Skip to content

Commit c475979

Browse files
authored
Merge pull request #14290 from Azure/v-shukore/cisco-etd
Added Cisco ETD CCP data connector to use the new Message Event Logs
2 parents d7957ce + f2000b6 commit c475979

11 files changed

Lines changed: 1859 additions & 143 deletions

File tree

Lines changed: 45 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,45 @@
1+
[
2+
{
3+
"name": "CiscoETDDCR",
4+
"apiVersion": "2021-09-01-preview",
5+
"type": "Microsoft.Insights/dataCollectionRules",
6+
"location": "{{location}}",
7+
"properties": {
8+
"dataCollectionEndpointId": "{{dataCollectionEndpointId}}",
9+
"streamDeclarations": {
10+
"Custom-CiscoETDv2_CL": {
11+
"columns": [
12+
{
13+
"name": "downloadLink",
14+
"type": "string"
15+
},
16+
{
17+
"name": "expand",
18+
"type": "dynamic"
19+
}
20+
]
21+
}
22+
},
23+
"destinations": {
24+
"logAnalytics": [
25+
{
26+
"workspaceResourceId": "{{workspaceResourceId}}",
27+
"name": "clv2ws1"
28+
}
29+
]
30+
},
31+
"dataFlows": [
32+
{
33+
"streams": [
34+
"Custom-CiscoETDv2_CL"
35+
],
36+
"destinations": [
37+
"clv2ws1"
38+
],
39+
"transformKql": "source | project TimeGenerated=now(), EventTime=todatetime(expand.message.timestamp), EventType=tostring(expand.message.eventType), MessageId=tostring(expand.message.id), Verdict=tostring(iff(isnotnull(expand.message.verdict.verdict), expand.message.verdict.verdict, expand.message.verdict.category)), Sender=tostring(iff(isnotempty(tostring(expand.message.fromAddresses)), expand.message.fromAddresses, expand.message.returnPath)), Recipient=tostring(iff(isnotempty(tostring(expand.message.toAddresses[0])), expand.message.toAddresses[0], expand.message.envelopeTo[0])), Subject=tostring(expand.message.subject), message=todynamic(expand.message)",
40+
"outputStream": "Custom-CiscoETDv2_CL"
41+
}
42+
]
43+
}
44+
}
45+
]
Lines changed: 97 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,97 @@
1+
[
2+
{
3+
"name": "CiscoETDMessages",
4+
"apiVersion": "2025-09-01",
5+
"type": "Microsoft.SecurityInsights/dataConnectors",
6+
"location": "{{location}}",
7+
"kind": "RestApiPoller",
8+
"properties": {
9+
"connectorDefinitionName": "CiscoETDConnectorDefinition",
10+
"dcrConfig": {
11+
"dataCollectionEndpoint": "{{dataCollectionEndpoint}}",
12+
"dataCollectionRuleImmutableId": "{{dataCollectionRuleImmutableId}}",
13+
"streamName": "Custom-CiscoETDv2_CL"
14+
},
15+
"dataType": "CiscoETDv2_CL",
16+
"auth": {
17+
"type": "JwtToken",
18+
"userName": {
19+
"key": "clientId",
20+
"value": "{{clientId}}"
21+
},
22+
"password": {
23+
"key": "clientSecret",
24+
"value": "{{clientSecret}}"
25+
},
26+
"TokenEndpoint": "{{baseEndpoint}}/v1/oauth/token",
27+
"TokenEndpointHttpMethod": "POST",
28+
"Headers": {
29+
"Accept": "application/json",
30+
"Content-Type": "application/json",
31+
"x-api-key": "[[parameters('apiKey')]"
32+
},
33+
"IsCredentialsInHeaders": true,
34+
"JwtTokenJsonPath": "$.accessToken"
35+
},
36+
"request": {
37+
"apiEndpoint": "{{baseEndpoint}}/v1/logs/downloadLinks",
38+
"rateLimitQPS": 10,
39+
"queryWindowInMin": 60,
40+
"queryTimeFormat": "yyyy-MM-ddTHH",
41+
"httpMethod": "POST",
42+
"retryCount": 3,
43+
"timeoutInSeconds": 30,
44+
"isPostPayloadJson": true,
45+
"queryParametersTemplate": "{\"timeRange\": [\"{_QueryWindowStartTime}\", \"{_QueryWindowEndTime}\"], \"logTypes\": [\"message\"]}",
46+
"headers": {
47+
"Accept": "application/json",
48+
"Content-Type": "application/json",
49+
"User-Agent": "Scuba",
50+
"x-api-key": "{{apiKey}}"
51+
}
52+
},
53+
"response": {
54+
"eventsJsonPaths": [
55+
"$.data.message"
56+
],
57+
"format": "json"
58+
},
59+
"shouldJoinNestedData": true,
60+
"joinedDataStepName": "downloadLink",
61+
"stepInfo": {
62+
"stepType": "Nested",
63+
"nextSteps": [
64+
{
65+
"stepId": "fetchMessageData",
66+
"stepPlaceholdersParsingKql": "source | project res = parse_json(data) | project downloadUrl = res.value"
67+
}
68+
]
69+
},
70+
"stepCollectorConfigs": {
71+
"fetchMessageData": {
72+
"shouldJoinNestedData": true,
73+
"joinedDataStepName": "expand",
74+
"auth": {
75+
"AuthType": "None"
76+
},
77+
"request": {
78+
"httpMethod": "GET",
79+
"apiEndpoint": "$downloadUrl$",
80+
"headers": {
81+
"Accept": "application/x-ndjson"
82+
}
83+
},
84+
"response": {
85+
"eventsJsonPaths": [
86+
"$"
87+
],
88+
"format": "json"
89+
}
90+
}
91+
},
92+
"extra": {
93+
"nestedTransformName": "/ASI/Microsoft/MvExpandTransformer"
94+
}
95+
}
96+
}
97+
]
Lines changed: 60 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,60 @@
1+
[
2+
{
3+
"name": "CiscoETDv2_CL",
4+
"type": "Microsoft.OperationalInsights/workspaces/tables",
5+
"apiVersion": "2021-03-01-privatepreview",
6+
"properties": {
7+
"schema": {
8+
"name": "CiscoETDv2_CL",
9+
"columns": [
10+
{
11+
"name": "TimeGenerated",
12+
"type": "Datetime",
13+
"isDefaultDisplay": true,
14+
"description": "The timestamp (UTC) reflecting the time in which the event was generated."
15+
},
16+
{
17+
"name": "EventTime",
18+
"type": "Datetime",
19+
"description": "Timestamp of the email event from Cisco ETD."
