Merge pull request Azure#10040 from SmitR01/MimecastSEG

MimecastSEG : Fixed workspace default log retention bug

Solutions/MimecastSEG/Data Connectors/MimecastSEG_API_AzureFunctionApp.json

@@ -129,7 +129,7 @@
     },
     {
       "title": "Deploy the Mimecast Secure Email Gateway Data Connector:",
-      "description": "\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-MimecastSEG-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the following fields:\n - appName: Unique string that will be used as id for the app in Azure platform\n - objectId: Azure portal ---> Azure Active Directory ---> more info ---> Profile -----> Object ID\n - appInsightsLocation(default): westeurope\n - mimecastEmail: Email address of dedicated user for this integraion\n - mimecastPassword: Password for dedicated user\n - mimecastAppId: Application Id from the Microsoft Sentinel app registered with Mimecast\n - mimecastAppKey: Application Key from the Microsoft Sentinel app registered with Mimecast\n - mimecastAccessKey: Access Key for the dedicated Mimecast user\n - mimecastSecretKey: Secret Key for dedicated Mimecast user\n - mimecastBaseURL: Regional Mimecast API Base URL\n - activeDirectoryAppId: Azure portal ---> App registrations ---> [your_app] ---> Application ID\n - activeDirectoryAppSecret: Azure portal ---> App registrations ---> [your_app] ---> Certificates & secrets ---> [your_app_secret]\n\n >Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details.\n\n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.\n\n6. Go to ***Azure portal ---> Resource groups ---> [your_resource_group] --->  [appName](type: Storage account) ---> Storage Explorer ---> BLOB CONTAINERS ---> SIEM checkpoints ---> Upload*** and create empty file on your machine named checkpoint.txt, dlp-checkpoint.txt and select it for upload (this is done so that date_range for SIEM logs is stored in consistent state)\n"
+      "description": "\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-MimecastSEG-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the following fields:\n - appName: Unique string that will be used as id for the app in Azure platform\n - objectId: Azure portal ---> Azure Active Directory ---> more info ---> Profile -----> Object ID\n - appInsightsLocation(default): westeurope\n - mimecastEmail: Email address of dedicated user for this integraion\n - mimecastPassword: Password for dedicated user\n - mimecastAppId: Application Id from the Microsoft Sentinel app registered with Mimecast\n - mimecastAppKey: Application Key from the Microsoft Sentinel app registered with Mimecast\n - mimecastAccessKey: Access Key for the dedicated Mimecast user\n - mimecastSecretKey: Secret Key for dedicated Mimecast user\n - mimecastBaseURL: Regional Mimecast API Base URL\n - activeDirectoryAppId: Azure portal ---> App registrations ---> [your_app] ---> Application ID\n - activeDirectoryAppSecret: Azure portal ---> App registrations ---> [your_app] ---> Certificates & secrets ---> [your_app_secret]\n - workspaceId: Azure portal ---> Log Analytics Workspaces ---> [Your workspace] ---> Agents ---> Workspace ID (or you can copy workspaceId from above) \n - workspaceKey:  Azure portal ---> Log Analytics Workspaces ---> [Your workspace] ---> Agents ---> Primary Key (or you can copy workspaceKey from above) \n - AppInsightsWorkspaceResourceID : Azure portal ---> Log Analytics Workspaces ---> [Your workspace] ---> Properties ---> Resource ID \n\n >Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details.\n\n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.\n\n6. Go to ***Azure portal ---> Resource groups ---> [your_resource_group] --->  [appName](type: Storage account) ---> Storage Explorer ---> BLOB CONTAINERS ---> SIEM checkpoints ---> Upload*** and create empty file on your machine named checkpoint.txt, dlp-checkpoint.txt and select it for upload (this is done so that date_range for SIEM logs is stored in consistent state)\n"
     }
   ],
   "metadata": {

Solutions/MimecastSEG/Data Connectors/azuredeploy_MimecastSEG_AzureFunctionApp.json

