "name": "[variables('_solutionName')]",
+ "kind": "Solution"
+ },
+ "author": {
+ "name": "Dynatrace",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Dynatrace",
+ "email": "microsoftalliances@dynatrace.com",
+ "tier": "Partner",
+ "link": "https://www.dynatrace.com/services-support/"
+ },
+ "dependencies": {
+ "criteria": [
+ {
+ "version": "[variables('dataConnectorCCPVersion')]",
+ "contentId": "[variables('_dataConnectorContentIdConnections3')]",
+ "kind": "ResourcesDataConnector"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnections3'), variables('dataConnectorCCPVersion'))]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "contentId": "[variables('_dataConnectorContentIdConnections3')]",
+ "displayName": "Dynatrace Audit Logs V2",
+ "contentKind": "ResourcesDataConnector",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('dataConnectorCCPVersion')]",
+ "parameters": {
+ "guidValue": {
+ "defaultValue": "[[newGuid()]",
+ "type": "securestring"
+ },
+ "innerWorkspace": {
+ "defaultValue": "[parameters('workspace')]",
+ "type": "securestring"
+ },
+ "connectorDefinitionName": {
+ "defaultValue": "Dynatrace Audit Logs V2",
+ "type": "securestring",
+ "minLength": 1
+ },
+ "workspace": {
+ "defaultValue": "[parameters('workspace')]",
+ "type": "securestring"
+ },
+ "dcrConfig": {
+ "defaultValue": {
+ "dataCollectionEndpoint": "data collection Endpoint",
+ "dataCollectionRuleImmutableId": "data collection rule immutableId"
+ },
+ "type": "object"
+ },
+ "dynatraceEnvironmentUrl": {
+ "defaultValue": "dynatraceEnvironmentUrl",
+ "type": "securestring",
+ "minLength": 1
+ },
+ "dynatraceAccessToken": {
+ "defaultValue": "dynatraceAccessToken",
+ "type": "securestring",
+ "minLength": 1
+ }
+ },
+ "variables": {
+ "_dataConnectorContentIdConnections3": "[variables('_dataConnectorContentIdConnections3')]"
+ },
+ "resources": [
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnections3')))]",
+ "apiVersion": "2022-01-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentIdConnections3'))]",
+ "contentId": "[variables('_dataConnectorContentIdConnections3')]",
+ "kind": "ResourcesDataConnector",
+ "version": "[variables('dataConnectorCCPVersion')]",
+ "source": {
+ "sourceId": "[variables('_solutionId')]",
+ "name": "[variables('_solutionName')]",
+ "kind": "Solution"
+ },
+ "author": {
+ "name": "Dynatrace",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Dynatrace",
+ "email": "microsoftalliances@dynatrace.com",
+ "tier": "Partner",
+ "link": "https://www.dynatrace.com/services-support/"
+ }
+ }
+ },
+ {
+ "name": "[[concat(parameters('innerWorkspace'),'/Microsoft.SecurityInsights/', 'DynatraceAuditLogsV2', parameters('guidValue'))]",
+ "apiVersion": "2023-02-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "location": "[parameters('workspace-location')]",
+ "kind": "RestApiPoller",
+ "properties": {
+ "connectorDefinitionName": "DynatraceAuditLogsCCPDefinition",
+ "dataType": "DynatraceAuditLogsV2_CL",
+ "auth": {
+ "type": "APIKey",
+ "ApiKey": "[[parameters('dynatraceAccessToken')]",
+ "APIKeyIdentifier": "Api-Token",
+ "APIKeyName": "Authorization"
+ },
+ "request": {
+ "apiEndpoint": "[[concat('https://',parameters('dynatraceEnvironmentUrl'),'/api/v2/auditlogs')]",
+ "httpMethod": "Get",
+ "rateLimitQPS": 2,
+ "retryCount": 3,
+ "timeoutInSeconds": 120,
+ "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ",
+ "queryWindowInMin": 5,
+ "startTimeAttributeName": "from",
+ "endTimeAttributeName": "to",
+ "headers": {
+ "Accept": "application/json",
+ "User-Agent": "dynatrace-microsoft-sentinel/3.0.2/connectors/auditlogs"
+ }
+ },
+ "response": {
+ "eventsJsonPaths": [
+ "$.auditLogs"
+ ],
+ "convertChildPropertiesToArray": true
+ },
+ "dcrConfig": {
+ "streamName": "Custom-DynatraceAuditLogsV2",
+ "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]",
+ "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]"
+ },
+ "paging": {
+ "pagingType": "NextPageToken",
+ "pagingQueryParamOnly": true,
+ "nextPageTokenJsonPath": "$.nextPageKey",
+ "nextPageParaName": "nextPageKey"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','rdc','-', uniqueString(concat(variables('_solutionId'),'-','ResourcesDataConnector','-',variables('_dataConnectorContentIdConnections3'),'-', variables('dataConnectorCCPVersion'))))]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "version": "[variables('dataConnectorCCPVersion')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnectorDefinition4'), variables('dataConnectorCCPVersion'))]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "contentId": "[variables('_dataConnectorContentIdConnectorDefinition4')]",
+ "displayName": "Dynatrace Problems V2",
+ "contentKind": "DataConnector",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('dataConnectorCCPVersion')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition4'))]",
+ "apiVersion": "2022-09-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions",
+ "location": "[parameters('workspace-location')]",
+ "kind": "Customizable",
+ "properties": {
+ "connectorUiConfig": {
+ "id": "DynatraceProblemsCCPDefinition",
+ "title": "Dynatrace Problems V2",
+ "publisher": "Dynatrace",
+ "descriptionMarkdown": "This connector uses the [Dynatrace Problem REST API](https://docs.dynatrace.com/docs/dynatrace-api/environment-api/problems-v2) to ingest problem events into Microsoft Sentinel Log Analytics",
+ "additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected which is deployed with the Microsoft Sentinel Solution.",
+ "graphQueriesTableName": "DynatraceProblemsV2_CL",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "Dynatrace Problem Events",
+ "baseQuery": "{{graphQueriesTableName}}"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "All Problem Events",
+ "query": "DynatraceProblems\n| summarize arg_max(StartTime, *) by ProblemId\n| take 10"
+ },
+ {
+ "description": "All Open Problem Events",
+ "query": "DynatraceProblems\n| summarize arg_max(EndTime, *) by ProblemId\n| where isnull(EndTime) or Status == \"OPEN\"\n| take 10"
+ },
+ {
+ "description": "Error Problem Events",
+ "query": "DynatraceProblems\n| where SeverityLevel == \"ERROR\"\n| summarize arg_max(StartTime, *) by ProblemId\n| take 10"
+ },
+ {
+ "description": "Availability Problem Events",
+ "query": "DynatraceProblems\n| where SeverityLevel == \"AVAILABILITY\"\n| summarize arg_max(StartTime, *) by ProblemId\n| take 10"
+ },
+ {
+ "description": "Performance Problem Events",
+ "query": "DynatraceProblems\n| where SeverityLevel == \"PERFORMANCE\"\n| summarize arg_max(StartTime, *) by ProblemId\n| take 10"
+ },
+ {
+ "description": "Count Problem Events by impact level",
+ "query": "DynatraceProblems\n| summarize arg_max(StartTime, *) by ProblemId\n| summarize count() by ImpactLevel\n| take 10"
+ },
+ {
+ "description": "Count Problem Events by severity level",
+ "query": "DynatraceProblems\n| summarize arg_max(StartTime, *) by ProblemId\n| summarize count() by SeverityLevel\n| take 10"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "{{graphQueriesTableName}}",
+ "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriteria": [
+ {
+ "type": "HasDataConnectors",
+ "value": null
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": true
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "name": "Dynatrace tenant (ex. xyz.dynatrace.com)",
+ "description": "You need a valid Dynatrace Tenant, to learn more about the Dynatrace platform [Start your free trial](https://www.dynatrace.com/trial)."
+ },
+ {
+ "name": "Dynatrace Access Token",
+ "description": "You need a Dynatrace Access Token, the token should have ***Read problems*** (problems.read) scope."
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "title": "Dynatrace Problem Events to Microsoft Sentinel",
+ "description": "Follow [these instructions](https://docs.dynatrace.com/docs/shortlink/token#create-api-token) to generate an access token.",
+ "instructions": [
+ {
+ "parameters": {
+ "enable": "true",
+ "type": "text",
+ "label": "Dynatrace tenant (ex. xyz.dynatrace.com)",
+ "placeholder": "{{dynatraceEnvironmentUrl}}",
+ "name": "dynatraceEnvironmentUrl"
+ },
+ "type": "Textbox"
+ },
+ {
+ "parameters": {
+ "enable": "true",
+ "type": "password",
+ "label": "Dynatrace Access Token",
+ "placeholder": "{{dynatraceAccessToken}}",
+ "name": "dynatraceAccessToken"
+ },
+ "type": "Textbox"
+ },
+ {
+ "type": "ConnectionToggleButton",
+ "parameters": {
+ "connectLabel": "connect",
+ "name": "toggle"
+ }
+ }
+ ]
+ }
+ ],
+ "metadata": {
+ "version": "1.0.2",
+ "kind": "dataConnector"
+ }
+ }
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition4')))]",
+ "apiVersion": "2022-01-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition4'))]",
+ "contentId": "[variables('_dataConnectorContentIdConnectorDefinition4')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorCCPVersion')]",
+ "source": {
+ "sourceId": "[variables('_solutionId')]",
+ "name": "[variables('_solutionName')]",
+ "kind": "Solution"
+ },
+ "author": {
+ "name": "Dynatrace",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Dynatrace",
+ "email": "microsoftalliances@dynatrace.com",
+ "tier": "Partner",
+ "link": "https://www.dynatrace.com/services-support/"
+ },
+ "dependencies": {
+ "criteria": [
+ {
+ "version": "[variables('dataConnectorCCPVersion')]",
+ "contentId": "[variables('_dataConnectorContentIdConnections4')]",
+ "kind": "ResourcesDataConnector"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "name": "DTProblems2DCR",
+ "apiVersion": "2022-06-01",
+ "type": "Microsoft.Insights/dataCollectionRules",
+ "location": "[parameters('workspace-location')]",
+ "kind": "[variables('blanks')]",
+ "properties": {
+ "streamDeclarations": {
+ "Custom-DynatraceProblemsV2": {
+ "columns": [
+ {
+ "name": "problemId",
+ "type": "string"
+ },
+ {
+ "name": "displayId",
+ "type": "string"
+ },
+ {
+ "name": "title",
+ "type": "string"
+ },
+ {
+ "name": "impactLevel",
+ "type": "string"
+ },
+ {
+ "name": "severityLevel",
+ "type": "string"
+ },
+ {
+ "name": "status",
+ "type": "string"
+ },
+ {
+ "name": "affectedEntities",
+ "type": "dynamic"
+ },
+ {
+ "name": "impactedEntities",
+ "type": "dynamic"
+ },
+ {
+ "name": "rootCauseEntity",
+ "type": "dynamic"
+ },
+ {
+ "name": "managementZones",
+ "type": "dynamic"
+ },
+ {
+ "name": "entityTags",
+ "type": "dynamic"
+ },
+ {
+ "name": "problemFilters",
+ "type": "dynamic"
+ },
+ {
+ "name": "startTime",
+ "type": "long"
+ },
+ {
+ "name": "endTime",
+ "type": "long"
+ },
+ {
+ "name": "evidenceDetails",
+ "type": "dynamic"
+ },
+ {
+ "name": "recentComments",
+ "type": "dynamic"
+ },
+ {
+ "name": "impactAnalysis",
+ "type": "dynamic"
+ }
+ ]
+ }
+ },
+ "destinations": {
+ "logAnalytics": [
+ {
+ "workspaceResourceId": "[variables('workspaceResourceId')]",
+ "name": "clv2ws1"
+ }
+ ]
+ },
+ "dataFlows": [
+ {
+ "streams": [
+ "Custom-DynatraceProblemsV2"
+ ],
+ "destinations": [
+ "clv2ws1"
+ ],
+ "transformKql": "let fromUnixTime = (t: long) {\ndatetime(1970-01-01) + t * 1ms\n};\nsource | extend TimeGenerated = fromUnixTime(startTime), startTimeUtc = fromUnixTime(startTime), endTimeUtc = iff(endTime == -1, datetime(null), fromUnixTime(endTime)) | project-away startTime, endTime | project-rename problemTitle = ['title']",
+ "outputStream": "Custom-DynatraceProblemsV2_CL"
+ }
+ ],
+ "dataCollectionEndpointId": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]"
+ }
+ },
+ {
+ "name": "DynatraceProblemsV2_CL",
+ "apiVersion": "2022-10-01",
+ "type": "Microsoft.OperationalInsights/workspaces/tables",
+ "location": "[parameters('workspace-location')]",
+ "kind": null,
+ "properties": {
+ "schema": {
+ "name": "DynatraceProblemsV2_CL",
+ "columns": [
+ {
+ "name": "TimeGenerated",
+ "type": "datetime"
+ },
+ {
+ "name": "problemId",
+ "type": "string"
+ },
+ {
+ "name": "displayId",
+ "type": "string"
+ },
+ {
+ "name": "problemTitle",
+ "type": "string"
+ },
+ {
+ "name": "impactLevel",
+ "type": "string"
+ },
+ {
+ "name": "severityLevel",
+ "type": "string"
+ },
+ {
+ "name": "status",
+ "type": "string"
+ },
+ {
+ "name": "affectedEntities",
+ "type": "dynamic"
+ },
+ {
+ "name": "impactedEntities",
+ "type": "dynamic"
+ },
+ {
+ "name": "rootCauseEntity",
+ "type": "dynamic"
+ },
+ {
+ "name": "managementZones",
+ "type": "dynamic"
+ },
+ {
+ "name": "entityTags",
+ "type": "dynamic"
+ },
+ {
+ "name": "problemFilters",
+ "type": "dynamic"
+ },
+ {
+ "name": "startTimeUtc",
+ "type": "datetime"
+ },
+ {
+ "name": "endTimeUtc",
+ "type": "datetime"
+ },
+ {
+ "name": "evidenceDetails",
+ "type": "dynamic"
+ },
+ {
+ "name": "recentComments",
+ "type": "dynamic"
+ },
+ {
+ "name": "impactAnalysis",
+ "type": "dynamic"
+ }
+ ]
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentIdConnectorDefinition4'),'-', variables('dataConnectorCCPVersion'))))]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "version": "[variables('dataConnectorCCPVersion')]"
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition4'))]",
+ "apiVersion": "2022-09-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions",
+ "location": "[parameters('workspace-location')]",
+ "kind": "Customizable",
+ "properties": {
+ "connectorUiConfig": {
+ "id": "DynatraceProblemsCCPDefinition",
+ "title": "Dynatrace Problems V2",
+ "publisher": "Dynatrace",
+ "descriptionMarkdown": "This connector uses the [Dynatrace Problem REST API](https://docs.dynatrace.com/docs/dynatrace-api/environment-api/problems-v2) to ingest problem events into Microsoft Sentinel Log Analytics",
+ "additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected which is deployed with the Microsoft Sentinel Solution.",
+ "graphQueriesTableName": "DynatraceProblemsV2_CL",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "Dynatrace Problem Events",
+ "baseQuery": "{{graphQueriesTableName}}"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "All Problem Events",
+ "query": "DynatraceProblems\n| summarize arg_max(StartTime, *) by ProblemId\n| take 10"
+ },
+ {
+ "description": "All Open Problem Events",
+ "query": "DynatraceProblems\n| summarize arg_max(EndTime, *) by ProblemId\n| where isnull(EndTime) or Status == \"OPEN\"\n| take 10"
+ },
+ {
+ "description": "Error Problem Events",
+ "query": "DynatraceProblems\n| where SeverityLevel == \"ERROR\"\n| summarize arg_max(StartTime, *) by ProblemId\n| take 10"
+ },
+ {
+ "description": "Availability Problem Events",
+ "query": "DynatraceProblems\n| where SeverityLevel == \"AVAILABILITY\"\n| summarize arg_max(StartTime, *) by ProblemId\n| take 10"
+ },
+ {
+ "description": "Performance Problem Events",
+ "query": "DynatraceProblems\n| where SeverityLevel == \"PERFORMANCE\"\n| summarize arg_max(StartTime, *) by ProblemId\n| take 10"
+ },
+ {
+ "description": "Count Problem Events by impact level",
+ "query": "DynatraceProblems\n| summarize arg_max(StartTime, *) by ProblemId\n| summarize count() by ImpactLevel\n| take 10"
+ },
+ {
+ "description": "Count Problem Events by severity level",
+ "query": "DynatraceProblems\n| summarize arg_max(StartTime, *) by ProblemId\n| summarize count() by SeverityLevel\n| take 10"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "{{graphQueriesTableName}}",
+ "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriteria": [
+ {
+ "type": "HasDataConnectors",
+ "value": null
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": true
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "name": "Dynatrace tenant (ex. xyz.dynatrace.com)",
+ "description": "You need a valid Dynatrace Tenant, to learn more about the Dynatrace platform [Start your free trial](https://www.dynatrace.com/trial)."
+ },
+ {
+ "name": "Dynatrace Access Token",
+ "description": "You need a Dynatrace Access Token, the token should have ***Read problems*** (problems.read) scope."
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "title": "Dynatrace Problem Events to Microsoft Sentinel",
+ "description": "Follow [these instructions](https://docs.dynatrace.com/docs/shortlink/token#create-api-token) to generate an access token.",
+ "instructions": [
+ {
+ "parameters": {
+ "enable": "true",
+ "type": "text",
+ "label": "Dynatrace tenant (ex. xyz.dynatrace.com)",
+ "placeholder": "{{dynatraceEnvironmentUrl}}",
+ "name": "dynatraceEnvironmentUrl"
+ },
+ "type": "Textbox"
+ },
+ {
+ "parameters": {
+ "enable": "true",
+ "type": "password",
+ "label": "Dynatrace Access Token",
+ "placeholder": "{{dynatraceAccessToken}}",
+ "name": "dynatraceAccessToken"
+ },
+ "type": "Textbox"
+ },
+ {
+ "type": "ConnectionToggleButton",
+ "parameters": {
+ "connectLabel": "connect",
+ "name": "toggle"
+ }
+ }
+ ]
+ }
+ ],
+ "metadata": {
+ "version": "1.0.2",
+ "kind": "dataConnector"
+ }
+ }
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition4')))]",
+ "apiVersion": "2022-01-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition4'))]",
+ "contentId": "[variables('_dataConnectorContentIdConnectorDefinition4')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorCCPVersion')]",
+ "source": {
+ "sourceId": "[variables('_solutionId')]",
+ "name": "[variables('_solutionName')]",
+ "kind": "Solution"
+ },
+ "author": {
+ "name": "Dynatrace",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Dynatrace",
+ "email": "microsoftalliances@dynatrace.com",
+ "tier": "Partner",
+ "link": "https://www.dynatrace.com/services-support/"
+ },
+ "dependencies": {
+ "criteria": [
+ {
+ "version": "[variables('dataConnectorCCPVersion')]",
+ "contentId": "[variables('_dataConnectorContentIdConnections4')]",
+ "kind": "ResourcesDataConnector"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnections4'), variables('dataConnectorCCPVersion'))]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "contentId": "[variables('_dataConnectorContentIdConnections4')]",
+ "displayName": "Dynatrace Problems V2",
+ "contentKind": "ResourcesDataConnector",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('dataConnectorCCPVersion')]",
+ "parameters": {
+ "guidValue": {
+ "defaultValue": "[[newGuid()]",
+ "type": "securestring"
+ },
+ "innerWorkspace": {
+ "defaultValue": "[parameters('workspace')]",
+ "type": "securestring"
+ },
+ "connectorDefinitionName": {
+ "defaultValue": "Dynatrace Problems V2",
+ "type": "securestring",
+ "minLength": 1
+ },
+ "workspace": {
+ "defaultValue": "[parameters('workspace')]",
+ "type": "securestring"
+ },
+ "dcrConfig": {
+ "defaultValue": {
+ "dataCollectionEndpoint": "data collection Endpoint",
+ "dataCollectionRuleImmutableId": "data collection rule immutableId"
+ },
+ "type": "object"
+ },
+ "dynatraceEnvironmentUrl": {
+ "defaultValue": "dynatraceEnvironmentUrl",
+ "type": "securestring",
+ "minLength": 1
+ },
+ "dynatraceAccessToken": {
+ "defaultValue": "dynatraceAccessToken",
+ "type": "securestring",
+ "minLength": 1
+ }
+ },
+ "variables": {
+ "_dataConnectorContentIdConnections4": "[variables('_dataConnectorContentIdConnections4')]"
+ },
+ "resources": [
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnections4')))]",
+ "apiVersion": "2022-01-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentIdConnections4'))]",
+ "contentId": "[variables('_dataConnectorContentIdConnections4')]",
+ "kind": "ResourcesDataConnector",
+ "version": "[variables('dataConnectorCCPVersion')]",
+ "source": {
+ "sourceId": "[variables('_solutionId')]",
+ "name": "[variables('_solutionName')]",
+ "kind": "Solution"
+ },
+ "author": {
+ "name": "Dynatrace",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Dynatrace",
+ "email": "microsoftalliances@dynatrace.com",
+ "tier": "Partner",
+ "link": "https://www.dynatrace.com/services-support/"
+ }
+ }
+ },
+ {
+ "name": "[[concat(parameters('innerWorkspace'),'/Microsoft.SecurityInsights/', 'DynatraceProblemsV2', parameters('guidValue'))]",
+ "apiVersion": "2023-02-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "location": "[parameters('workspace-location')]",
+ "kind": "RestApiPoller",
+ "properties": {
+ "connectorDefinitionName": "DynatraceProblemsCCPDefinition",
+ "dataType": "DynatraceProblemsV2_CL",
+ "auth": {
+ "type": "APIKey",
+ "ApiKey": "[[parameters('dynatraceAccessToken')]",
+ "APIKeyIdentifier": "Api-Token",
+ "APIKeyName": "Authorization"
+ },
+ "request": {
+ "apiEndpoint": "[[concat('https://',parameters('dynatraceEnvironmentUrl'),'/api/v2/problems')]",
+ "httpMethod": "Get",
+ "rateLimitQPS": 2,
+ "retryCount": 3,
+ "timeoutInSeconds": 120,
+ "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ",
+ "queryWindowInMin": 5,
+ "startTimeAttributeName": "from",
+ "endTimeAttributeName": "to",
+ "headers": {
+ "Accept": "application/json",
+ "User-Agent": "dynatrace-microsoft-sentinel/3.0.2/connectors/problems"
+ },
+ "queryParameters": {
+ "fields": "+evidenceDetails,+impactAnalysis"
+ }
+ },
+ "response": {
+ "eventsJsonPaths": [
+ "$.problems"
+ ],
+ "convertChildPropertiesToArray": true
+ },
+ "dcrConfig": {
+ "streamName": "Custom-DynatraceProblemsV2",
+ "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]",
+ "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]"
+ },
+ "paging": {
+ "pagingType": "NextPageToken",
+ "pagingQueryParamOnly": true,
+ "nextPageTokenJsonPath": "$.nextPageKey",
+ "nextPageParaName": "nextPageKey"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','rdc','-', uniqueString(concat(variables('_solutionId'),'-','ResourcesDataConnector','-',variables('_dataConnectorContentIdConnections4'),'-', variables('dataConnectorCCPVersion'))))]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "version": "[variables('dataConnectorCCPVersion')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnectorDefinition5'), variables('dataConnectorCCPVersion'))]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "contentId": "[variables('_dataConnectorContentIdConnectorDefinition5')]",
+ "displayName": "Dynatrace Runtime Vulnerabilities V2",
+ "contentKind": "DataConnector",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('dataConnectorCCPVersion')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition5'))]",
+ "apiVersion": "2022-09-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions",
+ "location": "[parameters('workspace-location')]",
+ "kind": "Customizable",
+ "properties": {
+ "connectorUiConfig": {
+ "id": "DTRunVulnCCPDefinition",
+ "title": "Dynatrace Runtime Vulnerabilities V2",
+ "publisher": "Dynatrace",
+ "descriptionMarkdown": "This connector uses the [Dynatrace Security Problem REST API](https://docs.dynatrace.com/docs/dynatrace-api/environment-api/application-security/vulnerabilities/get-vulnerabilities) to ingest detected runtime vulnerabilities into Microsoft Sentinel Log Analytics.",
+ "additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected which is deployed with the Microsoft Sentinel Solution.",
+ "graphQueriesTableName": "DynatraceSecurityProblemsV2_CL",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "Dynatrace Vulnerabilities Events",
+ "baseQuery": "{{graphQueriesTableName}}"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "All Vulnerability Events",
+ "query": "DynatraceSecurityProblems\n| summarize arg_max(LastUpdatedTimeStamp, *) by SecurityProblemId\n| take 10"
+ },
+ {
+ "description": "All Third-Party Vulnerability Events",
+ "query": "DynatraceSecurityProblems\n| where VulnerabilityType == \"THIRD_PARTY\"\n| summarize arg_max(LastUpdatedTimeStamp, *) by SecurityProblemId\n| take 10"
+ },
+ {
+ "description": "All Code-level Vulnerability Events",
+ "query": "DynatraceSecurityProblems\n| where VulnerabilityType == \"CODE_LEVEL\"\n| summarize arg_max(LastUpdatedTimeStamp, *) by SecurityProblemId\n| take 10"
+ },
+ {
+ "description": "All Runtime Vulnerability Events",
+ "query": "DynatraceSecurityProblems\n| where VulnerabilityType == \"RUNTIME\"\n| summarize arg_max(LastUpdatedTimeStamp, *) by SecurityProblemId\n| take 10"
+ },
+ {
+ "description": "Critical Vulnerability Events",
+ "query": "DynatraceSecurityProblems\n| where DAVISRiskLevel == \"CRITICAL\"\n| summarize arg_max(LastUpdatedTimeStamp, *) by SecurityProblemId\n| take 10"
+ },
+ {
+ "description": "High Vulnerability Events",
+ "query": "DynatraceSecurityProblems\n| where DAVISRiskLevel == \"HIGH\"\n| summarize arg_max(LastUpdatedTimeStamp, *) by SecurityProblemId\n| take 10"
+ },
+ {
+ "description": "Count Vulnerability Events by Technology and Vulnerability",
+ "query": "DynatraceSecurityProblems\n| summarize arg_max(LastUpdatedTimeStamp, *) by SecurityProblemId\n| summarize count() by Technology, ExternalVulnerabilityId\n| take 10"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "{{graphQueriesTableName}}",
+ "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriteria": [
+ {
+ "type": "HasDataConnectors",
+ "value": null
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": true
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "name": "Dynatrace tenant (ex. xyz.dynatrace.com)",
+ "description": "You need a valid Dynatrace tenant with [Application Security](https://www.dynatrace.com/platform/application-security/) enabled, learn more about the [Dynatrace platform](https://www.dynatrace.com/)."
+ },
+ {
+ "name": "Dynatrace Access Token",
+ "description": "You need a Dynatrace Access Token, the token should have ***Read security problems*** (securityProblems.read) scope."
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "title": "Dynatrace Vulnerabilities Events to Microsoft Sentinel",
+ "description": "Configure and Enable Dynatrace [Application Security](https://www.dynatrace.com/platform/application-security/). \n Follow [these instructions](https://docs.dynatrace.com/docs/shortlink/token#create-api-token) to generate an access token.",
+ "instructions": [
+ {
+ "parameters": {
+ "enable": "true",
+ "type": "text",
+ "label": "Dynatrace tenant (ex. xyz.dynatrace.com)",
+ "placeholder": "{{dynatraceEnvironmentUrl}}",
+ "name": "dynatraceEnvironmentUrl"
+ },
+ "type": "Textbox"
+ },
+ {
+ "parameters": {
+ "enable": "true",
+ "type": "password",
+ "label": "Dynatrace Access Token",
+ "placeholder": "{{dynatraceAccessToken}}",
+ "name": "dynatraceAccessToken"
+ },
+ "type": "Textbox"
+ },
+ {
+ "type": "ConnectionToggleButton",
+ "parameters": {
+ "connectLabel": "connect",
+ "name": "toggle"
+ }
+ }
+ ]
+ }
+ ],
+ "metadata": {
+ "version": "1.0.2",
+ "kind": "dataConnector"
+ }
+ }
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition5')))]",
+ "apiVersion": "2022-01-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition5'))]",
+ "contentId": "[variables('_dataConnectorContentIdConnectorDefinition5')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorCCPVersion')]",
+ "source": {
+ "sourceId": "[variables('_solutionId')]",
+ "name": "[variables('_solutionName')]",
+ "kind": "Solution"
+ },
+ "author": {
+ "name": "Dynatrace",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Dynatrace",
+ "email": "microsoftalliances@dynatrace.com",
+ "tier": "Partner",
+ "link": "https://www.dynatrace.com/services-support/"
+ },
+ "dependencies": {
+ "criteria": [
+ {
+ "version": "[variables('dataConnectorCCPVersion')]",
+ "contentId": "[variables('_dataConnectorContentIdConnections5')]",
+ "kind": "ResourcesDataConnector"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "name": "DTSecProbV2DCR",
+ "apiVersion": "2022-06-01",
+ "type": "Microsoft.Insights/dataCollectionRules",
+ "location": "[parameters('workspace-location')]",
+ "kind": "[variables('blanks')]",
+ "properties": {
+ "streamDeclarations": {
+ "Custom-DynatraceSecurityProblemsV2": {
+ "columns": [
+ {
+ "name": "securityProblemId",
+ "type": "string"
+ },
+ {
+ "name": "displayId",
+ "type": "string"
+ },
+ {
+ "name": "status",
+ "type": "string"
+ },
+ {
+ "name": "muted",
+ "type": "boolean"
+ },
+ {
+ "name": "externalVulnerabilityId",
+ "type": "string"
+ },
+ {
+ "name": "vulnerabilityType",
+ "type": "string"
+ },
+ {
+ "name": "title",
+ "type": "string"
+ },
+ {
+ "name": "url",
+ "type": "string"
+ },
+ {
+ "name": "technology",
+ "type": "string"
+ },
+ {
+ "name": "firstSeenTimestamp",
+ "type": "long"
+ },
+ {
+ "name": "lastUpdatedTimestamp",
+ "type": "long"
+ },
+ {
+ "name": "lastOpenedTimestamp",
+ "type": "long"
+ },
+ {
+ "name": "riskAssessment",
+ "type": "dynamic"
+ },
+ {
+ "name": "managementZones",
+ "type": "dynamic"
+ },
+ {
+ "name": "cveIds",
+ "type": "dynamic"
+ },
+ {
+ "name": "muteStateChangeInProgress",
+ "type": "string"
+ }
+ ]
+ }
+ },
+ "destinations": {
+ "logAnalytics": [
+ {
+ "workspaceResourceId": "[variables('workspaceResourceId')]",
+ "name": "clv2ws1"
+ }
+ ]
+ },
+ "dataFlows": [
+ {
+ "streams": [
+ "Custom-DynatraceSecurityProblemsV2"
+ ],
+ "destinations": [
+ "clv2ws1"
+ ],
+ "transformKql": "let fromUnixTime = (t: long) {\ndatetime(1970-01-01) + t * 1ms\n};\nsource | extend TimeGenerated = fromUnixTime(firstSeenTimestamp), firstSeenTimestampUtc = fromUnixTime(firstSeenTimestamp), lastUpdatedTimestampUtc = fromUnixTime(lastUpdatedTimestamp), lastOpenedTimestampUtc = iff(lastOpenedTimestamp == -1, datetime(null), fromUnixTime(lastOpenedTimestamp)) | project-away firstSeenTimestamp, lastUpdatedTimestamp, lastOpenedTimestamp | project-rename securityProblemTitle = ['title']",
+ "outputStream": "Custom-DynatraceSecurityProblemsV2_CL"
+ }
+ ],
+ "dataCollectionEndpointId": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]"
+ }
+ },
+ {
+ "name": "DynatraceSecurityProblemsV2_CL",
+ "apiVersion": "2022-10-01",
+ "type": "Microsoft.OperationalInsights/workspaces/tables",
+ "location": "[parameters('workspace-location')]",
+ "kind": null,
+ "properties": {
+ "schema": {
+ "name": "DynatraceSecurityProblemsV2_CL",
+ "columns": [
+ {
+ "name": "TimeGenerated",
+ "type": "datetime"
+ },
+ {
+ "name": "securityProblemId",
+ "type": "string"
+ },
+ {
+ "name": "displayId",
+ "type": "string"
+ },
+ {
+ "name": "status",
+ "type": "string"
+ },
+ {
+ "name": "muted",
+ "type": "boolean"
+ },
+ {
+ "name": "externalVulnerabilityId",
+ "type": "string"
+ },
+ {
+ "name": "vulnerabilityType",
+ "type": "string"
+ },
+ {
+ "name": "securityProblemTitle",
+ "type": "string"
+ },
+ {
+ "name": "url",
+ "type": "string"
+ },
+ {
+ "name": "technology",
+ "type": "string"
+ },
+ {
+ "name": "firstSeenTimestampUtc",
+ "type": "datetime"
+ },
+ {
+ "name": "lastUpdatedTimestampUtc",
+ "type": "datetime"
+ },
+ {
+ "name": "lastOpenedTimestampUtc",
+ "type": "datetime"
+ },
+ {
+ "name": "riskAssessment",
+ "type": "dynamic"
+ },
+ {
+ "name": "managementZones",
+ "type": "dynamic"
+ },
+ {
+ "name": "cveIds",
+ "type": "dynamic"
+ },
+ {
+ "name": "muteStateChangeInProgress",
+ "type": "string"
+ }
+ ]
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentIdConnectorDefinition5'),'-', variables('dataConnectorCCPVersion'))))]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "version": "[variables('dataConnectorCCPVersion')]"
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition5'))]",
+ "apiVersion": "2022-09-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions",
+ "location": "[parameters('workspace-location')]",
+ "kind": "Customizable",
+ "properties": {
+ "connectorUiConfig": {
+ "id": "DTRunVulnCCPDefinition",
+ "title": "Dynatrace Runtime Vulnerabilities V2",
+ "publisher": "Dynatrace",
+ "descriptionMarkdown": "This connector uses the [Dynatrace Security Problem REST API](https://docs.dynatrace.com/docs/dynatrace-api/environment-api/application-security/vulnerabilities/get-vulnerabilities) to ingest detected runtime vulnerabilities into Microsoft Sentinel Log Analytics.",
+ "additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected which is deployed with the Microsoft Sentinel Solution.",
+ "graphQueriesTableName": "DynatraceSecurityProblemsV2_CL",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "Dynatrace Vulnerabilities Events",
+ "baseQuery": "{{graphQueriesTableName}}"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "All Vulnerability Events",
+ "query": "DynatraceSecurityProblems\n| summarize arg_max(LastUpdatedTimeStamp, *) by SecurityProblemId\n| take 10"
+ },
+ {
+ "description": "All Third-Party Vulnerability Events",
+ "query": "DynatraceSecurityProblems\n| where VulnerabilityType == \"THIRD_PARTY\"\n| summarize arg_max(LastUpdatedTimeStamp, *) by SecurityProblemId\n| take 10"
+ },
+ {
+ "description": "All Code-level Vulnerability Events",
+ "query": "DynatraceSecurityProblems\n| where VulnerabilityType == \"CODE_LEVEL\"\n| summarize arg_max(LastUpdatedTimeStamp, *) by SecurityProblemId\n| take 10"
+ },
+ {
+ "description": "All Runtime Vulnerability Events",
+ "query": "DynatraceSecurityProblems\n| where VulnerabilityType == \"RUNTIME\"\n| summarize arg_max(LastUpdatedTimeStamp, *) by SecurityProblemId\n| take 10"
+ },
+ {
+ "description": "Critical Vulnerability Events",
+ "query": "DynatraceSecurityProblems\n| where DAVISRiskLevel == \"CRITICAL\"\n| summarize arg_max(LastUpdatedTimeStamp, *) by SecurityProblemId\n| take 10"
+ },
+ {
+ "description": "High Vulnerability Events",
+ "query": "DynatraceSecurityProblems\n| where DAVISRiskLevel == \"HIGH\"\n| summarize arg_max(LastUpdatedTimeStamp, *) by SecurityProblemId\n| take 10"
+ },
+ {
+ "description": "Count Vulnerability Events by Technology and Vulnerability",
+ "query": "DynatraceSecurityProblems\n| summarize arg_max(LastUpdatedTimeStamp, *) by SecurityProblemId\n| summarize count() by Technology, ExternalVulnerabilityId\n| take 10"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "{{graphQueriesTableName}}",
+ "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriteria": [
+ {
+ "type": "HasDataConnectors",
+ "value": null
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": true
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "name": "Dynatrace tenant (ex. xyz.dynatrace.com)",
+ "description": "You need a valid Dynatrace tenant with [Application Security](https://www.dynatrace.com/platform/application-security/) enabled, learn more about the [Dynatrace platform](https://www.dynatrace.com/)."
+ },
+ {
+ "name": "Dynatrace Access Token",
+ "description": "You need a Dynatrace Access Token, the token should have ***Read security problems*** (securityProblems.read) scope."
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "title": "Dynatrace Vulnerabilities Events to Microsoft Sentinel",
+ "description": "Configure and Enable Dynatrace [Application Security](https://www.dynatrace.com/platform/application-security/). \n Follow [these instructions](https://docs.dynatrace.com/docs/shortlink/token#create-api-token) to generate an access token.",
+ "instructions": [
+ {
+ "parameters": {
+ "enable": "true",
+ "type": "text",
+ "label": "Dynatrace tenant (ex. xyz.dynatrace.com)",
+ "placeholder": "{{dynatraceEnvironmentUrl}}",
+ "name": "dynatraceEnvironmentUrl"
+ },
+ "type": "Textbox"
+ },
+ {
+ "parameters": {
+ "enable": "true",
+ "type": "password",
+ "label": "Dynatrace Access Token",
+ "placeholder": "{{dynatraceAccessToken}}",
+ "name": "dynatraceAccessToken"
+ },
+ "type": "Textbox"
+ },
+ {
+ "type": "ConnectionToggleButton",
+ "parameters": {
+ "connectLabel": "connect",
+ "name": "toggle"
+ }
+ }
+ ]
+ }
+ ],
+ "metadata": {
+ "version": "1.0.2",
+ "kind": "dataConnector"
+ }
+ }
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition5')))]",
+ "apiVersion": "2022-01-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition5'))]",
+ "contentId": "[variables('_dataConnectorContentIdConnectorDefinition5')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorCCPVersion')]",
+ "source": {
+ "sourceId": "[variables('_solutionId')]",
+ "name": "[variables('_solutionName')]",
+ "kind": "Solution"
+ },
+ "author": {
+ "name": "Dynatrace",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Dynatrace",
+ "email": "microsoftalliances@dynatrace.com",
+ "tier": "Partner",
+ "link": "https://www.dynatrace.com/services-support/"
+ },
+ "dependencies": {
+ "criteria": [
+ {
+ "version": "[variables('dataConnectorCCPVersion')]",
+ "contentId": "[variables('_dataConnectorContentIdConnections5')]",
+ "kind": "ResourcesDataConnector"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnections5'), variables('dataConnectorCCPVersion'))]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "contentId": "[variables('_dataConnectorContentIdConnections5')]",
+ "displayName": "Dynatrace Runtime Vulnerabilities V2",
+ "contentKind": "ResourcesDataConnector",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('dataConnectorCCPVersion')]",
+ "parameters": {
+ "guidValue": {
+ "defaultValue": "[[newGuid()]",
+ "type": "securestring"
+ },
+ "innerWorkspace": {
+ "defaultValue": "[parameters('workspace')]",
+ "type": "securestring"
+ },
+ "connectorDefinitionName": {
+ "defaultValue": "Dynatrace Runtime Vulnerabilities V2",
+ "type": "securestring",
+ "minLength": 1
+ },
+ "workspace": {
+ "defaultValue": "[parameters('workspace')]",
+ "type": "securestring"
+ },
+ "dcrConfig": {
+ "defaultValue": {
+ "dataCollectionEndpoint": "data collection Endpoint",
+ "dataCollectionRuleImmutableId": "data collection rule immutableId"
+ },
+ "type": "object"
+ },
+ "dynatraceEnvironmentUrl": {
+ "defaultValue": "dynatraceEnvironmentUrl",
+ "type": "securestring",
+ "minLength": 1
+ },
+ "dynatraceAccessToken": {
+ "defaultValue": "dynatraceAccessToken",
+ "type": "securestring",
+ "minLength": 1
+ }
+ },
+ "variables": {
+ "_dataConnectorContentIdConnections5": "[variables('_dataConnectorContentIdConnections5')]"
+ },
+ "resources": [
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnections5')))]",
+ "apiVersion": "2022-01-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentIdConnections5'))]",
+ "contentId": "[variables('_dataConnectorContentIdConnections5')]",
+ "kind": "ResourcesDataConnector",
+ "version": "[variables('dataConnectorCCPVersion')]",
+ "source": {
+ "sourceId": "[variables('_solutionId')]",
+ "name": "[variables('_solutionName')]",
+ "kind": "Solution"
+ },
+ "author": {
+ "name": "Dynatrace",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Dynatrace",
+ "email": "microsoftalliances@dynatrace.com",
+ "tier": "Partner",
+ "link": "https://www.dynatrace.com/services-support/"
+ }
+ }
+ },
+ {
+ "name": "[[concat(parameters('innerWorkspace'),'/Microsoft.SecurityInsights/', 'DTRunVulnV2', parameters('guidValue'))]",
+ "apiVersion": "2023-02-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "location": "[parameters('workspace-location')]",
+ "kind": "RestApiPoller",
+ "properties": {
+ "connectorDefinitionName": "DTRunVulnCCPDefinition",
+ "dataType": "DynatraceSecurityProblemsV2_CL",
+ "auth": {
+ "type": "APIKey",
+ "ApiKey": "[[parameters('dynatraceAccessToken')]",
+ "APIKeyIdentifier": "Api-Token",
+ "APIKeyName": "Authorization"
+ },
+ "request": {
+ "apiEndpoint": "[[concat('https://',parameters('dynatraceEnvironmentUrl'),'/api/v2/securityProblems')]",
+ "httpMethod": "Get",
+ "rateLimitQPS": 2,
+ "retryCount": 3,
+ "timeoutInSeconds": 120,
+ "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ",
+ "queryWindowInMin": 5,
+ "startTimeAttributeName": "from",
+ "endTimeAttributeName": "to",
+ "headers": {
+ "Accept": "application/json",
+ "User-Agent": "dynatrace-microsoft-sentinel/3.0.2/connectors/securityproblems"
+ },
+ "queryParameters": {
+ "fields": "+riskAssessment,+managementZones,+codeLevelVulnerabilityDetails"
+ }
+ },
+ "response": {
+ "eventsJsonPaths": [
+ "$.securityProblems"
+ ],
+ "convertChildPropertiesToArray": true
+ },
+ "dcrConfig": {
+ "streamName": "Custom-DynatraceSecurityProblemsV2",
+ "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]",
+ "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]"
+ },
+ "paging": {
+ "pagingType": "NextPageToken",
+ "pagingQueryParamOnly": true,
+ "nextPageTokenJsonPath": "$.nextPageKey",
+ "nextPageParaName": "nextPageKey"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','rdc','-', uniqueString(concat(variables('_solutionId'),'-','ResourcesDataConnector','-',variables('_dataConnectorContentIdConnections5'),'-', variables('dataConnectorCCPVersion'))))]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "version": "[variables('dataConnectorCCPVersion')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('dataConnectorTemplateSpecName6')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Dynatrace data connector with template version 3.0.2",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('dataConnectorVersion6')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId6'))]",
+ "apiVersion": "2021-03-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "location": "[parameters('workspace-location')]",
+ "kind": "APIPolling",
+ "properties": {
+ "connectorUiConfig": {
+ "id": "[variables('_uiConfigId6')]",
+ "title": "Dynatrace Audit Logs V1",
+ "publisher": "Dynatrace",
+ "descriptionMarkdown": "This connector uses the [Dynatrace Audit Logs REST API](https://docs.dynatrace.com/docs/dynatrace-api/environment-api/audit-logs) to ingest tenant audit logs into Microsoft Sentinel Log Analytics",
+ "additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected which is deployed with the Microsoft Sentinel Solution.",
+ "graphQueriesTableName": "DynatraceAuditLogs_CL",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "Dynatrace Audit Log Events",
+ "baseQuery": "{{graphQueriesTableName}}"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "All Audit Log Events",
+ "query": "DynatraceAuditLogs\n| take 10"
+ },
+ {
+ "description": "User Login Events",
+ "query": "DynatraceAuditLogs\n| where EventType == \"LOGIN\"\n and Category == \"WEB_UI\"\n | take 10"
+ },
+ {
+ "description": "Access Token Creation Events",
+ "query": "DynatraceAuditLogs\n| where EventType == \"CREATE\"\n and Category == \"TOKEN\"\n | take 10"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "{{graphQueriesTableName}}",
+ "lastDataReceivedQuery": "{{graphQueriesTableName}}\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriteria": [
+ {
+ "type": "SentinelKindsV2",
+ "value": [
+ "APIPolling"
+ ]
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "name": "Dynatrace tenant (ex. xyz.dynatrace.com)",
+ "description": "You need a valid Dynatrace Tenant, to learn more about the Dynatrace platform [Start your free trial](https://www.dynatrace.com/trial)."
+ },
+ {
+ "name": "Dynatrace Access Token",
+ "description": "You need a Dynatrace Access Token, the token should have ***Read audit logs*** (auditLogs.read) scope."
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "description": "Enable Dynatrace Audit [Logging](https://docs.dynatrace.com/docs/shortlink/audit-logs#enable-audit-logging). \n Follow [these instructions](https://docs.dynatrace.com/docs/shortlink/token#create-api-token) to generate an access token.",
+ "instructions": [
+ {
+ "parameters": {
+ "enable": "true",
+ "userRequestPlaceHoldersInput": [
+ {
+ "displayText": "Dynatrace tenant (ex. xyz.dynatrace.com)",
+ "requestObjectKey": "apiEndpoint",
+ "placeHolderName": "{{dynatraceEnvironmentUrl}}"
+ }
+ ]
+ },
+ "type": "APIKey"
+ }
+ ],
+ "title": "Dynatrace Audit Log Events to Microsoft Sentinel"
+ }
+ ],
+ "metadata": {
+ "version": "1.0.0",
+ "kind": "dataConnector"
+ }
+ },
+ "pollingConfig": {
+ "auth": {
+ "authType": "APIKey",
+ "APIKeyIdentifier": "Api-Token",
+ "APIKeyName": "Authorization"
+ },
+ "request": {
+ "apiEndpoint": "https://{{dynatraceEnvironmentUrl}}/api/v2/auditlogs",
+ "httpMethod": "Get",
+ "rateLimitQPS": 2,
+ "retryCount": 3,
+ "timeoutInSeconds": 120,
+ "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ",
+ "queryWindowInMin": 5,
+ "startTimeAttributeName": "from",
+ "endTimeAttributeName": "to",
+ "headers": {
+ "Accept": "application/json",
+ "User-Agent": "dynatrace-microsoft-sentinel/3.0.2/connectors/auditlogs"
+ }
+ },
+ "paging": {
+ "pagingType": "NextPageToken",
+ "pagingQueryParamOnly": true,
+ "nextPageTokenJsonPath": "$.nextPageKey",
+ "nextPageParaName": "nextPageKey",
+ "pageSizeParaName": "pageSize",
+ "pageSize": 1000
+ },
+ "response": {
+ "eventsJsonPaths": [
+ "$.auditLogs"
+ ],
+ "convertChildPropertiesToArray": true
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId6'),'/'))))]",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId6'))]",
+ "contentId": "[variables('_dataConnectorContentId6')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorVersion6')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Dynatrace",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Dynatrace",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Dynatrace",
+ "email": "microsoftalliances@dynatrace.com",
+ "tier": "Partner",
+ "link": "https://www.dynatrace.com/services-support/"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_dataConnectorContentId6')]",
+ "contentKind": "DataConnector",
+ "displayName": "Dynatrace Audit Logs V1",
+ "contentProductId": "[variables('_dataConnectorcontentProductId6')]",
+ "id": "[variables('_dataConnectorcontentProductId6')]",
+ "version": "[variables('dataConnectorVersion6')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId6'),'/'))))]",
+ "dependsOn": [
+ "[variables('_dataConnectorId6')]"
+ ],
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId6'))]",
+ "contentId": "[variables('_dataConnectorContentId6')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorVersion6')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Dynatrace",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Dynatrace",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Dynatrace",
+ "email": "microsoftalliances@dynatrace.com",
+ "tier": "Partner",
+ "link": "https://www.dynatrace.com/services-support/"
+ }
+ }
+ },
{
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId6'))]",
"apiVersion": "2021-03-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"location": "[parameters('workspace-location')]",
"kind": "APIPolling",
"properties": {
"connectorUiConfig": {
- "id": "[variables('_uiConfigId2')]",
- "title": "Dynatrace Runtime Vulnerabilities",
+ "id": "[variables('_uiConfigId6')]",
+ "title": "Dynatrace Audit Logs V1",
"publisher": "Dynatrace",
- "descriptionMarkdown": "This connector uses the [Dynatrace Security Problem REST API](https://docs.dynatrace.com/docs/dynatrace-api/environment-api/application-security/vulnerabilities/get-vulnerabilities) to ingest detected runtime vulnerabilities into Microsoft Sentinel Log Analytics.",
+ "descriptionMarkdown": "This connector uses the [Dynatrace Audit Logs REST API](https://docs.dynatrace.com/docs/dynatrace-api/environment-api/audit-logs) to ingest tenant audit logs into Microsoft Sentinel Log Analytics",
"additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected which is deployed with the Microsoft Sentinel Solution.",
- "graphQueriesTableName": "DynatraceSecurityProblems_CL",
+ "graphQueriesTableName": "DynatraceAuditLogs_CL",
"graphQueries": [
{
"metricName": "Total data received",
- "legend": "Dynatrace Vulnerabilities Events",
+ "legend": "Dynatrace Audit Log Events",
"baseQuery": "{{graphQueriesTableName}}"
}
],
"sampleQueries": [
{
- "description": "All Vulnerability Events",
- "query": "DynatraceSecurityProblems\n| summarize arg_max(LastUpdatedTimeStamp, *) by SecurityProblemId\n| take 10"
- },
- {
- "description": "All Third-Party Vulnerability Events",
- "query": "DynatraceSecurityProblems\n| where VulnerabilityType == \"THIRD_PARTY\"\n| summarize arg_max(LastUpdatedTimeStamp, *) by SecurityProblemId\n| take 10"
- },
- {
- "description": "All Code-level Vulnerability Events",
- "query": "DynatraceSecurityProblems\n| where VulnerabilityType == \"CODE_LEVEL\"\n| summarize arg_max(LastUpdatedTimeStamp, *) by SecurityProblemId\n| take 10"
- },
- {
- "description": "All Runtime Vulnerability Events",
- "query": "DynatraceSecurityProblems\n| where VulnerabilityType == \"RUNTIME\"\n| summarize arg_max(LastUpdatedTimeStamp, *) by SecurityProblemId\n| take 10"
- },
- {
- "description": "Critical Vulnerability Events",
- "query": "DynatraceSecurityProblems\n| where DAVISRiskLevel == \"CRITICAL\"\n| summarize arg_max(LastUpdatedTimeStamp, *) by SecurityProblemId\n| take 10"
+ "description": "All Audit Log Events",
+ "query": "DynatraceAuditLogs\n| take 10"
},
{
- "description": "High Vulnerability Events",
- "query": "DynatraceSecurityProblems\n| where DAVISRiskLevel == \"HIGH\"\n| summarize arg_max(LastUpdatedTimeStamp, *) by SecurityProblemId\n| take 10"
+ "description": "User Login Events",
+ "query": "DynatraceAuditLogs\n| where EventType == \"LOGIN\"\n and Category == \"WEB_UI\"\n | take 10"
},
{
- "description": "Count Vulnerability Events by Technology and Vulnerability",
- "query": "DynatraceSecurityProblems\n| summarize arg_max(LastUpdatedTimeStamp, *) by SecurityProblemId\n| summarize count() by Technology, ExternalVulnerabilityId\n| take 10"
+ "description": "Access Token Creation Events",
+ "query": "DynatraceAuditLogs\n| where EventType == \"CREATE\"\n and Category == \"TOKEN\"\n | take 10"
}
],
"dataTypes": [
{
"name": "{{graphQueriesTableName}}",
- "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ "lastDataReceivedQuery": "{{graphQueriesTableName}}\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)"
}
],
"connectivityCriteria": [
@@ -5919,17 +8828,17 @@
"customs": [
{
"name": "Dynatrace tenant (ex. xyz.dynatrace.com)",
- "description": "You need a valid Dynatrace tenant with [Application Security](https://www.dynatrace.com/platform/application-security/) enabled, learn more about the [Dynatrace platform](https://www.dynatrace.com/)."
+ "description": "You need a valid Dynatrace Tenant, to learn more about the Dynatrace platform [Start your free trial](https://www.dynatrace.com/trial)."
},
{
"name": "Dynatrace Access Token",
- "description": "You need a Dynatrace Access Token, the token should have ***Read security problems*** (securityProblems.read) scope."
+ "description": "You need a Dynatrace Access Token, the token should have ***Read audit logs*** (auditLogs.read) scope."
}
]
},
"instructionSteps": [
{
- "description": "Configure and Enable Dynatrace [Application Security](https://www.dynatrace.com/platform/application-security/). \n Follow [these instructions](https://docs.dynatrace.com/docs/shortlink/token#create-api-token) to generate an access token.",
+ "description": "Enable Dynatrace Audit [Logging](https://docs.dynatrace.com/docs/shortlink/audit-logs#enable-audit-logging). \n Follow [these instructions](https://docs.dynatrace.com/docs/shortlink/token#create-api-token) to generate an access token.",
"instructions": [
{
"parameters": {
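Review bot: The token prerequisite text for the new Audit Logs V1 connector should state that the token carries *only* the `auditLogs.read` scope, not merely that it "should have" it: a Dynatrace access token can bundle many scopes, and this template stores whatever the user pastes as the connector's API key and sends it on every poll as `Authorization: Api-Token ...`, so an over-scoped token turns a read-only log feed into a broader tenant credential if the workspace is compromised. Suggested wording: `"You need a Dynatrace Access Token created for this connector only, with the ***Read audit logs*** (auditLogs.read) scope and no other scopes, so it can be rotated or revoked independently."`. The tenant entry mixes a prerequisite with a marketing link and reads as a comma splice; `"You need a valid Dynatrace tenant. To learn more about the Dynatrace platform, [start a free trial](https://www.dynatrace.com/trial)."` is clearer. This file is the packaged mainTemplate, so the same wording should be changed in the source connector JSON it is generated from.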
@@ -5945,7 +8854,7 @@
"type": "APIKey"
}
],
- "title": "Dynatrace Vulnerabilities Events to Microsoft Sentinel"
+ "title": "Dynatrace Audit Log Events to Microsoft Sentinel"
}
],
"metadata": {
@@ -5960,7 +8869,7 @@
"APIKeyName": "Authorization"
},
"request": {
- "apiEndpoint": "https://{{dynatraceEnvironmentUrl}}/api/v2/securityProblems",
+ "apiEndpoint": "https://{{dynatraceEnvironmentUrl}}/api/v2/auditlogs",
"httpMethod": "Get",
"rateLimitQPS": 2,
"retryCount": 3,
@@ -5971,10 +8880,7 @@
"endTimeAttributeName": "to",
"headers": {
"Accept": "application/json",
- "User-Agent": "dynatrace-microsoft-sentinel/3.x/connectors/securityproblems"
- },
- "queryParameters": {
- "fields": "+riskAssessment,+managementZones,+codeLevelVulnerabilityDetails"
+ "User-Agent": "dynatrace-microsoft-sentinel/3.0.2/connectors/auditlogs"
}
},
"paging": {
@@ -5983,11 +8889,11 @@
"nextPageTokenJsonPath": "$.nextPageKey",
"nextPageParaName": "nextPageKey",
"pageSizeParaName": "pageSize",
- "pageSize": 10
+ "pageSize": 1000
},
"response": {
"eventsJsonPaths": [
- "$.securityProblems"
+ "$.auditLogs"
],
"convertChildPropertiesToArray": true
}
@@ -5997,29 +8903,29 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('dataConnectorTemplateSpecName3')]",
+ "name": "[variables('dataConnectorTemplateSpecName7')]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Dynatrace data connector with template version 3.0.1",
+ "description": "Dynatrace data connector with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('dataConnectorVersion3')]",
+ "contentVersion": "[variables('dataConnectorVersion7')]",
"parameters": {},
"variables": {},
"resources": [
{
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId3'))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId7'))]",
"apiVersion": "2021-03-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"location": "[parameters('workspace-location')]",
"kind": "APIPolling",
"properties": {
"connectorUiConfig": {
- "id": "[variables('_uiConfigId3')]",
- "title": "Dynatrace Problems",
+ "id": "[variables('_uiConfigId7')]",
+ "title": "Dynatrace Problems V1",
"publisher": "Dynatrace",
"descriptionMarkdown": "This connector uses the [Dynatrace Problem REST API](https://docs.dynatrace.com/docs/dynatrace-api/environment-api/problems-v2) to ingest problem events into Microsoft Sentinel Log Analytics",
"additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected which is deployed with the Microsoft Sentinel Solution.",
@@ -6148,7 +9054,7 @@
"endTimeAttributeName": "to",
"headers": {
"Accept": "application/json",
- "User-Agent": "dynatrace-microsoft-sentinel/3.x/connectors/problems"
+ "User-Agent": "dynatrace-microsoft-sentinel/3.0.2/connectors/problems"
},
"queryParameters": {
"fields": "+evidenceDetails,+impactAnalysis"
@@ -6174,12 +9080,12 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId3'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId7'),'/'))))]",
"properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId3'))]",
- "contentId": "[variables('_dataConnectorContentId3')]",
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId7'))]",
+ "contentId": "[variables('_dataConnectorContentId7')]",
"kind": "DataConnector",
- "version": "[variables('dataConnectorVersion3')]",
+ "version": "[variables('dataConnectorVersion7')]",
"source": {
"kind": "Solution",
"name": "Dynatrace",
@@ -6204,27 +9110,27 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_dataConnectorContentId3')]",
+ "contentId": "[variables('_dataConnectorContentId7')]",
"contentKind": "DataConnector",
- "displayName": "Dynatrace Problems",
- "contentProductId": "[variables('_dataConnectorcontentProductId3')]",
- "id": "[variables('_dataConnectorcontentProductId3')]",
- "version": "[variables('dataConnectorVersion3')]"
+ "displayName": "Dynatrace Problems V1",
+ "contentProductId": "[variables('_dataConnectorcontentProductId7')]",
+ "id": "[variables('_dataConnectorcontentProductId7')]",
+ "version": "[variables('dataConnectorVersion7')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId3'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId7'),'/'))))]",
"dependsOn": [
- "[variables('_dataConnectorId3')]"
+ "[variables('_dataConnectorId7')]"
],
"location": "[parameters('workspace-location')]",
"properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId3'))]",
- "contentId": "[variables('_dataConnectorContentId3')]",
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId7'))]",
+ "contentId": "[variables('_dataConnectorContentId7')]",
"kind": "DataConnector",
- "version": "[variables('dataConnectorVersion3')]",
+ "version": "[variables('dataConnectorVersion7')]",
"source": {
"kind": "Solution",
"name": "Dynatrace",
@@ -6243,15 +9149,15 @@
}
},
{
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId3'))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId7'))]",
"apiVersion": "2021-03-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"location": "[parameters('workspace-location')]",
"kind": "APIPolling",
"properties": {
"connectorUiConfig": {
- "id": "[variables('_uiConfigId3')]",
- "title": "Dynatrace Problems",
+ "id": "[variables('_uiConfigId7')]",
+ "title": "Dynatrace Problems V1",
"publisher": "Dynatrace",
"descriptionMarkdown": "This connector uses the [Dynatrace Problem REST API](https://docs.dynatrace.com/docs/dynatrace-api/environment-api/problems-v2) to ingest problem events into Microsoft Sentinel Log Analytics",
"additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected which is deployed with the Microsoft Sentinel Solution.",
@@ -6380,7 +9286,7 @@
"endTimeAttributeName": "to",
"headers": {
"Accept": "application/json",
- "User-Agent": "dynatrace-microsoft-sentinel/3.x/connectors/problems"
+ "User-Agent": "dynatrace-microsoft-sentinel/3.0.2/connectors/problems"
},
"queryParameters": {
"fields": "+evidenceDetails,+impactAnalysis"
@@ -6406,58 +9312,74 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('dataConnectorTemplateSpecName4')]",
+ "name": "[variables('dataConnectorTemplateSpecName8')]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Dynatrace data connector with template version 3.0.1",
+ "description": "Dynatrace data connector with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('dataConnectorVersion4')]",
+ "contentVersion": "[variables('dataConnectorVersion8')]",
"parameters": {},
"variables": {},
"resources": [
{
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId4'))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId8'))]",
"apiVersion": "2021-03-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"location": "[parameters('workspace-location')]",
"kind": "APIPolling",
"properties": {
"connectorUiConfig": {
- "id": "[variables('_uiConfigId4')]",
- "title": "Dynatrace Audit Logs",
+ "id": "[variables('_uiConfigId8')]",
+ "title": "Dynatrace Runtime Vulnerabilities V1",
"publisher": "Dynatrace",
- "descriptionMarkdown": "This connector uses the [Dynatrace Audit Logs REST API](https://docs.dynatrace.com/docs/dynatrace-api/environment-api/audit-logs) to ingest tenant audit logs into Microsoft Sentinel Log Analytics",
+ "descriptionMarkdown": "This connector uses the [Dynatrace Security Problem REST API](https://docs.dynatrace.com/docs/dynatrace-api/environment-api/application-security/vulnerabilities/get-vulnerabilities) to ingest detected runtime vulnerabilities into Microsoft Sentinel Log Analytics.",
"additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected which is deployed with the Microsoft Sentinel Solution.",
- "graphQueriesTableName": "DynatraceAuditLogs_CL",
+ "graphQueriesTableName": "DynatraceSecurityProblems_CL",
"graphQueries": [
{
"metricName": "Total data received",
- "legend": "Dynatrace Audit Log Events",
+ "legend": "Dynatrace Vulnerabilities Events",
"baseQuery": "{{graphQueriesTableName}}"
}
],
"sampleQueries": [
{
- "description": "All Audit Log Events",
- "query": "DynatraceAuditLogs\n| take 10"
+ "description": "All Vulnerability Events",
+ "query": "DynatraceSecurityProblems\n| summarize arg_max(LastUpdatedTimeStamp, *) by SecurityProblemId\n| take 10"
},
{
- "description": "User Login Events",
- "query": "DynatraceAuditLogs\n| where EventType == \"LOGIN\"\n and Category == \"WEB_UI\"\n | take 10"
+ "description": "All Third-Party Vulnerability Events",
+ "query": "DynatraceSecurityProblems\n| where VulnerabilityType == \"THIRD_PARTY\"\n| summarize arg_max(LastUpdatedTimeStamp, *) by SecurityProblemId\n| take 10"
},
{
- "description": "Access Token Creation Events",
- "query": "DynatraceAuditLogs\n| where EventType == \"CREATE\"\n and Category == \"TOKEN\"\n | take 10"
+ "description": "All Code-level Vulnerability Events",
+ "query": "DynatraceSecurityProblems\n| where VulnerabilityType == \"CODE_LEVEL\"\n| summarize arg_max(LastUpdatedTimeStamp, *) by SecurityProblemId\n| take 10"
+ },
+ {
+ "description": "All Runtime Vulnerability Events",
+ "query": "DynatraceSecurityProblems\n| where VulnerabilityType == \"RUNTIME\"\n| summarize arg_max(LastUpdatedTimeStamp, *) by SecurityProblemId\n| take 10"
+ },
+ {
+ "description": "Critical Vulnerability Events",
+ "query": "DynatraceSecurityProblems\n| where DAVISRiskLevel == \"CRITICAL\"\n| summarize arg_max(LastUpdatedTimeStamp, *) by SecurityProblemId\n| take 10"
+ },
+ {
+ "description": "High Vulnerability Events",
+ "query": "DynatraceSecurityProblems\n| where DAVISRiskLevel == \"HIGH\"\n| summarize arg_max(LastUpdatedTimeStamp, *) by SecurityProblemId\n| take 10"
+ },
+ {
+ "description": "Count Vulnerability Events by Technology and Vulnerability",
+ "query": "DynatraceSecurityProblems\n| summarize arg_max(LastUpdatedTimeStamp, *) by SecurityProblemId\n| summarize count() by Technology, ExternalVulnerabilityId\n| take 10"
}
],
"dataTypes": [
{
"name": "{{graphQueriesTableName}}",
- "lastDataReceivedQuery": "{{graphQueriesTableName}}\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)"
+ "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriteria": [
@@ -6489,17 +9411,17 @@
"customs": [
{
"name": "Dynatrace tenant (ex. xyz.dynatrace.com)",
- "description": "You need a valid Dynatrace Tenant, to learn more about the Dynatrace platform [Start your free trial](https://www.dynatrace.com/trial)."
+ "description": "You need a valid Dynatrace tenant with [Application Security](https://www.dynatrace.com/platform/application-security/) enabled, learn more about the [Dynatrace platform](https://www.dynatrace.com/)."
},
{
"name": "Dynatrace Access Token",
- "description": "You need a Dynatrace Access Token, the token should have ***Read audit logs*** (auditLogs.read) scope."
+ "description": "You need a Dynatrace Access Token, the token should have ***Read security problems*** (securityProblems.read) scope."
}
]
},
"instructionSteps": [
{
- "description": "Enable Dynatrace Audit [Logging](https://docs.dynatrace.com/docs/shortlink/audit-logs#enable-audit-logging). \n Follow [these instructions](https://docs.dynatrace.com/docs/shortlink/token#create-api-token) to generate an access token.",
+ "description": "Configure and Enable Dynatrace [Application Security](https://www.dynatrace.com/platform/application-security/). \n Follow [these instructions](https://docs.dynatrace.com/docs/shortlink/token#create-api-token) to generate an access token.",
"instructions": [
{
"parameters": {
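Review bot: The `Dynatrace Access Token` prerequisite for the Runtime Vulnerabilities V1 connector should call out least privilege explicitly: `"...a dedicated token with only the ***Read security problems*** (securityProblems.read) scope."`, since the token is stored as the connector's API key and the connector never needs write scopes. Because the request later in this template asks for `+codeLevelVulnerabilityDetails`, the ingested table will presumably hold code-level vulnerability details for the tenant; a one-line caveat in the instruction step that the `DynatraceSecurityProblems_CL` table should be access-controlled like other vulnerability data would help operators. The instruction step's enclosing object continues outside this hunk.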
@@ -6515,7 +9437,7 @@
"type": "APIKey"
}
],
- "title": "Dynatrace Audit Log Events to Microsoft Sentinel"
+ "title": "Dynatrace Vulnerabilities Events to Microsoft Sentinel"
}
],
"metadata": {
@@ -6530,7 +9452,7 @@
"APIKeyName": "Authorization"
},
"request": {
- "apiEndpoint": "https://{{dynatraceEnvironmentUrl}}/api/v2/auditlogs",
+ "apiEndpoint": "https://{{dynatraceEnvironmentUrl}}/api/v2/securityProblems",
"httpMethod": "Get",
"rateLimitQPS": 2,
"retryCount": 3,
@@ -6541,7 +9463,10 @@
"endTimeAttributeName": "to",
"headers": {
"Accept": "application/json",
- "User-Agent": "dynatrace-microsoft-sentinel/3.x/connectors/auditlogs"
+ "User-Agent": "dynatrace-microsoft-sentinel/3.0.2/connectors/securityproblems"
+ },
+ "queryParameters": {
+ "fields": "+riskAssessment,+managementZones,+codeLevelVulnerabilityDetails"
}
},
"paging": {
@@ -6550,11 +9475,11 @@
"nextPageTokenJsonPath": "$.nextPageKey",
"nextPageParaName": "nextPageKey",
"pageSizeParaName": "pageSize",
- "pageSize": 1000
+ "pageSize": 10
},
"response": {
"eventsJsonPaths": [
- "$.auditLogs"
+ "$.securityProblems"
],
"convertChildPropertiesToArray": true
}
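Review bot: `"pageSize": 10` for the securityProblems feed looks low next to the `1000` used by the audit-log connector earlier in this template, and with `rateLimitQPS` of 2 and a 5-minute query window a tenant with a few thousand open security problems would need hundreds of paged requests per poll. If the Dynatrace securityProblems API accepts a larger page size (its documented maximum should be checked), raising this to that limit reduces request volume and the chance of a poll window being cut short by `retryCount`/`timeoutInSeconds`; if 10 is deliberate because the `fields` expansion makes each item large, a short comment in the source connector JSON explaining that would stop the next regeneration from "fixing" it. The paging object starts inside this hunk but the enclosing pollingConfig continues outside it.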
@@ -6564,12 +9489,12 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId4'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId8'),'/'))))]",
"properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId4'))]",
- "contentId": "[variables('_dataConnectorContentId4')]",
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId8'))]",
+ "contentId": "[variables('_dataConnectorContentId8')]",
"kind": "DataConnector",
- "version": "[variables('dataConnectorVersion4')]",
+ "version": "[variables('dataConnectorVersion8')]",
"source": {
"kind": "Solution",
"name": "Dynatrace",
@@ -6594,27 +9519,27 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_dataConnectorContentId4')]",
+ "contentId": "[variables('_dataConnectorContentId8')]",
"contentKind": "DataConnector",
- "displayName": "Dynatrace Audit Logs",
- "contentProductId": "[variables('_dataConnectorcontentProductId4')]",
- "id": "[variables('_dataConnectorcontentProductId4')]",
- "version": "[variables('dataConnectorVersion4')]"
+ "displayName": "Dynatrace Runtime Vulnerabilities V1",
+ "contentProductId": "[variables('_dataConnectorcontentProductId8')]",
+ "id": "[variables('_dataConnectorcontentProductId8')]",
+ "version": "[variables('dataConnectorVersion8')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId4'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId8'),'/'))))]",
"dependsOn": [
- "[variables('_dataConnectorId4')]"
+ "[variables('_dataConnectorId8')]"
],
"location": "[parameters('workspace-location')]",
"properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId4'))]",
- "contentId": "[variables('_dataConnectorContentId4')]",
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId8'))]",
+ "contentId": "[variables('_dataConnectorContentId8')]",
"kind": "DataConnector",
- "version": "[variables('dataConnectorVersion4')]",
+ "version": "[variables('dataConnectorVersion8')]",
"source": {
"kind": "Solution",
"name": "Dynatrace",
@@ -6633,44 +9558,60 @@
}
},
{
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId4'))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId8'))]",
"apiVersion": "2021-03-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"location": "[parameters('workspace-location')]",
"kind": "APIPolling",
"properties": {
"connectorUiConfig": {
- "id": "[variables('_uiConfigId4')]",
- "title": "Dynatrace Audit Logs",
+ "id": "[variables('_uiConfigId8')]",
+ "title": "Dynatrace Runtime Vulnerabilities V1",
"publisher": "Dynatrace",
- "descriptionMarkdown": "This connector uses the [Dynatrace Audit Logs REST API](https://docs.dynatrace.com/docs/dynatrace-api/environment-api/audit-logs) to ingest tenant audit logs into Microsoft Sentinel Log Analytics",
+ "descriptionMarkdown": "This connector uses the [Dynatrace Security Problem REST API](https://docs.dynatrace.com/docs/dynatrace-api/environment-api/application-security/vulnerabilities/get-vulnerabilities) to ingest detected runtime vulnerabilities into Microsoft Sentinel Log Analytics.",
"additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected which is deployed with the Microsoft Sentinel Solution.",
- "graphQueriesTableName": "DynatraceAuditLogs_CL",
+ "graphQueriesTableName": "DynatraceSecurityProblems_CL",
"graphQueries": [
{
"metricName": "Total data received",
- "legend": "Dynatrace Audit Log Events",
+ "legend": "Dynatrace Vulnerabilities Events",
"baseQuery": "{{graphQueriesTableName}}"
}
],
"sampleQueries": [
{
- "description": "All Audit Log Events",
- "query": "DynatraceAuditLogs\n| take 10"
+ "description": "All Vulnerability Events",
+ "query": "DynatraceSecurityProblems\n| summarize arg_max(LastUpdatedTimeStamp, *) by SecurityProblemId\n| take 10"
},
{
- "description": "User Login Events",
- "query": "DynatraceAuditLogs\n| where EventType == \"LOGIN\"\n and Category == \"WEB_UI\"\n | take 10"
+ "description": "All Third-Party Vulnerability Events",
+ "query": "DynatraceSecurityProblems\n| where VulnerabilityType == \"THIRD_PARTY\"\n| summarize arg_max(LastUpdatedTimeStamp, *) by SecurityProblemId\n| take 10"
},
{
- "description": "Access Token Creation Events",
- "query": "DynatraceAuditLogs\n| where EventType == \"CREATE\"\n and Category == \"TOKEN\"\n | take 10"
+ "description": "All Code-level Vulnerability Events",
+ "query": "DynatraceSecurityProblems\n| where VulnerabilityType == \"CODE_LEVEL\"\n| summarize arg_max(LastUpdatedTimeStamp, *) by SecurityProblemId\n| take 10"
+ },
+ {
+ "description": "All Runtime Vulnerability Events",
+ "query": "DynatraceSecurityProblems\n| where VulnerabilityType == \"RUNTIME\"\n| summarize arg_max(LastUpdatedTimeStamp, *) by SecurityProblemId\n| take 10"
+ },
+ {
+ "description": "Critical Vulnerability Events",
+ "query": "DynatraceSecurityProblems\n| where DAVISRiskLevel == \"CRITICAL\"\n| summarize arg_max(LastUpdatedTimeStamp, *) by SecurityProblemId\n| take 10"
+ },
+ {
+ "description": "High Vulnerability Events",
+ "query": "DynatraceSecurityProblems\n| where DAVISRiskLevel == \"HIGH\"\n| summarize arg_max(LastUpdatedTimeStamp, *) by SecurityProblemId\n| take 10"
+ },
+ {
+ "description": "Count Vulnerability Events by Technology and Vulnerability",
+ "query": "DynatraceSecurityProblems\n| summarize arg_max(LastUpdatedTimeStamp, *) by SecurityProblemId\n| summarize count() by Technology, ExternalVulnerabilityId\n| take 10"
}
],
"dataTypes": [
{
"name": "{{graphQueriesTableName}}",
- "lastDataReceivedQuery": "{{graphQueriesTableName}}\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)"
+ "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriteria": [
@@ -6702,17 +9643,17 @@
"customs": [
{
"name": "Dynatrace tenant (ex. xyz.dynatrace.com)",
- "description": "You need a valid Dynatrace Tenant, to learn more about the Dynatrace platform [Start your free trial](https://www.dynatrace.com/trial)."
+ "description": "You need a valid Dynatrace tenant with [Application Security](https://www.dynatrace.com/platform/application-security/) enabled, learn more about the [Dynatrace platform](https://www.dynatrace.com/)."
},
{
"name": "Dynatrace Access Token",
- "description": "You need a Dynatrace Access Token, the token should have ***Read audit logs*** (auditLogs.read) scope."
+ "description": "You need a Dynatrace Access Token, the token should have ***Read security problems*** (securityProblems.read) scope."
}
]
},
"instructionSteps": [
{
- "description": "Enable Dynatrace Audit [Logging](https://docs.dynatrace.com/docs/shortlink/audit-logs#enable-audit-logging). \n Follow [these instructions](https://docs.dynatrace.com/docs/shortlink/token#create-api-token) to generate an access token.",
+ "description": "Configure and Enable Dynatrace [Application Security](https://www.dynatrace.com/platform/application-security/). \n Follow [these instructions](https://docs.dynatrace.com/docs/shortlink/token#create-api-token) to generate an access token.",
"instructions": [
{
"parameters": {
@@ -6728,7 +9669,7 @@
"type": "APIKey"
}
],
- "title": "Dynatrace Audit Log Events to Microsoft Sentinel"
+ "title": "Dynatrace Vulnerabilities Events to Microsoft Sentinel"
}
],
"metadata": {
@@ -6743,7 +9684,7 @@
"APIKeyName": "Authorization"
},
"request": {
- "apiEndpoint": "https://{{dynatraceEnvironmentUrl}}/api/v2/auditlogs",
+ "apiEndpoint": "https://{{dynatraceEnvironmentUrl}}/api/v2/securityProblems",
"httpMethod": "Get",
"rateLimitQPS": 2,
"retryCount": 3,
@@ -6754,7 +9695,10 @@
"endTimeAttributeName": "to",
"headers": {
"Accept": "application/json",
- "User-Agent": "dynatrace-microsoft-sentinel/3.x/connectors/auditlogs"
+ "User-Agent": "dynatrace-microsoft-sentinel/3.0.2/connectors/securityproblems"
+ },
+ "queryParameters": {
+ "fields": "+riskAssessment,+managementZones,+codeLevelVulnerabilityDetails"
}
},
"paging": {
@@ -6763,11 +9707,11 @@
"nextPageTokenJsonPath": "$.nextPageKey",
"nextPageParaName": "nextPageKey",
"pageSizeParaName": "pageSize",
- "pageSize": 1000
+ "pageSize": 10
},
"response": {
"eventsJsonPaths": [
- "$.auditLogs"
+ "$.securityProblems"
],
"convertChildPropertiesToArray": true
}
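Review bot: `"pageSize": 10` on the `+` line cuts the page size from 1000 to 10, which multiplies the number of API round-trips per poll by up to 100 while `rateLimitQPS` stays at 2, so a tenant with a large backlog of security problems may not be drained within one polling interval and ingestion lags behind. If the smaller page is needed because the response grew with the newly added `fields` parameter, a value such as `"pageSize": 100` is likely still acceptable to the API and keeps the request count manageable; otherwise the rationale for 10 should be recorded in the connector's README or release notes, since this JSON cannot carry a comment. This is inferred from the visible settings only; confirm against observed response sizes before changing it.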
@@ -6783,7 +9727,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "DynatraceAttacks Data Parser with template version 3.0.1",
+ "description": "DynatraceAttacks Data Parser with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserObject1').parserVersion1]",
@@ -6792,7 +9736,7 @@
"resources": [
{
"name": "[variables('parserObject1')._parserName1]",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
"location": "[parameters('workspace-location')]",
"properties": {
@@ -6800,7 +9744,7 @@
"displayName": "Parser for DynatraceAttacks",
"category": "Microsoft Sentinel Parser",
"functionAlias": "DynatraceAttacks",
- "query": "DynatraceAttacks_CL\n| extend EventVendor = 'Dynatrace'\n| extend EventProduct = 'Application Security'\n| extend Severity = 'High'\n| extend request_host_s = column_ifexists('request_host_s','')\n| project-rename\n AttackId = attackId_s,\n AttackType = attackType_s,\n DisplayId = displayId_s,\n DisplayName = displayName_s,\n State = state_s,\n TimeStamp = timestamp_d,\n url = request_url_s,\n host = request_host_s,\n sourceIp = attacker_sourceIp_s,\n managementZones = managementZones_s\n| project-away request_path_s, request_protocolDetails_http_requestMethod_s, \n request_protocolDetails_http_headers_values_s, request_protocolDetails_http_headers_truncationInfo_s,\n request_protocolDetails_http_parameters_values_s, request_protocolDetails_http_parameters_truncationInfo_s,\n entrypoint_entrypointFunction_displayName_s, entrypoint_entrypointFunction_className_s,\n entrypoint_entrypointFunction_functionName_s, entrypoint_entrypointFunction_parameterTypes_values_s,\n vulnerability_displayName_s, vulnerability_codeLocation_displayName_s,\n vulnerability_codeLocation_className_s, vulnerability_codeLocation_functionName_s,\n vulnerability_codeLocation_parameterTypes_values_s, vulnerability_codeLocation_parameterTypes_truncationInfo_truncated_b,\n vulnerability_codeLocation_returnType_s, vulnerability_codeLocation_lineNumber_d,\n entrypoint_entrypointFunction_parameterTypes_truncationInfo_truncated_b, entrypoint_entrypointFunction_returnType_s,\n entrypoint_payload_values_s, entrypoint_payload_truncationInfo_truncated_b,\n vulnerability_vulnerabilityId_s, vulnerability_vulnerableFunction_displayName_s,\n vulnerability_vulnerableFunction_className_s, vulnerability_vulnerableFunction_functionName_s,\n vulnerability_vulnerableFunction_parameterTypes_values_s, vulnerability_vulnerableFunction_parameterTypes_truncationInfo_truncated_b,\n vulnerability_vulnerableFunction_returnType_s, vulnerability_vulnerableFunctionInput_type_s,\n 
vulnerability_vulnerableFunctionInput_inputSegments_s\n",
+ "query": "let DynatraceAttacksV1 = view() {\n DynatraceAttacks_CL\n | extend request_host_s = column_ifexists('request_host_s', '')\n | project\n TimeGenerated,\n EventVendor = 'Dynatrace',\n EventProduct = 'Application Security',\n Severity = 'High',\n AttackId = attackId_s,\n AttackType = attackType_s,\n DisplayId = displayId_s,\n DisplayName = displayName_s,\n State = state_s,\n TimeStamp = timestamp_d,\n url = request_url_s,\n host = request_host_s,\n sourceIp = attacker_sourceIp_s,\n managementZones = managementZones_s\n};\nlet DynatraceAttacksV2 = view() {\n DynatraceAttacksV2_CL\n | project\n TimeGenerated,\n EventVendor = 'Dynatrace',\n EventProduct = 'Application Security',\n Severity = 'High',\n AttackId = attackId,\n AttackType = attackType,\n DisplayId = displayId,\n DisplayName = displayName,\n State = state,\n TimeStamp = TimeGenerated,\n url = tostring(request['url']),\n host = tostring(request['host']),\n sourceIp = tostring(attacker['sourceIp']),\n managementZones = tostring(managementZones)\n};\nunion isfuzzy=true DynatraceAttacksV1, DynatraceAttacksV2\n",
"functionParameters": "",
"version": 2,
"tags": [
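Review bot: The two views unioned on the `+` query line project same-named columns of different types: V1 sets `TimeStamp = timestamp_d` (a numeric classic custom-log column) while V2 sets `TimeStamp = TimeGenerated` (datetime), and Kusto's `union` then emits type-suffixed columns (`TimeStamp_real`, `TimeStamp_datetime`) instead of a single `TimeStamp`, so workbooks and analytic rules that read `TimeStamp` see an empty column as soon as both tables exist. Align the types on one side — if `timestamp_d` holds epoch milliseconds, `TimeStamp = unixtime_milliseconds_todatetime(timestamp_d)` in the V1 view does it; confirm the source unit first. Note also that V2's `TimeStamp = TimeGenerated` substitutes ingestion time for the event time unless the DCR maps the source timestamp into TimeGenerated, which matters for incident timelines built on this field. The query is duplicated verbatim in the second savedSearches resource of this parser, and the same pattern should be checked in the AuditLogs (`Success = success_b` vs `success`), Problems (`EndTime = endTime_d` vs `endTimeUtc`) and SecurityProblems (`Muted = muted_b` vs `muted`, `FirstSeenTimeStamp = firstSeenTimestamp_d` vs `firstSeenTimestampUtc`) parser hunks, each in both copies.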
@@ -6850,14 +9794,14 @@
"contentId": "[variables('parserObject1').parserContentId1]",
"contentKind": "Parser",
"displayName": "Parser for DynatraceAttacks",
- "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]",
- "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]",
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '2.0.0')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '2.0.0')))]",
"version": "[variables('parserObject1').parserVersion1]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
"name": "[variables('parserObject1')._parserName1]",
"location": "[parameters('workspace-location')]",
"properties": {
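Review bot: The literal `'2.0.0'` inside `uniqueString(...)` on the `contentProductId` and `id` lines changes the derived content id of an unchanged parser rather than only bumping its version, so a workspace that already holds the `'1.0.0'`-derived item may end up with an orphaned metadata entry or a duplicate after upgrade; verify the upgrade path on a workspace with the previous release installed. The `version` property just below already reads `variables('parserObject1').parserVersion1`; if that variable carries the new version, referencing it in the hash as well, `'-', variables('parserObject1').parserVersion1)))]`, keeps the two from drifting on the next bump. The same change is made for parserObject2, parserObject3 and parserObject4 in the later metadata hunks.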
@@ -6865,7 +9809,7 @@
"displayName": "Parser for DynatraceAttacks",
"category": "Microsoft Sentinel Parser",
"functionAlias": "DynatraceAttacks",
- "query": "DynatraceAttacks_CL\n| extend EventVendor = 'Dynatrace'\n| extend EventProduct = 'Application Security'\n| extend Severity = 'High'\n| extend request_host_s = column_ifexists('request_host_s','')\n| project-rename\n AttackId = attackId_s,\n AttackType = attackType_s,\n DisplayId = displayId_s,\n DisplayName = displayName_s,\n State = state_s,\n TimeStamp = timestamp_d,\n url = request_url_s,\n host = request_host_s,\n sourceIp = attacker_sourceIp_s,\n managementZones = managementZones_s\n| project-away request_path_s, request_protocolDetails_http_requestMethod_s, \n request_protocolDetails_http_headers_values_s, request_protocolDetails_http_headers_truncationInfo_s,\n request_protocolDetails_http_parameters_values_s, request_protocolDetails_http_parameters_truncationInfo_s,\n entrypoint_entrypointFunction_displayName_s, entrypoint_entrypointFunction_className_s,\n entrypoint_entrypointFunction_functionName_s, entrypoint_entrypointFunction_parameterTypes_values_s,\n vulnerability_displayName_s, vulnerability_codeLocation_displayName_s,\n vulnerability_codeLocation_className_s, vulnerability_codeLocation_functionName_s,\n vulnerability_codeLocation_parameterTypes_values_s, vulnerability_codeLocation_parameterTypes_truncationInfo_truncated_b,\n vulnerability_codeLocation_returnType_s, vulnerability_codeLocation_lineNumber_d,\n entrypoint_entrypointFunction_parameterTypes_truncationInfo_truncated_b, entrypoint_entrypointFunction_returnType_s,\n entrypoint_payload_values_s, entrypoint_payload_truncationInfo_truncated_b,\n vulnerability_vulnerabilityId_s, vulnerability_vulnerableFunction_displayName_s,\n vulnerability_vulnerableFunction_className_s, vulnerability_vulnerableFunction_functionName_s,\n vulnerability_vulnerableFunction_parameterTypes_values_s, vulnerability_vulnerableFunction_parameterTypes_truncationInfo_truncated_b,\n vulnerability_vulnerableFunction_returnType_s, vulnerability_vulnerableFunctionInput_type_s,\n 
vulnerability_vulnerableFunctionInput_inputSegments_s\n",
+ "query": "let DynatraceAttacksV1 = view() {\n DynatraceAttacks_CL\n | extend request_host_s = column_ifexists('request_host_s', '')\n | project\n TimeGenerated,\n EventVendor = 'Dynatrace',\n EventProduct = 'Application Security',\n Severity = 'High',\n AttackId = attackId_s,\n AttackType = attackType_s,\n DisplayId = displayId_s,\n DisplayName = displayName_s,\n State = state_s,\n TimeStamp = timestamp_d,\n url = request_url_s,\n host = request_host_s,\n sourceIp = attacker_sourceIp_s,\n managementZones = managementZones_s\n};\nlet DynatraceAttacksV2 = view() {\n DynatraceAttacksV2_CL\n | project\n TimeGenerated,\n EventVendor = 'Dynatrace',\n EventProduct = 'Application Security',\n Severity = 'High',\n AttackId = attackId,\n AttackType = attackType,\n DisplayId = displayId,\n DisplayName = displayName,\n State = state,\n TimeStamp = TimeGenerated,\n url = tostring(request['url']),\n host = tostring(request['host']),\n sourceIp = tostring(attacker['sourceIp']),\n managementZones = tostring(managementZones)\n};\nunion isfuzzy=true DynatraceAttacksV1, DynatraceAttacksV2\n",
"functionParameters": "",
"version": 2,
"tags": [
@@ -6915,7 +9859,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "DynatraceAuditLogs Data Parser with template version 3.0.1",
+ "description": "DynatraceAuditLogs Data Parser with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserObject2').parserVersion2]",
@@ -6924,7 +9868,7 @@
"resources": [
{
"name": "[variables('parserObject2')._parserName2]",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
"location": "[parameters('workspace-location')]",
"properties": {
@@ -6932,7 +9876,7 @@
"displayName": "Parser for DynatraceAuditLogs",
"category": "Microsoft Sentinel Parser",
"functionAlias": "DynatraceAuditLogs",
- "query": "DynatraceAuditLogs_CL\n| extend EventVendor = 'Dynatrace'\n| extend EventProduct = 'Audit'\n| extend Severity = 'Informational'\n| project-rename\n LogId = logId_s,\n EnvironmentId = environmentId_s,\n EventType = eventType_s,\n UserOrigin = userOrigin_s,\n UserType = userType_s,\n User = user_s,\n Success = success_b,\n TimeStamp = timestamp_d\n| project-away entityId_s, patch_s\n",
+ "query": "let DynatraceAuditLogsV1 = view() {\n DynatraceAuditLogs_CL\n | project\n TimeGenerated,\n EventVendor = 'Dynatrace',\n EventProduct = 'Audit',\n Severity = 'Informational',\n LogId = logId_s,\n EnvironmentId = environmentId_s,\n EventType = eventType_s,\n Category = '',\n UserOrigin = userOrigin_s,\n UserType = userType_s,\n User = user_s,\n Success = success_b,\n TimeStamp = timestamp_d\n};\nlet DynatraceAuditLogsV2 = view() {\n DynatraceAuditLogsV2_CL\n | project\n TimeGenerated,\n EventVendor = 'Dynatrace',\n EventProduct = 'Audit',\n Severity = 'Informational',\n LogId = logId,\n EnvironmentId = environmentId,\n EventType = eventType,\n Category = category,\n UserOrigin = userOrigin,\n UserType = userType,\n User = user,\n Success = success,\n TimeStamp = TimeGenerated\n};\nunion isfuzzy=true DynatraceAuditLogsV1, DynatraceAuditLogsV2\n",
"functionParameters": "",
"version": 2,
"tags": [
@@ -6982,14 +9926,14 @@
"contentId": "[variables('parserObject2').parserContentId2]",
"contentKind": "Parser",
"displayName": "Parser for DynatraceAuditLogs",
- "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject2').parserContentId2,'-', '1.0.0')))]",
- "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject2').parserContentId2,'-', '1.0.0')))]",
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject2').parserContentId2,'-', '2.0.0')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject2').parserContentId2,'-', '2.0.0')))]",
"version": "[variables('parserObject2').parserVersion2]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
"name": "[variables('parserObject2')._parserName2]",
"location": "[parameters('workspace-location')]",
"properties": {
@@ -6997,7 +9941,7 @@
"displayName": "Parser for DynatraceAuditLogs",
"category": "Microsoft Sentinel Parser",
"functionAlias": "DynatraceAuditLogs",
- "query": "DynatraceAuditLogs_CL\n| extend EventVendor = 'Dynatrace'\n| extend EventProduct = 'Audit'\n| extend Severity = 'Informational'\n| project-rename\n LogId = logId_s,\n EnvironmentId = environmentId_s,\n EventType = eventType_s,\n UserOrigin = userOrigin_s,\n UserType = userType_s,\n User = user_s,\n Success = success_b,\n TimeStamp = timestamp_d\n| project-away entityId_s, patch_s\n",
+ "query": "let DynatraceAuditLogsV1 = view() {\n DynatraceAuditLogs_CL\n | project\n TimeGenerated,\n EventVendor = 'Dynatrace',\n EventProduct = 'Audit',\n Severity = 'Informational',\n LogId = logId_s,\n EnvironmentId = environmentId_s,\n EventType = eventType_s,\n Category = '',\n UserOrigin = userOrigin_s,\n UserType = userType_s,\n User = user_s,\n Success = success_b,\n TimeStamp = timestamp_d\n};\nlet DynatraceAuditLogsV2 = view() {\n DynatraceAuditLogsV2_CL\n | project\n TimeGenerated,\n EventVendor = 'Dynatrace',\n EventProduct = 'Audit',\n Severity = 'Informational',\n LogId = logId,\n EnvironmentId = environmentId,\n EventType = eventType,\n Category = category,\n UserOrigin = userOrigin,\n UserType = userType,\n User = user,\n Success = success,\n TimeStamp = TimeGenerated\n};\nunion isfuzzy=true DynatraceAuditLogsV1, DynatraceAuditLogsV2\n",
"functionParameters": "",
"version": 2,
"tags": [
@@ -7047,7 +9991,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "DynatraceProblems Data Parser with template version 3.0.1",
+ "description": "DynatraceProblems Data Parser with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserObject3').parserVersion3]",
@@ -7056,7 +10000,7 @@
"resources": [
{
"name": "[variables('parserObject3')._parserName3]",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
"location": "[parameters('workspace-location')]",
"properties": {
@@ -7064,7 +10008,7 @@
"displayName": "Parser for DynatraceProblems",
"category": "Microsoft Sentinel Parser",
"functionAlias": "DynatraceProblems",
- "query": "DynatraceProblems_CL\n| extend EventVendor = 'Dynatrace'\n| extend EventProduct = 'Application Monitoring'\n| extend Severity = case(severityLevel_s == 'ERROR', 'High', \n severityLevel_s == 'INFO', 'Informational', \n 'Medium')\n| project-rename\n ProblemId = problemId_s,\n AffectedEntities = affectedEntities_s ,\n ImpactedEntities = impactedEntities_s ,\n ManagementZones = managementZones_s ,\n DisplayId = displayId_s,\n EndTime = endTime_d ,\n EntityTags = entityTags_s ,\n ImpactLevel = impactLevel_s ,\n StartTime = startTime_d ,\n Status = status_s ,\n Title = title_s, \n SeverityLevel = severityLevel_s\n| project-away problemFilters_s,evidenceDetails_totalCount_d,\n evidenceDetails_details_s, impactAnalysis_impacts_s\n",
+ "query": "let DynatraceProblemsV1 = view() {\n DynatraceProblems_CL\n | project\n TimeGenerated,\n EventVendor = 'Dynatrace',\n EventProduct = 'Application Monitoring',\n Severity = case(severityLevel_s == 'ERROR', 'High',\n severityLevel_s == 'INFO', 'Informational',\n 'Medium'),\n ProblemId = problemId_s,\n AffectedEntities = affectedEntities_s,\n ImpactedEntities = impactedEntities_s,\n ManagementZones = managementZones_s,\n DisplayId = displayId_s,\n EndTime = endTime_d,\n EntityTags = entityTags_s,\n ImpactLevel = impactLevel_s,\n StartTime = startTime_d,\n Status = status_s,\n Title = title_s,\n SeverityLevel = severityLevel_s\n};\nlet DynatraceProblemsV2 = view() {\n DynatraceProblemsV2_CL\n | project\n TimeGenerated,\n EventVendor = 'Dynatrace',\n EventProduct = 'Application Monitoring',\n Severity = case(severityLevel == 'ERROR', 'High',\n severityLevel == 'INFO', 'Informational',\n 'Medium'),\n ProblemId = problemId,\n AffectedEntities = tostring(affectedEntities),\n ImpactedEntities = tostring(impactedEntities),\n ManagementZones = tostring(managementZones),\n DisplayId = displayId,\n EndTime = endTimeUtc,\n EntityTags = tostring(entityTags),\n ImpactLevel = impactLevel,\n StartTime = startTimeUtc,\n Status = status,\n Title = problemTitle,\n SeverityLevel = severityLevel\n};\nunion isfuzzy=true DynatraceProblemsV1, DynatraceProblemsV2\n",
"functionParameters": "",
"version": 2,
"tags": [
@@ -7114,14 +10058,14 @@
"contentId": "[variables('parserObject3').parserContentId3]",
"contentKind": "Parser",
"displayName": "Parser for DynatraceProblems",
- "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject3').parserContentId3,'-', '1.0.0')))]",
- "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject3').parserContentId3,'-', '1.0.0')))]",
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject3').parserContentId3,'-', '2.0.0')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject3').parserContentId3,'-', '2.0.0')))]",
"version": "[variables('parserObject3').parserVersion3]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
"name": "[variables('parserObject3')._parserName3]",
"location": "[parameters('workspace-location')]",
"properties": {
@@ -7129,7 +10073,7 @@
"displayName": "Parser for DynatraceProblems",
"category": "Microsoft Sentinel Parser",
"functionAlias": "DynatraceProblems",
- "query": "DynatraceProblems_CL\n| extend EventVendor = 'Dynatrace'\n| extend EventProduct = 'Application Monitoring'\n| extend Severity = case(severityLevel_s == 'ERROR', 'High', \n severityLevel_s == 'INFO', 'Informational', \n 'Medium')\n| project-rename\n ProblemId = problemId_s,\n AffectedEntities = affectedEntities_s ,\n ImpactedEntities = impactedEntities_s ,\n ManagementZones = managementZones_s ,\n DisplayId = displayId_s,\n EndTime = endTime_d ,\n EntityTags = entityTags_s ,\n ImpactLevel = impactLevel_s ,\n StartTime = startTime_d ,\n Status = status_s ,\n Title = title_s, \n SeverityLevel = severityLevel_s\n| project-away problemFilters_s,evidenceDetails_totalCount_d,\n evidenceDetails_details_s, impactAnalysis_impacts_s\n",
+ "query": "let DynatraceProblemsV1 = view() {\n DynatraceProblems_CL\n | project\n TimeGenerated,\n EventVendor = 'Dynatrace',\n EventProduct = 'Application Monitoring',\n Severity = case(severityLevel_s == 'ERROR', 'High',\n severityLevel_s == 'INFO', 'Informational',\n 'Medium'),\n ProblemId = problemId_s,\n AffectedEntities = affectedEntities_s,\n ImpactedEntities = impactedEntities_s,\n ManagementZones = managementZones_s,\n DisplayId = displayId_s,\n EndTime = endTime_d,\n EntityTags = entityTags_s,\n ImpactLevel = impactLevel_s,\n StartTime = startTime_d,\n Status = status_s,\n Title = title_s,\n SeverityLevel = severityLevel_s\n};\nlet DynatraceProblemsV2 = view() {\n DynatraceProblemsV2_CL\n | project\n TimeGenerated,\n EventVendor = 'Dynatrace',\n EventProduct = 'Application Monitoring',\n Severity = case(severityLevel == 'ERROR', 'High',\n severityLevel == 'INFO', 'Informational',\n 'Medium'),\n ProblemId = problemId,\n AffectedEntities = tostring(affectedEntities),\n ImpactedEntities = tostring(impactedEntities),\n ManagementZones = tostring(managementZones),\n DisplayId = displayId,\n EndTime = endTimeUtc,\n EntityTags = tostring(entityTags),\n ImpactLevel = impactLevel,\n StartTime = startTimeUtc,\n Status = status,\n Title = problemTitle,\n SeverityLevel = severityLevel\n};\nunion isfuzzy=true DynatraceProblemsV1, DynatraceProblemsV2\n",
"functionParameters": "",
"version": 2,
"tags": [
@@ -7179,7 +10123,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "DynatraceSecurityProblems Data Parser with template version 3.0.1",
+ "description": "DynatraceSecurityProblems Data Parser with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserObject4').parserVersion4]",
@@ -7188,7 +10132,7 @@
"resources": [
{
"name": "[variables('parserObject4')._parserName4]",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
"location": "[parameters('workspace-location')]",
"properties": {
@@ -7196,7 +10140,7 @@
"displayName": "Parser for DynatraceSecurityProblems",
"category": "Microsoft Sentinel Parser",
"functionAlias": "DynatraceSecurityProblems",
- "query": "DynatraceSecurityProblems_CL\n| extend EventVendor = 'Dynatrace'\n| extend EventProduct = 'Application Security'\n| extend Severity = case(riskAssessment_riskLevel_s == 'CRITICAL', 'High', \n riskAssessment_riskLevel_s == 'HIGH', 'Medium', \n riskAssessment_riskLevel_s == 'MEDIUM', 'Low',\n 'Informational')\n| project-rename\n SecurityProblemId = securityProblemId_s,\n CVEIds = cveIds_s,\n DisplayId = displayId_s,\n ExternalVulnerabilityId = externalVulnerabilityId_s ,\n FirstSeenTimeStamp = firstSeenTimestamp_d ,\n LastUpdatedTimeStamp = lastUpdatedTimestamp_d,\n Muted = muted_b,\n PackageName = packageName_s,\n DAVISRiskLevel = riskAssessment_riskLevel_s,\n DAVISRiskScore = riskAssessment_riskScore_d,\n DAVISRiskVector = riskAssessment_riskVector_s,\n DAVISVulnerableFunctionUsage = riskAssessment_vulnerableFunctionUsage_s ,\n DAVISExposure = riskAssessment_exposure_s,\n DAVISDataAssets = riskAssessment_dataAssets_s,\n DAVISPublicExploit = riskAssessment_publicExploit_s,\n Status = status_s,\n Technology = technology_s ,\n Title = title_s ,\n Url = url_s,\n VulnerabilityType = vulnerabilityType_s,\n ManagementZones = managementZones_s\n| project-away riskAssessment_baseRiskLevel_s, riskAssessment_baseRiskScore_d, \n riskAssessment_baseRiskVector_s,riskAssessment_assessmentAccuracy_s\n",
+ "query": "let DynatraceSecurityProblemsV1 = view() {\n DynatraceSecurityProblems_CL\n | project\n TimeGenerated,\n EventVendor = 'Dynatrace',\n EventProduct = 'Application Security',\n Severity = case(riskAssessment_riskLevel_s == 'CRITICAL', 'High',\n riskAssessment_riskLevel_s == 'HIGH', 'Medium',\n riskAssessment_riskLevel_s == 'MEDIUM', 'Low',\n 'Informational'),\n SecurityProblemId = securityProblemId_s,\n CVEIds = cveIds_s,\n DisplayId = displayId_s,\n ExternalVulnerabilityId = externalVulnerabilityId_s,\n FirstSeenTimeStamp = firstSeenTimestamp_d,\n LastUpdatedTimeStamp = lastUpdatedTimestamp_d,\n LastOpenedTimeStamp = lastOpenedTimestamp_d,\n Muted = muted_b,\n PackageName = packageName_s,\n DAVISRiskLevel = riskAssessment_riskLevel_s,\n DAVISRiskScore = riskAssessment_riskScore_d,\n DAVISRiskVector = riskAssessment_riskVector_s,\n DAVISVulnerableFunctionUsage = riskAssessment_vulnerableFunctionUsage_s,\n DAVISExposure = riskAssessment_exposure_s,\n DAVISDataAssets = riskAssessment_dataAssets_s,\n DAVISPublicExploit = riskAssessment_publicExploit_s,\n Status = status_s,\n Technology = technology_s,\n Title = title_s,\n Url = url_s,\n VulnerabilityType = vulnerabilityType_s,\n ManagementZones = managementZones_s\n};\nlet DynatraceSecurityProblemsV2 = view() {\n DynatraceSecurityProblemsV2_CL\n | project\n TimeGenerated,\n EventVendor = 'Dynatrace',\n EventProduct = 'Application Security',\n Severity = case(tostring(riskAssessment['riskLevel']) == 'CRITICAL', 'High',\n tostring(riskAssessment['riskLevel']) == 'HIGH', 'Medium',\n tostring(riskAssessment['riskLevel']) == 'MEDIUM', 'Low',\n 'Informational'),\n SecurityProblemId = securityProblemId,\n CVEIds = tostring(cveIds),\n DisplayId = displayId,\n ExternalVulnerabilityId = externalVulnerabilityId,\n FirstSeenTimeStamp = firstSeenTimestampUtc,\n LastUpdatedTimeStamp = lastUpdatedTimestampUtc,\n LastOpenedTimeStamp = lastOpenedTimestampUtc,\n Muted = muted,\n PackageName = '',\n DAVISRiskLevel = 
tostring(riskAssessment['riskLevel']),\n DAVISRiskScore = toreal(riskAssessment['riskScore']),\n DAVISRiskVector = tostring(riskAssessment['riskVector']),\n DAVISVulnerableFunctionUsage = tostring(riskAssessment['vulnerableFunctionUsage']),\n DAVISExposure = tostring(riskAssessment['exposure']),\n DAVISDataAssets = tostring(riskAssessment['dataAssets']),\n DAVISPublicExploit = tostring(riskAssessment['publicExploit']),\n Status = status,\n Technology = technology,\n Title = securityProblemTitle,\n Url = url,\n VulnerabilityType = vulnerabilityType,\n ManagementZones = tostring(managementZones)\n};\nunion isfuzzy=true DynatraceSecurityProblemsV1, DynatraceSecurityProblemsV2\n",
"functionParameters": "",
"version": 2,
"tags": [
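Review bot: `LastOpenedTimeStamp = lastOpenedTimestamp_d` on the `+` query line is a new reference in the V1 view to a column the previous query never read; if workspaces populated by the earlier connector have no such column in `DynatraceSecurityProblems_CL`, the whole function fails with a semantic error, and `union isfuzzy=true` only tolerates a missing table, not a missing column. The attacks V1 view in this same diff already guards an optional column with `column_ifexists`; the same guard here, `LastOpenedTimeStamp = column_ifexists('lastOpenedTimestamp_d', real(null)),`, keeps existing data readable. On the V2 side `PackageName = ''` drops a field V1 carries; if the V2 table has a package-name column it should be projected, otherwise the gap deserves a line in the release notes so detections keyed on `PackageName` are not silently blinded for V2 data. The same query is repeated in the second savedSearches resource for this parser below.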
@@ -7246,14 +10190,14 @@
"contentId": "[variables('parserObject4').parserContentId4]",
"contentKind": "Parser",
"displayName": "Parser for DynatraceSecurityProblems",
- "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject4').parserContentId4,'-', '1.0.0')))]",
- "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject4').parserContentId4,'-', '1.0.0')))]",
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject4').parserContentId4,'-', '2.0.0')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject4').parserContentId4,'-', '2.0.0')))]",
"version": "[variables('parserObject4').parserVersion4]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
"name": "[variables('parserObject4')._parserName4]",
"location": "[parameters('workspace-location')]",
"properties": {
@@ -7261,7 +10205,7 @@
"displayName": "Parser for DynatraceSecurityProblems",
"category": "Microsoft Sentinel Parser",
"functionAlias": "DynatraceSecurityProblems",
- "query": "DynatraceSecurityProblems_CL\n| extend EventVendor = 'Dynatrace'\n| extend EventProduct = 'Application Security'\n| extend Severity = case(riskAssessment_riskLevel_s == 'CRITICAL', 'High', \n riskAssessment_riskLevel_s == 'HIGH', 'Medium', \n riskAssessment_riskLevel_s == 'MEDIUM', 'Low',\n 'Informational')\n| project-rename\n SecurityProblemId = securityProblemId_s,\n CVEIds = cveIds_s,\n DisplayId = displayId_s,\n ExternalVulnerabilityId = externalVulnerabilityId_s ,\n FirstSeenTimeStamp = firstSeenTimestamp_d ,\n LastUpdatedTimeStamp = lastUpdatedTimestamp_d,\n Muted = muted_b,\n PackageName = packageName_s,\n DAVISRiskLevel = riskAssessment_riskLevel_s,\n DAVISRiskScore = riskAssessment_riskScore_d,\n DAVISRiskVector = riskAssessment_riskVector_s,\n DAVISVulnerableFunctionUsage = riskAssessment_vulnerableFunctionUsage_s ,\n DAVISExposure = riskAssessment_exposure_s,\n DAVISDataAssets = riskAssessment_dataAssets_s,\n DAVISPublicExploit = riskAssessment_publicExploit_s,\n Status = status_s,\n Technology = technology_s ,\n Title = title_s ,\n Url = url_s,\n VulnerabilityType = vulnerabilityType_s,\n ManagementZones = managementZones_s\n| project-away riskAssessment_baseRiskLevel_s, riskAssessment_baseRiskScore_d, \n riskAssessment_baseRiskVector_s,riskAssessment_assessmentAccuracy_s\n",
+ "query": "let DynatraceSecurityProblemsV1 = view() {\n DynatraceSecurityProblems_CL\n | project\n TimeGenerated,\n EventVendor = 'Dynatrace',\n EventProduct = 'Application Security',\n Severity = case(riskAssessment_riskLevel_s == 'CRITICAL', 'High',\n riskAssessment_riskLevel_s == 'HIGH', 'Medium',\n riskAssessment_riskLevel_s == 'MEDIUM', 'Low',\n 'Informational'),\n SecurityProblemId = securityProblemId_s,\n CVEIds = cveIds_s,\n DisplayId = displayId_s,\n ExternalVulnerabilityId = externalVulnerabilityId_s,\n FirstSeenTimeStamp = firstSeenTimestamp_d,\n LastUpdatedTimeStamp = lastUpdatedTimestamp_d,\n LastOpenedTimeStamp = lastOpenedTimestamp_d,\n Muted = muted_b,\n PackageName = packageName_s,\n DAVISRiskLevel = riskAssessment_riskLevel_s,\n DAVISRiskScore = riskAssessment_riskScore_d,\n DAVISRiskVector = riskAssessment_riskVector_s,\n DAVISVulnerableFunctionUsage = riskAssessment_vulnerableFunctionUsage_s,\n DAVISExposure = riskAssessment_exposure_s,\n DAVISDataAssets = riskAssessment_dataAssets_s,\n DAVISPublicExploit = riskAssessment_publicExploit_s,\n Status = status_s,\n Technology = technology_s,\n Title = title_s,\n Url = url_s,\n VulnerabilityType = vulnerabilityType_s,\n ManagementZones = managementZones_s\n};\nlet DynatraceSecurityProblemsV2 = view() {\n DynatraceSecurityProblemsV2_CL\n | project\n TimeGenerated,\n EventVendor = 'Dynatrace',\n EventProduct = 'Application Security',\n Severity = case(tostring(riskAssessment['riskLevel']) == 'CRITICAL', 'High',\n tostring(riskAssessment['riskLevel']) == 'HIGH', 'Medium',\n tostring(riskAssessment['riskLevel']) == 'MEDIUM', 'Low',\n 'Informational'),\n SecurityProblemId = securityProblemId,\n CVEIds = tostring(cveIds),\n DisplayId = displayId,\n ExternalVulnerabilityId = externalVulnerabilityId,\n FirstSeenTimeStamp = firstSeenTimestampUtc,\n LastUpdatedTimeStamp = lastUpdatedTimestampUtc,\n LastOpenedTimeStamp = lastOpenedTimestampUtc,\n Muted = muted,\n PackageName = '',\n DAVISRiskLevel = 
tostring(riskAssessment['riskLevel']),\n DAVISRiskScore = toreal(riskAssessment['riskScore']),\n DAVISRiskVector = tostring(riskAssessment['riskVector']),\n DAVISVulnerableFunctionUsage = tostring(riskAssessment['vulnerableFunctionUsage']),\n DAVISExposure = tostring(riskAssessment['exposure']),\n DAVISDataAssets = tostring(riskAssessment['dataAssets']),\n DAVISPublicExploit = tostring(riskAssessment['publicExploit']),\n Status = status,\n Technology = technology,\n Title = securityProblemTitle,\n Url = url,\n VulnerabilityType = vulnerabilityType,\n ManagementZones = tostring(managementZones)\n};\nunion isfuzzy=true DynatraceSecurityProblemsV1, DynatraceSecurityProblemsV2\n",
"functionParameters": "",
"version": 2,
"tags": [
@@ -7307,12 +10251,12 @@
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
- "version": "3.0.1",
+ "version": "3.0.2",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "Dynatrace",
"publisherDisplayName": "Dynatrace",
- "descriptionHtml": "
Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nDynatrace is a leading observability platform that provides automatic and intelligent observability at scale for cloud-native and enterprise workloads; with Dynatrace Application Security, your DevSecOps teams can resolve security issues faster, accelerating software delivery.\nIntegrating Dynatrace with Microsoft Sentinel enables DevSecOps teams to detect, prioritize, triage, and remediate attacks rapidly. DevSecOps teams benefit from the high-accuracy threat signals Dynatrace surfaces. It helps them avoid time-consuming investigation activities, freeing them up for more critical tasks.\nMicrosoft Sentinel data connectors poll Dynatrace for new attacks, vulnerabilities, audit logs, and problem events.
\nIncluded data connectors:
\nLearn More about Dynatrace | Dynatrace Docs
\nData Connectors: 4, Parsers: 4, Workbooks: 1, Analytic Rules: 5, Playbooks: 6
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
+ "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nDynatrace is a leading observability platform that provides automatic and intelligent observability at scale for cloud-native and enterprise workloads; with Dynatrace Application Security, your DevSecOps teams can resolve security issues faster, accelerating software delivery.\nIntegrating Dynatrace with Microsoft Sentinel enables DevSecOps teams to detect, prioritize, triage, and remediate attacks rapidly. DevSecOps teams benefit from the high-accuracy threat signals Dynatrace surfaces. It helps them avoid time-consuming investigation activities, freeing them up for more critical tasks.\nMicrosoft Sentinel data connectors poll Dynatrace for new attacks, vulnerabilities, audit logs, and problem events.
\nIncluded data connectors:
\nLearn More about Dynatrace | Dynatrace Docs
\nUnderlying Microsoft Technologies used:
\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:
\nData Connectors: 8, Parsers: 4, Workbooks: 1, Analytic Rules: 5, Playbooks: 6
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
"contentKind": "Solution",
"contentProductId": "[variables('_solutioncontentProductId')]",
"id": "[variables('_solutioncontentProductId')]",
@@ -7404,18 +10348,38 @@
},
{
"kind": "DataConnector",
- "contentId": "[variables('_dataConnectorContentId2')]",
- "version": "[variables('dataConnectorVersion2')]"
+ "contentId": "[variables('_dataConnectorContentIdConnections2')]",
+ "version": "[variables('dataConnectorCCPVersion')]"
+ },
+ {
+ "kind": "DataConnector",
+ "contentId": "[variables('_dataConnectorContentIdConnections3')]",
+ "version": "[variables('dataConnectorCCPVersion')]"
+ },
+ {
+ "kind": "DataConnector",
+ "contentId": "[variables('_dataConnectorContentIdConnections4')]",
+ "version": "[variables('dataConnectorCCPVersion')]"
+ },
+ {
+ "kind": "DataConnector",
+ "contentId": "[variables('_dataConnectorContentIdConnections5')]",
+ "version": "[variables('dataConnectorCCPVersion')]"
+ },
+ {
+ "kind": "DataConnector",
+ "contentId": "[variables('_dataConnectorContentId6')]",
+ "version": "[variables('dataConnectorVersion6')]"
},
{
"kind": "DataConnector",
- "contentId": "[variables('_dataConnectorContentId3')]",
- "version": "[variables('dataConnectorVersion3')]"
+ "contentId": "[variables('_dataConnectorContentId7')]",
+ "version": "[variables('dataConnectorVersion7')]"
},
{
"kind": "DataConnector",
- "contentId": "[variables('_dataConnectorContentId4')]",
- "version": "[variables('dataConnectorVersion4')]"
+ "contentId": "[variables('_dataConnectorContentId8')]",
+ "version": "[variables('dataConnectorVersion8')]"
},
{
"kind": "Parser",
diff --git a/Solutions/Dynatrace/Package/testParameters.json b/Solutions/Dynatrace/Package/testParameters.json
index 6057c2c780b..f453f4a8ef9 100644
--- a/Solutions/Dynatrace/Package/testParameters.json
+++ b/Solutions/Dynatrace/Package/testParameters.json
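Review bot: The bump to `"version": "3.0.2"` reuses a version number that the ReleaseNotes hunk at the end of this page shows was already published: the existing 3.0.2 row (03-05-2024, "Repackaged for parser issue fix on reinstall") is rewritten in place instead of a new row being added. If that 3.0.2 package has shipped, workspaces that already hold it will most likely not see this one as an update, even though it adds four connectors and changes every parser. The safer change is `"version": "3.0.3"` here, the matching bump in the template's version variables, and a new 3.0.3 row in ReleaseNotes that keeps the old 3.0.2 entry.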
@@ -28,5 +28,19 @@
"metadata": {
"description": "Name for the workbook"
}
+ },
+ "resourceGroupName": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().name]",
+ "metadata": {
+ "description": "resource group name where Microsoft Sentinel is setup"
+ }
+ },
+ "subscription": {
+ "type": "string",
+ "defaultValue": "[last(split(subscription().id, '/'))]",
+ "metadata": {
+ "description": "subscription id where Microsoft Sentinel is setup"
+ }
}
}
diff --git a/Solutions/Dynatrace/Parsers/DynatraceAttacks.yaml b/Solutions/Dynatrace/Parsers/DynatraceAttacks.yaml
index b76b0d5353c..d57fc82d7ff 100644
--- a/Solutions/Dynatrace/Parsers/DynatraceAttacks.yaml
+++ b/Solutions/Dynatrace/Parsers/DynatraceAttacks.yaml
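Review bot: The two added parameter descriptions are lowercase fragments and use the noun "setup" where the verb is meant; the existing `"Name for the workbook"` description above them is capitalised. Suggest `"description": "Resource group name where Microsoft Sentinel is set up"` and `"description": "Subscription ID where Microsoft Sentinel is set up"`. The parameter called `subscription` actually carries the subscription ID (its default is `[last(split(subscription().id, '/'))]`); if the name is not already wired into the package template, `subscriptionId` would say what the value is.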
@@ -1,41 +1,47 @@
id: fc6d1ab7-a088-4b9e-8ea1-b95584172c33
Function:
Title: Parser for DynatraceAttacks
- Version: '1.0.0'
- LastUpdated: '2023-08-23'
+ Version: '2.0.0'
+ LastUpdated: '2026-04-02'
Category: Microsoft Sentinel Parser
FunctionName: DynatraceAttacks
FunctionAlias: DynatraceAttacks
FunctionQuery: |
- DynatraceAttacks_CL
- | extend EventVendor = 'Dynatrace'
- | extend EventProduct = 'Application Security'
- | extend Severity = 'High'
- | extend request_host_s = column_ifexists('request_host_s','')
- | project-rename
- AttackId = attackId_s,
- AttackType = attackType_s,
- DisplayId = displayId_s,
- DisplayName = displayName_s,
- State = state_s,
- TimeStamp = timestamp_d,
- url = request_url_s,
- host = request_host_s,
- sourceIp = attacker_sourceIp_s,
- managementZones = managementZones_s
- | project-away request_path_s, request_protocolDetails_http_requestMethod_s,
- request_protocolDetails_http_headers_values_s, request_protocolDetails_http_headers_truncationInfo_s,
- request_protocolDetails_http_parameters_values_s, request_protocolDetails_http_parameters_truncationInfo_s,
- entrypoint_entrypointFunction_displayName_s, entrypoint_entrypointFunction_className_s,
- entrypoint_entrypointFunction_functionName_s, entrypoint_entrypointFunction_parameterTypes_values_s,
- vulnerability_displayName_s, vulnerability_codeLocation_displayName_s,
- vulnerability_codeLocation_className_s, vulnerability_codeLocation_functionName_s,
- vulnerability_codeLocation_parameterTypes_values_s, vulnerability_codeLocation_parameterTypes_truncationInfo_truncated_b,
- vulnerability_codeLocation_returnType_s, vulnerability_codeLocation_lineNumber_d,
- entrypoint_entrypointFunction_parameterTypes_truncationInfo_truncated_b, entrypoint_entrypointFunction_returnType_s,
- entrypoint_payload_values_s, entrypoint_payload_truncationInfo_truncated_b,
- vulnerability_vulnerabilityId_s, vulnerability_vulnerableFunction_displayName_s,
- vulnerability_vulnerableFunction_className_s, 
vulnerability_vulnerableFunction_functionName_s,
- vulnerability_vulnerableFunction_parameterTypes_values_s, vulnerability_vulnerableFunction_parameterTypes_truncationInfo_truncated_b,
- vulnerability_vulnerableFunction_returnType_s, vulnerability_vulnerableFunctionInput_type_s,
- vulnerability_vulnerableFunctionInput_inputSegments_s
\ No newline at end of file
+ let DynatraceAttacksV1 = view() {
+ DynatraceAttacks_CL
+ | extend request_host_s = column_ifexists('request_host_s', '')
+ | project
+ TimeGenerated,
+ EventVendor = 'Dynatrace',
+ EventProduct = 'Application Security',
+ Severity = 'High',
+ AttackId = attackId_s,
+ AttackType = attackType_s,
+ DisplayId = displayId_s,
+ DisplayName = displayName_s,
+ State = state_s,
+ TimeStamp = timestamp_d,
+ url = request_url_s,
+ host = request_host_s,
+ sourceIp = attacker_sourceIp_s,
+ managementZones = managementZones_s
+ };
+ let DynatraceAttacksV2 = view() {
+ DynatraceAttacksV2_CL
+ | project
+ TimeGenerated,
+ EventVendor = 'Dynatrace',
+ EventProduct = 'Application Security',
+ Severity = 'High',
+ AttackId = attackId,
+ AttackType = attackType,
+ DisplayId = displayId,
+ DisplayName = displayName,
+ State = state,
+ TimeStamp = TimeGenerated,
+ url = tostring(request['url']),
+ host = tostring(request['host']),
+ sourceIp = tostring(attacker['sourceIp']),
+ managementZones = tostring(managementZones)
+ };
+ union isfuzzy=true DynatraceAttacksV1, DynatraceAttacksV2
diff --git a/Solutions/Dynatrace/Parsers/DynatraceAuditLogs.yaml b/Solutions/Dynatrace/Parsers/DynatraceAuditLogs.yaml
index 8d154e7e027..f7dc2f3547d 100644
--- a/Solutions/Dynatrace/Parsers/DynatraceAuditLogs.yaml
+++ b/Solutions/Dynatrace/Parsers/DynatraceAuditLogs.yaml
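Review bot: `TimeStamp = timestamp_d` in DynatraceAttacksV1 and `TimeStamp = TimeGenerated` in DynatraceAttacksV2 give the same output column two different types (the legacy `_d` suffix is a real, TimeGenerated is a datetime), and KQL `union` does not merge such columns: the result carries `TimeStamp_real` and `TimeStamp_datetime` instead of one `TimeStamp`, so any analytic rule or workbook that selects `TimeStamp` gets an empty column from one side. Normalise the V1 side before the union, e.g. `TimeStamp = unixtime_milliseconds_todatetime(timestamp_d)` if the legacy field holds epoch milliseconds (`unixtime_seconds_todatetime` if seconds), and check the same split for `Success = success_b` vs `Success = success` in the DynatraceAuditLogs hunk, `EndTime`/`StartTime` (`endTime_d`/`startTime_d` vs `endTimeUtc`/`startTimeUtc`) in the DynatraceProblems hunk, and `FirstSeenTimeStamp`/`LastUpdatedTimeStamp`/`LastOpenedTimeStamp` plus `Muted` in the DynatraceSecurityProblems hunk; the mainTemplate query at the top of this page embeds the same SecurityProblems views and would need the same fix. Separately, the V2 view substitutes ingestion-time `TimeGenerated` for the attack's own timestamp, which only matches V1's meaning if the DCR transform sets TimeGenerated from the event time — that DCR is outside this hunk, so worth confirming.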
@@ -1,23 +1,44 @@
id: b157a58b-39ce-44c2-8a2f-7f2a8eff104a
Function:
Title: Parser for DynatraceAuditLogs
- Version: '1.0.0'
- LastUpdated: '2023-08-23'
+ Version: '2.0.0'
+ LastUpdated: '2026-04-02'
Category: Microsoft Sentinel Parser
FunctionName: DynatraceAuditLogs
FunctionAlias: DynatraceAuditLogs
FunctionQuery: |
- DynatraceAuditLogs_CL
- | extend EventVendor = 'Dynatrace'
- | extend EventProduct = 'Audit'
- | extend Severity = 'Informational'
- | project-rename
- LogId = logId_s,
- EnvironmentId = environmentId_s,
- EventType = eventType_s,
- UserOrigin = userOrigin_s,
- UserType = userType_s,
- User = user_s,
- Success = success_b,
- TimeStamp = timestamp_d
- | project-away entityId_s, patch_s
\ No newline at end of file
+ let DynatraceAuditLogsV1 = view() {
+ DynatraceAuditLogs_CL
+ | project
+ TimeGenerated,
+ EventVendor = 'Dynatrace',
+ EventProduct = 'Audit',
+ Severity = 'Informational',
+ LogId = logId_s,
+ EnvironmentId = environmentId_s,
+ EventType = eventType_s,
+ Category = '',
+ UserOrigin = userOrigin_s,
+ UserType = userType_s,
+ User = user_s,
+ Success = success_b,
+ TimeStamp = timestamp_d
+ };
+ let DynatraceAuditLogsV2 = view() {
+ DynatraceAuditLogsV2_CL
+ | project
+ TimeGenerated,
+ EventVendor = 'Dynatrace',
+ EventProduct = 'Audit',
+ Severity = 'Informational',
+ LogId = logId,
+ EnvironmentId = environmentId,
+ EventType = eventType,
+ Category = category,
+ UserOrigin = userOrigin,
+ UserType = userType,
+ User = user,
+ Success = success,
+ TimeStamp = TimeGenerated
+ };
+ union isfuzzy=true DynatraceAuditLogsV1, DynatraceAuditLogsV2
diff --git a/Solutions/Dynatrace/Parsers/DynatraceProblems.yaml b/Solutions/Dynatrace/Parsers/DynatraceProblems.yaml
index 842a111d97f..88294ffe0fe 100644
--- a/Solutions/Dynatrace/Parsers/DynatraceProblems.yaml
+++ b/Solutions/Dynatrace/Parsers/DynatraceProblems.yaml
@@ -1,30 +1,54 @@
id: ca4646fe-4278-4dcb-9be7-f0e2d53bbaa1
Function:
Title: Parser for DynatraceProblems
- Version: '1.0.0'
- LastUpdated: '2023-08-23'
+ Version: '2.0.0'
+ LastUpdated: '2026-04-02'
Category: Microsoft Sentinel Parser
FunctionName: DynatraceProblems
FunctionAlias: DynatraceProblems
FunctionQuery: |
- DynatraceProblems_CL
- | extend EventVendor = 'Dynatrace'
- | extend EventProduct = 'Application Monitoring'
- | extend Severity = case(severityLevel_s == 'ERROR', 'High',
- severityLevel_s == 'INFO', 'Informational',
- 'Medium')
- | project-rename
- ProblemId = problemId_s,
- AffectedEntities = affectedEntities_s ,
- ImpactedEntities = impactedEntities_s ,
- ManagementZones = managementZones_s ,
- DisplayId = displayId_s,
- EndTime = endTime_d ,
- EntityTags = entityTags_s ,
- ImpactLevel = impactLevel_s ,
- StartTime = startTime_d ,
- Status = status_s ,
- Title = title_s,
- SeverityLevel = severityLevel_s
- | project-away problemFilters_s,evidenceDetails_totalCount_d,
- evidenceDetails_details_s, impactAnalysis_impacts_s
\ No newline at end of file
+ let DynatraceProblemsV1 = view() {
+ DynatraceProblems_CL
+ | project
+ TimeGenerated,
+ EventVendor = 'Dynatrace',
+ EventProduct = 'Application Monitoring',
+ Severity = case(severityLevel_s == 'ERROR', 'High',
+ severityLevel_s == 'INFO', 'Informational',
+ 'Medium'),
+ ProblemId = problemId_s,
+ AffectedEntities = affectedEntities_s,
+ ImpactedEntities = impactedEntities_s,
+ ManagementZones = managementZones_s,
+ DisplayId = displayId_s,
+ EndTime = endTime_d,
+ EntityTags = entityTags_s,
+ ImpactLevel = impactLevel_s,
+ StartTime = startTime_d,
+ Status = status_s,
+ Title = title_s,
+ SeverityLevel = severityLevel_s
+ };
+ let DynatraceProblemsV2 = view() {
+ DynatraceProblemsV2_CL
+ | project
+ TimeGenerated,
+ EventVendor = 'Dynatrace',
+ EventProduct = 'Application Monitoring',
+ Severity = case(severityLevel == 'ERROR', 'High',
+ severityLevel == 'INFO', 'Informational',
+ 'Medium'),
+ 
ProblemId = problemId,
+ AffectedEntities = tostring(affectedEntities),
+ ImpactedEntities = tostring(impactedEntities),
+ ManagementZones = tostring(managementZones),
+ DisplayId = displayId,
+ EndTime = endTimeUtc,
+ EntityTags = tostring(entityTags),
+ ImpactLevel = impactLevel,
+ StartTime = startTimeUtc,
+ Status = status,
+ Title = problemTitle,
+ SeverityLevel = severityLevel
+ };
+ union isfuzzy=true DynatraceProblemsV1, DynatraceProblemsV2
diff --git a/Solutions/Dynatrace/Parsers/DynatraceSecurityProblems.yaml b/Solutions/Dynatrace/Parsers/DynatraceSecurityProblems.yaml
index 7a632bae44d..65f0617b8da 100644
--- a/Solutions/Dynatrace/Parsers/DynatraceSecurityProblems.yaml
+++ b/Solutions/Dynatrace/Parsers/DynatraceSecurityProblems.yaml
@@ -1,40 +1,76 @@
id: 09c9ae71-329c-4343-815d-b755206d9f32
Function:
Title: Parser for DynatraceSecurityProblems
- Version: '1.0.0'
- LastUpdated: '2023-08-23'
+ Version: '2.0.0'
+ LastUpdated: '2026-04-02'
Category: Microsoft Sentinel Parser
FunctionName: DynatraceSecurityProblems
FunctionAlias: DynatraceSecurityProblems
FunctionQuery: |
- DynatraceSecurityProblems_CL
- | extend EventVendor = 'Dynatrace'
- | extend EventProduct = 'Application Security'
- | extend Severity = case(riskAssessment_riskLevel_s == 'CRITICAL', 'High',
- riskAssessment_riskLevel_s == 'HIGH', 'Medium',
+ let DynatraceSecurityProblemsV1 = view() {
+ DynatraceSecurityProblems_CL
+ | project
+ TimeGenerated,
+ EventVendor = 'Dynatrace',
+ EventProduct = 'Application Security',
+ Severity = case(riskAssessment_riskLevel_s == 'CRITICAL', 'High',
+ riskAssessment_riskLevel_s == 'HIGH', 'Medium',
riskAssessment_riskLevel_s == 'MEDIUM', 'Low',
- 'Informational')
- | project-rename
- SecurityProblemId = securityProblemId_s,
- CVEIds = cveIds_s,
- DisplayId = displayId_s,
- ExternalVulnerabilityId = externalVulnerabilityId_s ,
- FirstSeenTimeStamp = firstSeenTimestamp_d ,
- LastUpdatedTimeStamp = lastUpdatedTimestamp_d,
- Muted = muted_b,
- PackageName = packageName_s,
- DAVISRiskLevel = riskAssessment_riskLevel_s,
- DAVISRiskScore = riskAssessment_riskScore_d,
- DAVISRiskVector = riskAssessment_riskVector_s,
- DAVISVulnerableFunctionUsage = riskAssessment_vulnerableFunctionUsage_s ,
- DAVISExposure = riskAssessment_exposure_s,
- DAVISDataAssets = riskAssessment_dataAssets_s,
- DAVISPublicExploit = riskAssessment_publicExploit_s,
- Status = status_s,
- Technology = technology_s ,
- Title = title_s ,
- Url = url_s,
- VulnerabilityType = vulnerabilityType_s,
- ManagementZones = managementZones_s
- | project-away riskAssessment_baseRiskLevel_s, riskAssessment_baseRiskScore_d,
- riskAssessment_baseRiskVector_s,riskAssessment_assessmentAccuracy_s
\ No newline at end of file
+ 'Informational'),
+ 
SecurityProblemId = securityProblemId_s,
+ CVEIds = cveIds_s,
+ DisplayId = displayId_s,
+ ExternalVulnerabilityId = externalVulnerabilityId_s,
+ FirstSeenTimeStamp = firstSeenTimestamp_d,
+ LastUpdatedTimeStamp = lastUpdatedTimestamp_d,
+ LastOpenedTimeStamp = lastOpenedTimestamp_d,
+ Muted = muted_b,
+ PackageName = packageName_s,
+ DAVISRiskLevel = riskAssessment_riskLevel_s,
+ DAVISRiskScore = riskAssessment_riskScore_d,
+ DAVISRiskVector = riskAssessment_riskVector_s,
+ DAVISVulnerableFunctionUsage = riskAssessment_vulnerableFunctionUsage_s,
+ DAVISExposure = riskAssessment_exposure_s,
+ DAVISDataAssets = riskAssessment_dataAssets_s,
+ DAVISPublicExploit = riskAssessment_publicExploit_s,
+ Status = status_s,
+ Technology = technology_s,
+ Title = title_s,
+ Url = url_s,
+ VulnerabilityType = vulnerabilityType_s,
+ ManagementZones = managementZones_s
+ };
+ let DynatraceSecurityProblemsV2 = view() {
+ DynatraceSecurityProblemsV2_CL
+ | project
+ TimeGenerated,
+ EventVendor = 'Dynatrace',
+ EventProduct = 'Application Security',
+ Severity = case(tostring(riskAssessment['riskLevel']) == 'CRITICAL', 'High',
+ tostring(riskAssessment['riskLevel']) == 'HIGH', 'Medium',
+ tostring(riskAssessment['riskLevel']) == 'MEDIUM', 'Low',
+ 'Informational'),
+ SecurityProblemId = securityProblemId,
+ CVEIds = tostring(cveIds),
+ DisplayId = displayId,
+ ExternalVulnerabilityId = externalVulnerabilityId,
+ FirstSeenTimeStamp = firstSeenTimestampUtc,
+ LastUpdatedTimeStamp = lastUpdatedTimestampUtc,
+ LastOpenedTimeStamp = lastOpenedTimestampUtc,
+ Muted = muted,
+ PackageName = '',
+ DAVISRiskLevel = tostring(riskAssessment['riskLevel']),
+ DAVISRiskScore = toreal(riskAssessment['riskScore']),
+ DAVISRiskVector = tostring(riskAssessment['riskVector']),
+ DAVISVulnerableFunctionUsage = tostring(riskAssessment['vulnerableFunctionUsage']),
+ DAVISExposure = tostring(riskAssessment['exposure']),
+ DAVISDataAssets = tostring(riskAssessment['dataAssets']),
+ DAVISPublicExploit = 
tostring(riskAssessment['publicExploit']),
+ Status = status,
+ Technology = technology,
+ Title = securityProblemTitle,
+ Url = url,
+ VulnerabilityType = vulnerabilityType,
+ ManagementZones = tostring(managementZones)
+ };
+ union isfuzzy=true DynatraceSecurityProblemsV1, DynatraceSecurityProblemsV2
diff --git a/Solutions/Dynatrace/ReleaseNotes.md b/Solutions/Dynatrace/ReleaseNotes.md
index 5fe0d630b24..34c17a1ce28 100644
--- a/Solutions/Dynatrace/ReleaseNotes.md
+++ b/Solutions/Dynatrace/ReleaseNotes.md
@@ -1,6 +1,6 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|---------------------------------------------|
-| 3.0.2 | 03-05-2024 | Repackaged for parser issue fix on reinstall |
+| 3.0.2 | 02-04-2026 | Added DCR based connectors |
| 3.0.1 | 18-01-2024 | Changes for rebranding from Microsoft 365 Defender to Microsoft Defender XDR, |
| | | Updated user-agent strings used when calling Dynatrace REST API's, |
| | | Added new Entity Mappings to **Analytic Rules** |