BlueVoyant Anthropic ClaudeCompliance v3.0.0

Author: TSwaimBV

Logos/BlueVoyant.svg

@@ -0,0 +1,87 @@
+{
+  "type": "Microsoft.SecurityInsights/dataConnectorDefinitions",
+  "apiVersion": "2022-09-01-preview",
+  "name": "BV-ClaudeCompliance",
+  "location": "{{location}}",
+  "kind": "Customizable",
+  "properties": {
+    "connectorUiConfig": {
+      "id": "BV-ClaudeCompliance",
+      "title": "BV-ClaudeCompliance (via Codeless Connector Framework)",
+      "publisher": "BlueVoyant",
+      "descriptionMarkdown": "## BV-ClaudeCompliance (via Codeless Connector Framework)\r\n\r\nThis connector ingests **ClaudeCompliance** API data into Microsoft Sentinel using RestApiPoller.\r\n\r\n### Data Collection\r\n- Base API URL: `https://api.anthropic.com/`\r\n- Authentication: `APIKey`\r\n- Endpoint count: `1`\r\n\r\n### Tables\r\n- `ComplianceActivities` -> `BV_ClaudeCompliance_ComplianceActivities_CL`\r\n\r\n### Sample Query\r\n```kusto\r\nBV_ClaudeCompliance_ComplianceActivities_CL\r\n| take 10\r\n```",
+      "graphQueriesTableName": "BV_ClaudeCompliance_ComplianceActivities_CL",
+      "graphQueries": [
+        {
+          "metricName": "Total data received",
+          "legend": "BV_ClaudeCompliance_ComplianceActivities_CL",
+          "baseQuery": "{{graphQueriesTableName}}"
+        }
+      ],
+      "sampleQueries": [
+        {
+          "description": "All BV_ClaudeCompliance_ComplianceActivities_CL events",
+          "query": "{{graphQueriesTableName}}\n| sort by TimeGenerated\n| take 10"
+        }
+      ],
+      "dataTypes": [
+        {
+          "name": "{{graphQueriesTableName}}",
+          "lastDataReceivedQuery": "{{graphQueriesTableName}}\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)"
+        }
+      ],
+      "connectivityCriteria": [
+        {
+          "type": "HasDataConnectors"
+        }
+      ],
+      "availability": {
+        "isPreview": false
+      },
+      "permissions": {
+        "resourceProvider": [
+          {
+            "provider": "Microsoft.OperationalInsights/workspaces",
+            "permissionsDisplayText": "Read and Write permissions are required.",
+            "providerDisplayName": "Workspace",
+            "scope": "Workspace",
+            "requiredPermissions": {
+              "write": true,
+              "read": true,
+              "delete": false
+            }
+          }
+        ]
+      },
+      "instructionSteps": [
+        {
+          "title": "Connect BV-ClaudeCompliance (via Codeless Connector Framework) to Microsoft Sentinel",
+          "description": "To obtain a Claude Compliance API key, follow the instructions found here:\r\n[Access the Compliance API](https://support.claude.com/en/articles/13015708-access-the-compliance-api).\r\n\r\nThe API key must include the **`read:compliance_activities`** scope.\r\n\r\nPaste the key below and select **Connect**.",
+          "instructions": [
+            {
+              "type": "Textbox",
+              "parameters": {
+                "label": "API Key",
+                "placeholder": "Enter API key",
+                "type": "password",
+                "name": "apiKey",
+                "validations": {
+                  "required": true
+                }
+              }
+            },
+            {
+              "type": "ConnectionToggleButton",
+              "parameters": {
+                "connectLabel": "Connect",
+                "disconnectLabel": "Disconnect",
+                "name": "toggle"
+              }
+            }
+          ]
+        }
+      ],
+      "isConnectivityCriteriasMatchSome": false
+    }
+  }
+}

Solutions/BlueVoyant-Anthropic-ClaudeCompliance/Data Connectors/BV-ClaudeCompliance_ccf/dataConnectorDefinition.json

