From 0934dab3e8fe9c600f9ac7b1a0f69208f2567415 Mon Sep 17 00:00:00 2001
From: Srikar Shastry
Date: Tue, 7 Apr 2026 14:13:28 -0500
Subject: [PATCH 1/2] [AtlassianConfluenceAuditConnector] - update streamDeclarations in DCR
---
 .../AtlassianConfluenceAudit_DCR.json | 158 ++++----
 ...nfluenceAudit_DataConnectorDefinition.json | 259 +++++++------
 ...tlassianConfluenceAudit_PollingConfig.json | 88 ++---
 .../AtlassianConfluenceAudit_table.json | 358 ++++++++----------
 .../Solution_AtlassianConfluenceAudit.json | 4 +-
 .../Package/3.0.7.zip | Bin 0 -> 9177 bytes
 .../Package/createUiDefinition.json | 2 +-
 .../Package/mainTemplate.json | 258 ++++++-------
 .../AtlassianConfluenceAudit/ReleaseNotes.md | 1 +
 9 files changed, 552 insertions(+), 576 deletions(-)
 create mode 100644 Solutions/AtlassianConfluenceAudit/Package/3.0.7.zip
diff --git a/Solutions/AtlassianConfluenceAudit/Data Connectors/AtlassianConfluenceAuditLogs_CCP/AtlassianConfluenceAudit_DCR.json b/Solutions/AtlassianConfluenceAudit/Data Connectors/AtlassianConfluenceAuditLogs_CCP/AtlassianConfluenceAudit_DCR.json
index d67ce808961..e6a737c608a 100644
--- a/Solutions/AtlassianConfluenceAudit/Data Connectors/AtlassianConfluenceAuditLogs_CCP/AtlassianConfluenceAudit_DCR.json
+++ b/Solutions/AtlassianConfluenceAudit/Data Connectors/AtlassianConfluenceAuditLogs_CCP/AtlassianConfluenceAudit_DCR.json
@@ -1,83 +1,79 @@ { - "name": "AtlassianConfluenceDCR", - "apiVersion": "2023-03-11", - "type": "Microsoft.Insights/dataCollectionRules", - "location": "{{location}}", - "kind": null, - "properties": { - "streamDeclarations": { - "Custom-ConfluenceAuditLogs": { - "columns": [ - { - "name": "author", - "type": "dynamic" - }, - { - "name": "remoteAddress", - "type": "string" - }, - { - "name": "creationDate", - "type": "long" - }, - { - "name": "summary", - "type": "string" - }, - { - "name": "description", - "type": "string" - }, - { - "name": "category", - "type": "string" - }, - { - "name": "sysAdmin", - "type": "boolean" - }, - { - "name": "superAdmin", - "type": "boolean" - }, - { - "name": "affectedObject", - "type": "dynamic" - }, - { - "name": "changedValues", - "type": "dynamic" - }, - { - "name": "associatedObjects", - "type": "dynamic" - } - ] - } - }, - "dataSources": { - - }, - "destinations": { - "logAnalytics": [ - { - "workspaceResourceId": "[variables('workspaceResourceId')]", - "name": "clv2ws1" - } - ] - }, - "dataFlows": [ - { - "streams": [ - "Custom-ConfluenceAuditLogs" - ], - "destinations": [ - "clv2ws1" - ], - "transformKql": "source\r| extend\r TimeGenerated = now(),\r EventVendor=\"Atlassian\",\r EventProduct=\"Confluence Audit\",\r AuthorUsername=tostring(author.username), \r AuthorDisplayName=tostring(author.displayName),\r AuthorType=tostring(author.type),\r AuthorAccountId=tostring(author.accountId),\r AuthorUserKey=tostring(author.userKey),\r AuthorPublicName=tostring(author.publicName),\r AuthorAccountType=tostring(author.accountType),\r AuthorIsExternalCollaborator=tobool(author.isExternalCollaborator),\r AuthorExternalCollaborator=tobool(author.externalCollaborator),\r AffectedObjectName=tostring(affectedObject.name),\r AffectedObjectObjectType=tostring(affectedObject.type),\r UserIdentity=tostring(author.accountId),\r SrcUserName=tostring(author.displayName),\r DstUserSid=tostring(author.userKey)\r| project\r TimeGenerated,\r 
EventVendor,\r EventProduct,\r AuthorUsername,\r AuthorAccountId,\r AuthorType,\r AuthorDisplayName,\r AuthorIsExternalCollaborator,\r AuthorUserKey,\r AuthorAccountType,\r AuthorPublicName,\r AuthorExternalCollaborator,\r RemoteAddress=remoteAddress,\r CreationDate=creationDate,\r Summary=summary,\r Description=description,\r Category=category,\r SysAdmin=sysAdmin,\r SuperAdmin=superAdmin,\r AffectedObjectName,\r AffectedObjectObjectType,\r ChangedValues=changedValues,\r AssociatedObjects=associatedObjects,\r UserIdentity,\r SrcUserName,\r DstUserSid,\r SrcIpAddr=remoteAddress,\r EventCreationTime=creationDate,\r EventMessage=summary,\r EventCategoryType=category", - "outputStream": "Custom-ConfluenceAuditLogs_CL" - } + "name": "AtlassianConfluenceDCR", + "apiVersion": "2023-03-11", + "type": "Microsoft.Insights/dataCollectionRules", + "location": "{{location}}", + "properties": { + "dataCollectionEndpointId": "{{dataCollectionEndpointId}}", + "streamDeclarations": { + "Custom-ConfluenceAuditLogs_CL": { + "columns": [ + { + "name": "remoteAddress", + "type": "string" + }, + { + "name": "creationDate", + "type": "long" + }, + { + "name": "summary", + "type": "string" + }, + { + "name": "description", + "type": "string" + }, + { + "name": "category", + "type": "string" + }, + { + "name": "sysAdmin", + "type": "boolean" + }, + { + "name": "superAdmin", + "type": "boolean" + }, + { + "name": "changedValues", + "type": "dynamic" + }, + { + "name": "associatedObjects", + "type": "dynamic" + }, + { + "name": "author", + "type": "dynamic" + }, + { + "name": "affectedObject", + "type": "dynamic" + } + ] + } + }, + "destinations": { + "logAnalytics": [ + { + "workspaceResourceId": "{{workspaceResourceId}}", + "name": "clv2ws1" + } + ] + }, + "dataFlows": [ + { + "streams": [ + "Custom-ConfluenceAuditLogs_CL" ], - "dataCollectionEndpointId": 
"[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]" - } -} + "destinations": [ + "clv2ws1" + ], + "outputStream": "Custom-ConfluenceAuditLogs_CL", + "transformKql": "source | extend TimeGenerated = iff(isnull(creationDate), now(), datetime(1970-01-01) + (creationDate * 1ms)) , EventVendor = \"Atlassian\" , EventProduct = \"Confluence Audit\" , AuthorUsername = tostring(author.username) , AuthorAccountId = tostring(author.accountId) , AuthorType = tostring(author.type) , AuthorDisplayName = tostring(author.displayName) , AuthorIsExternalCollaborator = tobool(author.isExternalCollaborator) , AuthorUserKey = tostring(author.userKey) , AuthorAccountType = tostring(author.accountType) , AuthorPublicName = tostring(author.publicName) , AuthorExternalCollaborator = tobool(author.externalCollaborator) , RemoteAddress = ['remoteAddress'] , CreationDate = ['creationDate'] , Summary = ['summary'] , Description = ['description'] , Category = ['category'] , SysAdmin = ['sysAdmin'] , SuperAdmin = ['superAdmin'] , AffectedObjectName = tostring(affectedObject.name) , AffectedObjectObjectType = tostring(affectedObject.objectType) , ChangedValues = ['changedValues'] , AssociatedObjects = ['associatedObjects'] , UserIdentity = tostring(author.accountId) , SrcUserName = tostring(author.displayName) , DstUserSid = tostring(author.userKey) , SrcIpAddr = tostring(remoteAddress) , EventCreationTime = tolong(creationDate) , EventMessage = tostring(summary) , EventCategoryType = tostring(affectedObject.objectType) | project TimeGenerated , EventVendor , EventProduct , AuthorUsername , AuthorAccountId , AuthorType , AuthorDisplayName , AuthorIsExternalCollaborator , AuthorUserKey , AuthorAccountType , AuthorPublicName , AuthorExternalCollaborator , RemoteAddress , CreationDate , Summary , Description , Category , SysAdmin , SuperAdmin , AffectedObjectName , 
AffectedObjectObjectType , ChangedValues , AssociatedObjects , UserIdentity , SrcUserName , DstUserSid , SrcIpAddr , EventCreationTime , EventMessage , EventCategoryType" + } + ] + } +} \ No newline at end of file diff --git a/Solutions/AtlassianConfluenceAudit/Data Connectors/AtlassianConfluenceAuditLogs_CCP/AtlassianConfluenceAudit_DataConnectorDefinition.json b/Solutions/AtlassianConfluenceAudit/Data Connectors/AtlassianConfluenceAuditLogs_CCP/AtlassianConfluenceAudit_DataConnectorDefinition.json index 4fe131b7b8c..170098bc75a 100644 --- a/Solutions/AtlassianConfluenceAudit/Data Connectors/AtlassianConfluenceAuditLogs_CCP/AtlassianConfluenceAudit_DataConnectorDefinition.json +++ b/Solutions/AtlassianConfluenceAudit/Data Connectors/AtlassianConfluenceAuditLogs_CCP/AtlassianConfluenceAudit_DataConnectorDefinition.json 
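Review bot: In the new transformKql, `EventCategoryType = tostring(affectedObject.objectType)` replaces the previous `EventCategoryType=category`, so EventCategoryType now duplicates AffectedObjectObjectType and the Confluence audit category survives only in the Category column; any analytic rule or workbook that filters on EventCategoryType will silently match different values after this upgrade. Unless the remap is deliberate, keep `EventCategoryType = tostring(category)` and let AffectedObjectObjectType carry the object type on its own. Deriving TimeGenerated from creationDate instead of now() is the right call for forensic timelines, but Log Analytics re-stamps or rejects records whose TimeGenerated falls outside its accepted window (about two days in the past, as I recall), so a short comment on that line and a check that the poller's first run does not backfill older events would be worthwhile. The switch from `affectedObject.type` to `affectedObject.objectType` presumably aligns with the API's AffectedObject schema — confirm against a live record, since a wrong property name leaves AffectedObjectObjectType empty on every row rather than failing loudly.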
@@ -1,133 +1,144 @@ { - "name": "ConfluenceAuditCCPDefinition", - "apiVersion": "2025-03-01", - "type": "Microsoft.SecurityInsights/dataConnectorDefinitions", - "location": "{{location}}", - "kind": "Customizable", - "properties": { - "connectorUiConfig": { - "id": "ConfluenceAuditCCPDefinition", - "title": " Atlassian Confluence Audit (via Codeless Connector Framework)", - "publisher": "Microsoft", - "descriptionMarkdown": "The [Atlassian Confluence](https://www.atlassian.com/software/confluence) Audit data connector provides the capability to ingest [Confluence Audit Records](https://support.atlassian.com/confluence-cloud/docs/view-the-audit-log/) events into Microsoft Sentinel through the REST API. Refer to [API documentation](https://support.atlassian.com/confluence-cloud/docs/view-the-audit-log/) for more information. The connector provides ability to get events which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more.", - "graphQueriesTableName": "ConfluenceAuditLogs_CL", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "Confluence Audit Events", - "baseQuery": "{{graphQueriesTableName}}" - } - ], - "sampleQueries": [ - { - "description": "All Atlassian Confluence Audit logs", - "query": "{{graphQueriesTableName}}\n| sort by TimeGenerated desc" - }, - { - "description": "Total Events", - "query": "{{graphQueriesTableName}}\n | summarize count() by OriginalEventUid" - } - ], - "dataTypes": [ - { - "name": "{{graphQueriesTableName}}", - "lastDataReceivedQuery": "{{graphQueriesTableName}}|summarize Time = max (TimeGenerated)\n|where isnotempty(Time)" - } - ], - "connectivityCriteria": [ - { - "type": "HasDataConnectors" - } - ], - "availability": { - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "Read and Write permissions are required.", - 
"providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - } + "name": "AtlassianConfluenceConnector", + "apiVersion": "2025-03-01", + "type": "Microsoft.SecurityInsights/dataConnectorDefinitions", + "location": "{{location}}", + "kind": "Customizable", + "properties": { + "connectorUiConfig": { + "id": "AtlassianConfluenceConnector", + "title": "Atlassian Confluence Audit (via Codeless Connector Framework)", + "publisher": "Microsoft", + "descriptionMarkdown": "The [Atlassian Confluence](https://www.atlassian.com/software/confluence) Audit data connector provides the capability to ingest [Confluence Audit Records](https://support.atlassian.com/confluence-cloud/docs/view-the-audit-log/) events into Microsoft Sentinel through the REST API. Refer to [API documentation](https://support.atlassian.com/confluence-cloud/docs/view-the-audit-log/) for more information. The connector provides ability to get events which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more.", + "graphQueriesTableName": "ConfluenceAuditLogs_CL", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "Confluence Audit Events", + "baseQuery": "{{graphQueriesTableName}}" + } + ], + "sampleQueries": [ + { + "description": "All Atlassian Confluence Audit logs", + "query": "{{graphQueriesTableName}}\n| sort by TimeGenerated desc" + }, + { + "description": "Events by Category", + "query": "{{graphQueriesTableName}}\n | summarize count() by Category" + } + ], + "dataTypes": [ + { + "name": "{{graphQueriesTableName}}", + "lastDataReceivedQuery": "{{graphQueriesTableName}} | summarize Time = max (TimeGenerated)\n|where isnotempty(Time)" + } + ], + "connectivityCriteria": [ + { + "type": "HasDataConnectors" + } + ], + "availability": { + "isPreview": false, + "status": 1 + }, + "permissions": { + "resourceProvider": [ + { + 
"provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "Read and Write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true, + "action": false + } + } + ], + "customs": [ + { + "name": "Atlassian Confluence API access", + "description": "Permission of [Administer Confluence](https://developer.atlassian.com/cloud/confluence/rest/v1/intro/#auth) is required to get access to the Confluence Audit logs API. See [Confluence API documentation](https://developer.atlassian.com/cloud/confluence/rest/v1/api-group-audit/#api-wiki-rest-api-audit-get) to learn more about the audit API." + } + ] + }, + "instructionSteps": [ + { + "title": "Connect to Atlassian Confluence API to start collecting audit logs in Microsoft Sentinel", + "description": "To enable the Atlassian Confluence connector for Microsoft Sentinel, click to add an organization, fill the form with the Confluence environment credentials and click to Connect. \n Follow [these steps](https://support.atlassian.com/atlassian-account/docs/manage-api-tokens-for-your-atlassian-account/) to create an API token.\n ", + "instructions": [ + { + "type": "DataConnectorsGrid", + "parameters": { + "mapping": [ + { + "columnName": "Atlassian Confluence organization URL", + "columnValue": "properties.request.apiEndpoint" + } ], - "customs": [ - { - "name": "Atlassian Confluence API access", - "description": "Permission of [Administer Confluence](https://developer.atlassian.com/cloud/confluence/rest/v1/intro/#auth) is required to get access to the Confluence Audit logs API. See [Confluence API documentation](https://developer.atlassian.com/cloud/confluence/rest/v1/api-group-audit/#api-wiki-rest-api-audit-get) to learn more about the audit API." 
- } + "menuItems": [ + "DeleteConnector" ] + } }, - "instructionSteps": [ - { - "description": "To enable the Atlassian Confluence connector for Microsoft Sentinel, click to add an organization, fill the form with the Confluence environment credentials and click to Connect. \n Follow [these steps](https://support.atlassian.com/atlassian-account/docs/manage-api-tokens-for-your-atlassian-account/) to create an API token.\n ", + { + "type": "ContextPane", + "parameters": { + "isPrimary": true, + "label": "Add organization", + "title": "Add organization", + "subtitle": "Add Atlassian Confluence organization", + "contextPaneType": "DataConnectorsContextPane", + "instructionSteps": [ + { "instructions": [ - { - "type": "DataConnectorsGrid", - "parameters": { - "mapping": [ - { - "columnName": "Atlassian Confluence organization URL", - "columnValue": "properties.request.apiEndpoint" - } - - ], - "menuItems": [ - "DeleteConnector" - ] - } - }, - { - "type": "ContextPane", - "parameters": { - "isPrimary": true, - "label": "Add organization", - "title": "Add organization", - "subtitle": "Add Atlassian Confluence organization", - "contextPaneType": "DataConnectorsContextPane", - "instructionSteps": [ - { - "instructions": [ - { - "type": "Textbox", - "parameters": { - "label": "Atlassian Confluence organization URL", - "placeholder": ".atlassian.net", - "type": "string", - "name": "confluenceorganizationurl" - } - }, - { - "type": "Textbox", - "parameters": { - "label": "User Name", - "placeholder": "User Name (e.g., user@example.com)", - "type": "securestring", - "name": "userid" - } - }, - { - "type": "Textbox", - "parameters": { - "label": "API Token", - "placeholder": "API Token", - "type": "password", - "name": "apikey" - } - } - ] - } - ] - } + { + "type": "Textbox", + "parameters": { + "label": "Atlassian Confluence organization URL", + "placeholder": ".atlassian.net", + "type": "text", + "name": "confluenceorganizationurl", + "validations": { + "required": true + } + 
} + }, + { + "type": "Textbox", + "parameters": { + "label": "User Name", + "placeholder": "User Name (e.g., user@example.com)", + "type": "text", + "name": "userid", + "validations": { + "required": true + } } + }, + { + "type": "Textbox", + "parameters": { + "label": "API Token", + "placeholder": "API Token", + "type": "password", + "name": "apikey", + "validations": { + "required": true + } + } + } ] - } - ] + } + ] + } + } + ] } + ] } -} + } +} \ No newline at end of file diff --git a/Solutions/AtlassianConfluenceAudit/Data Connectors/AtlassianConfluenceAuditLogs_CCP/AtlassianConfluenceAudit_PollingConfig.json b/Solutions/AtlassianConfluenceAudit/Data Connectors/AtlassianConfluenceAuditLogs_CCP/AtlassianConfluenceAudit_PollingConfig.json index 0ed582bcd5c..62324e4e79e 100644 --- a/Solutions/AtlassianConfluenceAudit/Data Connectors/AtlassianConfluenceAuditLogs_CCP/AtlassianConfluenceAudit_PollingConfig.json +++ b/Solutions/AtlassianConfluenceAudit/Data Connectors/AtlassianConfluenceAuditLogs_CCP/AtlassianConfluenceAudit_PollingConfig.json 
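Review bot: The organization URL textbox gains only `"required": true`, yet its value is spliced into `https://<value>/wiki/rest/api/audit` by the polling config together with the Basic-auth username and API token, so a pasted scheme, path or mistyped host would either break the endpoint or send the credentials to an unintended server. If the ContextPane Textbox validations support a pattern, add something like `"validations": { "required": true, "pattern": "^[A-Za-z0-9-]+\\.atlassian\\.net$" }` to match the `.atlassian.net` placeholder, or relax it deliberately if non-Cloud domains must be accepted. Because the customs entry states that Administer Confluence is required, the instruction description should also tell operators to use a dedicated service account and to treat the API token as inheriting every permission of that account, rotating it on any suspected exposure — one sentence appended after the "create an API token" link is enough. Changing User Name from `securestring` to `text` is reasonable since the login e-mail is not a secret, provided the API Token field stays `password`, which it does.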
@@ -1,46 +1,48 @@ { - "name": "ConfluenceAuditCCPPolling", - "apiVersion": "2025-03-01", - "type": "Microsoft.SecurityInsights/dataConnectors", - "location": "{{location}}", - "kind": "RestApiPoller", - "properties": { - "connectorDefinitionName": "ConfluenceAuditCCPDefinition", - "dataType": "ConfluenceAuditLogs_CL", - "dcrConfig": { - "dataCollectionEndpoint": "{{dataCollectionEndpoint}}", - "dataCollectionRuleImmutableId": "{{dataCollectionRuleImmutableId}}", - "streamName": "Custom-ConfluenceAuditLogs" - }, - "auth": { - "type": "Basic", - "UserName": "{{userid}}", - "Password": "{{apikey}}" - }, - "request": { - "apiEndpoint": "[[concat('https://',parameters('confluenceorganizationurl'),'/wiki/rest/api/audit')]", - "httpMethod": "GET", - "retryCount": 3, - "timeoutInSeconds": 60, - "queryTimeFormat": "UnixTimestampInMills", - "startTimeAttributeName": "startDate", - "endTimeAttributeName": "endDate", - "headers": { - "Accept": "application/json", - "User-Agent": "Scuba" - } - }, - "paging": { - "pagingType": "Offset", - "offsetParaName": "start", - "pageSizeParaName": "limit", - "pageSize": 1000 - }, - "response": { - "eventsJsonPaths": [ - "$.results" - ], - "format": "json" - } + "type": "Microsoft.SecurityInsights/dataConnectors", + "apiVersion": "2025-03-01", + "name": "ConfluenceAuditLogsPoller", + "location": "{{location}}", + "kind": "RestApiPoller", + "properties": { + "auth": { + "type": "Basic", + "UserName": "[[parameters('userid')]", + "Password": "[[parameters('apikey')]" + }, + "request": { + "apiEndpoint": "[[concat('https://',parameters('confluenceorganizationurl'),'/wiki/rest/api/audit')]", + "httpMethod": "GET", + "queryWindowInMin": 5, + "queryTimeFormat": "UnixTimestampInMills", + "retryCount": 3, + "timeoutInSeconds": 60, + "headers": { + "Content-Type": "application/json", + "Accept": "application/json", + "User-Agent": "Scuba" + }, + "startTimeAttributeName": "startDate", + "endTimeAttributeName": "endDate" + }, + "response": { + 
"eventsJsonPaths": [ + "$.results" + ], + "format": "json" + }, + "paging": { + "pagingType": "Offset", + "offsetParaName": "start", + "pageSize": 1000, + "pageSizeParameterName": "limit" + }, + "connectorDefinitionName": "AtlassianConfluenceConnector", + "dataType": "ConfluenceAuditLogs", + "dcrConfig": { + "streamName": "Custom-ConfluenceAuditLogs_CL", + "dataCollectionEndpoint": "{{dataCollectionEndpoint}}", + "dataCollectionRuleImmutableId": "{{dataCollectionRuleImmutableId}}" } + } } \ No newline at end of file diff --git a/Solutions/AtlassianConfluenceAudit/Data Connectors/AtlassianConfluenceAuditLogs_CCP/AtlassianConfluenceAudit_table.json b/Solutions/AtlassianConfluenceAudit/Data Connectors/AtlassianConfluenceAuditLogs_CCP/AtlassianConfluenceAudit_table.json index 2cb69fd7bf4..6eb0dfca393 100644 --- a/Solutions/AtlassianConfluenceAudit/Data Connectors/AtlassianConfluenceAuditLogs_CCP/AtlassianConfluenceAudit_table.json +++ b/Solutions/AtlassianConfluenceAudit/Data Connectors/AtlassianConfluenceAuditLogs_CCP/AtlassianConfluenceAudit_table.json 
@@ -1,197 +1,169 @@ { - "name": "ConfluenceAuditLogs_CL", - "apiVersion": "2023-09-01", - "type": "Microsoft.OperationalInsights/workspaces/tables", - "location": "{{location}}", - "kind": null, - "properties": { - "schema": { - "tableSubType": "DataCollectionRuleBased", - "name": "ConfluenceAuditLogs_CL", - "tableType": "CustomLog", - "columns": [ - { - "name": "TimeGenerated", - "type": "datetime", - "isDefaultDisplay": false, - "isHidden": false - }, - { - "name": "EventVendor", - "type": "string", - "isDefaultDisplay": false, - "isHidden": false - }, - { - "name": "EventProduct", - "type": "string", - "isDefaultDisplay": false, - "isHidden": false - }, - { - "name": "AuthorUsername", - "type": "string", - "isDefaultDisplay": false, - "isHidden": false - }, - { - "name": "AuthorAccountId", - "type": "string", - "isDefaultDisplay": false, - "isHidden": false - }, - { - "name": "AuthorType", - "type": "string", - "isDefaultDisplay": false, - "isHidden": false - }, - { - "name": "AuthorDisplayName", - "type": "string", - "isDefaultDisplay": false, - "isHidden": false - }, - { - "name": "AuthorIsExternalCollaborator", - "type": "boolean", - "isDefaultDisplay": false, - "isHidden": false - }, - { - "name": "AuthorUserKey", - "type": "string", - "isDefaultDisplay": false, - "isHidden": false - }, - { - "name": "AuthorAccountType", - "type": "string", - "isDefaultDisplay": false, - "isHidden": false - }, - { - "name": "AuthorPublicName", - "type": "string", - "isDefaultDisplay": false, - "isHidden": false - }, - { - "name": "AuthorExternalCollaborator", - "type": "boolean", - "isDefaultDisplay": false, - "isHidden": false - }, - { - "name": "RemoteAddress", - "type": "string", - "isDefaultDisplay": false, - "isHidden": false - }, - { - "name": "CreationDate", - "type": "long", - "isDefaultDisplay": false, - "isHidden": false - }, - { - "name": "Summary", - "type": "string", - "isDefaultDisplay": false, - "isHidden": false - }, - { - "name": "Description", - "type": 
"string", - "isDefaultDisplay": false, - "isHidden": false - }, - { - "name": "Category", - "type": "string", - "isDefaultDisplay": false, - "isHidden": false - }, - { - "name": "SysAdmin", - "type": "boolean", - "isDefaultDisplay": false, - "isHidden": false - }, - { - "name": "SuperAdmin", - "type": "boolean", - "isDefaultDisplay": false, - "isHidden": false - }, - { - "name": "AffectedObjectName", - "type": "string", - "isDefaultDisplay": false, - "isHidden": false - }, - { - "name": "AffectedObjectObjectType", - "type": "string", - "isDefaultDisplay": false, - "isHidden": false - }, - { - "name": "ChangedValues", - "type": "dynamic", - "isDefaultDisplay": false, - "isHidden": false - }, - { - "name": "AssociatedObjects", - "type": "dynamic", - "isDefaultDisplay": false, - "isHidden": false - }, - { - "name": "UserIdentity", - "type": "string", - "isDefaultDisplay": false, - "isHidden": false - }, - { - "name": "SrcUserName", - "type": "string", - "isDefaultDisplay": false, - "isHidden": false - }, - { - "name": "DstUserSid", - "type": "string", - "isDefaultDisplay": false, - "isHidden": false - }, - { - "name": "SrcIpAddr", - "type": "string", - "isDefaultDisplay": false, - "isHidden": false - }, - { - "name": "EventCreationTime", - "type": "long", - "isDefaultDisplay": false, - "isHidden": false - }, - { - "name": "EventMessage", - "type": "string", - "isDefaultDisplay": false, - "isHidden": false - }, - { - "name": "EventCategoryType", - "type": "string", - "isDefaultDisplay": false, - "isHidden": false - } - ], - "isTroubleshootingAllowed": true + "name": "ConfluenceAuditLogs_CL", + "type": "Microsoft.OperationalInsights/workspaces/tables", + "apiVersion": "2025-02-01", + "tags": { + "StreamName": "Custom-ConfluenceAuditLogs_CL", + "Category": "Security", + "DataSource": "Atlassian Confluence" + }, + "properties": { + "schema": { + "name": "ConfluenceAuditLogs_CL", + "description": "The Atlassian Confluence Audit Logs table contains audit logs from Atlassian 
Confluence that have been ingested into Microsoft Sentinel.", + "columns": [ + { + "name": "TimeGenerated", + "type": "datetime", + "description": "The timestamp (in UTC) when the log entry was generated.", + "isDefaultDisplay": true + }, + { + "name": "EventVendor", + "type": "string", + "description": "The vendor of the event." + }, + { + "name": "EventProduct", + "type": "string", + "description": "The product of the event." + }, + { + "name": "AuthorUsername", + "type": "string", + "description": "The username of the author." + }, + { + "name": "AuthorAccountId", + "type": "string", + "description": "The account ID of the author." + }, + { + "name": "AuthorType", + "type": "string", + "description": "The type of the author." + }, + { + "name": "AuthorDisplayName", + "type": "string", + "description": "The display name of the author." + }, + { + "name": "AuthorIsExternalCollaborator", + "type": "boolean", + "description": "Indicates whether the author is an external collaborator." + }, + { + "name": "AuthorUserKey", + "type": "string", + "description": "The user key of the author." + }, + { + "name": "AuthorAccountType", + "type": "string", + "description": "The account type of the author." + }, + { + "name": "AuthorPublicName", + "type": "string", + "description": "The public name of the author." + }, + { + "name": "AuthorExternalCollaborator", + "type": "boolean", + "description": "Indicates whether the author is an external collaborator." + }, + { + "name": "RemoteAddress", + "type": "string", + "description": "The remote address of the author." + }, + { + "name": "CreationDate", + "type": "long", + "description": "The creation date of the audit log entry." + }, + { + "name": "Summary", + "type": "string", + "description": "The summary of the audit log entry." + }, + { + "name": "Description", + "type": "string", + "description": "The description of the audit log entry." 
+ }, + { + "name": "Category", + "type": "string", + "description": "The category of the audit log entry." + }, + { + "name": "SysAdmin", + "type": "boolean", + "description": "Indicates whether the author is a system administrator." + }, + { + "name": "SuperAdmin", + "type": "boolean", + "description": "Indicates whether the author is a super administrator." + }, + { + "name": "AffectedObjectName", + "type": "string", + "description": "The name of the affected object." + }, + { + "name": "AffectedObjectObjectType", + "type": "string", + "description": "The type of the affected object." + }, + { + "name": "ChangedValues", + "type": "dynamic", + "description": "The changed values of the audit log entry." + }, + { + "name": "AssociatedObjects", + "type": "dynamic", + "description": "The associated objects of the audit log entry." + }, + { + "name": "UserIdentity", + "type": "string", + "description": "The identity of the user." + }, + { + "name": "SrcUserName", + "type": "string", + "description": "The source username." + }, + { + "name": "DstUserSid", + "type": "string", + "description": "The destination user SID." + }, + { + "name": "SrcIpAddr", + "type": "string", + "description": "The source IP address." + }, + { + "name": "EventCreationTime", + "type": "long", + "description": "The creation time of the event." + }, + { + "name": "EventMessage", + "type": "string", + "description": "The message of the event." + }, + { + "name": "EventCategoryType", + "type": "string", + "description": "The category type of the event." } + ] } + } } \ No newline at end of file diff --git a/Solutions/AtlassianConfluenceAudit/Data/Solution_AtlassianConfluenceAudit.json b/Solutions/AtlassianConfluenceAudit/Data/Solution_AtlassianConfluenceAudit.json index a160598d18f..80cbb140156 100644 --- a/Solutions/AtlassianConfluenceAudit/Data/Solution_AtlassianConfluenceAudit.json +++ b/Solutions/AtlassianConfluenceAudit/Data/Solution_AtlassianConfluenceAudit.json 
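Review bot: `CreationDate` and `EventCreationTime` are `long` columns described only as "creation date/time", which leaves the unit ambiguous for anyone writing a detection; the DCR in this commit treats the value as Unix epoch milliseconds (`creationDate * 1ms`), so say so — `"description": "Creation time of the audit record as Unix epoch milliseconds (UTC)."` for both. `AuthorIsExternalCollaborator` and `AuthorExternalCollaborator` receive the identical description even though they map to two distinct source fields (`author.isExternalCollaborator` and `author.externalCollaborator`); naming the source field in each lets analysts know which to trust. `DstUserSid` is described as "The destination user SID" but is populated from `author.userKey`, a Confluence user key rather than a Windows SID, so a description such as "Confluence user key of the acting user (ASIM alias of AuthorUserKey)" avoids false joins against Windows identity data. Consider `"isDefaultDisplay": true` on `SrcIpAddr` and `AuthorAccountId` as well, since those are the first pivots during an investigation.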
@@ -11,7 +11,7 @@
 ],
 "Metadata": "SolutionMetadata.json",
 "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\AtlassianConfluenceAudit",
- "Version": "3.0.3",
+ "Version": "3.0.7",
 "TemplateSpec": true,
 "Is1PConnector": false
-}
\ No newline at end of file
+}
diff --git a/Solutions/AtlassianConfluenceAudit/Package/3.0.7.zip b/Solutions/AtlassianConfluenceAudit/Package/3.0.7.zip new file mode 100644 index 0000000000000000000000000000000000000000..962d4b66aab28613b39e2ab33f58d7eb3aad85df GIT binary patch literal 9177 zcmZ{KRZtvIlq{}+-~@sU4ncxLnBWdUG6Z*bcY-r`a0YjGm!Jb-aCZyt8gzoQ+5Opl z`)bcURku#pz5Uy#s#{eN8HES|0RaPn$T?h3m5}~>A{qih5&;4N=|9xe#oXA%d$%CcgYLuZgJP6+_la^;W`W@wXHO4_7qwzi8}Y1 zhEaNJfiy+-Y?qo(<(m<_v*(XZ>g(Gy9NS}$?*fYQ0Fl=9X1xiX zTfi*71OH(!&)CsLI(hgj`iiHuSFk6_PB3XTikx(Ppa|r9-8#oBQoP&PK38nNt=Y}coZ-*m}wz0y$qPO(7AddoS&<^IXmCZLI^mR)E@ZLCpR#d&=^uM zx9kwF?;)HdtBxsp`URZi3Np=0s%No84?T60#)~>MPgvnP4=?^N&Ks#@#m15w?5it2 zJSD66_{b<|?DLHMl_jE|r)viYIH~A1+!^ZrJhVY>QU*10eVFHT?b|l_w-lBXimZ}a zfH6v7iJcnT&`ImevJ3F*j|&E3?%Tw+f^3|D;MTsuK0)&+kTb77gHQq{6P4k`Z-{o7 ze~uq3&v~ozFp>ubs!%+xi)68*qBJT7``r5QoJ4L^q^D`Bmxdy%09FUtBltvL9Ln`g z6a597F{D;h;iPCE|NM)v#@zGr%QOpBiPzhhOTongv)W*!wY~drk>q+!2Se|Kd^X{# z9aps+&8y%ho}!Z4h`E?uW+WBQwr`!$Jr<&7Kgje2#bP6uLz2F)?IZXS^c4J>Gv=Sp zPIRyeYp%tDlBK6h=>I&kON42^a|Lg0^LA#Jao)McEKnj3r+ATKb>BZ&M2+PUIGnJT z6sc`l?CfWS){l`e6*}DgMtg`ZGn+eisWr^*7K%}RrO3|72DkRsA9LhXZlCjDdx@LN z3;COt`A7nV6EsXhqWa?s^Fg%z?B!M3Y8#Iaf$y4oU73g8sFOK<0G1Om*8r{gf?*i= za3~n;E+cn#dO6U0ik@$?yK1B!WwU_bvd}bmYPN#FWb8Y+jcv6j;q^>>!NFS8!Xum7 zBssg@&y7twl}*`i_>RMfkut?VrGLkAq2O?Lwte_sNUJ6!3AHXQpgAzfy-o{#J!z-) zEt9dJv`4hPH79U4!g&BqfgHP8tmAB{PpHa2>2sR;tp5m=>}=uJ&-g3M30pC4>zS4e z_1e<7jBBP6qUX!nyBCGPGyxU(AdbIVfO_&ek?*veUv?ocU)@x2k}{*zUzlC6M~{Th zQBnwb&ZO`sG##zv(h**$-dbkPxMW(Mzx*vsJzZeNi`!Cm?(W@IZgiBKyq_ohRR;C_ zCl9XkgplWY_r%$4wFS=6-htibIhokkxZr@H&pH>+6U(pfzUb`X+r|ow#}SKuPCeb) zfwR2it*GB7Cxx>R$9OawK@?5bPCY@5Q)Gn4e~J%KU-YoeJ4ka3f!AFfW6gwAfAxO% zb8c;2l8{%m$1O{lrKPdC!gN{@?y^KWeJ?Mr`U4PD{~s9x`J}JPQy?IyY#|`v|C2F$ zV{3moKC1KE5+ksd~~QTSK`)2pFjh;t!Df zfJ)27qm_Un8JIX2S$VE~K7B4jP*_FU1H=XEWuE^`=uoc)n(8wBnw;Vbs}#MKM65Y zJ(@+%iaimcmsfcv;7!cH=r-utV*WB-pR#IN=r(sx+dF^EuP?E_p(JG9gXI=ve#?u% z%e|B1Br=`ASN@fb*D8m{F{R>oD{EnCn}YUo3S_hhU}_B5g#ArZdCJ|#c$UM9`3YDG 
z*GSMJyqOhNbnyNm%so2vgt=B*-YSz!mrH*WduNqir%Dp=J>m+h!E@_R$V2$C6`~D0eg#2f98e7!rJhJ{Xc<1HKfSup_7NoI$syO5i@UaCrqwBHC zv=>c((Z^H^#fS%8C#$qhV3w*cA>QnE0^Y2cU-|I9!NDHKl?Hs^YU`(wty}gHgd{Fu zmSEB5UE@IR!Q=JEYXa>cQ|k5M`$*fGc{{#Q|A~eIo-DtGQPJqLT=nXVFT{>tCR~I? z=3PozElj*l|HMSsJc=+zHsJ^g#tQ0JqZ;mJ3=gWAtt50>t4YWJ-pjH@MKEc(xVdeg z=AO97^Py8e-X|@Z$ z{g!HgurW1*6-08WQ4-UTeLwl0D%tTK!VRtP%{wTpr4_XxvPq60`}n1?mvqm1)EAwI zLjnF%r`_Vl93p7!Imd))xLabCgWaAzVAJPO4#jkGV-@a*2E!2HL+f`IpQVojN+bpZ zx9IO*_6=c#=nP4I)dq<5YXeqXIkBwp;XBZ@$-;QaM8Im<^}Xd?@D6Z07eCAEgb|xl zdc25Pfji-IbmU^lWbhKtb}=S#X4cGQlX~J#(T8DmkR?-Md*aYOuPw4id@Z&OgUfxY z`Kf)}2SQJWq1){pdSm}%O#5s;6{L;C#Fcb@|A&4NCxM(;Z_bogv8Z95{vwAyZGDaL z1)7SWfrcTth9~Y#mIvc)R`z3Q;lZKArJkp<5VmoCYkLQ`_=pm9)v$@p7ye0j?z1-g ztA(?~IdhvpRPbUm@-$CJ(c&EP!*+%4SUU0Ks22DKM-|b*Npi#aJw0Q>Bs4CnK7R7! z5Kx@<4zxvaYHvzUP7%UFF5qU&__Wl~&$=9|h!Rsg0?7}+jFzV@J0c$;ZQp87owFU_ z7s78(xDxEi%!rP_ijf8FO|Mh-A4c5M1F{M`?Qi&Q@NXuH=IR*XI5G5XwMtlusFGg_ zzch`!5tT?QQmDzdCDk`;n@evN8wkG|O&m4!w&Y@8HY}I*C_mDD^d+u23p-x6dv(;1 zglKvP_Om7E;tjGJE-(Dr#rbW6FQU+9MC12X--2Zyq^kxa>Jn8|}7U$+Xj-7a@g1YYxrlk#uZz`38hq0rm|MVaDxJC<{2 ziJpezZNl+4Lx>|l5^KaQZi@Y_cN4T(zWuAIQo_}i+s$Fv$zy%%us}xYnF*615sw$;sgRKyQ<;sCuQ!2U&8XCF-r zMig1vnmaXWxkaHD}3D&n)64{7I{c&W-@Jqeeh z|5k%i1mg)pW+=tH#E`N(+km(uH_)!EeA~NWU4F)KcjROegQHcvUPU+ai1-c($6n>e zszP3|N{eo2V*3OEZx8bo^v*ajR6}~PmMS98a&@)4fA~vhF(9qkO?|={7N8Hd4!gs^ zaCRTM3DPUS40fb47S~`~{v3~a!@6z#ZX4W{FJU0 zKj$Ldq|LD*wocsvIrfwlq%y<);H|LYT<&r|sP|j5#J#io5*fqBwJh#wohkpPY>9&5 zTReE%-iN~#{1W6ntg;Wx!{0C_w^BTJ5$xI9WLi=A9-AV#3FFeBVYH5vkJ(tk zf0yf(*yvKzwc4X~AO%~Y`i5ea#krHMknXWJE0#@3reNW?3yYx2FAV)gL9=eohvB>h zdhxJhvB%w5lsb~~_Q)9lwk+ugzUcn7-e4J8<7m+y_$vy$hMR1dLR6ab2`P16NR*Wt z{v*C2E(Lqa6!Mum!u`D-FJ zK1tFCr)zrTLn2IW5mAfx%8nra$lZqH-9Gh}+6YP=usrWXBE|O;C>?(z4TzZiW)R#&U?=>hJ z3fNHxwFP0$Z-5suU=M(%z(G9#=VWzm{~~ic*k91SYOU&QUmH;xY=O%d>%=w4H4cYm zq2;>=Tj!{_*hml*4+is2vUwjZx`eSIiLg^U`mBllw1v#-PnlI+WDEANSkvsNmNeTgNyW)DP9S0)er0!+ z!!8{$V^a#IvR~T@d}uJJjpZky(#h>uu;Xg)isB>d*oZBA>5&iK)oW`O+*isI<~AHJ 
z#fw#XL8fhU1_;bB#xX%Ij`$CXzFo?rh;}!B{v>m-Ip^>(c$GJy9vgGvFWY5nJU_*( zZo|D@QFWJU;m%TiOf{v-Vr8WW&E!L$PTNRG1rlycTTbyS$s{poep`Ri>%V5^zAyTqTCS5r<>;@`^id|pQGwCUBSl^v2VuI zNV>wzW;y0i>^OD4J^b3=@r-I)yPl4`)JZa@iYDmZaw%;lWDxj)iXtnSkT^hp|1IKj zK~M+Z(4o>z%{qW^E8YirI^>fjRj3)YJHk;?p1gNTE&|Oc!{t@YGLE<({}8YvKyRwd z`~&vV2T`G}80vp% z^|6@vCNup!zrXI%G6}*j-Tu;`ZnoPI;n_?}K;b;Z<8|Gr^S-?B1WHSme8I|6@DX31 z<1cgE3}A_8Eqs_r`qbZ%J9O88)=CbJ`vTwV#)5vCg64y)ZjQkgey~Xan^s)So4r%P0Z!MKAeK$UWVI>$1u{ypH!^&ZquH14((v zpG{cfwH8Oa?ZYUxII?VsZb2GXF7rr5O)#6LE5J-UzRon=f}Y?0gKLVHYG)=@=ROiv z?pLU`&m_SgK{PVXXb3%BD`UFb;b*H}qh(NwhW4~0=7E z@ribe2l0spkEy$wdV>sq<*bQD#r`h~LNW75vs`-9$?4|)vlr=npqrUGj z&+KwnN(@^Zljd9tmgUB}u%sgyqZcKh7Rw>#9 zyD8y)E6DVWQ;Ct(y=`bjk&^iimD_8Qvi8QimM+Q3Z(lRpZ$`5-1eZW?@aLezk>CD+ z_dX!=r&jxxFlgRZt&r`4c2z`{k-2;k84K0MY?6j#(GgCdN$>{0Mb8agCw zOS)qWOaA<;R|7Dfa%nWUI{O|N>x*^5hWX00;B*W;z>VG5l#`(iB-#nQamupY@Dg(k zav0wKI^G|slS1}maJI!npL=eXUi2cO9e!`EW8E(}#aS_hkX4&FIuj&2qj&9LBzIm2 zH(`o47`m|OjWPJl9Ow1d?x^`uOtOfMJ#HWdKj58B0Y5E8T)#T{=g{!FI`nQPe8Z|2{z!c}erg{k5!?7joMi?k2*u2HZv5Km3hnykCmsE1k8-@qkD>yzm}p`te5*3!Y~l_u?p$q0`$^R^N|kJa*)i zD#)x#Y8Fy-to&^msNvXqTtuvTq#&z6)a$@cXM#_hxF#~4{N!mn(rN?r29jvc_J#s@ihW zE=aWlhx^PUqRIRa@k>;nz14f+~rTjbw+akZBqmLSZZTLCtTkY=GM~ ztTQ&~;CT(R`4))5ZI%q7ONA0SRbcW1IQ{`24^-K=VI;Crf56sqd5N!*8?Q`_bJT=v zm$ya&m*zbKJItf@HXV8G#o{Y^g1@bh9<>wFTFcVUgj2lQQQc{bjXKb+<9}@uO|%L? 
znO>s_KS$weA_Z9`Y21jT*&_#@McOYC&N>_n4!ux;=AIhSMjL7(+Q{iw3hI&6LYH?4EG4!{P}%%z&|2pbrLam=WM%uG1r0k zmB^8}wH#Ks#(1vUGP$dB*`P#L4XPkmvUj)}(iB7Rwz}M=rTx26G`G>1(fIiQZ#Pcs zlDLw!8b5|MktowJyUdBXw?^*jxF&{V#AC(7*Rv)2#iu@A#!qRRIlhHqM>{({L(!A_8b?)L@6|s zPe;3GzUc$I4vXiee0MBS&KkyxqAesb9m=N3X-aCwcj~{-xNcGn9IMb(hT))?=P1Qr6@;MfGo7mRD_|^2_ z?ZB$e!4$o1LZ`6AD6U~rA`kOc8Jrv(3!hOm+oA8&%9y0#TWJD|lr<6LdpsYzdOdtqfIQs5w-1-95#aTr4-HKAyq(T{ z13%<;bx#t8Qk#XMx#F~8YmGmJaISK*q?xp;-VkzOxuO=#oW?0%`74xrac z^@>AlMPi*H*9ZnLM)nZLV%u%|PC|+(O5**VqeJNshkAP*%a@e1f|AW$$ahKTM;djr&=i$i$imU~8ZyU_f`4le` zp7dG>d~L_g$%j8}bLORaKI{3H@B;8c%kM=ox}=Nz)l9oFmMEwt#I%0ZuZ?Hf!l62JSO`u=6~3NHISW~-q@6nHTMAood|U^SveN!Z?ZA9tjNr+ zn?s8}(C3Aw*d+L{G9Iq;dyMq7uTD%6$+=d0EWn*n|19Ws*_7G%xsRc6o#b1k0Mm7d zN_nGCywx@)lUsFuNu}u=s6DFV$$-QEtL9F_y`{WN`j*^nq=p@5B#+p9k}9XMBVAUOi38f; zb8kvM?TPmbiffIhT4Qpz7`*2xlCdL_?tAxFk;k5mX^-3HX5>1s!fjlaza@9s0K4

zF?XvePNCep6WARlzqmx}Xf}w+WdlJo7V7!AyyGmUh%Yfn{;(vP7E5~jQ{R=1 zIbg#W;(tm#R|wU7JMOj2c>c|xqoYvuR_V-nB zU$*if>F3~!Agrf&GB=e6b!KegedyRYc0qvxQGQbsEN=L-j<#)?#^nD6LAtrF4eGB- z-`%VIcw&)xA)*V2N)YWI$~DhKKZkw7!1K2M_8{ecXthz&3x$lw)ox4kx@GLa$uwoomwQ zyLt1QfB&Gb&!UIlVhzg?e1fKhXhu_0+q7!Rv`PiIGj+n+=Uy$z0~cCH=$gWTI7MdQxY>eD>w7_WHu^qBlpYtoml+tqX=b;Jx;4~$SemqJ^X zkL?KjG@Dn46u%roHm&6m!P6gp6YbGWT%B-!($mrD*`Sfw+ndvAFH?G&*A7lpnrL^& zk0-_@S;3vyvo4lnJX?Bn>lGG9log6Xo8EfA zNBhc(oQz|GDW_1cZL+n*&Br$GLp-|~oHqLo{*yo(r@ke2LyGWCO1AX|;+={M_nO-$ z2lr3yrQKT4P71$!>8Ep-CPu*F{iNnv=V6%s_6%*FE`&++?lqJ8H`(~Nbd}}C!oEKS znkrtmJwo=OYm{#$-5y;tZr5%0$05MxS-tA;^P#^(aoRIrY%;DrTg-1pFsq#BVmpln zcU5%~tY-n{pAB}FtFXz`Rwb<&G1.atlassian.net", - "type": "string", - "name": "confluenceorganizationurl" + "type": "text", + "name": "confluenceorganizationurl", + "validations": { + "required": true + } } }, { @@ -194,8 +200,11 @@ "parameters": { "label": "User Name", "placeholder": "User Name (e.g., user@example.com)", - "type": "securestring", - "name": "userid" + "type": "text", + "name": "userid", + "validations": { + "required": true + } } }, { @@ -204,7 +213,10 @@ "label": "API Token", "placeholder": "API Token", "type": "password", - "name": "apikey" + "name": "apikey", + "validations": { + "required": true + } } } ] @@ -260,13 +272,10 @@ "location": "[parameters('workspace-location')]", "kind": "[variables('blanks')]", "properties": { + "dataCollectionEndpointId": "[variables('dataCollectionEndpointId1')]", "streamDeclarations": { - "Custom-ConfluenceAuditLogs": { + "Custom-ConfluenceAuditLogs_CL": { "columns": [ - { - "name": "author", - "type": "dynamic" - }, { "name": "remoteAddress", "type": "string" 
@@ -296,21 +305,24 @@ "type": "boolean" }, { - "name": "affectedObject", + "name": "changedValues", "type": "dynamic" }, { - "name": "changedValues", + "name": "associatedObjects", "type": "dynamic" }, { - "name": "associatedObjects", + "name": "author", + "type": "dynamic" + }, + { + "name": "affectedObject", "type": "dynamic" } ] } }, - "dataSources": "[variables('TemplateEmptyObject')]", "destinations": { "logAnalytics": [ { 
@@ -322,16 +334,15 @@ "dataFlows": [ { "streams": [ - "Custom-ConfluenceAuditLogs" + "Custom-ConfluenceAuditLogs_CL" ], "destinations": [ "clv2ws1" ], - "transformKql": "source\r| extend\r TimeGenerated = now(),\r EventVendor=\"Atlassian\",\r EventProduct=\"Confluence Audit\",\r AuthorUsername=tostring(author.username), \r AuthorDisplayName=tostring(author.displayName),\r AuthorType=tostring(author.type),\r AuthorAccountId=tostring(author.accountId),\r AuthorUserKey=tostring(author.userKey),\r AuthorPublicName=tostring(author.publicName),\r AuthorAccountType=tostring(author.accountType),\r AuthorIsExternalCollaborator=tobool(author.isExternalCollaborator),\r AuthorExternalCollaborator=tobool(author.externalCollaborator),\r AffectedObjectName=tostring(affectedObject.name),\r AffectedObjectObjectType=tostring(affectedObject.type),\r UserIdentity=tostring(author.accountId),\r SrcUserName=tostring(author.displayName),\r DstUserSid=tostring(author.userKey)\r| project\r TimeGenerated,\r EventVendor,\r EventProduct,\r AuthorUsername,\r AuthorAccountId,\r AuthorType,\r AuthorDisplayName,\r AuthorIsExternalCollaborator,\r AuthorUserKey,\r AuthorAccountType,\r AuthorPublicName,\r AuthorExternalCollaborator,\r RemoteAddress=remoteAddress,\r CreationDate=creationDate,\r Summary=summary,\r Description=description,\r Category=category,\r SysAdmin=sysAdmin,\r SuperAdmin=superAdmin,\r AffectedObjectName,\r AffectedObjectObjectType,\r ChangedValues=changedValues,\r AssociatedObjects=associatedObjects,\r UserIdentity,\r SrcUserName,\r DstUserSid,\r SrcIpAddr=remoteAddress,\r EventCreationTime=creationDate,\r EventMessage=summary,\r EventCategoryType=category", - "outputStream": "Custom-ConfluenceAuditLogs_CL" + "outputStream": "Custom-ConfluenceAuditLogs_CL", + "transformKql": "source | extend TimeGenerated = iff(isnull(creationDate), now(), datetime(1970-01-01) + (creationDate * 1ms)) , EventVendor = \"Atlassian\" , EventProduct = \"Confluence Audit\" , AuthorUsername = 
tostring(author.username) , AuthorAccountId = tostring(author.accountId) , AuthorType = tostring(author.type) , AuthorDisplayName = tostring(author.displayName) , AuthorIsExternalCollaborator = tobool(author.isExternalCollaborator) , AuthorUserKey = tostring(author.userKey) , AuthorAccountType = tostring(author.accountType) , AuthorPublicName = tostring(author.publicName) , AuthorExternalCollaborator = tobool(author.externalCollaborator) , RemoteAddress = ['remoteAddress'] , CreationDate = ['creationDate'] , Summary = ['summary'] , Description = ['description'] , Category = ['category'] , SysAdmin = ['sysAdmin'] , SuperAdmin = ['superAdmin'] , AffectedObjectName = tostring(affectedObject.name) , AffectedObjectObjectType = tostring(affectedObject.objectType) , ChangedValues = ['changedValues'] , AssociatedObjects = ['associatedObjects'] , UserIdentity = tostring(author.accountId) , SrcUserName = tostring(author.displayName) , DstUserSid = tostring(author.userKey) , SrcIpAddr = tostring(remoteAddress) , EventCreationTime = tolong(creationDate) , EventMessage = tostring(summary) , EventCategoryType = tostring(affectedObject.objectType) | project TimeGenerated , EventVendor , EventProduct , AuthorUsername , AuthorAccountId , AuthorType , AuthorDisplayName , AuthorIsExternalCollaborator , AuthorUserKey , AuthorAccountType , AuthorPublicName , AuthorExternalCollaborator , RemoteAddress , CreationDate , Summary , Description , Category , SysAdmin , SuperAdmin , AffectedObjectName , AffectedObjectObjectType , ChangedValues , AssociatedObjects , UserIdentity , SrcUserName , DstUserSid , SrcIpAddr , EventCreationTime , EventMessage , EventCategoryType" } - ], - "dataCollectionEndpointId": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]" + ] } }, { 
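Review bot: In the rewritten transformKql, `EventCategoryType = tostring(affectedObject.objectType)` replaces the previous `EventCategoryType=category`, so the column now duplicates AffectedObjectObjectType, contradicts the table description that calls it the event's category, and any parser or analytics rule filtering on EventCategoryType will silently start matching object types instead of audit categories. Unless that is intentional it reads as a copy-paste slip from the AffectedObjectObjectType assignment just above it; `EventCategoryType = tostring(category)` preserves the previous semantics. Deriving TimeGenerated from creationDate is a good change for correlating with the source, but Azure Monitor bounds how far in the past a record's TimeGenerated may lie (as I recall, older records are restamped or rejected), so a first poll that backfills older audit records may not land with the expected timestamps — worth confirming against the ingestion limits and noting in the release notes.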
@@ -342,192 +353,161 @@ "kind": null, "properties": { "schema": { - "tableSubType": "DataCollectionRuleBased", "name": "ConfluenceAuditLogs_CL", - "tableType": "CustomLog", + "description": "The Atlassian Confluence Audit Logs table contains audit logs from Atlassian Confluence that have been ingested into Microsoft Sentinel.", "columns": [ { "name": "TimeGenerated", "type": "datetime", - "isDefaultDisplay": false, - "isHidden": false + "description": "The timestamp (in UTC) when the log entry was generated.", + "isDefaultDisplay": true }, { "name": "EventVendor", "type": "string", - "isDefaultDisplay": false, - "isHidden": false + "description": "The vendor of the event." }, { "name": "EventProduct", "type": "string", - "isDefaultDisplay": false, - "isHidden": false + "description": "The product of the event." }, { "name": "AuthorUsername", "type": "string", - "isDefaultDisplay": false, - "isHidden": false + "description": "The username of the author." }, { "name": "AuthorAccountId", "type": "string", - "isDefaultDisplay": false, - "isHidden": false + "description": "The account ID of the author." }, { "name": "AuthorType", "type": "string", - "isDefaultDisplay": false, - "isHidden": false + "description": "The type of the author." }, { "name": "AuthorDisplayName", "type": "string", - "isDefaultDisplay": false, - "isHidden": false + "description": "The display name of the author." }, { "name": "AuthorIsExternalCollaborator", "type": "boolean", - "isDefaultDisplay": false, - "isHidden": false + "description": "Indicates whether the author is an external collaborator." }, { "name": "AuthorUserKey", "type": "string", - "isDefaultDisplay": false, - "isHidden": false + "description": "The user key of the author." }, { "name": "AuthorAccountType", "type": "string", - "isDefaultDisplay": false, - "isHidden": false + "description": "The account type of the author." 
}, { "name": "AuthorPublicName", "type": "string", - "isDefaultDisplay": false, - "isHidden": false + "description": "The public name of the author." }, { "name": "AuthorExternalCollaborator", "type": "boolean", - "isDefaultDisplay": false, - "isHidden": false + "description": "Indicates whether the author is an external collaborator." }, { "name": "RemoteAddress", "type": "string", - "isDefaultDisplay": false, - "isHidden": false + "description": "The remote address of the author." }, { "name": "CreationDate", "type": "long", - "isDefaultDisplay": false, - "isHidden": false + "description": "The creation date of the audit log entry." }, { "name": "Summary", "type": "string", - "isDefaultDisplay": false, - "isHidden": false + "description": "The summary of the audit log entry." }, { "name": "Description", "type": "string", - "isDefaultDisplay": false, - "isHidden": false + "description": "The description of the audit log entry." }, { "name": "Category", "type": "string", - "isDefaultDisplay": false, - "isHidden": false + "description": "The category of the audit log entry." }, { "name": "SysAdmin", "type": "boolean", - "isDefaultDisplay": false, - "isHidden": false + "description": "Indicates whether the author is a system administrator." }, { "name": "SuperAdmin", "type": "boolean", - "isDefaultDisplay": false, - "isHidden": false + "description": "Indicates whether the author is a super administrator." }, { "name": "AffectedObjectName", "type": "string", - "isDefaultDisplay": false, - "isHidden": false + "description": "The name of the affected object." }, { "name": "AffectedObjectObjectType", "type": "string", - "isDefaultDisplay": false, - "isHidden": false + "description": "The type of the affected object." }, { "name": "ChangedValues", "type": "dynamic", - "isDefaultDisplay": false, - "isHidden": false + "description": "The changed values of the audit log entry." 
}, { "name": "AssociatedObjects", "type": "dynamic", - "isDefaultDisplay": false, - "isHidden": false + "description": "The associated objects of the audit log entry." }, { "name": "UserIdentity", "type": "string", - "isDefaultDisplay": false, - "isHidden": false + "description": "The identity of the user." }, { "name": "SrcUserName", "type": "string", - "isDefaultDisplay": false, - "isHidden": false + "description": "The source username." }, { "name": "DstUserSid", "type": "string", - "isDefaultDisplay": false, - "isHidden": false + "description": "The destination user SID." }, { "name": "SrcIpAddr", "type": "string", - "isDefaultDisplay": false, - "isHidden": false + "description": "The source IP address." }, { "name": "EventCreationTime", "type": "long", - "isDefaultDisplay": false, - "isHidden": false + "description": "The creation time of the event." }, { "name": "EventMessage", "type": "string", - "isDefaultDisplay": false, - "isHidden": false + "description": "The message of the event." }, { "name": "EventCategoryType", "type": "string", - "isDefaultDisplay": false, - "isHidden": false + "description": "The category type of the event." } - ], - "isTroubleshootingAllowed": true + ] } } } 
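Review bot: The new column descriptions leave the unit of `CreationDate` and `EventCreationTime` unstated, although the transform in this template treats the value as Unix epoch milliseconds (`creationDate * 1ms`) and derives TimeGenerated from it; an analyst writing `unixtime_seconds_todatetime(CreationDate)` would be off by a factor of 1000. Suggest `"description": "Creation time of the audit record as Unix epoch milliseconds; TimeGenerated is derived from this value."` for both columns. Likewise `DstUserSid` is documented as "the destination user SID" but the transform populates it from `author.userKey` of the acting user, and `EventCategoryType`'s description should state whatever the transform actually maps into it so the schema and the DCR do not drift apart.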
@@ -550,8 +530,8 @@ "kind": "Customizable", "properties": { "connectorUiConfig": { - "id": "ConfluenceAuditCCPDefinition", - "title": " Atlassian Confluence Audit (via Codeless Connector Framework)", + "id": "AtlassianConfluenceConnector", + "title": "Atlassian Confluence Audit (via Codeless Connector Framework)", "publisher": "Microsoft", "descriptionMarkdown": "The [Atlassian Confluence](https://www.atlassian.com/software/confluence) Audit data connector provides the capability to ingest [Confluence Audit Records](https://support.atlassian.com/confluence-cloud/docs/view-the-audit-log/) events into Microsoft Sentinel through the REST API. Refer to [API documentation](https://support.atlassian.com/confluence-cloud/docs/view-the-audit-log/) for more information. The connector provides ability to get events which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more.", "graphQueriesTableName": "ConfluenceAuditLogs_CL", @@ -568,14 +548,14 @@ "query": "{{graphQueriesTableName}}\n| sort by TimeGenerated desc" }, { - "description": "Total Events", - "query": "{{graphQueriesTableName}}\n | summarize count() by OriginalEventUid" + "description": "Events by Category", + "query": "{{graphQueriesTableName}}\n | summarize count() by Category" } ], "dataTypes": [ { "name": "{{graphQueriesTableName}}", - "lastDataReceivedQuery": "{{graphQueriesTableName}}|summarize Time = max (TimeGenerated)\n|where isnotempty(Time)" + "lastDataReceivedQuery": "{{graphQueriesTableName}} | summarize Time = max (TimeGenerated)\n|where isnotempty(Time)" } ], "connectivityCriteria": [ @@ -584,7 +564,8 @@ } ], "availability": { - "isPreview": false + "isPreview": false, + "status": 1 }, "permissions": { "resourceProvider": [ @@ -596,7 +577,8 @@ "requiredPermissions": { "write": true, "read": true, - "delete": true + "delete": true, + "action": false } } ], 
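Review bot: Renaming the connector definition `id` from `ConfluenceAuditCCPDefinition` to `AtlassianConfluenceConnector` (and the poller resource name in a later hunk) has an upgrade-path consequence the 3.0.7 changelog line does not mention: RestApiPoller resources users already deployed from the previous package carry the old `connectorDefinitionName`, so after the solution update they are presumably left running against a definition that no longer exists — still polling with the stored API token, but no longer listed on the connector page where an operator would disconnect them. If the rename is required, the release-notes entry should tell existing users to disconnect before updating, e.g. `| 3.0.7 | 07-04-2026 | Updated **Data Connector** - *Atlassian Confluence Audit* to change DCR data flows. Existing connections must be disconnected and re-added after the update. |`. The `Events by Category` sample-query change in the next hunk is a genuine fix — `OriginalEventUid` is not a column of this table.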
@@ -609,6 +591,7 @@ }, "instructionSteps": [ { + "title": "Connect to Atlassian Confluence API to start collecting audit logs in Microsoft Sentinel", "description": "To enable the Atlassian Confluence connector for Microsoft Sentinel, click to add an organization, fill the form with the Confluence environment credentials and click to Connect. \n Follow [these steps](https://support.atlassian.com/atlassian-account/docs/manage-api-tokens-for-your-atlassian-account/) to create an API token.\n ", "instructions": [ { @@ -641,8 +624,11 @@ "parameters": { "label": "Atlassian Confluence organization URL", "placeholder": ".atlassian.net", - "type": "string", - "name": "confluenceorganizationurl" + "type": "text", + "name": "confluenceorganizationurl", + "validations": { + "required": true + } } }, { @@ -650,8 +636,11 @@ "parameters": { "label": "User Name", "placeholder": "User Name (e.g., user@example.com)", - "type": "securestring", - "name": "userid" + "type": "text", + "name": "userid", + "validations": { + "required": true + } } }, { @@ -660,7 +649,10 @@ "label": "API Token", "placeholder": "API Token", "type": "password", - "name": "apikey" + "name": "apikey", + "validations": { + "required": true + } } } ] @@ -719,7 +711,7 @@ ], "properties": { "contentId": "[variables('_dataConnectorContentIdConnections1')]", - "displayName": " Atlassian Confluence Audit (via Codeless Connector Framework)", + "displayName": "Atlassian Confluence Audit (via Codeless Connector Framework)", "contentKind": "ResourcesDataConnector", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", @@ -734,7 +726,7 @@ "type": "securestring" }, "connectorDefinitionName": { - "defaultValue": " Atlassian Confluence Audit (via Codeless Connector Framework)", + "defaultValue": "Atlassian Confluence Audit (via Codeless Connector Framework)", "type": "securestring", "minLength": 1 }, 
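Review bot: The `confluenceorganizationurl` textbox only gains `required: true`, yet its value is concatenated straight into `https://<value>/wiki/rest/api/audit` in the poller hunk further down, and the Basic-auth header carrying the user's API token is sent to whatever host that yields; a typo, a pasted full URL, or a value such as `evil.example/#` would deliver the Atlassian credentials to a third party with no error surfaced to the operator. Since this connector targets Confluence Cloud, constrain the input to the expected host shape — if the CCF textbox validation accepts a pattern, something like `"validations": { "required": true, "regex": "^[A-Za-z0-9-]+\\.atlassian\\.net$" }` — and otherwise at least spell out the expected bare-hostname format in the placeholder and description. The same applies to the duplicate textbox definition in the connector-definition resource earlier in the template.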
@@ -796,19 +788,12 @@ } }, { - "name": "[[concat(parameters('innerWorkspace'),'/Microsoft.SecurityInsights/', 'ConfluenceAuditCCPPolling', parameters('guidValue'))]", + "name": "[[concat(parameters('innerWorkspace'),'/Microsoft.SecurityInsights/', 'ConfluenceAuditLogsPoller', parameters('guidValue'))]", "apiVersion": "2023-02-01-preview", "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", "location": "[parameters('workspace-location')]", "kind": "RestApiPoller", "properties": { - "connectorDefinitionName": "ConfluenceAuditCCPDefinition", - "dataType": "ConfluenceAuditLogs_CL", - "dcrConfig": { - "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", - "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]", - "streamName": "Custom-ConfluenceAuditLogs" - }, "auth": { "type": "Basic", "UserName": "[[parameters('userid')]", 
@@ -817,27 +802,36 @@ "request": { "apiEndpoint": "[[concat('https://',parameters('confluenceorganizationurl'),'/wiki/rest/api/audit')]", "httpMethod": "GET", + "queryWindowInMin": 5, + "queryTimeFormat": "UnixTimestampInMills", "retryCount": 3, "timeoutInSeconds": 60, - "queryTimeFormat": "UnixTimestampInMills", - "startTimeAttributeName": "startDate", - "endTimeAttributeName": "endDate", "headers": { + "Content-Type": "application/json", "Accept": "application/json", "User-Agent": "Scuba" - } - }, - "paging": { - "pagingType": "Offset", - "offsetParaName": "start", - "pageSizeParaName": "limit", - "pageSize": 1000 + }, + "startTimeAttributeName": "startDate", + "endTimeAttributeName": "endDate" }, "response": { "eventsJsonPaths": [ "$.results" ], "format": "json" + }, + "paging": { + "pagingType": "Offset", + "offsetParaName": "start", + "pageSize": 1000, + "pageSizeParameterName": "limit" + }, + "connectorDefinitionName": "AtlassianConfluenceConnector", + "dataType": "ConfluenceAuditLogs", + "dcrConfig": { + "streamName": "Custom-ConfluenceAuditLogs_CL", + "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", + "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" } } } @@ -861,7 +855,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ConfluenceAudit Data Parser with template version 3.0.6", + "description": "ConfluenceAudit Data Parser with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject1').parserVersion1]", 
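Review bot: `dcrConfig.streamName` changes to `Custom-ConfluenceAuditLogs_CL` and the DCR in this template now declares only that stream, but pollers deployed from the previous version were created with `Custom-ConfluenceAuditLogs` (the value deleted in the preceding hunk); if the DCR is updated in place, those existing connections would post to a stream the rule no longer declares and ingestion would stop without any error at the poller. That deserves an explicit disconnect/reconnect instruction in the 3.0.7 release-notes line. Separately, `dataType` changes from `ConfluenceAuditLogs_CL` to `ConfluenceAuditLogs` while the definition's `dataTypes[].name` still resolves to `ConfluenceAuditLogs_CL` through `graphQueriesTableName`; if the framework correlates the two for the connector's data-received status, the mismatch would show the connector as never receiving data — worth confirming before release. The added `Content-Type: application/json` header on a bodiless GET is harmless but unnecessary.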
@@ -870,7 +864,7 @@ "resources": [ { "name": "[variables('parserObject1')._parserName1]", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "type": "Microsoft.OperationalInsights/workspaces/savedSearches", "location": "[parameters('workspace-location')]", "properties": { @@ -935,7 +929,7 @@ }, { "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "[variables('parserObject1')._parserName1]", "location": "[parameters('workspace-location')]", "properties": { @@ -989,7 +983,7 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.6", + "version": "3.0.7", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "AtlassianConfluenceAudit", diff --git a/Solutions/AtlassianConfluenceAudit/ReleaseNotes.md b/Solutions/AtlassianConfluenceAudit/ReleaseNotes.md index c902a132d63..b35a8b174b7 100644 --- a/Solutions/AtlassianConfluenceAudit/ReleaseNotes.md +++ b/Solutions/AtlassianConfluenceAudit/ReleaseNotes.md @@ -1,5 +1,6 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|-------------------------------------------------------| +| 3.0.7 | 07-04-2026 | Updated **Data Connector** - *Atlassian Confluence Audit* to change DCR data flows. | | 3.0.6 | 28-07-2025 | Removed Deprecated **Data Connector**. | | 3.0.5 | 06-05-2025 | Launching CCP **Data Connector** - *Atlassian Confluence Audit* from Public Preview to Global Availability. | | 3.0.4 | 16-04-2025 | Updated **Parser** to support new and old table.
Updated table name in **CCP Connector**. | From 8f7552d0ff64b81b89679a13d4acbca4cd929b4f Mon Sep 17 00:00:00 2001 From: Srikar Shastry Date: Wed, 8 Apr 2026 08:36:04 -0500 Subject: [PATCH 2/2] Update Solutions/AtlassianConfluenceAudit/Data/Solution_AtlassianConfluenceAudit.json Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .../Data/Solution_AtlassianConfluenceAudit.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Solutions/AtlassianConfluenceAudit/Data/Solution_AtlassianConfluenceAudit.json b/Solutions/AtlassianConfluenceAudit/Data/Solution_AtlassianConfluenceAudit.json index 80cbb140156..c6fb313aa76 100644 --- a/Solutions/AtlassianConfluenceAudit/Data/Solution_AtlassianConfluenceAudit.json +++ b/Solutions/AtlassianConfluenceAudit/Data/Solution_AtlassianConfluenceAudit.json @@ -12,6 +12,6 @@ "Metadata": "SolutionMetadata.json", "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\AtlassianConfluenceAudit", "Version": "3.0.7", - "TemplateSpec": true, + "TemplateSpec": false, "Is1PConnector": false }