20+
},
21+
{
22+
"name": "EventType",
23+
"type": "String",
24+
"description": "Event type: create or update."
25+
},
26+
{
27+
"name": "MessageId",
28+
"type": "String",
29+
"description": "Unique identifier of the email message."
30+
},
31+
{
32+
"name": "Verdict",
33+
"type": "String",
34+
"description": "Threat verdict: phishing, malicious, bec, spam, scam, graymail."
35+
},
36+
{
37+
"name": "Sender",
38+
"type": "String",
39+
"description": "Sender email address."
40+
},
41+
{
42+
"name": "Recipient",
43+
"type": "String",
44+
"description": "Primary recipient email address."
45+
},
46+
{
47+
"name": "Subject",
48+
"type": "String",
49+
"description": "Email subject line."
50+
},
51+
{
52+
"name": "message",
53+
"type": "Dynamic",
54+
"description": "Full Cisco ETD message event object."
55+
}
56+
]
57+
}
58+
}
59+
}
60+
]
Lines changed: 142 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,142 @@
1+
{
2+
"type": "Microsoft.SecurityInsights/dataConnectorDefinitions",
3+
"apiVersion": "2022-09-01-preview",
4+
"name": "CiscoETDConnectorDefinition",
5+
"location": "{{location}}",
6+
"kind": "Customizable",
7+
"properties": {
8+
"connectorUiConfig": {
9+
"id": "CiscoETDConnectorDefinition",
10+
"title": "Cisco Email Threat Defense (ETD)",
11+
"publisher": "Cisco",
12+
"descriptionMarkdown": "The [Cisco Email Threat Defense (ETD)](https://docs.cmd.cisco.com/en/Content/secure-email-threat-defense-user-guide/homeUG.htm) data connector provides the capability to ingest [message events](https://docs.cmd.cisco.com/en/Content/secure-email-threat-defense-user-guide/Messages/messages.htm) from Cisco ETD into Microsoft Sentinel using the [Log Export API](https://developer.cisco.com/docs/message-search-api/log-export-api/).",
13+
"graphQueriesTableName": "CiscoETDv2_CL",
14+
"graphQueries": [
15+
{
16+
"metricName": "Total messages received",
17+
"legend": "Cisco ETD Messages",
18+
"baseQuery": "CiscoETDv2_CL"
19+
},
20+
{
21+
"metricName": "Malicious messages",
22+
"legend": "Malicious Threats",
23+
"baseQuery": "CiscoETDv2_CL | where message_verdict_verdict == 'malicious'"
24+
},
25+
{
26+
"metricName": "Phishing messages",
27+
"legend": "Phishing Threats",
28+
"baseQuery": "CiscoETDv2_CL | where message_verdict_verdict == 'phishing'"
29+
}
30+
],
31+
"sampleQueries": [
32+
{
33+
"description": "Get all Cisco ETD threat messages",
34+
"query": "CiscoETDv2_CL\n| sort by TimeGenerated desc"
35+
},
36+
{
37+
"description": "Get recent malicious messages",
38+
"query": "CiscoETDv2_CL\n| where message_verdict_verdict == 'malicious'\n| take 10"
39+
}
40+
],
41+
"dataTypes": [
42+
{
43+
"name": "CiscoETDv2_CL",
44+
"lastDataReceivedQuery": "CiscoETDv2_CL\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)"
45+
}
46+
],
47+
"connectivityCriteria": [
48+
{
49+
"type": "HasDataConnectors",
50+
"value": []
51+
}
52+
],
53+
"availability": {
54+
"isPreview": false
55+
},
56+
"permissions": {
57+
"resourceProvider": [
58+
{
59+
"provider": "Microsoft.OperationalInsights/workspaces",
60+
"permissionsDisplayText": "Read and Write permissions are required.",
61+
"providerDisplayName": "Workspace",
62+
"scope": "Workspace",
63+
"requiredPermissions": {
64+
"write": true,
65+
"read": true,
66+
"delete": true
67+
}
68+
}
69+
],
70+
"customs": [
71+
{
72+
"name": "Cisco ETD API Credentials",
73+
"description": "Cisco ETD API credentials are required. Refer to the [Cisco ETD API Authentication documentation](https://developer.cisco.com/docs/message-search-api/authentication/) for more information."
74+
}
75+
]
76+
},
77+
"instructionSteps": [
78+
{
79+
"title": "Connect to Cisco ETD API",
80+
"description": "Provide your Cisco ETD API endpoint, Client ID, Client Secret, and API Key. These credentials can be obtained from your Cisco ETD administrator or through the Cisco ETD management console.",
81+
"instructions": [
82+
{
83+
"type": "Textbox",
84+
"parameters": {
85+
"label": "Base Endpoint URL",
86+
"placeholder": "https://api.us.etd.cisco.com",
87+
"type": "text",
88+
"name": "baseEndpoint",
89+
"validations": {
90+
"required": true
91+
}
92+
}
93+
},
94+
{
95+
"type": "Textbox",
96+
"parameters": {
97+
"label": "Client ID",
98+
"placeholder": "Enter OAuth2 Client ID",
99+
"type": "text",
100+
"name": "clientId",
101+
"validations": {
102+
"required": true
103+
}
104+
}
105+
},
106+
{
107+
"type": "Textbox",
108+
"parameters": {
109+
"label": "Client Secret",
110+
"placeholder": "Enter OAuth2 Client Secret",
111+
"type": "password",
112+
"name": "clientSecret",
113+
"validations": {
114+
"required": true
115+
}
116+
}
117+
},
118+
{
119+
"type": "Textbox",
120+
"parameters": {
121+
"label": "API Key",
122+
"placeholder": "Enter Cisco ETD API Key",
123+
"type": "password",
124+
"name": "apiKey",
125+
"validations": {
126+
"required": true
127+
}
128+
}
129+
},
130+
{
131+
"parameters": {
132+
"label": "Connect",
133+
"name": "toggle"
134+
},
135+
"type": "ConnectionToggleButton"
136+
}
137+
]
138+
}
139+
]
140+
}
141+
}
142+
}