@@ -0,0 +1,52 @@
+[
+  {
+    "type": "Microsoft.SecurityInsights/dataConnectors",
+    "apiVersion": "2022-10-01-preview",
+    "name": "ComplianceActivities",
+    "kind": "RestApiPoller",
+    "properties": {
+      "connectorDefinitionName": "BV-ClaudeCompliance",
+      "dataType": "BV_ClaudeCompliance_ComplianceActivities_CL",
+      "dcrConfig": {
+        "streamName": "Custom-BV_ClaudeCompliance_ComplianceActivities_CL",
+        "dataCollectionEndpoint": "{{dataCollectionEndpoint}}",
+        "dataCollectionRuleImmutableId": "{{dataCollectionRuleImmutableId}}"
+      },
+      "auth": {
+        "type": "APIKey",
+        "ApiKey": "{{apiKey}}",
+        "ApiKeyName": "x-api-key",
+        "IsApiKeyInPostPayload": false
+      },
+      "request": {
+        "apiEndpoint": "https://api.anthropic.com/v1/compliance/activities",
+        "httpMethod": "GET",
+        "queryWindowInMin": 10,
+        "rateLimitQPS": 10,
+        "timeoutInSeconds": 60,
+        "retryCount": 3,
+        "headers": {
+          "User-Agent": "BV-ClaudeCompliance"
+        },
+        "startTimeAttributeName": "created_at.gte",
+        "endTimeAttributeName": "created_at.lt",
+        "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ"
+      },
+      "response": {
+        "eventsJsonPaths": [
+          "$.data"
+        ],
+        "format": "json"
+      },
+      "paging": {
+        "pagingType": "NextPageToken",
+        "pageSize": 5000,
+        "pageSizeParameterName": "limit",
+        "hasNextFlagJsonPath": "$.has_more",
+        "pagingQueryParamOnly": false,
+        "nextPageTokenJsonPath": "$.last_id",
+        "nextPageParaName": "after_id"
+      }
+    }
+  }
+]

Solutions/BlueVoyant-Anthropic-ClaudeCompliance/Data Connectors/BV-ClaudeCompliance_ccf/dataConnectorPoller.json

@@ -0,0 +1,105 @@
+[
+  {
+    "name": "DCR-BV-ClaudeCompliance",
+    "apiVersion": "2021-09-01-preview",
+    "type": "Microsoft.Insights/dataCollectionRules",
+    "location": "{{location}}",
+    "properties": {
+      "dataCollectionEndpointId": "{{dataCollectionEndpointId}}",
+      "streamDeclarations": {
+        "Custom-BV_ClaudeCompliance_ComplianceActivities_CL": {
+          "columns": [
+            {
+              "name": "TimeGenerated",
+              "type": "datetime"
+            },
+            {
+              "name": "actor",
+              "type": "dynamic"
+            },
+            {
+              "name": "claude_artifact_id",
+              "type": "string"
+            },
+            {
+              "name": "claude_chat_id",
+              "type": "string"
+            },
+            {
+              "name": "claude_file_id",
+              "type": "string"
+            },
+            {
+              "name": "claude_project_id",
+              "type": "string"
+            },
+            {
+              "name": "created_at",
+              "type": "datetime"
+            },
+            {
+              "name": "filename",
+              "type": "string"
+            },
+            {
+              "name": "id",
+              "type": "string"
+            },
+            {
+              "name": "organization_id",
+              "type": "string"
+            },
+            {
+              "name": "organization_uuid",
+              "type": "string"
+            },
+            {
+              "name": "request_body",
+              "type": "string"
+            },
+            {
+              "name": "request_id",
+              "type": "string"
+            },
+            {
+              "name": "request_method",
+              "type": "string"
+            },
+            {
+              "name": "status_code",
+              "type": "int"
+            },
+            {
+              "name": "type",
+              "type": "string"
+            },
+            {
+              "name": "url",
+              "type": "string"
+            }
+          ]
+        }
+      },
+      "destinations": {
+        "logAnalytics": [
+          {
+            "workspaceResourceId": "{{workspaceResourceId}}",
+            "name": "clv2ws1"
+          }
+        ]
+      },
+      "dataFlows": [
+        {
+          "streams": [
+            "Custom-BV_ClaudeCompliance_ComplianceActivities_CL"
+          ],
+          "destinations": [
+            "clv2ws1"
+          ],
+          "transformKql": "source | project-rename id_CF = ['id'], type_CF = ['type']",
+          "outputStream": "Custom-BV_ClaudeCompliance_ComplianceActivities_CL"
+        }
+      ]
+    }
+  }
+]