@@ -93,10 +93,16 @@
         "description": "Application secret of the registered application."
       }
     },
-    "workspaceName": {
+    "workspaceId": {
       "type": "string",
       "metadata": {
-        "description": "Enter existing log analytics workspace name."
+        "description": "Enter existing log analytics workspace ID."
+      }
+    },
+    "workspaceKey": {
+      "type": "securestring",
+      "metadata": {
+        "description": "Enter existing log analytics workspace key."
       }
     },
     "AppInsightsWorkspaceResourceID": {
@@ -110,8 +116,7 @@
     "functionAppName": "[parameters('appName')]",
     "hostingPlanName": "[parameters('appName')]",
     "applicationInsightsName": "[parameters('appName')]",
-    "storageAccountName": "[parameters('appName')]",
-    "workspaceName": "[parameters('workspaceName')]"
+    "storageAccountName": "[parameters('appName')]"
   },
   "resources": [
     {
@@ -224,43 +229,6 @@
         }
       ]
     },
-    {
-      "apiVersion": "2015-03-20",
-      "name": "[variables('workspaceName')]",
-      "location": "[parameters('location')]",
-      "type": "Microsoft.OperationalInsights/workspaces",
-      "properties": {
-        "sku": {
-          "name": "pergb2018"
-        },
-        "retentionInDays": 30,
-        "features": {
-          "legacy": 0,
-          "searchVersion": 1,
-          "enableLogAccessUsingOnlyResourcePermissions": true
-        },
-        "publicNetworkAccessForIngestion": "Enabled",
-        "publicNetworkAccessForQuery": "Enabled"
-      }
-    },
-    {
-      "type": "Microsoft.OperationsManagement/solutions",
-      "apiVersion": "2015-11-01-preview",
-      "name": "[concat('SecurityInsights','(', variables('workspaceName'),')')]",
-      "location": "[parameters('location')]",
-      "plan": {
-        "name": "[concat('SecurityInsights','(', variables('workspaceName'),')')]",
-        "promotionCode": "",
-        "product": "OMSGallery/SecurityInsights",
-        "publisher": "Microsoft"
-      },
-      "dependsOn": [
-        "[resourceId('Microsoft.OperationalInsights/workspaces/', variables('workspaceName'))]"
-      ],
-      "properties": {
-        "workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces/', variables('workspaceName'))]"
-      }
-    },
     {
       "type": "microsoft.insights/components",
       "apiVersion": "2020-02-02",
@@ -456,11 +424,10 @@
       "name": "[concat(variables('functionAppName'), '/', 'log-analytics-workspace-id')]",
       "location": "[parameters('location')]",
       "dependsOn": [
-        "[resourceId('Microsoft.KeyVault/vaults', parameters('appName'))]",
-        "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspaceName'))]"
+        "[resourceId('Microsoft.KeyVault/vaults', parameters('appName'))]"
       ],
       "properties": {
-        "value": "[reference(resourceId('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName')), '2015-03-20').customerId]"
+        "value": "[parameters('workspaceId')]"
       }
     },
     {
@@ -469,11 +436,10 @@
       "name": "[concat(variables('functionAppName'), '/', 'log-analytics-workspace-key')]",
       "location": "[parameters('location')]",
       "dependsOn": [
-        "[resourceId('Microsoft.KeyVault/vaults', parameters('appName'))]",
-        "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspaceName'))]"
+        "[resourceId('Microsoft.KeyVault/vaults', parameters('appName'))]"
       ],
       "properties": {
-        "value": "[listKeys(resourceId('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName')), '2015-03-20').primarySharedKey]"
+        "value": "[parameters('workspaceKey')]"
       }
     }
   ]

Solutions/MimecastSEG/Data/Solution_MimecastSEG.json

@@ -21,7 +21,7 @@
         "Data Connectors/MimecastSEG_API_AzureFunctionApp.json"
     ],
     "BasePath": "C:\\Azure-Sentinel\\Solutions\\MimecastSEG",
-    "Version": "3.0.0",
+    "Version": "3.0.2",
     "Metadata": "SolutionMetadata.json",
     "TemplateSpec": true,
     "Is1PConnector": false

Solutions/MimecastSEG/Package/createUiDefinition.json

@@ -6,7 +6,7 @@
     "config": {
       "isWizard": false,
       "basics": {
-        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Mimecast.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe data connector for [Mimecast Secure Email Gateway](https://community.mimecast.com/s/article/Azure-Sentinel) allows easy log collection from the Secure Email Gateway to surface email insight and user activity within Microsoft Sentinel. The data connector provides pre-created dashboards to allow analysts to view insight into email based threats, aid in incident correlation and reduce investigation response times coupled with custom alert capabilities. Mimecast products and features required: \n- Mimecast Secure Email Gateway \n- Mimecast Data Leak Prevention\n \n\nMicrosoft Sentinel Solutions provide a consolidated way to acquire Microsoft Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 9\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Mimecast.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MimecastSEG/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe data connector for [Mimecast Secure Email Gateway](https://community.mimecast.com/s/article/Azure-Sentinel) allows easy log collection from the Secure Email Gateway to surface email insight and user activity within Microsoft Sentinel. The data connector provides pre-created dashboards to allow analysts to view insight into email based threats, aid in incident correlation and reduce investigation response times coupled with custom alert capabilities. Mimecast products and features required: \n- Mimecast Secure Email Gateway \n- Mimecast Data Leak Prevention\n \n\nMicrosoft Sentinel Solutions provide a consolidated way to acquire Microsoft Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 9\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
         "subscription": {
           "resourceProviders": [
             "Microsoft.OperationsManagement/solutions",