Solutions/Cisco ETD/Data/Solution_CiscoETD.json

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -4,13 +4,14 @@
44
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/cisco-logo-72px.svg\" width=\"75px\" height=\"75px\">",
55
"Description": "Cisco ETD Solution for Microsoft Microsoft Sentinel makes it easy to connect cisco email threat data to the Microsoft Sentinel, improving visibility into email threats.",
66
"Data Connectors": [
7-
"Data Connectors/CiscoETD_API_FunctionApp.json"
7+
"Data Connectors/CiscoETD_API_FunctionApp.json",
8+
"Data Connectors/CiscoETD_ccp/CiscoETD_connectorDefinition.json"
89
],
910
"Workbooks": [
1011
"Workbooks/CiscoETD.json"
1112
],
1213
"BasePath": "c:\\GitHub\\Azure-Sentinel\\Solutions\\Cisco ETD",
13-
"Version": "3.0.0",
14+
"Version": "3.0.1",
1415
"Metadata": "SolutionMetadata.json",
1516
"TemplateSpec": true,
1617
"Is1Pconnector": false
12.5 KB
Binary file not shown.

Solutions/Cisco ETD/Package/createUiDefinition.json

Lines changed: 8 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,7 @@
66
"config": {
77
"isWizard": false,
88
"basics": {
9-
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/cisco-logo-72px.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Cisco%20ETD/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nCisco ETD Solution for Microsoft Microsoft Sentinel makes it easy to connect cisco email threat data to the Microsoft Sentinel, improving visibility into email threats.\n\n**Data Connectors:** 1, **Workbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
9+
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/cisco-logo-72px.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Cisco%20ETD/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nCisco ETD Solution for Microsoft Microsoft Sentinel makes it easy to connect cisco email threat data to the Microsoft Sentinel, improving visibility into email threats.\n\n**Data Connectors:** 2, **Workbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
1010
"subscription": {
1111
"resourceProviders": [
1212
"Microsoft.OperationsManagement/solutions",
@@ -63,6 +63,13 @@
6363
"text": "This Solution installs the data connector for Cisco ETD. You can get Cisco ETD custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
6464
}
6565
},
66+
{
67+
"name": "dataconnectors2-text",
68+
"type": "Microsoft.Common.TextBlock",
69+
"options": {
70+
"text": "This Solution installs the data connector for Cisco Email Threat Defense (ETD). You can get Cisco Email Threat Defense (ETD) data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
71+
}
72+
},
6673
{
6774
"name": "dataconnectors-link2",
6875
"type": "Microsoft.Common.TextBlock",

0 commit comments

Comments
 (0)