Solutions/BlueVoyant-Anthropic-ClaudeCompliance/Data Connectors/BV-ClaudeCompliance_ccf/dcr.json

@@ -0,0 +1,83 @@
+[
+  {
+    "name": "BV_ClaudeCompliance_ComplianceActivities_CL",
+    "type": "Microsoft.OperationalInsights/workspaces/tables",
+    "apiVersion": "2021-03-01-privatepreview",
+    "properties": {
+      "schema": {
+        "name": "BV_ClaudeCompliance_ComplianceActivities_CL",
+        "columns": [
+          {
+            "name": "TimeGenerated",
+            "type": "datetime",
+            "description": "Ingestion time"
+          },
+          {
+            "name": "actor",
+            "type": "dynamic"
+          },
+          {
+            "name": "claude_artifact_id",
+            "type": "string"
+          },
+          {
+            "name": "claude_chat_id",
+            "type": "string"
+          },
+          {
+            "name": "claude_file_id",
+            "type": "string"
+          },
+          {
+            "name": "claude_project_id",
+            "type": "string"
+          },
+          {
+            "name": "created_at",
+            "type": "datetime"
+          },
+          {
+            "name": "filename",
+            "type": "string"
+          },
+          {
+            "name": "id_CF",
+            "type": "string"
+          },
+          {
+            "name": "organization_id",
+            "type": "string"
+          },
+          {
+            "name": "organization_uuid",
+            "type": "string"
+          },
+          {
+            "name": "request_body",
+            "type": "string"
+          },
+          {
+            "name": "request_id",
+            "type": "string"
+          },
+          {
+            "name": "request_method",
+            "type": "string"
+          },
+          {
+            "name": "status_code",
+            "type": "int"
+          },
+          {
+            "name": "type_CF",
+            "type": "string"
+          },
+          {
+            "name": "url",
+            "type": "string"
+          }
+        ]
+      }
+    }
+  }
+]

Solutions/BlueVoyant-Anthropic-ClaudeCompliance/Data Connectors/BV-ClaudeCompliance_ccf/table.json

@@ -0,0 +1,17 @@
+{
+  "Name": "BlueVoyant-Anthropic-ClaudeCompliance",
+  "Author": "BlueVoyant - soc@bluevoyant.com",
+  "Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/BlueVoyant.svg\" width=\"75px\" height=\"75px\">",
+  "Description": "The BlueVoyant Anthropic Claude Compliance solution for Microsoft Sentinel ingests compliance activity data from the Anthropic Claude Compliance API into your workspace. Using a Codeless Connector Framework (CCF) data connector, it continuously collects compliance events into the BV_ClaudeCompliance_ComplianceActivities_CL table for monitoring, hunting, and detection.",
+  "Workbooks": [],
+  "Analytic Rules": [],
+  "Hunting Queries": [],
+  "Data Connectors": [
+    "Data Connectors/BV-ClaudeCompliance_ccf/dataConnectorDefinition.json"
+  ],
+  "BasePath": "",
+  "Version": "3.0.0",
+  "Metadata": "SolutionMetadata.json",
+  "TemplateSpec": true,
+  "DataConnectorCCFVersion": "1.0.0"
+}