Adding Cribl to Microsoft Azure Solutions Repo

[amiracle]

Change(s):

Cribl Steam Solution added
Added a new folder named "Cribl" in the "Solutions" directory
Created a new Cribl sample files in the Samples Folder
Added Cribl-Logo.svg to "Logos" directory
Reasons for Change(s):
Cribl Stream Solution being added into the Microsoft Azure Sentinel repository.
Version 1.0.0 Added.
Tested and validated Solution file with preview function in Sentinel.

@microsoft-github-policy-service agree [company=“Cribl"]
@microsoft-github-policy-service agree

[amiracle]

Updated Files to pass the validation.

[amiracle]

Changes Made:
Corrected Sample files added them into a JSON array
Repaired the mainTemplate.json and createUiDefinition.json to work with validation
Updated Solution_Cribl.json
Added files to 1.0.0.zip file
Updated Parsers and updated their names.
Updated SolutionMetadata.json

[amiracle]

updated the parser file with the fix to the query field. updated image svg file.

[amiracle]

Updated Solutions under Data Connectors and SolutionMetadta.

[v-prasadboke]

Hello @amiracle,

• Please add graph queries to the Data connector.

• Add id property to the parsers

• Also check on Solution metadata's Domain.

Refer this Solution for more clarification.
https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Akamai%20Security%20Events

[amiracle]

Updates

[amiracle]

Validated updates to the solution and made changes to be compliant with solution validations.

[v-prasadboke]

Hello @amiracle, Please create custom table schema named as CriblInternal_CL and CriblInternal at location
https://github.com/Azure/Azure-Sentinel/tree/master/.script/tests/KqlvalidationsTests/CustomTables

[v-prasadboke]

Is this Data connector needed. We already have 1 data connector in solution folder.

[amiracle]

This data connector was going to be used to connect third party data into Microsoft Sentinel similar to what the syslog connector is doing. The Connector in the Cribl Solution folder is specifically for the data generated by the Cribl Stream solution.

[v-prasadboke]

Hello @amiracle, we are waiting for your reply

[v-prasadboke]

Hello @amiracle, Can you please work on the above requested changes.

[amiracle]

Hello @amiracle,

• Please add graph queries to the Data connector.
• Add id property to the parsers
• Also check on Solution metadata's Domain.

Refer this Solution for more clarification. https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Akamai%20Security%20Events

This has been completed.

• The graph queries have been added to the Data connector.
• Id's have been added to the parsers.
• The Solution domain of Security - Other has been added.

[amiracle]

Hello @amiracle, Please create custom table schema named as CriblInternal_CL and CriblInternal at location https://github.com/Azure/Azure-Sentinel/tree/master/.script/tests/KqlvalidationsTests/CustomTables

All of the custom tables have been added to the repo:

• CriblAccess_CL
• CriblAudit_CL
• CriblInternal_CL
• CriblUIAccess_CL

[amiracle]

@v-prasadboke - I'm trying to decipher the error messages as to why my code is not passing validation. Can you please explain the error codes so that I can properly address them and get this solution added to the repo?

[v-prasadboke]

Hello @amiracle, Can we get on a call for this.
Please share your time zone and availability so that we can plan for the same.

You can ping me on teams too if needed - [email protected]

[v-prasadboke]

reference for parser : https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Snowflake/Parsers/Snowflake.yaml

V3 tool : C:\GitHub\Azure-Sentinel\Tools\Create-Azure-Sentinel-Solution\V3