Contrast-Security-OSS
diff --git a/‎Logos/SOCPrime_Logo.svg‎
Lines changed: 21 additions & 0 deletions b/‎Logos/SOCPrime_Logo.svg‎
Lines changed: 21 additions & 0 deletions
diff --git a/‎Solutions/SOC Prime CCF/Data Connectors/SOCPrime_ccp/SOCPrime_DCR.json‎
Lines changed: 64 additions & 0 deletions b/‎Solutions/SOC Prime CCF/Data Connectors/SOCPrime_ccp/SOCPrime_DCR.json‎
Lines changed: 64 additions & 0 deletions
@@ -0,0 +1,64 @@
+{
+    "name": "SOCPrimeLogsDCR",
+    "apiVersion": "2021-09-01-preview",
+    "type": "Microsoft.Insights/dataCollectionRules",
+    "location": "{{location}}",
+    "kind": null,
+    "properties": {
+        "streamDeclarations": {
+            "Custom-SOCPrimeAuditLogsStreamAgent": {
+                "columns": [
+                    {
+                        "name": "timestamp",
+                        "type": "datetime"
+                    },
+                    {
+                        "name": "event_name",
+                        "type": "string"
+                    },
+                    {
+                        "name": "user_email",
+                        "type": "string"
+                    },
+                    {
+                        "name": "user_name",
+                        "type": "string"
+                    },
+                    {
+                        "name": "event_page",
+                        "type": "string"
+                    },
+                    {
+                        "name": "source_ip",
+                        "type": "string"
+                    },
+                    {
+                        "name": "user_agent",
+                        "type": "string"
+                    }
+                ]
+            }
+        },
+        "destinations": {
+            "logAnalytics": [
+                {
+                    "workspaceResourceId": "[variables('workspaceResourceId')]",
+                    "name": "clv2ws1"
+                }
+            ]
+        },
+        "dataFlows": [
+            {
+                "streams": [
+                    "Custom-SOCPrimeAuditLogsStreamAgent"
+                ],
+                "destinations": [
+                    "clv2ws1"
+                ],
+                "transformKql": "source | extend EventType = 'event'| extend EventVendor = 'SOC Prime' | extend EventProduct = 'TDM Audit Logs'| project TimeGenerated = timestamp, EventName = event_name, UserName=user_name, HttpUserAgent = user_agent, Uri=event_page, UserEmail=user_email, SourceIp=source_ip",
+                "outputStream": "Custom-SOCPrimeAuditLogs_CL"
+            }
+        ],
+        "dataCollectionEndpointId": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]"
+    }
+}