diff --git a/Solutions/BitSight/Data Connectors/BitSightDataConnector/BitSight_API_FunctionApp.json b/Solutions/BitSight/Data Connectors/BitSightDataConnector/BitSight_API_FunctionApp.json
index 758b02030db..541e7ca8c14 100644
--- a/Solutions/BitSight/Data Connectors/BitSightDataConnector/BitSight_API_FunctionApp.json
+++ b/Solutions/BitSight/Data Connectors/BitSightDataConnector/BitSight_API_FunctionApp.json
@@ -2,7 +2,7 @@
 "id": "BitSight",
 "title": "Bitsight data connector",
 "publisher": "BitSight Technologies, Inc.",
- "descriptionMarkdown": "The [BitSight](https://www.BitSight.com/) Data Connector supports evidence-based cyber risk monitoring by bringing BitSight data in Microsoft Sentinel.",
+ "descriptionMarkdown": "The [BitSight](https://www.BitSight.com/) Data Connector supports evidence-based cyber risk monitoring by bringing BitSight data into Microsoft Sentinel using the [Logs Ingestion API](https://learn.microsoft.com/azure/azure-monitor/logs/logs-ingestion-api-overview).",
 "graphQueries": [
 {
 "metricName": "Total Alerts data received",
@@ -236,30 +236,27 @@
 "read": true,
 "delete": true
 }
+ }
+ ],
+ "customs": [
+ {
+ "name": "Microsoft.Web/sites permissions",
+ "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)."
 },
 {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
+ "name": "Permission to assign a role to the registered application",
+ "description": "Permission to assign a role to the registered application in Microsoft Entra ID is required."
+ },
+ {
+ "name": "REST API Credentials/permissions",
+ "description": "BitSight API Token is required. See the documentation to [learn more](https://help.bitsighttech.com/hc/en-us/articles/115014888388-API-Token-Management) about API Token."
 }
- ],
- "customs": [{
- "name": "Microsoft.Web/sites permissions",
- "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)."
- },
- {
- "name": "REST API Credentials/permissions",
- "description": "BitSight API Token is required. See the documentation to [learn more](https://help.bitsighttech.com/hc/en-us/articles/115014888388-API-Token-Management) about API Token."
- }
 ]
 },
- "instructionSteps": [{
+ "instructionSteps": [
+ {
 "title": "",
- "description": ">**NOTE:** This connector uses Azure Functions to connect to the BitSight API to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details."
+ "description": ">**NOTE:** This connector uses Azure Functions to connect to the BitSight API to pull its logs into Microsoft Sentinel using the Logs Ingestion API (DCR). This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details."
 },
 {
 "title": "",
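Review bot: The new `customs` entry "Permission to assign a role to the registered application" does not say which role is assigned or at what scope, so a deployer cannot tell how much privilege the connector's app registration ends up holding. Role assignment is normally an Azure RBAC operation on a resource scope rather than an Entra ID permission, so the entry would read more precisely as `"description": "Permission to create an Azure RBAC role assignment for the registered Microsoft Entra application is required (role: <ROLE_NAME>, scope: <SCOPE>)."`, with both placeholders filled from the ARM template, which is not visible in this hunk. Naming the role also lets a reviewer confirm that the app receives only what ingestion through the data collection rule needs, now that the workspace shared-key permission is removed.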
@@ -287,30 +284,11 @@
 },
 {
 "title": "",
- "description": "**STEP 6 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the BitSight data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following) readily available.., as well as the BitSight API Token.",
- "instructions": [{
- "parameters": {
- "fillWith": [
- "WorkspaceId"
- ],
- "label": "Workspace ID"
- },
- "type": "CopyableLabel"
- },
- {
- "parameters": {
- "fillWith": [
- "PrimaryKey"
- ],
- "label": "Primary Key"
- },
- "type": "CopyableLabel"
- }
- ]
+ "description": "**STEP 6 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the BitSight data connector, have the BitSight API Token and Azure credentials (Client ID, Client Secret, Tenant ID, Object ID) readily available."
 },
 {
 "title": "Option 1 - Azure Resource Manager (ARM) Template",
- "description": "Use this method for automated deployment of the BitSight connector.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[](https://aka.ms/sentinel-BitSight-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the below information : \n\n\t a. **FunctionName** - Name of the Azure Function App to be created. Default is BitSight. \n\n\t b. **API_token** - Enter API Token of your BitSight account. \n\n\t c. **Azure_Client_Id** - Enter Azure Client Id that you have created during app registration. \n\n\t d. **Azure_Client_Secret** - Enter Azure Client Secret that you have created during creating the client secret. \n\n\t e. **Azure_Tenant_Id** - Enter Azure Tenant Id of your Microsoft Entra ID. \n\n\t f. **Azure_Entra_Object_Id** - Enter Object id of your Microsoft Entra App. \n\n\t g. **Companies** - Please add valid company names separated by asterisk(*). For example: Actors Films*Goliath Investments LLC*HCL Group*Saperix, Inc. \n\n\t h. **Location** - The location in which the data collection rules and data collection endpoints should be deployed. \n\n\t i. **WorkspaceName** - Log analytics workspace name. Can be found under Log analytics \"Settings\". \n\n\t j. **Portfolio_Companies_Table_Name** - Name of the table to store portfolio companies. Default is BitsightPortfolio_Companies. Please do not keep this field as empty else you will get validation error. \n\n\t k. **Alerts_Table_Name** - Name of the table to store alerts. Default is BitsightAlerts_data. Please do not keep this field as empty else you will get validation error. \n\n\t l. **Breaches_Table_Name** - Name of the table to store breaches. Default is BitsightBreaches_data. Please do not keep this field as empty else you will get validation error. \n\n\t m. **Company_Table_Name** - Name of the table to store company details. Default is BitsightCompany_details. Please do not keep this field as empty else you will get validation error. \n\n\t n. **Company_Rating_Details_Table_Name** - Name of the table to store company rating details. Default is BitsightCompany_rating_details. Please do not keep this field as empty else you will get validation error. \n\n\t o. **Diligence_Historical_Statistics_Table_Name** - Name of the table to store diligence historical statistics. Default is BitsightDiligence_historical_statistics. Please do not keep this field as empty else you will get validation error. \n\n\t p. **Diligence_Statistics_Table_Name** - Name of the table to store diligence statistics. Default is BitsightDiligence_statistics. Please do not keep this field as empty else you will get validation error. \n\n\t q. **Findings_Summary_Table_Name** - Name of the table to store findings summary. Default is BitsightFindings_summary. Please do not keep this field as empty else you will get validation error. \n\n\t r. **Findings_Table_Name** - Name of the table to store findings data. Default is BitsightFindings_data. Please do not keep this field as empty else you will get validation error. \n\n\t s. **Graph_Table_Name** - Name of the table to store graph data. Default is BitsightGraph_data. Please do not keep this field as empty else you will get validation error. \n\n\t t. **Industrial_Statistics_Table_Name** - Name of the table to store industrial statistics. Default is BitsightIndustrial_statistics. Please do not keep this field as empty else you will get validation error. \n\n\t u. **Observation_Statistics_Table_Name** - Name of the table to store observation statistics. Default is BitsightObservation_statistics. Please do not keep this field as empty else you will get validation error. \n\n\t v. **LogLevel** - Select log level or log severity value from DEBUG, INFO, ERROR. By default it is set to INFO. \n\n\t w. **Schedule** - Please enter a valid Quartz cron-expression. (Example: 0 0 * * * *). \n\n\t x. **Schedule_Portfolio** - Please enter a valid Quartz cron-expression. (Example: 0 */30 * * * *). \n\n\t y. **AppInsightsWorkspaceResourceID** - Use 'Log Analytic Workspace-->Properties' blade having 'Resource ID' property value. This is a fully qualified resourceId which is in format '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}'. \n4. Once all application settings have been entered, click **Review + create** to deploy.."
+ "description": "Use this method for automated deployment of the BitSight connector.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[](https://aka.ms/sentinel-BitSight-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the below information : \n\n\t a. **FunctionName** - Name of the Azure Function App to be created. Default is BitSight. \n\n\t b. **API_token** - Enter API Token of your BitSight account. \n\n\t c. **Azure_Client_Id** - Enter Azure Client Id that you have created during app registration. \n\n\t d. **Azure_Client_Secret** - Enter Azure Client Secret that you have created during creating the client secret. \n\n\t e. **Azure_Tenant_Id** - Enter Azure Tenant Id of your Microsoft Entra ID. \n\n\t f. **Azure_Entra_Object_Id** - Enter Object id of your Microsoft Entra App. \n\n\t g. **Companies** - Please add valid company names separated by asterisk(*). For example: Actors Films*Goliath Investments LLC*HCL Group*Saperix, Inc. \n\n\t h. **Location** - The location in which the data collection rules and data collection endpoints should be deployed. \n\n\t i. **WorkspaceName** - Log analytics workspace name. Can be found under Log analytics \"Settings\". \n\n\t j. **Portfolio_Companies_Table_Name** - Name of the table to store portfolio companies. Default is BitsightPortfolio_Companies. Please do not keep this field as empty else you will get validation error. \n\n\t k. **Alerts_Table_Name** - Name of the table to store alerts. Default is BitsightAlerts_data. Please do not keep this field as empty else you will get validation error. \n\n\t l. **Breaches_Table_Name** - Name of the table to store breaches. Default is BitsightBreaches_data. Please do not keep this field as empty else you will get validation error. \n\n\t m. **Company_Table_Name** - Name of the table to store company details. Default is BitsightCompany_details. Please do not keep this field as empty else you will get validation error. \n\n\t n. **Company_Rating_Details_Table_Name** - Name of the table to store company rating details. Default is BitsightCompany_rating_details. Please do not keep this field as empty else you will get validation error. \n\n\t o. **Diligence_Historical_Statistics_Table_Name** - Name of the table to store diligence historical statistics. Default is BitsightDiligence_historical_statistics. Please do not keep this field as empty else you will get validation error. \n\n\t p. **Diligence_Statistics_Table_Name** - Name of the table to store diligence statistics. Default is BitsightDiligence_statistics. Please do not keep this field as empty else you will get validation error. \n\n\t q. **Findings_Summary_Table_Name** - Name of the table to store findings summary. Default is BitsightFindings_summary. Please do not keep this field as empty else you will get validation error. \n\n\t r. **Findings_Table_Name** - Name of the table to store findings data. Default is BitsightFindings_data. Please do not keep this field as empty else you will get validation error. \n\n\t s. **Graph_Table_Name** - Name of the table to store graph data. Default is BitsightGraph_data. Please do not keep this field as empty else you will get validation error. \n\n\t t. **Industrial_Statistics_Table_Name** - Name of the table to store industrial statistics. Default is BitsightIndustrial_statistics. Please do not keep this field as empty else you will get validation error. \n\n\t u. **Observation_Statistics_Table_Name** - Name of the table to store observation statistics. Default is BitsightObservation_statistics. Please do not keep this field as empty else you will get validation error. \n\n\t v. **LogLevel** - Select log level or log severity value from DEBUG, INFO, ERROR. By default it is set to INFO. \n\n\t w. **Schedule** - Please enter a valid Quartz cron-expression. (Example: 0 0 * * * *). \n\n\t x. **Schedule_Portfolio** - Please enter a valid Quartz cron-expression. (Example: 0 */30 * * * *). \n\n\t y. **AppInsightsWorkspaceResourceID** - Use 'Log Analytic Workspace-->Properties' blade having 'Resource ID' property value. This is a fully qualified resourceId which is in format '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}'. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Review + Create** and then **Create** to deploy."
 },
 {
 "title": "Option 2 - Manual Deployment of Azure Functions",
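Review bot: Nothing on the new side says how the credentials are stored after deployment, although the rewritten STEP 6 text asks the operator to have the Client Secret and BitSight API Token at hand and the Option 1 list takes `Azure_Client_Secret` and `API_token` as deployment inputs. The ARM template is not visible here, so it may already cover this; if it does not, the description should say so, for example by appending `Store API_token and Azure_Client_Secret as Key Vault references rather than plain application settings, and rotate the client secret before it expires.` The same parameter list appears as unchanged context in the Option 2 "Configure the Function App" step (the `@@ -325,4 +303,4 @@` hunk), where the values are typed directly into **Application settings**, so the sentence applies there as well.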
@@ -325,4 +303,4 @@
 "description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following application settings individually, with their respective values (case-sensitive): \n\n\t a. **FunctionName** - Name of the Azure Function App to be created. Default is BitSight. \n\n\t b. **API_token** - Enter API Token of your BitSight account. \n\n\t c. **Azure_Client_Id** - Enter Azure Client Id that you have created during app registration. \n\n\t d. **Azure_Client_Secret** - Enter Azure Client Secret that you have created during creating the client secret. \n\n\t e. **Azure_Tenant_Id** - Enter Azure Tenant Id of your Microsoft Entra ID. \n\n\t f. **Azure_Entra_Object_Id** - Enter Object id of your Microsoft Entra App. \n\n\t g. **Companies** - Please add valid company names separated by asterisk(*). For example: Actors Films*Goliath Investments LLC*HCL Group*Saperix, Inc. \n\n\t h. **Location** - The location in which the data collection rules and data collection endpoints should be deployed. \n\n\t i. **WorkspaceName** - Log analytics workspace name. Can be found under Log analytics \"Settings\". \n\n\t j. **Portfolio_Companies_Table_Name** - Name of the table to store portfolio companies. Default is BitsightPortfolio_Companies. Please do not keep this field as empty else you will get validation error. \n\n\t k. **Alerts_Table_Name** - Name of the table to store alerts. Default is BitsightAlerts_data. Please do not keep this field as empty else you will get validation error. \n\n\t l. **Breaches_Table_Name** - Name of the table to store breaches. Default is BitsightBreaches_data. Please do not keep this field as empty else you will get validation error. \n\n\t m. **Company_Table_Name** - Name of the table to store company details. Default is BitsightCompany_details. Please do not keep this field as empty else you will get validation error. \n\n\t n. **Company_Rating_Details_Table_Name** - Name of the table to store company rating details. Default is BitsightCompany_rating_details. Please do not keep this field as empty else you will get validation error. \n\n\t o. **Diligence_Historical_Statistics_Table_Name** - Name of the table to store diligence historical statistics. Default is BitsightDiligence_historical_statistics. Please do not keep this field as empty else you will get validation error. \n\n\t p. **Diligence_Statistics_Table_Name** - Name of the table to store diligence statistics. Default is BitsightDiligence_statistics. Please do not keep this field as empty else you will get validation error. \n\n\t q. **Findings_Summary_Table_Name** - Name of the table to store findings summary. Default is BitsightFindings_summary. Please do not keep this field as empty else you will get validation error. \n\n\t r. **Findings_Table_Name** - Name of the table to store findings data. Default is BitsightFindings_data. Please do not keep this field as empty else you will get validation error. \n\n\t s. **Graph_Table_Name** - Name of the table to store graph data. Default is BitsightGraph_data. Please do not keep this field as empty else you will get validation error. \n\n\t t. **Industrial_Statistics_Table_Name** - Name of the table to store industrial statistics. Default is BitsightIndustrial_statistics. Please do not keep this field as empty else you will get validation error. \n\n\t u. **Observation_Statistics_Table_Name** - Name of the table to store observation statistics. Default is BitsightObservation_statistics. Please do not keep this field as empty else you will get validation error. \n\n\t v. **LogLevel** - Select log level or log severity value from DEBUG, INFO, ERROR. By default it is set to INFO. \n\n\t w. **Schedule** - Please enter a valid Quartz cron-expression. (Example: 0 0 * * * *). \n\n\t x. **Schedule_Portfolio** - Please enter a valid Quartz cron-expression. (Example: 0 */30 * * * *). \n\n\t y. **AppInsightsWorkspaceResourceID** - Use 'Log Analytic Workspace-->Properties' blade having 'Resource ID' property value. This is a fully qualified resourceId which is in format '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}'. \n4. Once all application settings have been entered, click **Save**."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/Solutions/BitSight/Package/3.2.0.zip b/Solutions/BitSight/Package/3.2.0.zip
index 19d3c5cfc6d..b9338a34e32 100644
Binary files a/Solutions/BitSight/Package/3.2.0.zip and b/Solutions/BitSight/Package/3.2.0.zip differ
diff --git a/Solutions/BitSight/Package/mainTemplate.json b/Solutions/BitSight/Package/mainTemplate.json
index ded00b2cd71..8e1e9f8afc0 100644
--- a/Solutions/BitSight/Package/mainTemplate.json
+++ b/Solutions/BitSight/Package/mainTemplate.json
@@ -1,8362 +1,8312 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "author": "Microsoft - support@microsoft.com", - "comments": "Solution template for BitSight" - }, - "parameters": { - "location": { - "type": "string", - "minLength": 1, - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" - } - }, - "workspace-location": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" - } - }, - "workspace": { - "defaultValue": "", - "type": "string", - "metadata": { - "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" - } - }, - "workbook1-name": { - "type": "string", - "defaultValue": "BitSight", - "minLength": 1, - "metadata": { - "description": "Name for the workbook" - } - }, - "resourceGroupName": { - "type": "string", - "defaultValue": "[resourceGroup().name]", - "metadata": { - "description": "resource group name where Microsoft Sentinel is setup" - } - }, - "subscription": { - "type": "string", - "defaultValue": "[last(split(subscription().id, '/'))]", - "metadata": { - "description": "subscription id where Microsoft Sentinel is setup" - } - } - }, - "variables": { - "email": "support@microsoft.com", - "_email": "[variables('email')]", - "_solutionName": "BitSight", - "_solutionVersion": "3.2.0", - "solutionId": "bitsight_technologies_inc.bitsight_sentinel", - "_solutionId": "[variables('solutionId')]", - "workbookVersion1": "1.0.0", - "workbookContentId1": "BitSightWorkbook", - "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]", - "workbookTemplateSpecName1": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]", - "_workbookContentId1": "[variables('workbookContentId1')]", - "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", - "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]", - "analyticRuleObject1": { - "analyticRuleVersion1": "1.0.2", - "_analyticRulecontentId1": "d8844f11-3a36-4b97-9062-1e6d57c00e37", - "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'd8844f11-3a36-4b97-9062-1e6d57c00e37')]", - "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('d8844f11-3a36-4b97-9062-1e6d57c00e37')))]", - "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','d8844f11-3a36-4b97-9062-1e6d57c00e37','-', '1.0.2')))]" - }, - "analyticRuleObject2": { - "analyticRuleVersion2": "1.0.1", - "_analyticRulecontentId2": "a1275c5e-0ff4-4d15-a7b7-96018cd979f5", - "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'a1275c5e-0ff4-4d15-a7b7-96018cd979f5')]", - "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('a1275c5e-0ff4-4d15-a7b7-96018cd979f5')))]", - "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','a1275c5e-0ff4-4d15-a7b7-96018cd979f5','-', '1.0.1')))]" - }, - "analyticRuleObject3": { - "analyticRuleVersion3": "1.0.2", - "_analyticRulecontentId3": 
"d68b758a-b117-4cb8-8e1d-dcab5a4a2f21", - "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'd68b758a-b117-4cb8-8e1d-dcab5a4a2f21')]", - "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('d68b758a-b117-4cb8-8e1d-dcab5a4a2f21')))]", - "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','d68b758a-b117-4cb8-8e1d-dcab5a4a2f21','-', '1.0.2')))]" - }, - "analyticRuleObject4": { - "analyticRuleVersion4": "1.0.2", - "_analyticRulecontentId4": "161ed3ac-b242-4b13-8c6b-58716e5e9972", - "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '161ed3ac-b242-4b13-8c6b-58716e5e9972')]", - "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('161ed3ac-b242-4b13-8c6b-58716e5e9972')))]", - "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','161ed3ac-b242-4b13-8c6b-58716e5e9972','-', '1.0.2')))]" - }, - "analyticRuleObject5": { - "analyticRuleVersion5": "1.0.2", - "_analyticRulecontentId5": "b11fdc35-6368-4cc0-8128-52cd2e2cdda0", - "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'b11fdc35-6368-4cc0-8128-52cd2e2cdda0')]", - "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('b11fdc35-6368-4cc0-8128-52cd2e2cdda0')))]", - "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','b11fdc35-6368-4cc0-8128-52cd2e2cdda0','-', '1.0.2')))]" - }, - "analyticRuleObject6": { - "analyticRuleVersion6": "1.0.1", 
- "_analyticRulecontentId6": "a5526ba9-5997-47c6-bf2e-60a08b681e9b", - "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'a5526ba9-5997-47c6-bf2e-60a08b681e9b')]", - "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('a5526ba9-5997-47c6-bf2e-60a08b681e9b')))]", - "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','a5526ba9-5997-47c6-bf2e-60a08b681e9b','-', '1.0.1')))]" - }, - "parserObject1": { - "_parserName1": "[concat(parameters('workspace'),'/','BitSightAlerts')]", - "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'BitSightAlerts')]", - "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('BitSightAlerts-Parser')))]", - "parserVersion1": "1.1.0", - "parserContentId1": "BitSightAlerts-Parser" - }, - "parserObject2": { - "_parserName2": "[concat(parameters('workspace'),'/','BitSightBreaches')]", - "_parserId2": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'BitSightBreaches')]", - "parserTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('BitSightBreaches-Parser')))]", - "parserVersion2": "1.1.0", - "parserContentId2": "BitSightBreaches-Parser" - }, - "parserObject3": { - "_parserName3": "[concat(parameters('workspace'),'/','BitSightCompanyDetails')]", - "_parserId3": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'BitSightCompanyDetails')]", - "parserTemplateSpecName3": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('BitSightCompanyDetails-Parser')))]", - "parserVersion3": "1.1.0", - "parserContentId3": "BitSightCompanyDetails-Parser" - }, - "parserObject4": { - "_parserName4": "[concat(parameters('workspace'),'/','BitSightCompanyRatingDetails')]", - "_parserId4": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'BitSightCompanyRatingDetails')]", - "parserTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('BitSightCompanyRatingDetails-Parser')))]", - "parserVersion4": "1.0.0", - "parserContentId4": "BitSightCompanyRatingDetails-Parser" - }, - "parserObject5": { - "_parserName5": "[concat(parameters('workspace'),'/','BitSightCompanyRatings')]", - "_parserId5": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'BitSightCompanyRatings')]", - "parserTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('BitSightCompanyRatings-Parser')))]", - "parserVersion5": "1.1.0", - "parserContentId5": "BitSightCompanyRatings-Parser" - }, - "parserObject6": { - "_parserName6": "[concat(parameters('workspace'),'/','BitSightDiligenceHistoricalStatistics')]", - "_parserId6": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'BitSightDiligenceHistoricalStatistics')]", - "parserTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('BitSightDiligenceHistoricalStatistics-Parser')))]", - "parserVersion6": "1.1.0", - "parserContentId6": "BitSightDiligenceHistoricalStatistics-Parser" - }, - "parserObject7": { - "_parserName7": "[concat(parameters('workspace'),'/','BitSightDiligenceStatistics')]", - "_parserId7": 
"[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'BitSightDiligenceStatistics')]", - "parserTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('BitSightDiligenceStatistics-Parser')))]", - "parserVersion7": "1.1.0", - "parserContentId7": "BitSightDiligenceStatistics-Parser" - }, - "parserObject8": { - "_parserName8": "[concat(parameters('workspace'),'/','BitSightFindingsData')]", - "_parserId8": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'BitSightFindingsData')]", - "parserTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('BitSightFindingsData-Parser')))]", - "parserVersion8": "1.1.0", - "parserContentId8": "BitSightFindingsData-Parser" - }, - "parserObject9": { - "_parserName9": "[concat(parameters('workspace'),'/','BitSightFindingsSummary')]", - "_parserId9": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'BitSightFindingsSummary')]", - "parserTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('BitSightFindingsSummary-Parser')))]", - "parserVersion9": "1.1.0", - "parserContentId9": "BitSightFindingsSummary-Parser" - }, - "parserObject10": { - "_parserName10": "[concat(parameters('workspace'),'/','BitSightGraphData')]", - "_parserId10": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'BitSightGraphData')]", - "parserTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('BitSightGraphData-Parser')))]", - "parserVersion10": "1.1.0", - "parserContentId10": "BitSightGraphData-Parser" - }, - "parserObject11": { - "_parserName11": 
"[concat(parameters('workspace'),'/','BitSightIndustrialStatistics')]", - "_parserId11": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'BitSightIndustrialStatistics')]", - "parserTemplateSpecName11": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('BitSightIndustrialStatistics-Parser')))]", - "parserVersion11": "1.1.0", - "parserContentId11": "BitSightIndustrialStatistics-Parser" - }, - "parserObject12": { - "_parserName12": "[concat(parameters('workspace'),'/','BitSightObservationStatistics')]", - "_parserId12": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'BitSightObservationStatistics')]", - "parserTemplateSpecName12": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('BitSightObservationStatistics-Parser')))]", - "parserVersion12": "1.1.0", - "parserContentId12": "BitSightObservationStatistics-Parser" - }, - "parserObject13": { - "_parserName13": "[concat(parameters('workspace'),'/','BitSightVulnerabilitiesFindingsSummary')]", - "_parserId13": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'BitSightVulnerabilitiesFindingsSummary')]", - "parserTemplateSpecName13": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('BitSightVulnerabilitiesFindingsSummary-Parser')))]", - "parserVersion13": "1.0.0", - "parserContentId13": "BitSightVulnerabilitiesFindingsSummary-Parser" - }, - "uiConfigId1": "BitSight", - "_uiConfigId1": "[variables('uiConfigId1')]", - "dataConnectorContentId1": "BitSight", - "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", - "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 
'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "_dataConnectorId1": "[variables('dataConnectorId1')]", - "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", - "dataConnectorVersion1": "1.0.0", - "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", - "dataConnectorCCPVersion": "3.2.0", - "_dataConnectorContentIdConnectorDefinition2": "BitSightEventsConnector", - "dataConnectorTemplateNameConnectorDefinition2": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnectorDefinition2')))]", - "_dataConnectorContentIdConnections2": "BitSightEventsConnectorConnections", - "dataConnectorTemplateNameConnections2": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnections2')))]", - "dataCollectionEndpointId2": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]", - "blanks": "[replace('b', 'b', '')]", - "_dataConnectorContentIdConnectorDefinition3": "BitSightStatisticsConnector", - "dataConnectorTemplateNameConnectorDefinition3": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnectorDefinition3')))]", - "_dataConnectorContentIdConnections3": "BitSightStatisticsConnectorConnections", - "dataConnectorTemplateNameConnections3": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnections3')))]", - "dataCollectionEndpointId3": 
"[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]", - "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" - }, - "resources": [ - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('workbookTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "BitSightWorkbook Workbook with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('workbookVersion1')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.Insights/workbooks", - "name": "[variables('workbookContentId1')]", - "location": "[parameters('workspace-location')]", - "kind": "shared", - "apiVersion": "2021-08-01", - "metadata": { - "description": "Gain insights into BitSight data." 
- }, - "properties": { - "displayName": "[parameters('workbook1-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# My Company\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"df9ebd46-967c-445f-9328-d3538237ba3b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"company\",\"label\":\"Company Name\",\"type\":2,\"isRequired\":true,\"query\":\"BitSightCompanyDetails\\r\\n| distinct Name\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"Kati Communications, Inc.\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"0\",\"name\":\"parameters - 1\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"ae71f2b2-2245-4937-827e-20960f9ae3b8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Timer\",\"label\":\"Time Range\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":604800000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"0\",\"name\":\"parameters - 
0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let latest_Rating = toscalar(BitSightGraphData\\r\\n| where todatetime(RatingDate) {Timer} and CompanyName == '{company}'\\r\\n| distinct CompanyName, RatingDate, Rating\\r\\n| summarize High = max(Rating), Low = min(Rating), any(RatingDate, Rating)\\r\\n| order by any_RatingDate desc\\r\\n| project strcat_delim(\\\"-\\\",any_Rating, High, Low)\\r\\n| limit 1);\\r\\nBitSightCompanyDetails\\r\\n| where Name == '{company}'\\r\\n| sort by TimeGenerated\\r\\n| extend LatestRating = toint(todecimal(split(latest_Rating, \\\"-\\\")[0])), High = toint(todecimal(split(latest_Rating, \\\"-\\\")[1])), Low = toint(todecimal(split(latest_Rating, \\\"-\\\")[2]))\\r\\n| project-rename Name = Name, Subscription = SubscriptionType , Industry = Industry, [\\\"Customer Monitoring Count\\\"] = CustomerMonitoringCount, [\\\"Latest Rating\\\"] = LatestRating\\r\\n| project Name, [\\\"Latest Rating\\\"], High, Low, Industry, [\\\"Customer Monitoring Count\\\"]\\r\\n| limit 1\",\"size\":4,\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 3\",\"styleSettings\":{\"margin\":\"0px\",\"padding\":\"0px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BitSightGraphData\\r\\n| where todatetime(RatingDate) {Timer} and CompanyName == '{company}'\\r\\n| distinct CompanyName, RatingDate, Rating\\r\\n| project CompanyName, RatingDate, Rating\\r\\n| order by RatingDate asc\",\"size\":0,\"aggregation\":4,\"title\":\"Security Ratings Over Time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"chartSettings\":{\"xAxis\":\"RatingDate\",\"createOtherGroup\":0,\"showDataPoints\":true,\"ySettings\":{\"min\":300,\"max\":850}}},\"name\":\"query - 
4\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BitSightFindingsData\\r\\n| where todatetime(LastSeen) {Timer} and CompanyName == '{company}'\\r\\n| summarize count() by RiskVectorLabel\\r\\n| order by count_ desc\",\"size\":0,\"title\":\"Count of Observations by Risk Vector\",\"exportFieldName\":\"x\",\"exportParameterName\":\"SelectedRiskVectorLabel\",\"exportDefaultValue\":\"none\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"categoricalbar\",\"chartSettings\":{\"xAxis\":\"RiskVectorLabel\",\"createOtherGroup\":0,\"showLegend\":true}},\"name\":\"query - 5\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BitSightFindingsData\\r\\n| where todatetime(LastSeen) {Timer} and CompanyName == '{company}'\\r\\n| where RiskVectorLabel == '{SelectedRiskVectorLabel}'\\r\\n| project-away EventVendor, EventProduct\",\"size\":0,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"sortBy\":[{\"itemKey\":\"RemediationHistoryLastRefreshStatusDate\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"RemediationHistoryLastRefreshStatusDate\",\"sortOrder\":2}]},\"conditionalVisibility\":{\"parameterName\":\"SelectedRiskVectorLabel\",\"comparison\":\"isNotEqualTo\",\"value\":\"none\"},\"name\":\"query - 16\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BitSightFindingsData\\r\\n| where todatetime(LastSeen) {Timer} and CompanyName == '{company}' and RiskCategory == \\\"Compromised Systems\\\"\\r\\n| extend Date = format_datetime(todatetime(LastSeen), 'yyyy-MM')\\r\\n| summarize count() by RiskVectorLabel,Date\\r\\n| project Date, count_, RiskVectorLabel\\r\\n| order by Date asc\\r\\n\",\"size\":0,\"aggregation\":4,\"title\":\"Compromised Systems by Risk Vector Over 
Time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"Date\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"count_\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"xAxis\":\"Date\",\"yAxis\":[\"count_\"],\"group\":\"RiskVectorLabel\",\"showDataPoints\":true}},\"name\":\"query - 6\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BitSightFindingsData\\r\\n| where todatetime(LastSeen) {Timer} and CompanyName == '{company}' and RiskCategory == \\\"User Behavior\\\"\\r\\n| extend Date = format_datetime(todatetime(LastSeen), 'yyyy-MM')\\r\\n| summarize count() by RiskVectorLabel,Date\\r\\n| project Date, count_, RiskVectorLabel\\r\\n| order by Date asc\\r\\n\",\"size\":0,\"aggregation\":4,\"title\":\"User Behavior by Risk Vector Over Time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"chartSettings\":{\"xAxis\":\"Date\",\"yAxis\":[\"count_\"],\"group\":\"RiskVectorLabel\"}},\"name\":\"query - 15\"},{\"type\":1,\"content\":{\"json\":\"##### Diligence by Risk Vector Over Time\"},\"name\":\"text - 13\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"4d26ba1c-db98-437a-9a0c-63126f341afb\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Risk_Vector\",\"label\":\"Risk Vector\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"BitSightFindingsData\\r\\n| where todatetime(LastSeen) {Timer} and CompanyName == '{company}' and RiskCategory == \\\"Diligence\\\"\\r\\n| distinct 
RiskVectorLabel\\r\\n\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 12\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BitSightFindingsData\\r\\n| where todatetime(LastSeen) {Timer} and CompanyName == '{company}' and RiskCategory == \\\"Diligence\\\" and ('*' in ({Risk_Vector}) or RiskVectorLabel in ({Risk_Vector}))\\r\\n| extend Date = format_datetime(todatetime(LastSeen), 'yyyy-MM')\\r\\n| summarize count() by RiskVectorLabel,Date\\r\\n| project Date, count_, RiskVectorLabel\\r\\n| order by Date asc\\r\\n\",\"size\":0,\"aggregation\":4,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Date\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"xAxis\":\"Date\",\"yAxis\":[\"count_\"],\"group\":\"RiskVectorLabel\",\"createOtherGroup\":0,\"showDataPoints\":true}},\"name\":\"query - 14\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BitSightDiligenceHistoricalStatistics\\r\\n| where todatetime(Date) {Timer} and CompanyName == '{company}'\\r\\n| extend yyyy_mm = format_datetime(todatetime(Date), 'yyyy-MM')\\r\\n| summarize round(avg(Count),2) by yyyy_mm, Category\\r\\n| project Category, avg_Count, yyyy_mm = strcat(yyyy_mm,\\\" (Avg)\\\")\\r\\n| order by yyyy_mm asc, Category asc\\r\\n| limit 15\",\"size\":0,\"aggregation\":4,\"title\":\"Diligence Observations by 
Severity\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"unstackedbar\",\"chartSettings\":{\"xAxis\":\"yyyy_mm\",\"yAxis\":[\"avg_Count\"],\"group\":\"Category\"}},\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BitSightFindingsData\\r\\n| where todatetime(LastSeen) {Timer} and CompanyName == '{company}' and RiskCategory == \\\"Compromised Systems\\\" and RiskVectorLabel == \\\"Botnet Infections\\\"\\r\\n| extend d=parse_json(Details) \\r\\n| mv-expand asset = todynamic(Assets)\\r\\n| project Infection = dynamic_to_json(d[0].infection.family), [\\\"Detection Method\\\"] = dynamic_to_json(d[0].detection_method), [\\\"Last Seen\\\"] = column_ifexists(\\\"LastSeen\\\",\\\"\\\"), Asset = dynamic_to_json(asset.asset)\\r\\n| distinct Infection, [\\\"Detection Method\\\"], Asset, [\\\"Last Seen\\\"]\\r\\n| order by [\\\"Last Seen\\\"] desc\",\"size\":0,\"title\":\"Infections\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 7\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"##### Vulnerabilities\"},\"name\":\"text - 11\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"c7ff4374-c346-4c43-9354-8936687c2704\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Severity\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"BitSightFindingsSummary\\r\\n| where todatetime(StartDate) {Timer} and Company == '{company}'\\r\\n| extend Filter = case(toreal(Severity) <= 3.9 and toreal(Severity) >= 0.0, \\\"Minor\\\", \\r\\n toreal(Severity) <= 6.9 and toreal(Severity) >= 4.0, \\\"Moderate\\\",\\r\\n toreal(Severity) <= 8.9 and toreal(Severity) >= 7.0, \\\"Material\\\",\\r\\n toreal(Severity) <= 10.0 and toreal(Severity) >= 9.0, 
\\\"Severe\\\",\\r\\n \\\"\\\")\\r\\n| distinct Filter\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 10\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BitSightFindingsSummary\\r\\n| where todatetime(StartDate) {Timer} and Company == '{company}'\\r\\n| distinct Name, Severity, StartDate, EndDate, Description\\r\\n| extend [\\\"Severity Details\\\"] = case(toreal(Severity) <= 3.9 and toreal(Severity) >= 0.0, \\\"Minor\\\", \\r\\n toreal(Severity) <= 6.9 and toreal(Severity) >= 4.0, \\\"Moderate\\\",\\r\\n toreal(Severity) <= 8.9 and toreal(Severity) >= 7.0, \\\"Material\\\",\\r\\n toreal(Severity) <= 10.0 and toreal(Severity) >= 9.0, \\\"Severe\\\",\\r\\n \\\"\\\")\\r\\n| where ('*' in ({Severity}) or [\\\"Severity Details\\\"] in ({Severity}))\\r\\n| project-rename Name = Name, [\\\"Start Date\\\"] = StartDate, [\\\"End Date\\\"] = EndDate\\r\\n| project Name, [\\\"Severity Details\\\"], [\\\"Start Date\\\"], [\\\"End Date\\\"], Description\\r\\n\",\"size\":0,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 9\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"My Company\"}]},\"name\":\"Main\",\"styleSettings\":{\"showBorder\":true}}],\"fromTemplateId\":\"sentinel-BitSightWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", - "version": "1.0", - "sourceId": "[variables('workspaceResourceId')]", - "category": "sentinel" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]", - "properties": { - "description": "@{workbookKey=BitSightWorkbook; logoFileName=BitSight.svg; description=Gain insights into BitSight data.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=BitSight; templateRelativePath=BitSightWorkbook.json; subtitle=; provider=BitSight}.description", - "parentId": "[variables('workbookId1')]", - "contentId": "[variables('_workbookContentId1')]", - "kind": "Workbook", - "version": "[variables('workbookVersion1')]", - "source": { - "kind": "Solution", - "name": "BitSight", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "BitSight Support", - "email": "support@bitsight.com", - "tier": "Partner", - "link": "https://www.bitsight.com/customer-success-support" - }, - "dependencies": { - "operator": "AND", - "criteria": [ - { - "contentId": "Alerts_data_CL", - "kind": "DataType" - }, - { - "contentId": "BitsightBreaches_data_CL", - "kind": "DataType" - }, - { - "contentId": "BitsightCompany_details_CL", - "kind": "DataType" - }, - { - "contentId": "BitsightCompany_rating_details_CL", - "kind": "DataType" - }, - { - "contentId": "BitsightDiligence_historical_statistics_CL", - "kind": "DataType" - }, - { - "contentId": "BitsightDiligence_statistics_CL", - "kind": "DataType" - }, - { - "contentId": "BitsightFindings_summary_CL", - "kind": "DataType" - }, - { - "contentId": "BitsightFindings_data_CL", - "kind": "DataType" - }, - { - "contentId": "BitsightGraph_data_CL", - "kind": "DataType" - }, - { - "contentId": "BitsightIndustrial_statistics_CL", - "kind": "DataType" - }, - { - "contentId": "BitsightObservation_statistics_CL", - "kind": "DataType" - }, - { - "contentId": "BitSightDatConnector", - "kind": 
"DataConnector" - } - ] - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_workbookContentId1')]", - "contentKind": "Workbook", - "displayName": "[parameters('workbook1-name')]", - "contentProductId": "[variables('_workbookcontentProductId1')]", - "id": "[variables('_workbookcontentProductId1')]", - "version": "[variables('workbookVersion1')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject1').analyticRuleTemplateSpecName1]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "BitSightDropInCompanyRatings_AnalyticalRules Analytics Rule with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject1')._analyticRulecontentId1]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Rule helps to detect when there is a drop of 10% or more in BitSight company ratings.", - "displayName": "BitSight - drop in company ratings", - "enabled": false, - "query": "let timeframe = 24h;\nBitSightGraphData\n| where ingestion_time() > ago(timeframe)and toint(RatingDifferance) < 0\n| extend percentage = 
-(toreal(RatingDifferance)/toreal(Rating))*100\n| where percentage >= 10\n| project RatingDate, Rating, CompanyName, percentage\n", - "queryFrequency": "P1D", - "queryPeriod": "PT24H", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "dataTypes": [ - "BitSightGraphData" - ], - "connectorId": "BitSight" - } - ], - "tactics": [ - "Reconnaissance", - "CommandAndControl" - ], - "techniques": [ - "T1591", - "T1090" - ], - "eventGroupingSettings": { - "aggregationKind": "AlertPerResult" - }, - "customDetails": { - "CompanyName": "CompanyName", - "CompanyRating": "Rating" - }, - "alertDetailsOverride": { - "alertDisplayNameFormat": "BitSight : Alert for >10% drop in ratings of {{CompanyName}}.", - "alertDescriptionFormat": "Alert is generated for {{CompanyName}}.\\n\\nRating Date: {{RatingDate}}\\nPercentage Drop: {{percentage}}%" - }, - "incidentConfiguration": { - "createIncident": false - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject1').analyticRuleId1,'/'))))]", - "properties": { - "description": "BitSight Analytics Rule 1", - "parentId": "[variables('analyticRuleObject1').analyticRuleId1]", - "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject1').analyticRuleVersion1]", - "source": { - "kind": "Solution", - "name": "BitSight", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "BitSight Support", - "email": "support@bitsight.com", - "tier": "Partner", - "link": 
"https://www.bitsight.com/customer-success-support" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", - "contentKind": "AnalyticsRule", - "displayName": "BitSight - drop in company ratings", - "contentProductId": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", - "id": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", - "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject2').analyticRuleTemplateSpecName2]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "BitSightNewAlertFound_AnalyticalRules Analytics Rule with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject2')._analyticRulecontentId2]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Rule helps to detect a new alerts generated in BitSight.", - "displayName": "BitSight - new alert found", - "enabled": false, - "query": "let timeframe = 24h;\nBitSightAlerts\n| where 
ingestion_time() > ago(timeframe)\n| extend Severity = case( Severity contains \"INCREASE\", \"Low\",\n Severity contains \"WARN\" or Severity contains \"DECREASE\", \"Medium\",\n Severity contains \"CRITICAL\", \"High\",\n \"Informational\")\n| extend CompanyURL = strcat(\"https://service.bitsighttech.com/app/spm\",CompanyURL)\n| project CompanyName, Severity, Trigger, CompanyURL, AlertDate, GUID\n", - "queryFrequency": "P1D", - "queryPeriod": "PT24H", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "dataTypes": [ - "BitSightAlerts" - ], - "connectorId": "BitSight" - } - ], - "tactics": [ - "Impact", - "InitialAccess" - ], - "techniques": [ - "T1491", - "T1190" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "CompanyURL", - "identifier": "Url" - } - ], - "entityType": "URL" - } - ], - "eventGroupingSettings": { - "aggregationKind": "AlertPerResult" - }, - "alertDetailsOverride": { - "alertSeverityColumnName": "Severity", - "alertDisplayNameFormat": "BitSight: Alert for {{Trigger}} in {{CompanyName}} from bitsight.", - "alertDescriptionFormat": "Alert generated on {{AlertDate}} in BitSight.\\n\\nCompany URL: {{CompanyURL}}\\nAlert GUID: {{GUID}}" - }, - "incidentConfiguration": { - "createIncident": false - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject2').analyticRuleId2,'/'))))]", - "properties": { - "description": "BitSight Analytics Rule 2", - "parentId": "[variables('analyticRuleObject2').analyticRuleId2]", - "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", - "kind": "AnalyticsRule", - "version": 
"[variables('analyticRuleObject2').analyticRuleVersion2]", - "source": { - "kind": "Solution", - "name": "BitSight", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "BitSight Support", - "email": "support@bitsight.com", - "tier": "Partner", - "link": "https://www.bitsight.com/customer-success-support" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", - "contentKind": "AnalyticsRule", - "displayName": "BitSight - new alert found", - "contentProductId": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", - "id": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", - "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject3').analyticRuleTemplateSpecName3]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "BitSightCompromisedSystemsDetected_AnalyticalRules Analytics Rule with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": 
"[variables('analyticRuleObject3')._analyticRulecontentId3]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Rule helps to detect whenever there is a compromised systems found in BitSight.", - "displayName": "BitSight - compromised systems detected", - "enabled": false, - "query": "let timeframe = 24h;\nBitSightFindingsData\n| where ingestion_time() > ago(timeframe)\n| where RiskCategory == \"Compromised Systems\"\n| extend Severity = toreal(Severity)\n| extend Severity = case( Severity <= 6.9 and Severity >= 4.0, \"Low\",\n Severity <= 8.9 and Severity >= 7.0, \"Medium\",\n Severity <= 10.0 and Severity >= 9.0, \"High\",\n \"Informational\")\n| project FirstSeen, CompanyName, Severity, RiskCategory, RiskVector, TemporaryId\n", - "queryFrequency": "P1D", - "queryPeriod": "PT24H", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "dataTypes": [ - "BitSightFindingsData" - ], - "connectorId": "BitSight" - } - ], - "tactics": [ - "Execution" - ], - "techniques": [ - "T1203" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "RiskVector", - "identifier": "Name" - }, - { - "columnName": "RiskCategory", - "identifier": "Category" - } - ], - "entityType": "Malware" - } - ], - "eventGroupingSettings": { - "aggregationKind": "AlertPerResult" - }, - "alertDetailsOverride": { - "alertSeverityColumnName": "Severity", - "alertDisplayNameFormat": "BitSight: Alert for {{RiskVector}} in {{CompanyName}} from BitSight", - "alertDescriptionFormat": "Alert is generated for {{CompanyName}}.\\n\\nRisk Vector: {{RiskVector}}\\nTemporaryId: {{TemporaryId}}\\nRisk Category: Compromised Systems" - }, - "incidentConfiguration": { - "createIncident": true - } - } - }, - { - "type": 
"Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject3').analyticRuleId3,'/'))))]", - "properties": { - "description": "BitSight Analytics Rule 3", - "parentId": "[variables('analyticRuleObject3').analyticRuleId3]", - "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject3').analyticRuleVersion3]", - "source": { - "kind": "Solution", - "name": "BitSight", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "BitSight Support", - "email": "support@bitsight.com", - "tier": "Partner", - "link": "https://www.bitsight.com/customer-success-support" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", - "contentKind": "AnalyticsRule", - "displayName": "BitSight - compromised systems detected", - "contentProductId": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]", - "id": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]", - "version": "[variables('analyticRuleObject3').analyticRuleVersion3]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject4').analyticRuleTemplateSpecName4]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 
variables('_solutionId'))]" - ], - "properties": { - "description": "BitSightDiligenceRiskCategoryDetected_AnalyticalRules Analytics Rule with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject4')._analyticRulecontentId4]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Rule helps to detect whenever there is a diligence risk category found in BitSight.", - "displayName": "BitSight - diligence risk category detected", - "enabled": false, - "query": "let timeframe = 24h;\nBitSightFindingsData\n| where ingestion_time() > ago(timeframe)\n| where RiskCategory == \"Diligence\"\n| extend Severity = toreal(Severity)\n| extend Severity = case( Severity <= 6.9 and Severity >= 4.0, \"Low\",\n Severity <= 8.9 and Severity >= 7.0, \"Medium\",\n Severity <= 10.0 and Severity >= 9.0, \"High\",\n \"Informational\")\n| project FirstSeen, CompanyName, Severity, RiskCategory, TemporaryId, RiskVector\n", - "queryFrequency": "P1D", - "queryPeriod": "PT24H", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "dataTypes": [ - "BitSightFindingsData" - ], - "connectorId": "BitSight" - } - ], - "tactics": [ - "Execution", - "Reconnaissance" - ], - "subTechniques": [ - "T1595.002" - ], - "techniques": [ - "T1203", - "T1595" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "RiskVector", - "identifier": "Name" - }, - { - "columnName": "RiskCategory", - "identifier": "Category" - } - ], - 
"entityType": "Malware" - } - ], - "eventGroupingSettings": { - "aggregationKind": "AlertPerResult" - }, - "alertDetailsOverride": { - "alertSeverityColumnName": "Severity", - "alertDisplayNameFormat": "BitSight: Alert for {{RiskVector}} in {{CompanyName}} from BitSight", - "alertDescriptionFormat": "Alert is generated for {{CompanyName}}.\\n\\nRisk Vector: {{RiskVector}}\\nTemporaryId: {{TemporaryId}}\\nRisk Category: Diligence" - }, - "incidentConfiguration": { - "createIncident": false - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject4').analyticRuleId4,'/'))))]", - "properties": { - "description": "BitSight Analytics Rule 4", - "parentId": "[variables('analyticRuleObject4').analyticRuleId4]", - "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject4').analyticRuleVersion4]", - "source": { - "kind": "Solution", - "name": "BitSight", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "BitSight Support", - "email": "support@bitsight.com", - "tier": "Partner", - "link": "https://www.bitsight.com/customer-success-support" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", - "contentKind": "AnalyticsRule", - "displayName": "BitSight - diligence risk category detected", - "contentProductId": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]", - "id": 
"[variables('analyticRuleObject4')._analyticRulecontentProductId4]", - "version": "[variables('analyticRuleObject4').analyticRuleVersion4]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject5').analyticRuleTemplateSpecName5]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "BitSightDropInHeadlineRating_AnalyticalRules Analytics Rule with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject5')._analyticRulecontentId5]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Rule helps to detect if headline ratings is drop in BitSight.", - "displayName": "BitSight - drop in the headline rating", - "enabled": false, - "query": "let timeframe = 24h;\nBitSightGraphData\n| where ingestion_time() > ago(timeframe)\n| where toint(RatingDifferance) < 0\n| project RatingDate, Rating, CompanyName, RatingDifferance\n", - "queryFrequency": "P1D", - "queryPeriod": "PT24H", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "dataTypes": [ - "BitSightGraphData" - ], - "connectorId": "BitSight" - } - ], - "tactics": [ - "Reconnaissance", - 
"CommandAndControl" - ], - "techniques": [ - "T1591", - "T1090" - ], - "eventGroupingSettings": { - "aggregationKind": "AlertPerResult" - }, - "customDetails": { - "CompanyName": "CompanyName", - "CompanyRating": "Rating" - }, - "alertDetailsOverride": { - "alertDisplayNameFormat": "BitSight : Alert for drop in the headline rating of {{CompanyName}}.", - "alertDescriptionFormat": "Alert is generated for {{CompanyName}}.\\n\\nRating Date: {{RatingDate}}\\nRating Drop: {{RatingDifferance}}" - }, - "incidentConfiguration": { - "createIncident": false - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject5').analyticRuleId5,'/'))))]", - "properties": { - "description": "BitSight Analytics Rule 5", - "parentId": "[variables('analyticRuleObject5').analyticRuleId5]", - "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject5').analyticRuleVersion5]", - "source": { - "kind": "Solution", - "name": "BitSight", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "BitSight Support", - "email": "support@bitsight.com", - "tier": "Partner", - "link": "https://www.bitsight.com/customer-success-support" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", - "contentKind": "AnalyticsRule", - "displayName": "BitSight - drop in the headline rating", - "contentProductId": 
"[variables('analyticRuleObject5')._analyticRulecontentProductId5]", - "id": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]", - "version": "[variables('analyticRuleObject5').analyticRuleVersion5]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject6').analyticRuleTemplateSpecName6]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "BitSightNewBreachFound_AnalyticalRules Analytics Rule with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject6')._analyticRulecontentId6]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Rule helps to detect a new breach generated in BitSight.", - "displayName": "BitSight - new breach found", - "enabled": false, - "query": "let timeframe = 24h;\nBitSightBreaches\n| where ingestion_time() > ago(timeframe)\n| extend Severity = toreal(Severity)\n| extend Severity = case( Severity == 1, \"Low\",\n Severity == 2, \"Medium\",\n Severity == 3, \"High\",\n \"Informational\")\n| project DateCreated, Companyname, Severity, PreviwURL, GUID\n", - "queryFrequency": "P1D", - "queryPeriod": "PT24H", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - 
"status": "Available", - "requiredDataConnectors": [ - { - "dataTypes": [ - "BitSightBreaches" - ], - "connectorId": "BitSight" - } - ], - "tactics": [ - "Impact", - "InitialAccess" - ], - "techniques": [ - "T1491", - "T1190" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "PreviwURL", - "identifier": "Url" - } - ], - "entityType": "URL" - } - ], - "eventGroupingSettings": { - "aggregationKind": "AlertPerResult" - }, - "alertDetailsOverride": { - "alertSeverityColumnName": "Severity", - "alertDisplayNameFormat": "BitSight: Alert for new breach in {{Companyname}}.", - "alertDescriptionFormat": "Alert is generated on {{DateCreated}} at BitSight.\\n\\nGUID: {{GUID}}\\nPreview URL: {{PreviwURL}}" - }, - "incidentConfiguration": { - "createIncident": false - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject6').analyticRuleId6,'/'))))]", - "properties": { - "description": "BitSight Analytics Rule 6", - "parentId": "[variables('analyticRuleObject6').analyticRuleId6]", - "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject6').analyticRuleVersion6]", - "source": { - "kind": "Solution", - "name": "BitSight", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "BitSight Support", - "email": "support@bitsight.com", - "tier": "Partner", - "link": "https://www.bitsight.com/customer-success-support" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": 
"[variables('analyticRuleObject6')._analyticRulecontentId6]", - "contentKind": "AnalyticsRule", - "displayName": "BitSight - new breach found", - "contentProductId": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]", - "id": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]", - "version": "[variables('analyticRuleObject6').analyticRuleVersion6]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('parserObject1').parserTemplateSpecName1]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "BitSightAlerts Data Parser with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('parserObject1').parserVersion1]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[variables('parserObject1')._parserName1]", - "apiVersion": "2025-07-01", - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Parser for BitSightAlerts", - "category": "Microsoft Sentinel Parser", - "functionAlias": "BitSightAlerts", - "query": "union isfuzzy=true\n (\n BitsightAlerts_data_CL\n | extend\n EventVendor = \"BitSight\",\n EventProduct = \"Alert\",\n GUID = column_ifexists('guid', ''),\n AlertType = column_ifexists('alert_type', ''),\n AlertDate = column_ifexists('alert_date', ''),\n StartDate = column_ifexists('start_date', ''),\n CompanyName = column_ifexists('company_name', ''),\n CompanyGUID = column_ifexists('company_guid', ''),\n CompanyURL = column_ifexists('company_url', 
''),\n FolderGUID = column_ifexists('folder_guid', ''),\n FolderName = column_ifexists('folder_name', ''),\n Severity = column_ifexists('severity', ''),\n Trigger = column_ifexists('trigger', '')\n | project\n TimeGenerated,\n EventVendor,\n EventProduct,\n GUID,\n AlertType,\n AlertDate,\n StartDate,\n CompanyName,\n CompanyGUID,\n CompanyURL,\n FolderGUID,\n FolderName,\n Severity,\n Trigger\n ),\n (\n BitSightAlerts_CL\n | extend\n EventVendor = \"BitSight\",\n EventProduct = \"Alert\"\n | project\n TimeGenerated,\n EventVendor,\n EventProduct,\n Guid,\n AlertType,\n AlertDate,\n StartDate,\n CompanyName,\n CompanyGuid,\n CompanyUrl,\n FolderGuid,\n FolderName,\n Severity,\n Trigger,\n AlertSetName,\n AlertSetGuid,\n ConnectorName\n )\n", - "functionParameters": "", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject1')._parserId1,'/'))))]", - "dependsOn": [ - "[variables('parserObject1')._parserId1]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'BitSightAlerts')]", - "contentId": "[variables('parserObject1').parserContentId1]", - "kind": "Parser", - "version": "[variables('parserObject1').parserVersion1]", - "source": { - "name": "BitSight", - "kind": "Solution", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "BitSight Support", - "email": "support@bitsight.com", - "tier": "Partner", - "link": "https://www.bitsight.com/customer-success-support" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - 
"packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('parserObject1').parserContentId1]", - "contentKind": "Parser", - "displayName": "Parser for BitSightAlerts", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.1.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.1.0')))]", - "version": "[variables('parserObject1').parserVersion1]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "apiVersion": "2025-07-01", - "name": "[variables('parserObject1')._parserName1]", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Parser for BitSightAlerts", - "category": "Microsoft Sentinel Parser", - "functionAlias": "BitSightAlerts", - "query": "union isfuzzy=true\n (\n BitsightAlerts_data_CL\n | extend\n EventVendor = \"BitSight\",\n EventProduct = \"Alert\",\n GUID = column_ifexists('guid', ''),\n AlertType = column_ifexists('alert_type', ''),\n AlertDate = column_ifexists('alert_date', ''),\n StartDate = column_ifexists('start_date', ''),\n CompanyName = column_ifexists('company_name', ''),\n CompanyGUID = column_ifexists('company_guid', ''),\n CompanyURL = column_ifexists('company_url', ''),\n FolderGUID = column_ifexists('folder_guid', ''),\n FolderName = column_ifexists('folder_name', ''),\n Severity = column_ifexists('severity', ''),\n Trigger = column_ifexists('trigger', '')\n | project\n TimeGenerated,\n EventVendor,\n EventProduct,\n GUID,\n AlertType,\n AlertDate,\n StartDate,\n CompanyName,\n CompanyGUID,\n CompanyURL,\n FolderGUID,\n FolderName,\n Severity,\n Trigger\n ),\n (\n BitSightAlerts_CL\n | extend\n EventVendor = \"BitSight\",\n EventProduct = 
\"Alert\"\n | project\n TimeGenerated,\n EventVendor,\n EventProduct,\n Guid,\n AlertType,\n AlertDate,\n StartDate,\n CompanyName,\n CompanyGuid,\n CompanyUrl,\n FolderGuid,\n FolderName,\n Severity,\n Trigger,\n AlertSetName,\n AlertSetGuid,\n ConnectorName\n )\n", - "functionParameters": "", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "location": "[parameters('workspace-location')]", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject1')._parserId1,'/'))))]", - "dependsOn": [ - "[variables('parserObject1')._parserId1]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'BitSightAlerts')]", - "contentId": "[variables('parserObject1').parserContentId1]", - "kind": "Parser", - "version": "[variables('parserObject1').parserVersion1]", - "source": { - "kind": "Solution", - "name": "BitSight", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "BitSight Support", - "email": "support@bitsight.com", - "tier": "Partner", - "link": "https://www.bitsight.com/customer-success-support" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('parserObject2').parserTemplateSpecName2]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "BitSightBreaches Data Parser with template version 3.2.0", - "mainTemplate": { - "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('parserObject2').parserVersion2]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[variables('parserObject2')._parserName2]", - "apiVersion": "2025-07-01", - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Parser for BitSightBreaches", - "category": "Microsoft Sentinel Parser", - "functionAlias": "BitSightBreaches", - "query": "union isfuzzy=true\n (\n BitsightBreaches_data_CL\n | extend\n EventVendor = \"BitSight\",\n EventProduct = \"Breaches\",\n GUID = column_ifexists('guid', ''),\n Date = column_ifexists('date', ''),\n Severity = column_ifexists('severity', ''),\n Text = column_ifexists('text', ''),\n DateCreated = column_ifexists('date_created', ''),\n PreviwURL = column_ifexists('preview_url', ''),\n EventType = column_ifexists('event_type', ''),\n EventTypeDescription = column_ifexists('event_type_description', ''),\n BreachedCompanies = column_ifexists('breached_companies', ''),\n DependentCompanies = column_ifexists('dependent_companies', ''),\n Companyname = column_ifexists('company_name', ''),\n CompanyGUID = column_ifexists('company_guid', '')\n | project\n TimeGenerated,\n EventVendor,\n EventProduct,\n GUID,\n Date,\n Severity,\n Text,\n DateCreated,\n PreviwURL,\n EventType,\n EventTypeDescription,\n BreachedCompanies,\n DependentCompanies,\n Companyname,\n CompanyGUID\n ),\n (\n BitSightBreaches_CL\n | summarize arg_max(TimeGenerated, *) by Guid, CompanyGuid\n | extend\n EventVendor = \"BitSight\",\n EventProduct = \"Breaches\"\n | project\n TimeGenerated,\n EventVendor,\n EventProduct,\n Guid,\n CompanyName,\n CompanyGuid,\n BreachDate,\n DateCreated,\n Text,\n PreviewUrl,\n EventType,\n EventTypeDescription,\n Severity,\n BreachedCompanies,\n DependentCompanies,\n ConnectorName\n )\n", - 
"functionParameters": "", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject2')._parserId2,'/'))))]", - "dependsOn": [ - "[variables('parserObject2')._parserId2]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'BitSightBreaches')]", - "contentId": "[variables('parserObject2').parserContentId2]", - "kind": "Parser", - "version": "[variables('parserObject2').parserVersion2]", - "source": { - "name": "BitSight", - "kind": "Solution", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "BitSight Support", - "email": "support@bitsight.com", - "tier": "Partner", - "link": "https://www.bitsight.com/customer-success-support" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('parserObject2').parserContentId2]", - "contentKind": "Parser", - "displayName": "Parser for BitSightBreaches", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject2').parserContentId2,'-', '1.1.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject2').parserContentId2,'-', '1.1.0')))]", - "version": "[variables('parserObject2').parserVersion2]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - 
"apiVersion": "2025-07-01", - "name": "[variables('parserObject2')._parserName2]", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Parser for BitSightBreaches", - "category": "Microsoft Sentinel Parser", - "functionAlias": "BitSightBreaches", - "query": "union isfuzzy=true\n (\n BitsightBreaches_data_CL\n | extend\n EventVendor = \"BitSight\",\n EventProduct = \"Breaches\",\n GUID = column_ifexists('guid', ''),\n Date = column_ifexists('date', ''),\n Severity = column_ifexists('severity', ''),\n Text = column_ifexists('text', ''),\n DateCreated = column_ifexists('date_created', ''),\n PreviwURL = column_ifexists('preview_url', ''),\n EventType = column_ifexists('event_type', ''),\n EventTypeDescription = column_ifexists('event_type_description', ''),\n BreachedCompanies = column_ifexists('breached_companies', ''),\n DependentCompanies = column_ifexists('dependent_companies', ''),\n Companyname = column_ifexists('company_name', ''),\n CompanyGUID = column_ifexists('company_guid', '')\n | project\n TimeGenerated,\n EventVendor,\n EventProduct,\n GUID,\n Date,\n Severity,\n Text,\n DateCreated,\n PreviwURL,\n EventType,\n EventTypeDescription,\n BreachedCompanies,\n DependentCompanies,\n Companyname,\n CompanyGUID\n ),\n (\n BitSightBreaches_CL\n | summarize arg_max(TimeGenerated, *) by Guid, CompanyGuid\n | extend\n EventVendor = \"BitSight\",\n EventProduct = \"Breaches\"\n | project\n TimeGenerated,\n EventVendor,\n EventProduct,\n Guid,\n CompanyName,\n CompanyGuid,\n BreachDate,\n DateCreated,\n Text,\n PreviewUrl,\n EventType,\n EventTypeDescription,\n Severity,\n BreachedCompanies,\n DependentCompanies,\n ConnectorName\n )\n", - "functionParameters": "", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "location": "[parameters('workspace-location')]", - 
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject2')._parserId2,'/'))))]", - "dependsOn": [ - "[variables('parserObject2')._parserId2]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'BitSightBreaches')]", - "contentId": "[variables('parserObject2').parserContentId2]", - "kind": "Parser", - "version": "[variables('parserObject2').parserVersion2]", - "source": { - "kind": "Solution", - "name": "BitSight", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "BitSight Support", - "email": "support@bitsight.com", - "tier": "Partner", - "link": "https://www.bitsight.com/customer-success-support" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('parserObject3').parserTemplateSpecName3]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "BitSightCompanyDetails Data Parser with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('parserObject3').parserVersion3]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[variables('parserObject3')._parserName3]", - "apiVersion": "2025-07-01", - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Parser for BitSightCompanyDetails", - "category": "Microsoft Sentinel Parser", - 
"functionAlias": "BitSightCompanyDetails", - "query": "union isfuzzy=true\n (\n BitsightCompany_details_CL\n | extend\n EventVendor = \"BitSight\",\n EventProduct = \"CompanyDetails\",\n PrimaryCompanyGUID = column_ifexists('primary_company_guid', ''),\n PrimaryCompanyName = column_ifexists('primary_company_name', ''),\n AvailableUpgradeTypes = column_ifexists('available_upgrade_types', ''),\n BulkEmailSenderStatus = column_ifexists('bulk_email_sender_status', ''),\n CompanyFeatures = column_ifexists('company_features', ''),\n CustomerMonitoringCount = column_ifexists('customer_monitoring_count', ''),\n Description = column_ifexists('description', ''),\n DisplayURL = column_ifexists('display_url', ''),\n GUID = column_ifexists('guid', ''),\n HasCompanyTree = column_ifexists('has_company_tree', ''),\n HasPreferredContact = column_ifexists('has_preferred_contact', ''),\n Hompage = column_ifexists('homepage', ''),\n InSpmPortfolio = column_ifexists('in_spm_portfolio', ''),\n Industry = column_ifexists('industry', ''),\n IndustrySlug = column_ifexists('industry_slug', ''),\n Ipv4Count = column_ifexists('ipv4_count', ''),\n IsBundle = column_ifexists('is_bundle', ''),\n IsCsp = column_ifexists('is_csp', ''),\n IsMycompMysubsBundle = column_ifexists('is_mycomp_mysubs_bundle', ''),\n IsPrimary = column_ifexists('is_primary', ''),\n IsUnsampledAllowed = column_ifexists('is_unsampled_allowed', ''),\n Name = column_ifexists('name', ''),\n PeopleCount = column_ifexists('people_count', ''),\n PermissionCanAnnotate = column_ifexists('permissions_can_annotate', ''),\n PermissionCanDownloadCompanyReport = column_ifexists('permissions_can_download_company_report', ''),\n PermissionCanEnableVendorAccess = column_ifexists('permissions_can_enable_vendor_access', ''),\n PermissionCanViewCompanyReports = column_ifexists('permissions_can_view_company_reports', ''),\n PermissionCanViewForensics = column_ifexists('permissions_can_view_forensics', ''),\n PermissionCanViewInfrastructure = 
column_ifexists('permissions_can_view_infrastructure', ''),\n PermissionCanViewIpAttributions = column_ifexists('permissions_can_view_ip_attributions', ''),\n PermissionCanViewServiceProviders = column_ifexists('permissions_can_view_service_providers', ''),\n PermissionsHasControl = column_ifexists('permissions_has_control', ''),\n PrimaryDomain = column_ifexists('primary_domain', ''),\n RatingIndustryMedian = column_ifexists('rating_industry_median', ''),\n Ratings = column_ifexists('ratings', ''),\n RelatedCompanies = column_ifexists('related_companies', ''),\n SearchCount = column_ifexists('search_count', ''),\n ServiceProvider = column_ifexists('service_provider', ''),\n Shortname = column_ifexists('shortname', ''),\n Sparkline = column_ifexists('sparkline', ''),\n SubIndustry = column_ifexists('sub_industry', ''),\n SubIndustrySlug = column_ifexists('sub_industry_slug', ''),\n SubscriptionType = column_ifexists('subscription_type', ''),\n SubscriptionTypeKey = column_ifexists('subscription_type_key', ''),\n ComplianceClaimCertifications = column_ifexists('compliance_claim_certifications', ''),\n ComplianceClaimTrustPage = column_ifexists('compliance_claim_trust_page', ''),\n type = column_ifexists('type', '')\n | project\n TimeGenerated,\n EventVendor,\n EventProduct,\n PrimaryCompanyGUID,\n PrimaryCompanyName,\n AvailableUpgradeTypes,\n BulkEmailSenderStatus,\n CompanyFeatures,\n CustomerMonitoringCount,\n Description,\n DisplayURL,\n GUID,\n HasCompanyTree,\n HasPreferredContact,\n Hompage,\n InSpmPortfolio,\n Industry,\n IndustrySlug,\n Ipv4Count,\n IsBundle,\n IsCsp,\n IsMycompMysubsBundle,\n IsPrimary,\n IsUnsampledAllowed,\n Name,\n PeopleCount,\n PermissionCanAnnotate,\n PermissionCanDownloadCompanyReport,\n PermissionCanEnableVendorAccess,\n PermissionCanViewCompanyReports,\n PermissionCanViewForensics,\n PermissionCanViewInfrastructure,\n PermissionCanViewIpAttributions,\n PermissionCanViewServiceProviders,\n PermissionsHasControl,\n PrimaryDomain,\n 
RatingIndustryMedian,\n Ratings,\n RelatedCompanies,\n SearchCount,\n ServiceProvider,\n Shortname,\n Sparkline,\n SubIndustry,\n SubIndustrySlug,\n SubscriptionType,\n SubscriptionTypeKey,\n ComplianceClaimCertifications,\n ComplianceClaimTrustPage,\n type\n ),\n (\n BitSightCompanyDetails_CL\n | summarize arg_max(TimeGenerated, *) by Guid\n | extend\n EventVendor = \"BitSight\",\n EventProduct = \"CompanyDetails\"\n | project\n TimeGenerated,\n EventVendor,\n EventProduct,\n Guid,\n Name,\n CompanyType,\n Shortname,\n Description,\n PrimaryDomain,\n Homepage,\n DisplayUrl,\n Sparkline,\n Industry,\n IndustrySlug,\n SubIndustry,\n SubIndustrySlug,\n Ipv4Count,\n PeopleCount,\n SearchCount,\n CustomerMonitoringCount,\n CurrentRating,\n RatingIndustryMedian,\n Ratings,\n SubscriptionType,\n SubscriptionTypeKey,\n SubscriptionEndDate,\n BulkEmailSenderStatus,\n SecurityGrade,\n ServiceProvider,\n HasCompanyTree,\n HasPreferredContact,\n IsBundle,\n IsPrimary,\n InSpmPortfolio,\n IsMycompMysubsBundle,\n IsCsp,\n HasDelegatedSecurityControls,\n CustomId,\n AvailableUpgradeTypes,\n CompanyFeatures,\n RelatedCompanies,\n PrimaryCompany,\n ComplianceClaim,\n Permissions,\n ConnectorName\n )\n", - "functionParameters": "", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject3')._parserId3,'/'))))]", - "dependsOn": [ - "[variables('parserObject3')._parserId3]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'BitSightCompanyDetails')]", - "contentId": "[variables('parserObject3').parserContentId3]", - "kind": "Parser", - "version": "[variables('parserObject3').parserVersion3]", - "source": { - "name": "BitSight", - 
"kind": "Solution", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "BitSight Support", - "email": "support@bitsight.com", - "tier": "Partner", - "link": "https://www.bitsight.com/customer-success-support" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('parserObject3').parserContentId3]", - "contentKind": "Parser", - "displayName": "Parser for BitSightCompanyDetails", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject3').parserContentId3,'-', '1.1.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject3').parserContentId3,'-', '1.1.0')))]", - "version": "[variables('parserObject3').parserVersion3]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "apiVersion": "2025-07-01", - "name": "[variables('parserObject3')._parserName3]", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Parser for BitSightCompanyDetails", - "category": "Microsoft Sentinel Parser", - "functionAlias": "BitSightCompanyDetails", - "query": "union isfuzzy=true\n (\n BitsightCompany_details_CL\n | extend\n EventVendor = \"BitSight\",\n EventProduct = \"CompanyDetails\",\n PrimaryCompanyGUID = column_ifexists('primary_company_guid', ''),\n PrimaryCompanyName = column_ifexists('primary_company_name', ''),\n AvailableUpgradeTypes = column_ifexists('available_upgrade_types', ''),\n BulkEmailSenderStatus = column_ifexists('bulk_email_sender_status', ''),\n CompanyFeatures = 
column_ifexists('company_features', ''),\n CustomerMonitoringCount = column_ifexists('customer_monitoring_count', ''),\n Description = column_ifexists('description', ''),\n DisplayURL = column_ifexists('display_url', ''),\n GUID = column_ifexists('guid', ''),\n HasCompanyTree = column_ifexists('has_company_tree', ''),\n HasPreferredContact = column_ifexists('has_preferred_contact', ''),\n Hompage = column_ifexists('homepage', ''),\n InSpmPortfolio = column_ifexists('in_spm_portfolio', ''),\n Industry = column_ifexists('industry', ''),\n IndustrySlug = column_ifexists('industry_slug', ''),\n Ipv4Count = column_ifexists('ipv4_count', ''),\n IsBundle = column_ifexists('is_bundle', ''),\n IsCsp = column_ifexists('is_csp', ''),\n IsMycompMysubsBundle = column_ifexists('is_mycomp_mysubs_bundle', ''),\n IsPrimary = column_ifexists('is_primary', ''),\n IsUnsampledAllowed = column_ifexists('is_unsampled_allowed', ''),\n Name = column_ifexists('name', ''),\n PeopleCount = column_ifexists('people_count', ''),\n PermissionCanAnnotate = column_ifexists('permissions_can_annotate', ''),\n PermissionCanDownloadCompanyReport = column_ifexists('permissions_can_download_company_report', ''),\n PermissionCanEnableVendorAccess = column_ifexists('permissions_can_enable_vendor_access', ''),\n PermissionCanViewCompanyReports = column_ifexists('permissions_can_view_company_reports', ''),\n PermissionCanViewForensics = column_ifexists('permissions_can_view_forensics', ''),\n PermissionCanViewInfrastructure = column_ifexists('permissions_can_view_infrastructure', ''),\n PermissionCanViewIpAttributions = column_ifexists('permissions_can_view_ip_attributions', ''),\n PermissionCanViewServiceProviders = column_ifexists('permissions_can_view_service_providers', ''),\n PermissionsHasControl = column_ifexists('permissions_has_control', ''),\n PrimaryDomain = column_ifexists('primary_domain', ''),\n RatingIndustryMedian = column_ifexists('rating_industry_median', ''),\n Ratings = 
column_ifexists('ratings', ''),\n RelatedCompanies = column_ifexists('related_companies', ''),\n SearchCount = column_ifexists('search_count', ''),\n ServiceProvider = column_ifexists('service_provider', ''),\n Shortname = column_ifexists('shortname', ''),\n Sparkline = column_ifexists('sparkline', ''),\n SubIndustry = column_ifexists('sub_industry', ''),\n SubIndustrySlug = column_ifexists('sub_industry_slug', ''),\n SubscriptionType = column_ifexists('subscription_type', ''),\n SubscriptionTypeKey = column_ifexists('subscription_type_key', ''),\n ComplianceClaimCertifications = column_ifexists('compliance_claim_certifications', ''),\n ComplianceClaimTrustPage = column_ifexists('compliance_claim_trust_page', ''),\n type = column_ifexists('type', '')\n | project\n TimeGenerated,\n EventVendor,\n EventProduct,\n PrimaryCompanyGUID,\n PrimaryCompanyName,\n AvailableUpgradeTypes,\n BulkEmailSenderStatus,\n CompanyFeatures,\n CustomerMonitoringCount,\n Description,\n DisplayURL,\n GUID,\n HasCompanyTree,\n HasPreferredContact,\n Hompage,\n InSpmPortfolio,\n Industry,\n IndustrySlug,\n Ipv4Count,\n IsBundle,\n IsCsp,\n IsMycompMysubsBundle,\n IsPrimary,\n IsUnsampledAllowed,\n Name,\n PeopleCount,\n PermissionCanAnnotate,\n PermissionCanDownloadCompanyReport,\n PermissionCanEnableVendorAccess,\n PermissionCanViewCompanyReports,\n PermissionCanViewForensics,\n PermissionCanViewInfrastructure,\n PermissionCanViewIpAttributions,\n PermissionCanViewServiceProviders,\n PermissionsHasControl,\n PrimaryDomain,\n RatingIndustryMedian,\n Ratings,\n RelatedCompanies,\n SearchCount,\n ServiceProvider,\n Shortname,\n Sparkline,\n SubIndustry,\n SubIndustrySlug,\n SubscriptionType,\n SubscriptionTypeKey,\n ComplianceClaimCertifications,\n ComplianceClaimTrustPage,\n type\n ),\n (\n BitSightCompanyDetails_CL\n | summarize arg_max(TimeGenerated, *) by Guid\n | extend\n EventVendor = \"BitSight\",\n EventProduct = \"CompanyDetails\"\n | project\n TimeGenerated,\n EventVendor,\n 
EventProduct,\n Guid,\n Name,\n CompanyType,\n Shortname,\n Description,\n PrimaryDomain,\n Homepage,\n DisplayUrl,\n Sparkline,\n Industry,\n IndustrySlug,\n SubIndustry,\n SubIndustrySlug,\n Ipv4Count,\n PeopleCount,\n SearchCount,\n CustomerMonitoringCount,\n CurrentRating,\n RatingIndustryMedian,\n Ratings,\n SubscriptionType,\n SubscriptionTypeKey,\n SubscriptionEndDate,\n BulkEmailSenderStatus,\n SecurityGrade,\n ServiceProvider,\n HasCompanyTree,\n HasPreferredContact,\n IsBundle,\n IsPrimary,\n InSpmPortfolio,\n IsMycompMysubsBundle,\n IsCsp,\n HasDelegatedSecurityControls,\n CustomId,\n AvailableUpgradeTypes,\n CompanyFeatures,\n RelatedCompanies,\n PrimaryCompany,\n ComplianceClaim,\n Permissions,\n ConnectorName\n )\n", - "functionParameters": "", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "location": "[parameters('workspace-location')]", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject3')._parserId3,'/'))))]", - "dependsOn": [ - "[variables('parserObject3')._parserId3]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'BitSightCompanyDetails')]", - "contentId": "[variables('parserObject3').parserContentId3]", - "kind": "Parser", - "version": "[variables('parserObject3').parserVersion3]", - "source": { - "kind": "Solution", - "name": "BitSight", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "BitSight Support", - "email": "support@bitsight.com", - "tier": "Partner", - "link": "https://www.bitsight.com/customer-success-support" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - 
"apiVersion": "2023-04-01-preview", - "name": "[variables('parserObject4').parserTemplateSpecName4]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "BitSightCompanyRatingDetails Data Parser with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('parserObject4').parserVersion4]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[variables('parserObject4')._parserName4]", - "apiVersion": "2025-07-01", - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Parser for BitSightCompanyRatingDetails", - "category": "Microsoft Sentinel Parser", - "functionAlias": "BitSightCompanyRatingDetails", - "query": "BitSightCompanyRatingDetails_CL\n| summarize arg_max(TimeGenerated, *) by CompanyGuid, RiskVectorLabel\n| extend\n EventVendor = \"BitSight\",\n EventProduct = \"CompanyRatingDetails\"\n| project\n TimeGenerated,\n EventVendor,\n EventProduct,\n CompanyName,\n CompanyGuid,\n RiskVectorSlug,\n RiskVectorLabel,\n RiskCategory,\n CategoryOrder,\n Rating,\n Grade,\n Percentile,\n GradeColor,\n RiskVectorOrder,\n DisplayUrl,\n Beta,\n ConnectorName\n", - "functionParameters": "", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject4')._parserId4,'/'))))]", - "dependsOn": [ - 
"[variables('parserObject4')._parserId4]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'BitSightCompanyRatingDetails')]", - "contentId": "[variables('parserObject4').parserContentId4]", - "kind": "Parser", - "version": "[variables('parserObject4').parserVersion4]", - "source": { - "name": "BitSight", - "kind": "Solution", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "BitSight Support", - "email": "support@bitsight.com", - "tier": "Partner", - "link": "https://www.bitsight.com/customer-success-support" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('parserObject4').parserContentId4]", - "contentKind": "Parser", - "displayName": "Parser for BitSightCompanyRatingDetails", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject4').parserContentId4,'-', '1.0.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject4').parserContentId4,'-', '1.0.0')))]", - "version": "[variables('parserObject4').parserVersion4]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "apiVersion": "2025-07-01", - "name": "[variables('parserObject4')._parserName4]", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Parser for BitSightCompanyRatingDetails", - "category": "Microsoft Sentinel Parser", - "functionAlias": "BitSightCompanyRatingDetails", - "query": "BitSightCompanyRatingDetails_CL\n| summarize 
arg_max(TimeGenerated, *) by CompanyGuid, RiskVectorLabel\n| extend\n EventVendor = \"BitSight\",\n EventProduct = \"CompanyRatingDetails\"\n| project\n TimeGenerated,\n EventVendor,\n EventProduct,\n CompanyName,\n CompanyGuid,\n RiskVectorSlug,\n RiskVectorLabel,\n RiskCategory,\n CategoryOrder,\n Rating,\n Grade,\n Percentile,\n GradeColor,\n RiskVectorOrder,\n DisplayUrl,\n Beta,\n ConnectorName\n", - "functionParameters": "", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "location": "[parameters('workspace-location')]", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject4')._parserId4,'/'))))]", - "dependsOn": [ - "[variables('parserObject4')._parserId4]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'BitSightCompanyRatingDetails')]", - "contentId": "[variables('parserObject4').parserContentId4]", - "kind": "Parser", - "version": "[variables('parserObject4').parserVersion4]", - "source": { - "kind": "Solution", - "name": "BitSight", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "BitSight Support", - "email": "support@bitsight.com", - "tier": "Partner", - "link": "https://www.bitsight.com/customer-success-support" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('parserObject5').parserTemplateSpecName5]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 
variables('_solutionId'))]" - ], - "properties": { - "description": "BitSightCompanyRatings Data Parser with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('parserObject5').parserVersion5]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[variables('parserObject5')._parserName5]", - "apiVersion": "2025-07-01", - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Parser for BitSightCompanyRatings", - "category": "Microsoft Sentinel Parser", - "functionAlias": "BitSightCompanyRatings", - "query": "union isfuzzy=true\n (\n BitsightCompany_rating_details_CL\n | extend\n EventVendor = \"BitSight\",\n EventProduct = \"CompanyRating\",\n CompanyName = column_ifexists('Company_name', ''),\n Beta = column_ifexists('beta', ''),\n Category = column_ifexists('category', ''),\n CategoryOrder = column_ifexists('category_order', ''),\n DisplayURL = column_ifexists('display_url', ''),\n Grade = column_ifexists('grade', ''),\n GradeColor = column_ifexists('grade_color', ''),\n Name = column_ifexists('name', ''),\n Order = column_ifexists('order', ''),\n Percentile = column_ifexists('percentile', ''),\n Rating = column_ifexists('rating', '')\n | project\n TimeGenerated,\n EventVendor,\n EventProduct,\n CompanyName,\n Beta,\n Category,\n CategoryOrder,\n DisplayURL,\n Grade,\n GradeColor,\n Name,\n Order,\n Percentile,\n Rating\n ),\n (\n BitSightCompanyRatingDetails_CL\n | summarize arg_max(TimeGenerated, *) by CompanyGuid, RiskVectorLabel\n | extend\n EventVendor = \"BitSight\",\n EventProduct = \"CompanyRating\"\n | project\n TimeGenerated,\n EventVendor,\n EventProduct,\n CompanyName,\n CompanyGuid,\n RiskVectorSlug,\n RiskVectorLabel,\n RiskCategory,\n CategoryOrder,\n Rating,\n Grade,\n Percentile,\n GradeColor,\n 
RiskVectorOrder,\n DisplayUrl,\n Beta,\n ConnectorName\n )\n", - "functionParameters": "", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject5')._parserId5,'/'))))]", - "dependsOn": [ - "[variables('parserObject5')._parserId5]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'BitSightCompanyRatings')]", - "contentId": "[variables('parserObject5').parserContentId5]", - "kind": "Parser", - "version": "[variables('parserObject5').parserVersion5]", - "source": { - "name": "BitSight", - "kind": "Solution", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "BitSight Support", - "email": "support@bitsight.com", - "tier": "Partner", - "link": "https://www.bitsight.com/customer-success-support" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('parserObject5').parserContentId5]", - "contentKind": "Parser", - "displayName": "Parser for BitSightCompanyRatings", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject5').parserContentId5,'-', '1.1.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject5').parserContentId5,'-', '1.1.0')))]", - "version": "[variables('parserObject5').parserVersion5]" - } - }, 
- { - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "apiVersion": "2025-07-01", - "name": "[variables('parserObject5')._parserName5]", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Parser for BitSightCompanyRatings", - "category": "Microsoft Sentinel Parser", - "functionAlias": "BitSightCompanyRatings", - "query": "union isfuzzy=true\n (\n BitsightCompany_rating_details_CL\n | extend\n EventVendor = \"BitSight\",\n EventProduct = \"CompanyRating\",\n CompanyName = column_ifexists('Company_name', ''),\n Beta = column_ifexists('beta', ''),\n Category = column_ifexists('category', ''),\n CategoryOrder = column_ifexists('category_order', ''),\n DisplayURL = column_ifexists('display_url', ''),\n Grade = column_ifexists('grade', ''),\n GradeColor = column_ifexists('grade_color', ''),\n Name = column_ifexists('name', ''),\n Order = column_ifexists('order', ''),\n Percentile = column_ifexists('percentile', ''),\n Rating = column_ifexists('rating', '')\n | project\n TimeGenerated,\n EventVendor,\n EventProduct,\n CompanyName,\n Beta,\n Category,\n CategoryOrder,\n DisplayURL,\n Grade,\n GradeColor,\n Name,\n Order,\n Percentile,\n Rating\n ),\n (\n BitSightCompanyRatingDetails_CL\n | summarize arg_max(TimeGenerated, *) by CompanyGuid, RiskVectorLabel\n | extend\n EventVendor = \"BitSight\",\n EventProduct = \"CompanyRating\"\n | project\n TimeGenerated,\n EventVendor,\n EventProduct,\n CompanyName,\n CompanyGuid,\n RiskVectorSlug,\n RiskVectorLabel,\n RiskCategory,\n CategoryOrder,\n Rating,\n Grade,\n Percentile,\n GradeColor,\n RiskVectorOrder,\n DisplayUrl,\n Beta,\n ConnectorName\n )\n", - "functionParameters": "", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "location": "[parameters('workspace-location')]", - "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject5')._parserId5,'/'))))]", - "dependsOn": [ - "[variables('parserObject5')._parserId5]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'BitSightCompanyRatings')]", - "contentId": "[variables('parserObject5').parserContentId5]", - "kind": "Parser", - "version": "[variables('parserObject5').parserVersion5]", - "source": { - "kind": "Solution", - "name": "BitSight", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "BitSight Support", - "email": "support@bitsight.com", - "tier": "Partner", - "link": "https://www.bitsight.com/customer-success-support" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('parserObject6').parserTemplateSpecName6]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "BitSightDiligenceHistoricalStatistics Data Parser with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('parserObject6').parserVersion6]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[variables('parserObject6')._parserName6]", - "apiVersion": "2025-07-01", - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Parser for BitSightDiligenceHistoricalStatistics", - "category": 
"Microsoft Sentinel Parser", - "functionAlias": "BitSightDiligenceHistoricalStatistics", - "query": "union isfuzzy=true\n (\n BitsightDiligence_historical_statistics_CL\n | extend\n EventVendor = \"BitSight\",\n EventProduct = \"DiligenceHistoricalStatistics\",\n Count = column_ifexists('count', ''),\n Category = column_ifexists('category', ''),\n Date = column_ifexists('date', ''),\n CompanyName = column_ifexists('company_name', '')\n | project\n TimeGenerated,\n EventVendor,\n EventProduct,\n Count,\n Category,\n Date,\n CompanyName\n ),\n (\n BitSightDiligenceHistoricalStatistics_CL\n | summarize arg_max(TimeGenerated, *) by CompanyGuid, RecordDate\n | mv-expand CountEntry = Counts\n | extend\n EventVendor = \"BitSight\",\n EventProduct = \"DiligenceHistoricalStatistics\",\n Count = toint(CountEntry[\"count\"]),\n Category = tostring(CountEntry[\"category\"])\n | project\n TimeGenerated,\n EventVendor,\n EventProduct,\n CompanyName,\n CompanyGuid,\n RecordDate,\n Grade,\n Count,\n Category,\n ConnectorName\n )\n", - "functionParameters": "", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject6')._parserId6,'/'))))]", - "dependsOn": [ - "[variables('parserObject6')._parserId6]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'BitSightDiligenceHistoricalStatistics')]", - "contentId": "[variables('parserObject6').parserContentId6]", - "kind": "Parser", - "version": "[variables('parserObject6').parserVersion6]", - "source": { - "name": "BitSight", - "kind": "Solution", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - 
"name": "BitSight Support", - "email": "support@bitsight.com", - "tier": "Partner", - "link": "https://www.bitsight.com/customer-success-support" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('parserObject6').parserContentId6]", - "contentKind": "Parser", - "displayName": "Parser for BitSightDiligenceHistoricalStatistics", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject6').parserContentId6,'-', '1.1.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject6').parserContentId6,'-', '1.1.0')))]", - "version": "[variables('parserObject6').parserVersion6]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "apiVersion": "2025-07-01", - "name": "[variables('parserObject6')._parserName6]", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Parser for BitSightDiligenceHistoricalStatistics", - "category": "Microsoft Sentinel Parser", - "functionAlias": "BitSightDiligenceHistoricalStatistics", - "query": "union isfuzzy=true\n (\n BitsightDiligence_historical_statistics_CL\n | extend\n EventVendor = \"BitSight\",\n EventProduct = \"DiligenceHistoricalStatistics\",\n Count = column_ifexists('count', ''),\n Category = column_ifexists('category', ''),\n Date = column_ifexists('date', ''),\n CompanyName = column_ifexists('company_name', '')\n | project\n TimeGenerated,\n EventVendor,\n EventProduct,\n Count,\n Category,\n Date,\n CompanyName\n ),\n (\n BitSightDiligenceHistoricalStatistics_CL\n | summarize arg_max(TimeGenerated, *) by CompanyGuid, RecordDate\n | 
mv-expand CountEntry = Counts\n | extend\n EventVendor = \"BitSight\",\n EventProduct = \"DiligenceHistoricalStatistics\",\n Count = toint(CountEntry[\"count\"]),\n Category = tostring(CountEntry[\"category\"])\n | project\n TimeGenerated,\n EventVendor,\n EventProduct,\n CompanyName,\n CompanyGuid,\n RecordDate,\n Grade,\n Count,\n Category,\n ConnectorName\n )\n", - "functionParameters": "", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "location": "[parameters('workspace-location')]", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject6')._parserId6,'/'))))]", - "dependsOn": [ - "[variables('parserObject6')._parserId6]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'BitSightDiligenceHistoricalStatistics')]", - "contentId": "[variables('parserObject6').parserContentId6]", - "kind": "Parser", - "version": "[variables('parserObject6').parserVersion6]", - "source": { - "kind": "Solution", - "name": "BitSight", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "BitSight Support", - "email": "support@bitsight.com", - "tier": "Partner", - "link": "https://www.bitsight.com/customer-success-support" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('parserObject7').parserTemplateSpecName7]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - 
"properties": { - "description": "BitSightDiligenceStatistics Data Parser with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('parserObject7').parserVersion7]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[variables('parserObject7')._parserName7]", - "apiVersion": "2025-07-01", - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Parser for BitSightDiligenceStatistics", - "category": "Microsoft Sentinel Parser", - "functionAlias": "BitSightDiligenceStatistics", - "query": "union isfuzzy=true\n (\n BitsightDiligence_statistics_CL\n | extend\n EventVendor = \"BitSight\",\n EventProduct = \"DiligenceStatistics\",\n Unknown = column_ifexists('unknown', ''),\n Bad = column_ifexists('bad', ''),\n Warn = column_ifexists('warn', ''),\n Neutral = column_ifexists('neutral', ''),\n Fair = column_ifexists('fair', ''),\n Good = column_ifexists('good', ''),\n RiskVector = column_ifexists('risk_vector', ''),\n CompanyName = column_ifexists('Company_name', ''),\n SpearPhishing = column_ifexists('spear_phishing', ''),\n BitFlip = column_ifexists('bit_flip', ''),\n TypographicalErrors = column_ifexists('typographical_errors', ''),\n TLDVariant = column_ifexists('tld_variant', ''),\n TotalCount = column_ifexists('total_count', '')\n | project\n TimeGenerated,\n EventVendor,\n EventProduct,\n Unknown,\n Bad,\n Warn,\n Neutral,\n Fair,\n Good,\n RiskVector,\n CompanyName,\n SpearPhishing,\n BitFlip,\n TypographicalErrors,\n TLDVariant,\n TotalCount\n ),\n (\n BitSightDiligenceStatistics_CL\n | extend\n EventVendor = \"BitSight\",\n EventProduct = \"DiligenceStatistics\"\n | project\n TimeGenerated,\n EventVendor,\n EventProduct,\n CompanyName,\n CompanyGuid,\n RiskVector,\n Unknown,\n Bad,\n Warn,\n Neutral,\n Fair,\n 
Good,\n SpearPhishing,\n BitFlip,\n TypographicalErrors,\n TldVariant,\n TotalCount,\n ConnectorName\n )\n", - "functionParameters": "", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject7')._parserId7,'/'))))]", - "dependsOn": [ - "[variables('parserObject7')._parserId7]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'BitSightDiligenceStatistics')]", - "contentId": "[variables('parserObject7').parserContentId7]", - "kind": "Parser", - "version": "[variables('parserObject7').parserVersion7]", - "source": { - "name": "BitSight", - "kind": "Solution", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "BitSight Support", - "email": "support@bitsight.com", - "tier": "Partner", - "link": "https://www.bitsight.com/customer-success-support" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('parserObject7').parserContentId7]", - "contentKind": "Parser", - "displayName": "Parser for BitSightDiligenceStatistics", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject7').parserContentId7,'-', '1.1.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject7').parserContentId7,'-', '1.1.0')))]", - 
"version": "[variables('parserObject7').parserVersion7]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "apiVersion": "2025-07-01", - "name": "[variables('parserObject7')._parserName7]", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Parser for BitSightDiligenceStatistics", - "category": "Microsoft Sentinel Parser", - "functionAlias": "BitSightDiligenceStatistics", - "query": "union isfuzzy=true\n (\n BitsightDiligence_statistics_CL\n | extend\n EventVendor = \"BitSight\",\n EventProduct = \"DiligenceStatistics\",\n Unknown = column_ifexists('unknown', ''),\n Bad = column_ifexists('bad', ''),\n Warn = column_ifexists('warn', ''),\n Neutral = column_ifexists('neutral', ''),\n Fair = column_ifexists('fair', ''),\n Good = column_ifexists('good', ''),\n RiskVector = column_ifexists('risk_vector', ''),\n CompanyName = column_ifexists('Company_name', ''),\n SpearPhishing = column_ifexists('spear_phishing', ''),\n BitFlip = column_ifexists('bit_flip', ''),\n TypographicalErrors = column_ifexists('typographical_errors', ''),\n TLDVariant = column_ifexists('tld_variant', ''),\n TotalCount = column_ifexists('total_count', '')\n | project\n TimeGenerated,\n EventVendor,\n EventProduct,\n Unknown,\n Bad,\n Warn,\n Neutral,\n Fair,\n Good,\n RiskVector,\n CompanyName,\n SpearPhishing,\n BitFlip,\n TypographicalErrors,\n TLDVariant,\n TotalCount\n ),\n (\n BitSightDiligenceStatistics_CL\n | extend\n EventVendor = \"BitSight\",\n EventProduct = \"DiligenceStatistics\"\n | project\n TimeGenerated,\n EventVendor,\n EventProduct,\n CompanyName,\n CompanyGuid,\n RiskVector,\n Unknown,\n Bad,\n Warn,\n Neutral,\n Fair,\n Good,\n SpearPhishing,\n BitFlip,\n TypographicalErrors,\n TldVariant,\n TotalCount,\n ConnectorName\n )\n", - "functionParameters": "", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": 
"Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "location": "[parameters('workspace-location')]", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject7')._parserId7,'/'))))]", - "dependsOn": [ - "[variables('parserObject7')._parserId7]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'BitSightDiligenceStatistics')]", - "contentId": "[variables('parserObject7').parserContentId7]", - "kind": "Parser", - "version": "[variables('parserObject7').parserVersion7]", - "source": { - "kind": "Solution", - "name": "BitSight", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "BitSight Support", - "email": "support@bitsight.com", - "tier": "Partner", - "link": "https://www.bitsight.com/customer-success-support" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('parserObject8').parserTemplateSpecName8]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "BitSightFindingsData Data Parser with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('parserObject8').parserVersion8]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[variables('parserObject8')._parserName8]", - "apiVersion": "2025-07-01", - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "location": 
"[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Parser for BitSightFindingsData", - "category": "Microsoft Sentinel Parser", - "functionAlias": "BitSightFindingsData", - "query": "union isfuzzy=true\n (\n BitsightFindings_data_CL\n | extend\n EventVendor = \"BitSight\",\n EventProduct = \"FindingsData\",\n RemediationHistoryLastRequestedRefreshDate = column_ifexists('remediation_history_last_requested_refresh_date', ''),\n RemediationHistoryLastRefreshStatusDate = column_ifexists('remediation_history_last_refresh_status_date', ''),\n RemediationHistoryLastRefreshStatusLabel = column_ifexists('remediation_history_last_refresh_status_label', ''),\n RemediationHistoryLastRefreshReasonCode = column_ifexists('remediation_history_last_refresh_reason_code', ''),\n Comments = column_ifexists('comments', ''),\n TemporaryId = column_ifexists('temporary_id', ''),\n PcapID = column_ifexists('pcap_id', ''),\n AffectsRating = column_ifexists('affects_rating', ''),\n Assets = column_ifexists('assets', ''),\n Details = column_ifexists('details', ''),\n EvidenceKey = column_ifexists('evidence_key', ''),\n FirstSeen = column_ifexists('first_seen', ''),\n LastSeen = column_ifexists('last_seen', ''),\n RelatedFindings = column_ifexists('related_findings', ''),\n RiskCategory = column_ifexists('risk_category', ''),\n RiskVector = column_ifexists('risk_vector', ''),\n RiskVectorLabel = column_ifexists('risk_vector_label', ''),\n RolledupObservationId = column_ifexists('rolledup_observation_id', ''),\n Severity = column_ifexists('severity', ''),\n SeverityCategory = column_ifexists('severity_category', ''),\n Tags = column_ifexists('tags', ''),\n AssetOverrides = column_ifexists('asset_overrides', ''),\n Duration = column_ifexists('duration', ''),\n AttributedCompanies = column_ifexists('attributed_companies', ''),\n CompanyName = column_ifexists('company_name', ''),\n RemainingDecay = column_ifexists('remaining_decay', '')\n | project\n 
TimeGenerated,\n EventVendor,\n EventProduct,\n RemediationHistoryLastRequestedRefreshDate,\n RemediationHistoryLastRefreshStatusDate,\n RemediationHistoryLastRefreshStatusLabel,\n RemediationHistoryLastRefreshReasonCode,\n Comments,\n TemporaryId,\n PcapID,\n AffectsRating,\n Assets,\n Details,\n EvidenceKey,\n FirstSeen,\n LastSeen,\n RelatedFindings,\n RiskCategory,\n RiskVector,\n RiskVectorLabel,\n RolledupObservationId,\n Severity,\n SeverityCategory,\n Tags,\n AssetOverrides,\n Duration,\n AttributedCompanies,\n CompanyName,\n RemainingDecay\n ),\n (\n BitSightFindings_CL\n | extend\n EventVendor = \"BitSight\",\n EventProduct = \"FindingsData\"\n | project\n TimeGenerated,\n EventVendor,\n EventProduct,\n TemporaryId,\n CompanyName,\n CompanyGuid,\n RiskCategory,\n RiskVector,\n RiskVectorLabel,\n SeverityCategory,\n Severity,\n FirstSeen,\n LastSeen,\n CurrentlyActive,\n AssetCategory,\n Assets,\n Details,\n EvidenceKey,\n AttributedCompanies,\n RemediationHistory,\n AffectsRating,\n Comments,\n Duration,\n GracePeriodEndDate,\n GuestNetworkEndDate,\n ImpactsRiskVectorDetails,\n NoRvGradeImpactEndDate,\n RelatedFindings,\n RemainingDecay,\n Remediated,\n RolledupObservationId,\n Tags,\n ConnectorName\n )\n", - "functionParameters": "", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject8')._parserId8,'/'))))]", - "dependsOn": [ - "[variables('parserObject8')._parserId8]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'BitSightFindingsData')]", - "contentId": "[variables('parserObject8').parserContentId8]", - "kind": "Parser", - "version": "[variables('parserObject8').parserVersion8]", - "source": { 
- "name": "BitSight", - "kind": "Solution", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "BitSight Support", - "email": "support@bitsight.com", - "tier": "Partner", - "link": "https://www.bitsight.com/customer-success-support" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('parserObject8').parserContentId8]", - "contentKind": "Parser", - "displayName": "Parser for BitSightFindingsData", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject8').parserContentId8,'-', '1.1.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject8').parserContentId8,'-', '1.1.0')))]", - "version": "[variables('parserObject8').parserVersion8]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "apiVersion": "2025-07-01", - "name": "[variables('parserObject8')._parserName8]", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Parser for BitSightFindingsData", - "category": "Microsoft Sentinel Parser", - "functionAlias": "BitSightFindingsData", - "query": "union isfuzzy=true\n (\n BitsightFindings_data_CL\n | extend\n EventVendor = \"BitSight\",\n EventProduct = \"FindingsData\",\n RemediationHistoryLastRequestedRefreshDate = column_ifexists('remediation_history_last_requested_refresh_date', ''),\n RemediationHistoryLastRefreshStatusDate = column_ifexists('remediation_history_last_refresh_status_date', ''),\n RemediationHistoryLastRefreshStatusLabel = 
column_ifexists('remediation_history_last_refresh_status_label', ''),\n RemediationHistoryLastRefreshReasonCode = column_ifexists('remediation_history_last_refresh_reason_code', ''),\n Comments = column_ifexists('comments', ''),\n TemporaryId = column_ifexists('temporary_id', ''),\n PcapID = column_ifexists('pcap_id', ''),\n AffectsRating = column_ifexists('affects_rating', ''),\n Assets = column_ifexists('assets', ''),\n Details = column_ifexists('details', ''),\n EvidenceKey = column_ifexists('evidence_key', ''),\n FirstSeen = column_ifexists('first_seen', ''),\n LastSeen = column_ifexists('last_seen', ''),\n RelatedFindings = column_ifexists('related_findings', ''),\n RiskCategory = column_ifexists('risk_category', ''),\n RiskVector = column_ifexists('risk_vector', ''),\n RiskVectorLabel = column_ifexists('risk_vector_label', ''),\n RolledupObservationId = column_ifexists('rolledup_observation_id', ''),\n Severity = column_ifexists('severity', ''),\n SeverityCategory = column_ifexists('severity_category', ''),\n Tags = column_ifexists('tags', ''),\n AssetOverrides = column_ifexists('asset_overrides', ''),\n Duration = column_ifexists('duration', ''),\n AttributedCompanies = column_ifexists('attributed_companies', ''),\n CompanyName = column_ifexists('company_name', ''),\n RemainingDecay = column_ifexists('remaining_decay', '')\n | project\n TimeGenerated,\n EventVendor,\n EventProduct,\n RemediationHistoryLastRequestedRefreshDate,\n RemediationHistoryLastRefreshStatusDate,\n RemediationHistoryLastRefreshStatusLabel,\n RemediationHistoryLastRefreshReasonCode,\n Comments,\n TemporaryId,\n PcapID,\n AffectsRating,\n Assets,\n Details,\n EvidenceKey,\n FirstSeen,\n LastSeen,\n RelatedFindings,\n RiskCategory,\n RiskVector,\n RiskVectorLabel,\n RolledupObservationId,\n Severity,\n SeverityCategory,\n Tags,\n AssetOverrides,\n Duration,\n AttributedCompanies,\n CompanyName,\n RemainingDecay\n ),\n (\n BitSightFindings_CL\n | extend\n EventVendor = \"BitSight\",\n 
EventProduct = \"FindingsData\"\n | project\n TimeGenerated,\n EventVendor,\n EventProduct,\n TemporaryId,\n CompanyName,\n CompanyGuid,\n RiskCategory,\n RiskVector,\n RiskVectorLabel,\n SeverityCategory,\n Severity,\n FirstSeen,\n LastSeen,\n CurrentlyActive,\n AssetCategory,\n Assets,\n Details,\n EvidenceKey,\n AttributedCompanies,\n RemediationHistory,\n AffectsRating,\n Comments,\n Duration,\n GracePeriodEndDate,\n GuestNetworkEndDate,\n ImpactsRiskVectorDetails,\n NoRvGradeImpactEndDate,\n RelatedFindings,\n RemainingDecay,\n Remediated,\n RolledupObservationId,\n Tags,\n ConnectorName\n )\n", - "functionParameters": "", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "location": "[parameters('workspace-location')]", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject8')._parserId8,'/'))))]", - "dependsOn": [ - "[variables('parserObject8')._parserId8]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'BitSightFindingsData')]", - "contentId": "[variables('parserObject8').parserContentId8]", - "kind": "Parser", - "version": "[variables('parserObject8').parserVersion8]", - "source": { - "kind": "Solution", - "name": "BitSight", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "BitSight Support", - "email": "support@bitsight.com", - "tier": "Partner", - "link": "https://www.bitsight.com/customer-success-support" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('parserObject9').parserTemplateSpecName9]", - "location": 
"[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "BitSightFindingsSummary Data Parser with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('parserObject9').parserVersion9]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[variables('parserObject9')._parserName9]", - "apiVersion": "2025-07-01", - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Parser for BitSightFindingsSummary", - "category": "Microsoft Sentinel Parser", - "functionAlias": "BitSightFindingsSummary", - "query": "union isfuzzy=true\n (\n BitsightFindings_summary_CL\n | extend\n EventVendor = \"BitSight\",\n EventProduct = \"FindingsSummary\",\n Company = column_ifexists('Company', ''),\n Confidence = column_ifexists('confidence', ''),\n EndDate = column_ifexists('end_date', ''),\n EventCount = column_ifexists('event_count', ''),\n FirstSeen = column_ifexists('first_seen', ''),\n HostCount = column_ifexists('host_count', ''),\n Id = column_ifexists('id', ''),\n Name = column_ifexists('name', ''),\n Severity = column_ifexists('severity', ''),\n StartDate = column_ifexists('start_date', ''),\n Description = column_ifexists('description', '')\n | project\n TimeGenerated,\n EventVendor,\n EventProduct,\n Company,\n Confidence,\n EndDate,\n EventCount,\n FirstSeen,\n HostCount,\n Id,\n Name,\n Severity,\n StartDate,\n Description\n ),\n (\n BitSightFindingsSummary_CL\n | summarize arg_max(TimeGenerated, *) by CompanyGuid, StartDate, EndDate\n | mv-expand StatEntry = Stats\n | extend\n EventVendor = \"BitSight\",\n 
EventProduct = \"FindingsSummary\",\n StatName = tostring(StatEntry[\"name\"]),\n StatId = tostring(StatEntry[\"id\"]),\n Confidence = tostring(StatEntry[\"confidence\"]),\n EventCount = toint(StatEntry[\"event_count\"]),\n HostCount = toint(StatEntry[\"host_count\"]),\n FirstSeen = tostring(StatEntry[\"first_seen\"])\n | join kind=leftouter (\n BitsightVulnerabilitiesFindingsSummary_CL\n | summarize arg_max(TimeGenerated, *) by DisplayName\n | project DisplayName, VulnSeverity = Severity, VulnDescription = Description\n ) on $left.StatName == $right.DisplayName\n | project\n TimeGenerated,\n EventVendor,\n EventProduct,\n CompanyName,\n CompanyGuid,\n StartDate,\n EndDate,\n StatName,\n StatId,\n Confidence,\n EventCount,\n HostCount,\n FirstSeen,\n VulnSeverity,\n VulnDescription,\n ConnectorName\n )\n", - "functionParameters": "", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject9')._parserId9,'/'))))]", - "dependsOn": [ - "[variables('parserObject9')._parserId9]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'BitSightFindingsSummary')]", - "contentId": "[variables('parserObject9').parserContentId9]", - "kind": "Parser", - "version": "[variables('parserObject9').parserVersion9]", - "source": { - "name": "BitSight", - "kind": "Solution", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "BitSight Support", - "email": "support@bitsight.com", - "tier": "Partner", - "link": "https://www.bitsight.com/customer-success-support" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": 
"[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('parserObject9').parserContentId9]", - "contentKind": "Parser", - "displayName": "Parser for BitSightFindingsSummary", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject9').parserContentId9,'-', '1.1.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject9').parserContentId9,'-', '1.1.0')))]", - "version": "[variables('parserObject9').parserVersion9]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "apiVersion": "2025-07-01", - "name": "[variables('parserObject9')._parserName9]", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Parser for BitSightFindingsSummary", - "category": "Microsoft Sentinel Parser", - "functionAlias": "BitSightFindingsSummary", - "query": "union isfuzzy=true\n (\n BitsightFindings_summary_CL\n | extend\n EventVendor = \"BitSight\",\n EventProduct = \"FindingsSummary\",\n Company = column_ifexists('Company', ''),\n Confidence = column_ifexists('confidence', ''),\n EndDate = column_ifexists('end_date', ''),\n EventCount = column_ifexists('event_count', ''),\n FirstSeen = column_ifexists('first_seen', ''),\n HostCount = column_ifexists('host_count', ''),\n Id = column_ifexists('id', ''),\n Name = column_ifexists('name', ''),\n Severity = column_ifexists('severity', ''),\n StartDate = column_ifexists('start_date', ''),\n Description = column_ifexists('description', '')\n | project\n TimeGenerated,\n EventVendor,\n EventProduct,\n Company,\n Confidence,\n EndDate,\n EventCount,\n FirstSeen,\n HostCount,\n Id,\n Name,\n Severity,\n StartDate,\n Description\n 
),\n (\n BitSightFindingsSummary_CL\n | summarize arg_max(TimeGenerated, *) by CompanyGuid, StartDate, EndDate\n | mv-expand StatEntry = Stats\n | extend\n EventVendor = \"BitSight\",\n EventProduct = \"FindingsSummary\",\n StatName = tostring(StatEntry[\"name\"]),\n StatId = tostring(StatEntry[\"id\"]),\n Confidence = tostring(StatEntry[\"confidence\"]),\n EventCount = toint(StatEntry[\"event_count\"]),\n HostCount = toint(StatEntry[\"host_count\"]),\n FirstSeen = tostring(StatEntry[\"first_seen\"])\n | join kind=leftouter (\n BitsightVulnerabilitiesFindingsSummary_CL\n | summarize arg_max(TimeGenerated, *) by DisplayName\n | project DisplayName, VulnSeverity = Severity, VulnDescription = Description\n ) on $left.StatName == $right.DisplayName\n | project\n TimeGenerated,\n EventVendor,\n EventProduct,\n CompanyName,\n CompanyGuid,\n StartDate,\n EndDate,\n StatName,\n StatId,\n Confidence,\n EventCount,\n HostCount,\n FirstSeen,\n VulnSeverity,\n VulnDescription,\n ConnectorName\n )\n", - "functionParameters": "", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "location": "[parameters('workspace-location')]", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject9')._parserId9,'/'))))]", - "dependsOn": [ - "[variables('parserObject9')._parserId9]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'BitSightFindingsSummary')]", - "contentId": "[variables('parserObject9').parserContentId9]", - "kind": "Parser", - "version": "[variables('parserObject9').parserVersion9]", - "source": { - "kind": "Solution", - "name": "BitSight", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - 
"support": { - "name": "BitSight Support", - "email": "support@bitsight.com", - "tier": "Partner", - "link": "https://www.bitsight.com/customer-success-support" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('parserObject10').parserTemplateSpecName10]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "BitSightGraphData Data Parser with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('parserObject10').parserVersion10]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[variables('parserObject10')._parserName10]", - "apiVersion": "2025-07-01", - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Parser for BitSightGraphData", - "category": "Microsoft Sentinel Parser", - "functionAlias": "BitSightGraphData", - "query": "union isfuzzy=true\n (\n BitsightGraph_data_CL\n | extend\n EventVendor = \"BitSight\",\n EventProduct = \"GraphData\",\n RatingDate = column_ifexists('Rating_Date', ''),\n Rating = column_ifexists('Rating', ''),\n CompanyName = column_ifexists('Company_name', ''),\n RatingDifferance = column_ifexists('Rating_differance', '')\n | project\n TimeGenerated,\n EventVendor,\n EventProduct,\n RatingDate,\n Rating,\n CompanyName,\n RatingDifferance\n ),\n (\n BitSightCompanyDetails_CL\n | summarize arg_max(TimeGenerated, *) by Guid\n | mv-expand RatingEntry = Ratings\n | extend\n EventVendor = \"BitSight\",\n EventProduct = \"GraphData\",\n CompanyName = 
Name,\n RatingDate = tostring(RatingEntry[\"rating_date\"]),\n Rating = toint(RatingEntry[\"rating\"]),\n RatingRange = tostring(RatingEntry[\"range\"]),\n RatingColor = tostring(RatingEntry[\"rating_color\"])\n | sort by Guid asc, RatingDate asc\n | serialize\n | extend\n PrevGuid = prev(Guid, 1),\n PrevRating = prev(Rating, 1)\n | extend\n RatingDifference = iff(Guid == PrevGuid, Rating - PrevRating, int(null)),\n RatingDifferance = iff(Guid == PrevGuid, Rating - PrevRating, int(null))\n | project-away PrevGuid, PrevRating\n | project\n TimeGenerated,\n EventVendor,\n EventProduct,\n CompanyName,\n Guid,\n RatingDate,\n Rating,\n RatingRange,\n RatingColor,\n RatingDifference,\n RatingDifferance,\n ConnectorName\n )\n", - "functionParameters": "", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject10')._parserId10,'/'))))]", - "dependsOn": [ - "[variables('parserObject10')._parserId10]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'BitSightGraphData')]", - "contentId": "[variables('parserObject10').parserContentId10]", - "kind": "Parser", - "version": "[variables('parserObject10').parserVersion10]", - "source": { - "name": "BitSight", - "kind": "Solution", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "BitSight Support", - "email": "support@bitsight.com", - "tier": "Partner", - "link": "https://www.bitsight.com/customer-success-support" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": 
"[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('parserObject10').parserContentId10]", - "contentKind": "Parser", - "displayName": "Parser for BitSightGraphData", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject10').parserContentId10,'-', '1.1.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject10').parserContentId10,'-', '1.1.0')))]", - "version": "[variables('parserObject10').parserVersion10]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "apiVersion": "2025-07-01", - "name": "[variables('parserObject10')._parserName10]", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Parser for BitSightGraphData", - "category": "Microsoft Sentinel Parser", - "functionAlias": "BitSightGraphData", - "query": "union isfuzzy=true\n (\n BitsightGraph_data_CL\n | extend\n EventVendor = \"BitSight\",\n EventProduct = \"GraphData\",\n RatingDate = column_ifexists('Rating_Date', ''),\n Rating = column_ifexists('Rating', ''),\n CompanyName = column_ifexists('Company_name', ''),\n RatingDifferance = column_ifexists('Rating_differance', '')\n | project\n TimeGenerated,\n EventVendor,\n EventProduct,\n RatingDate,\n Rating,\n CompanyName,\n RatingDifferance\n ),\n (\n BitSightCompanyDetails_CL\n | summarize arg_max(TimeGenerated, *) by Guid\n | mv-expand RatingEntry = Ratings\n | extend\n EventVendor = \"BitSight\",\n EventProduct = \"GraphData\",\n CompanyName = Name,\n RatingDate = tostring(RatingEntry[\"rating_date\"]),\n Rating = toint(RatingEntry[\"rating\"]),\n RatingRange = tostring(RatingEntry[\"range\"]),\n RatingColor = tostring(RatingEntry[\"rating_color\"])\n | sort by Guid asc, RatingDate asc\n | serialize\n | extend\n 
PrevGuid = prev(Guid, 1),\n PrevRating = prev(Rating, 1)\n | extend\n RatingDifference = iff(Guid == PrevGuid, Rating - PrevRating, int(null)),\n RatingDifferance = iff(Guid == PrevGuid, Rating - PrevRating, int(null))\n | project-away PrevGuid, PrevRating\n | project\n TimeGenerated,\n EventVendor,\n EventProduct,\n CompanyName,\n Guid,\n RatingDate,\n Rating,\n RatingRange,\n RatingColor,\n RatingDifference,\n RatingDifferance,\n ConnectorName\n )\n", - "functionParameters": "", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "location": "[parameters('workspace-location')]", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject10')._parserId10,'/'))))]", - "dependsOn": [ - "[variables('parserObject10')._parserId10]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'BitSightGraphData')]", - "contentId": "[variables('parserObject10').parserContentId10]", - "kind": "Parser", - "version": "[variables('parserObject10').parserVersion10]", - "source": { - "kind": "Solution", - "name": "BitSight", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "BitSight Support", - "email": "support@bitsight.com", - "tier": "Partner", - "link": "https://www.bitsight.com/customer-success-support" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('parserObject11').parserTemplateSpecName11]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 
'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "BitSightIndustrialStatistics Data Parser with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('parserObject11').parserVersion11]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[variables('parserObject11')._parserName11]", - "apiVersion": "2025-07-01", - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Parser for BitSightIndustrialStatistics", - "category": "Microsoft Sentinel Parser", - "functionAlias": "BitSightIndustrialStatistics", - "query": "union isfuzzy=true\n (\n BitsightIndustrial_statistics_CL\n | extend\n EventVendor = \"BitSight\",\n EventProduct = \"IndustrialStatistics\",\n Count = column_ifexists('count', ''),\n CountPeriod = column_ifexists('count_period', ''),\n AverageDurationDays = column_ifexists('average_duration_days', ''),\n RiskVector = column_ifexists('risk_vector', ''),\n CompanyName = column_ifexists('Company_name', '')\n | project\n TimeGenerated,\n EventVendor,\n EventProduct,\n Count,\n CountPeriod,\n AverageDurationDays,\n RiskVector,\n CompanyName\n ),\n (\n BitsightIndustrialStatistics_CL\n | extend\n EventVendor = \"BitSight\",\n EventProduct = \"IndustrialStatistics\"\n | project\n TimeGenerated,\n EventVendor,\n EventProduct,\n CompanyName,\n CompanyGuid,\n RiskVector,\n IncidentCount,\n CountPeriod,\n AverageDurationDays,\n ConnectorName\n )\n", - "functionParameters": "", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject11')._parserId11,'/'))))]", - "dependsOn": [ - "[variables('parserObject11')._parserId11]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'BitSightIndustrialStatistics')]", - "contentId": "[variables('parserObject11').parserContentId11]", - "kind": "Parser", - "version": "[variables('parserObject11').parserVersion11]", - "source": { - "name": "BitSight", - "kind": "Solution", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "BitSight Support", - "email": "support@bitsight.com", - "tier": "Partner", - "link": "https://www.bitsight.com/customer-success-support" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('parserObject11').parserContentId11]", - "contentKind": "Parser", - "displayName": "Parser for BitSightIndustrialStatistics", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject11').parserContentId11,'-', '1.1.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject11').parserContentId11,'-', '1.1.0')))]", - "version": "[variables('parserObject11').parserVersion11]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "apiVersion": "2025-07-01", - "name": "[variables('parserObject11')._parserName11]", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Parser for 
BitSightIndustrialStatistics", - "category": "Microsoft Sentinel Parser", - "functionAlias": "BitSightIndustrialStatistics", - "query": "union isfuzzy=true\n (\n BitsightIndustrial_statistics_CL\n | extend\n EventVendor = \"BitSight\",\n EventProduct = \"IndustrialStatistics\",\n Count = column_ifexists('count', ''),\n CountPeriod = column_ifexists('count_period', ''),\n AverageDurationDays = column_ifexists('average_duration_days', ''),\n RiskVector = column_ifexists('risk_vector', ''),\n CompanyName = column_ifexists('Company_name', '')\n | project\n TimeGenerated,\n EventVendor,\n EventProduct,\n Count,\n CountPeriod,\n AverageDurationDays,\n RiskVector,\n CompanyName\n ),\n (\n BitsightIndustrialStatistics_CL\n | extend\n EventVendor = \"BitSight\",\n EventProduct = \"IndustrialStatistics\"\n | project\n TimeGenerated,\n EventVendor,\n EventProduct,\n CompanyName,\n CompanyGuid,\n RiskVector,\n IncidentCount,\n CountPeriod,\n AverageDurationDays,\n ConnectorName\n )\n", - "functionParameters": "", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "location": "[parameters('workspace-location')]", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject11')._parserId11,'/'))))]", - "dependsOn": [ - "[variables('parserObject11')._parserId11]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'BitSightIndustrialStatistics')]", - "contentId": "[variables('parserObject11').parserContentId11]", - "kind": "Parser", - "version": "[variables('parserObject11').parserVersion11]", - "source": { - "kind": "Solution", - "name": "BitSight", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - 
"support": { - "name": "BitSight Support", - "email": "support@bitsight.com", - "tier": "Partner", - "link": "https://www.bitsight.com/customer-success-support" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('parserObject12').parserTemplateSpecName12]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "BitSightObservationStatistics Data Parser with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('parserObject12').parserVersion12]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[variables('parserObject12')._parserName12]", - "apiVersion": "2025-07-01", - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Parser for BitSightObservationStatistics", - "category": "Microsoft Sentinel Parser", - "functionAlias": "BitSightObservationStatistics", - "query": "union isfuzzy=true\n (\n BitsightObservation_statistics_CL\n | extend\n EventVendor = \"BitSight\",\n EventProduct = \"ObservationStatistics\",\n Count = column_ifexists('count', ''),\n CountPeriod = column_ifexists('count_period', ''),\n AverageDurationDays = column_ifexists('average_duration_days', ''),\n RiskVector = column_ifexists('risk_vector', ''),\n CompanyName = column_ifexists('Company_name', '')\n | project\n TimeGenerated,\n EventVendor,\n EventProduct,\n Count,\n CountPeriod,\n AverageDurationDays,\n RiskVector,\n CompanyName\n ),\n (\n BitSightObservationStatistics_CL\n | extend\n EventVendor = 
\"BitSight\",\n EventProduct = \"ObservationStatistics\"\n | project\n TimeGenerated,\n EventVendor,\n EventProduct,\n CompanyName,\n CompanyGuid,\n RiskVector,\n ObservationCount,\n CountPeriod,\n AverageDurationDays,\n ConnectorName\n )\n", - "functionParameters": "", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject12')._parserId12,'/'))))]", - "dependsOn": [ - "[variables('parserObject12')._parserId12]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'BitSightObservationStatistics')]", - "contentId": "[variables('parserObject12').parserContentId12]", - "kind": "Parser", - "version": "[variables('parserObject12').parserVersion12]", - "source": { - "name": "BitSight", - "kind": "Solution", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "BitSight Support", - "email": "support@bitsight.com", - "tier": "Partner", - "link": "https://www.bitsight.com/customer-success-support" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('parserObject12').parserContentId12]", - "contentKind": "Parser", - "displayName": "Parser for BitSightObservationStatistics", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject12').parserContentId12,'-', '1.1.0')))]", - "id": 
"[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject12').parserContentId12,'-', '1.1.0')))]", - "version": "[variables('parserObject12').parserVersion12]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "apiVersion": "2025-07-01", - "name": "[variables('parserObject12')._parserName12]", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Parser for BitSightObservationStatistics", - "category": "Microsoft Sentinel Parser", - "functionAlias": "BitSightObservationStatistics", - "query": "union isfuzzy=true\n (\n BitsightObservation_statistics_CL\n | extend\n EventVendor = \"BitSight\",\n EventProduct = \"ObservationStatistics\",\n Count = column_ifexists('count', ''),\n CountPeriod = column_ifexists('count_period', ''),\n AverageDurationDays = column_ifexists('average_duration_days', ''),\n RiskVector = column_ifexists('risk_vector', ''),\n CompanyName = column_ifexists('Company_name', '')\n | project\n TimeGenerated,\n EventVendor,\n EventProduct,\n Count,\n CountPeriod,\n AverageDurationDays,\n RiskVector,\n CompanyName\n ),\n (\n BitSightObservationStatistics_CL\n | extend\n EventVendor = \"BitSight\",\n EventProduct = \"ObservationStatistics\"\n | project\n TimeGenerated,\n EventVendor,\n EventProduct,\n CompanyName,\n CompanyGuid,\n RiskVector,\n ObservationCount,\n CountPeriod,\n AverageDurationDays,\n ConnectorName\n )\n", - "functionParameters": "", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "location": "[parameters('workspace-location')]", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject12')._parserId12,'/'))))]", - "dependsOn": [ - 
"[variables('parserObject12')._parserId12]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'BitSightObservationStatistics')]", - "contentId": "[variables('parserObject12').parserContentId12]", - "kind": "Parser", - "version": "[variables('parserObject12').parserVersion12]", - "source": { - "kind": "Solution", - "name": "BitSight", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "BitSight Support", - "email": "support@bitsight.com", - "tier": "Partner", - "link": "https://www.bitsight.com/customer-success-support" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('parserObject13').parserTemplateSpecName13]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "BitSightVulnerabilitiesFindingsSummary Data Parser with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('parserObject13').parserVersion13]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[variables('parserObject13')._parserName13]", - "apiVersion": "2025-07-01", - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Parser for BitSightVulnerabilitiesFindingsSummary", - "category": "Microsoft Sentinel Parser", - "functionAlias": "BitSightVulnerabilitiesFindingsSummary", - "query": "BitsightVulnerabilitiesFindingsSummary_CL\n| 
summarize arg_max(TimeGenerated, *) by DisplayName\n| extend\n EventVendor = \"BitSight\",\n EventProduct = \"VulnerabilitiesFindingsSummary\"\n| project\n TimeGenerated,\n EventVendor,\n EventProduct,\n DisplayName,\n Severity,\n Description,\n ConnectorName\n", - "functionParameters": "", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject13')._parserId13,'/'))))]", - "dependsOn": [ - "[variables('parserObject13')._parserId13]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'BitSightVulnerabilitiesFindingsSummary')]", - "contentId": "[variables('parserObject13').parserContentId13]", - "kind": "Parser", - "version": "[variables('parserObject13').parserVersion13]", - "source": { - "name": "BitSight", - "kind": "Solution", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "BitSight Support", - "email": "support@bitsight.com", - "tier": "Partner", - "link": "https://www.bitsight.com/customer-success-support" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('parserObject13').parserContentId13]", - "contentKind": "Parser", - "displayName": "Parser for BitSightVulnerabilitiesFindingsSummary", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject13').parserContentId13,'-', '1.0.0')))]", - "id": 
"[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject13').parserContentId13,'-', '1.0.0')))]", - "version": "[variables('parserObject13').parserVersion13]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "apiVersion": "2025-07-01", - "name": "[variables('parserObject13')._parserName13]", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Parser for BitSightVulnerabilitiesFindingsSummary", - "category": "Microsoft Sentinel Parser", - "functionAlias": "BitSightVulnerabilitiesFindingsSummary", - "query": "BitsightVulnerabilitiesFindingsSummary_CL\n| summarize arg_max(TimeGenerated, *) by DisplayName\n| extend\n EventVendor = \"BitSight\",\n EventProduct = \"VulnerabilitiesFindingsSummary\"\n| project\n TimeGenerated,\n EventVendor,\n EventProduct,\n DisplayName,\n Severity,\n Description,\n ConnectorName\n", - "functionParameters": "", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "location": "[parameters('workspace-location')]", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject13')._parserId13,'/'))))]", - "dependsOn": [ - "[variables('parserObject13')._parserId13]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'BitSightVulnerabilitiesFindingsSummary')]", - "contentId": "[variables('parserObject13').parserContentId13]", - "kind": "Parser", - "version": "[variables('parserObject13').parserVersion13]", - "source": { - "kind": "Solution", - "name": "BitSight", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - 
}, - "support": { - "name": "BitSight Support", - "email": "support@bitsight.com", - "tier": "Partner", - "link": "https://www.bitsight.com/customer-success-support" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "BitSight data connector with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion1')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId1')]", - "title": "Bitsight data connector (using Azure Functions)", - "publisher": "BitSight Technologies, Inc.", - "descriptionMarkdown": "The [BitSight](https://www.BitSight.com/) Data Connector supports evidence-based cyber risk monitoring by bringing BitSight data in Microsoft Sentinel.", - "graphQueries": [ - { - "metricName": "Total Alerts data received", - "legend": "BitsightAlerts_data_CL", - "baseQuery": "BitsightAlerts_data_CL" - }, - { - "metricName": "Total Breaches data received", - "legend": "BitsightBreaches_data_CL", - "baseQuery": "BitsightBreaches_data_CL" - }, - { - "metricName": "Total Company Details received", - "legend": 
"BitsightCompany_details_CL", - "baseQuery": "BitsightCompany_details_CL" - }, - { - "metricName": "Total Company Ratings received", - "legend": "BitsightCompany_rating_details_CL", - "baseQuery": "BitsightCompany_rating_details_CL" - }, - { - "metricName": "Total Diligence Historical Statistics data received", - "legend": "BitsightDiligence_historical_statistics_CL", - "baseQuery": "BitsightDiligence_historical_statistics_CL" - }, - { - "metricName": "Total Diligence Statistics data received", - "legend": "BitsightDiligence_statistics_CL", - "baseQuery": "BitsightDiligence_statistics_CL" - }, - { - "metricName": "Total Findings data received", - "legend": "BitsightFindings_data_CL", - "baseQuery": "BitsightFindings_data_CL" - }, - { - "metricName": "Total Findings Summary data received", - "legend": "BitsightFindings_summary_CL", - "baseQuery": "BitsightFindings_summary_CL" - }, - { - "metricName": "Total Graph data received", - "legend": "BitsightGraph_data_CL", - "baseQuery": "BitsightGraph_data_CL" - }, - { - "metricName": "Total Industrial Statistics data received", - "legend": "BitsightIndustrial_statistics_CL", - "baseQuery": "BitsightIndustrial_statistics_CL" - }, - { - "metricName": "Total Observation Statistics data received", - "legend": "BitsightObservation_statistics_CL", - "baseQuery": "BitsightObservation_statistics_CL" - } - ], - "sampleQueries": [ - { - "description": "BitSight Alert Events - Alerts Event for all Companies in portfolio.", - "query": "BitsightAlerts_data_CL\n | sort by TimeGenerated desc" - }, - { - "description": "BitSight Breaches Events - Breaches Event for all Companies in portfolio.", - "query": "BitsightBreaches_data_CL\n | sort by TimeGenerated desc" - }, - { - "description": "BitSight Company Details Events - Company Details Event for all Companies in portfolio.", - "query": "BitsightCompany_details_CL\n | sort by TimeGenerated desc" - }, - { - "description": "BitSight Company Ratings Events - Company Ratings Event for all 
Companies.", - "query": "BitsightCompany_rating_details_CL\n | sort by TimeGenerated desc" - }, - { - "description": "BitSight Diligence Historical Statistics Events - Diligence Historical Statistics Event for all Companies.", - "query": "BitsightDiligence_historical_statistics_CL\n | sort by TimeGenerated desc" - }, - { - "description": "BitSight Diligence Statistics Events - Diligence Statistics Event for all Companies.", - "query": "BitsightDiligence_statistics_CL\n | sort by TimeGenerated desc" - }, - { - "description": "BitSight Findings Events - Findings Event for all Companies.", - "query": "BitsightFindings_data_CL\n | sort by TimeGenerated desc" - }, - { - "description": "BitSight Findings Summary Events - Findings Summary Event for all Companies.", - "query": "BitsightFindings_summary_CL\n | sort by TimeGenerated desc" - }, - { - "description": "BitSight Graph Events - Graph Event for all Companies.", - "query": "BitsightGraph_data_CL\n | sort by TimeGenerated desc" - }, - { - "description": "BitSight Industrial Statistics Events - Industrial Statistics Event for all Companies.", - "query": "BitsightIndustrial_statistics_CL\n | sort by TimeGenerated desc" - }, - { - "description": "BitSight Observation Statistics Events - Observation Statistics Event for all Companies.", - "query": "BitsightObservation_statistics_CL\n | sort by TimeGenerated desc" - } - ], - "dataTypes": [ - { - "name": "BitsightAlerts_data_CL", - "lastDataReceivedQuery": "BitsightAlerts_data_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "BitsightBreaches_data_CL", - "lastDataReceivedQuery": "BitsightBreaches_data_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "BitsightCompany_details_CL", - "lastDataReceivedQuery": "BitsightCompany_details_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "BitsightCompany_rating_details_CL", - "lastDataReceivedQuery": 
"BitsightCompany_rating_details_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "BitsightDiligence_historical_statistics_CL", - "lastDataReceivedQuery": "BitsightDiligence_historical_statistics_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "BitsightDiligence_statistics_CL", - "lastDataReceivedQuery": "BitsightDiligence_statistics_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "BitsightFindings_data_CL", - "lastDataReceivedQuery": "BitsightFindings_data_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "BitsightFindings_summary_CL", - "lastDataReceivedQuery": "BitsightFindings_summary_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "BitsightGraph_data_CL", - "lastDataReceivedQuery": "BitsightGraph_data_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "BitsightIndustrial_statistics_CL", - "lastDataReceivedQuery": "BitsightIndustrial_statistics_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "BitsightObservation_statistics_CL", - "lastDataReceivedQuery": "BitsightObservation_statistics_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "BitsightAlerts_data_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - }, - { - "type": "IsConnectedQuery", - "value": [ - "BitsightBreaches_data_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - }, - { - "type": "IsConnectedQuery", - "value": [ - "BitsightCompany_details_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - }, - { - "type": 
"IsConnectedQuery", - "value": [ - "BitsightCompany_rating_details_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - }, - { - "type": "IsConnectedQuery", - "value": [ - "BitsightDiligence_historical_statistics_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - }, - { - "type": "IsConnectedQuery", - "value": [ - "BitsightDiligence_statistics_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - }, - { - "type": "IsConnectedQuery", - "value": [ - "BitsightFindings_data_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - }, - { - "type": "IsConnectedQuery", - "value": [ - "BitsightFindings_summary_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - }, - { - "type": "IsConnectedQuery", - "value": [ - "BitsightGraph_data_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - }, - { - "type": "IsConnectedQuery", - "value": [ - "BitsightIndustrial_statistics_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - }, - { - "type": "IsConnectedQuery", - "value": [ - "BitsightObservation_statistics_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions on the workspace are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - }, - { - "provider": 
"Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "name": "Microsoft.Web/sites permissions", - "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." - }, - { - "name": "REST API Credentials/permissions", - "description": "BitSight API Token is required. See the documentation to [learn more](https://help.bitsighttech.com/hc/en-us/articles/115014888388-API-Token-Management) about API Token." - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This connector uses Azure Functions to connect to the BitSight API to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details." - }, - { - "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." - }, - { - "description": "**STEP 1 - Steps to Create/Get Bitsight API Token**\n\n Follow these instructions to get a BitSight API Token.\n 1. For SPM App: Refer to the [User Preference](https://service.bitsight.com/app/spm/account) tab of your Account page, \n\t\tGo to Settings > Account > User Preferences > API Token.\n 2. 
For TPRM App: Refer to the [User Preference](https://service.bitsight.com/app/tprm/account) tab of your Account page, \n\t\tGo to Settings > Account > User Preferences > API Token.\n 3. For Classic BitSight: Go to your [Account](https://service.bitsight.com/settings) page, \n\t\tGo to Settings > Account > API Token." - }, - { - "description": "**STEP 2 - App Registration steps for the Application in Microsoft Entra ID**\n\n This integration requires an App registration in the Azure portal. Follow the steps in this section to create a new application in Microsoft Entra ID:\n 1. Sign in to the [Azure portal](https://portal.azure.com/).\n 2. Search for and select **Microsoft Entra ID**.\n 3. Under **Manage**, select **App registrations > New registration**.\n 4. Enter a display **Name** for your application.\n 5. Select **Register** to complete the initial app registration.\n 6. When registration finishes, the Azure portal displays the app registration's Overview pane. You see the **Application (client) ID** and **Tenant ID**. The client ID and Tenant ID is required as configuration parameters for the execution of BitSight Data Connector. \n\n> **Reference link:** [https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app](https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app)" - }, - { - "description": "**STEP 3 - Add a client secret for application in Microsoft Entra ID**\n\n Sometimes called an application password, a client secret is a string value required for the execution of BitSight Data Connector. Follow the steps in this section to create a new Client Secret:\n 1. In the Azure portal, in **App registrations**, select your application.\n 2. Select **Certificates & secrets > Client secrets > New client secret**.\n 3. Add a description for your client secret.\n 4. Select an expiration for the secret or specify a custom lifetime. Limit is 24 months.\n 5. Select **Add**. \n 6. 
*Record the secret's value for use in your client application code. This secret value is never displayed again after you leave this page.* The secret value is required as configuration parameter for the execution of BitSight Data Connector. \n\n> **Reference link:** [https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app#add-a-client-secret](https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app#add-a-client-secret)" - }, - { - "description": "**STEP 4 - Get Object ID of your application in Microsoft Entra ID**\n\n After creating your app registration, follow the steps in this section to get Object ID:\n 1. Go to **Microsoft Entra ID**.\n 2. Select **Enterprise applications** from the left menu.\n 3. Find your newly created application in the list (you can search by the name you provided).\n 4. Click on the application.\n 5. On the overview page, copy the **Object ID**. This is the **AzureEntraObjectId** needed for your ARM template role assignment.\n" - }, - { - "description": "**STEP 5 - Assign role of Contributor to application in Microsoft Entra ID**\n\n Follow the steps in this section to assign the role:\n 1. In the Azure portal, Go to **Resource Group** and select your resource group.\n 2. Go to **Access control (IAM)** from left panel.\n 3. Click on **Add**, and then select **Add role assignment**.\n 4. Select **Contributor** as role and click on next.\n 5. In **Assign access to**, select `User, group, or service principal`.\n 6. Click on **add members** and type **your app name** that you have created and select it.\n 7. Now click on **Review + assign** and then again click on **Review + assign**. 
\n\n> **Reference link:** [https://learn.microsoft.com/azure/role-based-access-control/role-assignments-portal](https://learn.microsoft.com/azure/role-based-access-control/role-assignments-portal)" - }, - { - "description": "**STEP 6 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the BitSight data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following) readily available.., as well as the BitSight API Token.", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Workspace ID" - }, - "type": "CopyableLabel" - }, - { - "parameters": { - "fillWith": [ - "PrimaryKey" - ], - "label": "Primary Key" - }, - "type": "CopyableLabel" - } - ] - }, - { - "description": "Use this method for automated deployment of the BitSight connector.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[](https://aka.ms/sentinel-BitSight-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the below information : \n\n\t a. **FunctionName** - Name of the Azure Function App to be created. Default is BitSight. \n\n\t b. **API_token** - Enter API Token of your BitSight account. \n\n\t c. **Azure_Client_Id** - Enter Azure Client Id that you have created during app registration. \n\n\t d. **Azure_Client_Secret** - Enter Azure Client Secret that you have created during creating the client secret. \n\n\t e. **Azure_Tenant_Id** - Enter Azure Tenant Id of your Microsoft Entra ID. \n\n\t f. **Azure_Entra_Object_Id** - Enter Object id of your Microsoft Entra App. \n\n\t g. **Companies** - Please add valid company names separated by asterisk(*). For example: Actors Films*Goliath Investments LLC*HCL Group*Saperix, Inc. \n\n\t h. **Location** - The location in which the data collection rules and data collection endpoints should be deployed. \n\n\t i. 
**WorkspaceName** - Log analytics workspace name. Can be found under Log analytics \"Settings\". \n\n\t j. **Portfolio_Companies_Table_Name** - Name of the table to store portfolio companies. Default is BitsightPortfolio_Companies. Please do not keep this field as empty else you will get validation error. \n\n\t k. **Alerts_Table_Name** - Name of the table to store alerts. Default is BitsightAlerts_data. Please do not keep this field as empty else you will get validation error. \n\n\t l. **Breaches_Table_Name** - Name of the table to store breaches. Default is BitsightBreaches_data. Please do not keep this field as empty else you will get validation error. \n\n\t m. **Company_Table_Name** - Name of the table to store company details. Default is BitsightCompany_details. Please do not keep this field as empty else you will get validation error. \n\n\t n. **Company_Rating_Details_Table_Name** - Name of the table to store company rating details. Default is BitsightCompany_rating_details. Please do not keep this field as empty else you will get validation error. \n\n\t o. **Diligence_Historical_Statistics_Table_Name** - Name of the table to store diligence historical statistics. Default is BitsightDiligence_historical_statistics. Please do not keep this field as empty else you will get validation error. \n\n\t p. **Diligence_Statistics_Table_Name** - Name of the table to store diligence statistics. Default is BitsightDiligence_statistics. Please do not keep this field as empty else you will get validation error. \n\n\t q. **Findings_Summary_Table_Name** - Name of the table to store findings summary. Default is BitsightFindings_summary. Please do not keep this field as empty else you will get validation error. \n\n\t r. **Findings_Table_Name** - Name of the table to store findings data. Default is BitsightFindings_data. Please do not keep this field as empty else you will get validation error. \n\n\t s. **Graph_Table_Name** - Name of the table to store graph data. 
Default is BitsightGraph_data. Please do not keep this field as empty else you will get validation error. \n\n\t t. **Industrial_Statistics_Table_Name** - Name of the table to store industrial statistics. Default is BitsightIndustrial_statistics. Please do not keep this field as empty else you will get validation error. \n\n\t u. **Observation_Statistics_Table_Name** - Name of the table to store observation statistics. Default is BitsightObservation_statistics. Please do not keep this field as empty else you will get validation error. \n\n\t v. **LogLevel** - Select log level or log severity value from DEBUG, INFO, ERROR. By default it is set to INFO. \n\n\t w. **Schedule** - Please enter a valid Quartz cron-expression. (Example: 0 0 * * * *). \n\n\t x. **Schedule_Portfolio** - Please enter a valid Quartz cron-expression. (Example: 0 */30 * * * *). \n\n\t y. **AppInsightsWorkspaceResourceID** - Use 'Log Analytic Workspace-->Properties' blade having 'Resource ID' property value. This is a fully qualified resourceId which is in format '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}'. \n4. Once all application settings have been entered, click **Review + create** to deploy..", - "title": "Option 1 - Azure Resource Manager (ARM) Template" - }, - { - "description": "Use the following step-by-step instructions to deploy the BitSight data connector manually with Azure Functions (Deployment via Visual Studio Code).", - "title": "Option 2 - Manual Deployment of Azure Functions" - }, - { - "description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-BitSight310-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. 
Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. BitSightXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.8 or above.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration." - }, - { - "description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following application settings individually, with their respective values (case-sensitive): \n\n\t a. **FunctionName** - Name of the Azure Function App to be created. Default is BitSight. \n\n\t b. **API_token** - Enter API Token of your BitSight account. \n\n\t c. **Azure_Client_Id** - Enter Azure Client Id that you have created during app registration. 
\n\n\t d. **Azure_Client_Secret** - Enter Azure Client Secret that you have created during creating the client secret. \n\n\t e. **Azure_Tenant_Id** - Enter Azure Tenant Id of your Microsoft Entra ID. \n\n\t f. **Azure_Entra_Object_Id** - Enter Object id of your Microsoft Entra App. \n\n\t g. **Companies** - Please add valid company names separated by asterisk(*). For example: Actors Films*Goliath Investments LLC*HCL Group*Saperix, Inc. \n\n\t h. **Location** - The location in which the data collection rules and data collection endpoints should be deployed. \n\n\t i. **WorkspaceName** - Log analytics workspace name. Can be found under Log analytics \"Settings\". \n\n\t j. **Portfolio_Companies_Table_Name** - Name of the table to store portfolio companies. Default is BitsightPortfolio_Companies. Please do not keep this field as empty else you will get validation error. \n\n\t k. **Alerts_Table_Name** - Name of the table to store alerts. Default is BitsightAlerts_data. Please do not keep this field as empty else you will get validation error. \n\n\t l. **Breaches_Table_Name** - Name of the table to store breaches. Default is BitsightBreaches_data. Please do not keep this field as empty else you will get validation error. \n\n\t m. **Company_Table_Name** - Name of the table to store company details. Default is BitsightCompany_details. Please do not keep this field as empty else you will get validation error. \n\n\t n. **Company_Rating_Details_Table_Name** - Name of the table to store company rating details. Default is BitsightCompany_rating_details. Please do not keep this field as empty else you will get validation error. \n\n\t o. **Diligence_Historical_Statistics_Table_Name** - Name of the table to store diligence historical statistics. Default is BitsightDiligence_historical_statistics. Please do not keep this field as empty else you will get validation error. \n\n\t p. **Diligence_Statistics_Table_Name** - Name of the table to store diligence statistics. 
Default is BitsightDiligence_statistics. Please do not keep this field as empty else you will get validation error. \n\n\t q. **Findings_Summary_Table_Name** - Name of the table to store findings summary. Default is BitsightFindings_summary. Please do not keep this field as empty else you will get validation error. \n\n\t r. **Findings_Table_Name** - Name of the table to store findings data. Default is BitsightFindings_data. Please do not keep this field as empty else you will get validation error. \n\n\t s. **Graph_Table_Name** - Name of the table to store graph data. Default is BitsightGraph_data. Please do not keep this field as empty else you will get validation error. \n\n\t t. **Industrial_Statistics_Table_Name** - Name of the table to store industrial statistics. Default is BitsightIndustrial_statistics. Please do not keep this field as empty else you will get validation error. \n\n\t u. **Observation_Statistics_Table_Name** - Name of the table to store observation statistics. Default is BitsightObservation_statistics. Please do not keep this field as empty else you will get validation error. \n\n\t v. **LogLevel** - Select log level or log severity value from DEBUG, INFO, ERROR. By default it is set to INFO. \n\n\t w. **Schedule** - Please enter a valid Quartz cron-expression. (Example: 0 0 * * * *). \n\n\t x. **Schedule_Portfolio** - Please enter a valid Quartz cron-expression. (Example: 0 */30 * * * *). \n\n\t y. **AppInsightsWorkspaceResourceID** - Use 'Log Analytic Workspace-->Properties' blade having 'Resource ID' property value. This is a fully qualified resourceId which is in format '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}'. \n4. Once all application settings have been entered, click **Save**." 
- } - ] - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "BitSight", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "BitSight Support", - "email": "support@bitsight.com", - "tier": "Partner", - "link": "https://www.bitsight.com/customer-success-support" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId1')]", - "contentKind": "DataConnector", - "displayName": "Bitsight data connector (using Azure Functions)", - "contentProductId": "[variables('_dataConnectorcontentProductId1')]", - "id": "[variables('_dataConnectorcontentProductId1')]", - "version": "[variables('dataConnectorVersion1')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId1')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - "parentId": 
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "BitSight", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "BitSight Support", - "email": "support@bitsight.com", - "tier": "Partner", - "link": "https://www.bitsight.com/customer-success-support" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "Bitsight data connector (using Azure Functions)", - "publisher": "BitSight Technologies, Inc.", - "descriptionMarkdown": "The [BitSight](https://www.BitSight.com/) Data Connector supports evidence-based cyber risk monitoring by bringing BitSight data in Microsoft Sentinel.", - "graphQueries": [ - { - "metricName": "Total Alerts data received", - "legend": "BitsightAlerts_data_CL", - "baseQuery": "BitsightAlerts_data_CL" - }, - { - "metricName": "Total Breaches data received", - "legend": "BitsightBreaches_data_CL", - "baseQuery": "BitsightBreaches_data_CL" - }, - { - "metricName": "Total Company Details received", - "legend": "BitsightCompany_details_CL", - "baseQuery": "BitsightCompany_details_CL" - }, - { - "metricName": "Total Company Ratings received", - "legend": "BitsightCompany_rating_details_CL", - "baseQuery": "BitsightCompany_rating_details_CL" - }, - { - "metricName": "Total Diligence Historical Statistics data 
received", - "legend": "BitsightDiligence_historical_statistics_CL", - "baseQuery": "BitsightDiligence_historical_statistics_CL" - }, - { - "metricName": "Total Diligence Statistics data received", - "legend": "BitsightDiligence_statistics_CL", - "baseQuery": "BitsightDiligence_statistics_CL" - }, - { - "metricName": "Total Findings data received", - "legend": "BitsightFindings_data_CL", - "baseQuery": "BitsightFindings_data_CL" - }, - { - "metricName": "Total Findings Summary data received", - "legend": "BitsightFindings_summary_CL", - "baseQuery": "BitsightFindings_summary_CL" - }, - { - "metricName": "Total Graph data received", - "legend": "BitsightGraph_data_CL", - "baseQuery": "BitsightGraph_data_CL" - }, - { - "metricName": "Total Industrial Statistics data received", - "legend": "BitsightIndustrial_statistics_CL", - "baseQuery": "BitsightIndustrial_statistics_CL" - }, - { - "metricName": "Total Observation Statistics data received", - "legend": "BitsightObservation_statistics_CL", - "baseQuery": "BitsightObservation_statistics_CL" - } - ], - "dataTypes": [ - { - "name": "BitsightAlerts_data_CL", - "lastDataReceivedQuery": "BitsightAlerts_data_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "BitsightBreaches_data_CL", - "lastDataReceivedQuery": "BitsightBreaches_data_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "BitsightCompany_details_CL", - "lastDataReceivedQuery": "BitsightCompany_details_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "BitsightCompany_rating_details_CL", - "lastDataReceivedQuery": "BitsightCompany_rating_details_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "BitsightDiligence_historical_statistics_CL", - "lastDataReceivedQuery": "BitsightDiligence_historical_statistics_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": 
"BitsightDiligence_statistics_CL", - "lastDataReceivedQuery": "BitsightDiligence_statistics_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "BitsightFindings_data_CL", - "lastDataReceivedQuery": "BitsightFindings_data_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "BitsightFindings_summary_CL", - "lastDataReceivedQuery": "BitsightFindings_summary_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "BitsightGraph_data_CL", - "lastDataReceivedQuery": "BitsightGraph_data_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "BitsightIndustrial_statistics_CL", - "lastDataReceivedQuery": "BitsightIndustrial_statistics_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "BitsightObservation_statistics_CL", - "lastDataReceivedQuery": "BitsightObservation_statistics_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "BitsightAlerts_data_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - }, - { - "type": "IsConnectedQuery", - "value": [ - "BitsightBreaches_data_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - }, - { - "type": "IsConnectedQuery", - "value": [ - "BitsightCompany_details_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - }, - { - "type": "IsConnectedQuery", - "value": [ - "BitsightCompany_rating_details_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - }, - { - "type": "IsConnectedQuery", - "value": [ - "BitsightDiligence_historical_statistics_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project 
IsConnected = LastLogReceived > ago(30d)" - ] - }, - { - "type": "IsConnectedQuery", - "value": [ - "BitsightDiligence_statistics_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - }, - { - "type": "IsConnectedQuery", - "value": [ - "BitsightFindings_data_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - }, - { - "type": "IsConnectedQuery", - "value": [ - "BitsightFindings_summary_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - }, - { - "type": "IsConnectedQuery", - "value": [ - "BitsightGraph_data_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - }, - { - "type": "IsConnectedQuery", - "value": [ - "BitsightIndustrial_statistics_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - }, - { - "type": "IsConnectedQuery", - "value": [ - "BitsightObservation_statistics_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "sampleQueries": [ - { - "description": "BitSight Alert Events - Alerts Event for all Companies in portfolio.", - "query": "BitsightAlerts_data_CL\n | sort by TimeGenerated desc" - }, - { - "description": "BitSight Breaches Events - Breaches Event for all Companies in portfolio.", - "query": "BitsightBreaches_data_CL\n | sort by TimeGenerated desc" - }, - { - "description": "BitSight Company Details Events - Company Details Event for all Companies in portfolio.", - "query": "BitsightCompany_details_CL\n | sort by TimeGenerated desc" - }, - { - "description": "BitSight Company Ratings Events - Company Ratings Event for all Companies.", - "query": "BitsightCompany_rating_details_CL\n | sort by TimeGenerated desc" - }, - { - "description": "BitSight Diligence Historical 
Statistics Events - Diligence Historical Statistics Event for all Companies.", - "query": "BitsightDiligence_historical_statistics_CL\n | sort by TimeGenerated desc" - }, - { - "description": "BitSight Diligence Statistics Events - Diligence Statistics Event for all Companies.", - "query": "BitsightDiligence_statistics_CL\n | sort by TimeGenerated desc" - }, - { - "description": "BitSight Findings Events - Findings Event for all Companies.", - "query": "BitsightFindings_data_CL\n | sort by TimeGenerated desc" - }, - { - "description": "BitSight Findings Summary Events - Findings Summary Event for all Companies.", - "query": "BitsightFindings_summary_CL\n | sort by TimeGenerated desc" - }, - { - "description": "BitSight Graph Events - Graph Event for all Companies.", - "query": "BitsightGraph_data_CL\n | sort by TimeGenerated desc" - }, - { - "description": "BitSight Industrial Statistics Events - Industrial Statistics Event for all Companies.", - "query": "BitsightIndustrial_statistics_CL\n | sort by TimeGenerated desc" - }, - { - "description": "BitSight Observation Statistics Events - Observation Statistics Event for all Companies.", - "query": "BitsightObservation_statistics_CL\n | sort by TimeGenerated desc" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions on the workspace are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "name": "Microsoft.Web/sites permissions", - "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." - }, - { - "name": "REST API Credentials/permissions", - "description": "BitSight API Token is required. See the documentation to [learn more](https://help.bitsighttech.com/hc/en-us/articles/115014888388-API-Token-Management) about API Token." - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This connector uses Azure Functions to connect to the BitSight API to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details." - }, - { - "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." - }, - { - "description": "**STEP 1 - Steps to Create/Get Bitsight API Token**\n\n Follow these instructions to get a BitSight API Token.\n 1. For SPM App: Refer to the [User Preference](https://service.bitsight.com/app/spm/account) tab of your Account page, \n\t\tGo to Settings > Account > User Preferences > API Token.\n 2. 
For TPRM App: Refer to the [User Preference](https://service.bitsight.com/app/tprm/account) tab of your Account page, \n\t\tGo to Settings > Account > User Preferences > API Token.\n 3. For Classic BitSight: Go to your [Account](https://service.bitsight.com/settings) page, \n\t\tGo to Settings > Account > API Token." - }, - { - "description": "**STEP 2 - App Registration steps for the Application in Microsoft Entra ID**\n\n This integration requires an App registration in the Azure portal. Follow the steps in this section to create a new application in Microsoft Entra ID:\n 1. Sign in to the [Azure portal](https://portal.azure.com/).\n 2. Search for and select **Microsoft Entra ID**.\n 3. Under **Manage**, select **App registrations > New registration**.\n 4. Enter a display **Name** for your application.\n 5. Select **Register** to complete the initial app registration.\n 6. When registration finishes, the Azure portal displays the app registration's Overview pane. You see the **Application (client) ID** and **Tenant ID**. The client ID and Tenant ID is required as configuration parameters for the execution of BitSight Data Connector. \n\n> **Reference link:** [https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app](https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app)" - }, - { - "description": "**STEP 3 - Add a client secret for application in Microsoft Entra ID**\n\n Sometimes called an application password, a client secret is a string value required for the execution of BitSight Data Connector. Follow the steps in this section to create a new Client Secret:\n 1. In the Azure portal, in **App registrations**, select your application.\n 2. Select **Certificates & secrets > Client secrets > New client secret**.\n 3. Add a description for your client secret.\n 4. Select an expiration for the secret or specify a custom lifetime. Limit is 24 months.\n 5. Select **Add**. \n 6. 
*Record the secret's value for use in your client application code. This secret value is never displayed again after you leave this page.* The secret value is required as configuration parameter for the execution of BitSight Data Connector. \n\n> **Reference link:** [https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app#add-a-client-secret](https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app#add-a-client-secret)" - }, - { - "description": "**STEP 4 - Get Object ID of your application in Microsoft Entra ID**\n\n After creating your app registration, follow the steps in this section to get Object ID:\n 1. Go to **Microsoft Entra ID**.\n 2. Select **Enterprise applications** from the left menu.\n 3. Find your newly created application in the list (you can search by the name you provided).\n 4. Click on the application.\n 5. On the overview page, copy the **Object ID**. This is the **AzureEntraObjectId** needed for your ARM template role assignment.\n" - }, - { - "description": "**STEP 5 - Assign role of Contributor to application in Microsoft Entra ID**\n\n Follow the steps in this section to assign the role:\n 1. In the Azure portal, Go to **Resource Group** and select your resource group.\n 2. Go to **Access control (IAM)** from left panel.\n 3. Click on **Add**, and then select **Add role assignment**.\n 4. Select **Contributor** as role and click on next.\n 5. In **Assign access to**, select `User, group, or service principal`.\n 6. Click on **add members** and type **your app name** that you have created and select it.\n 7. Now click on **Review + assign** and then again click on **Review + assign**. 
\n\n> **Reference link:** [https://learn.microsoft.com/azure/role-based-access-control/role-assignments-portal](https://learn.microsoft.com/azure/role-based-access-control/role-assignments-portal)" - }, - { - "description": "**STEP 6 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the BitSight data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following) readily available.., as well as the BitSight API Token.", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Workspace ID" - }, - "type": "CopyableLabel" - }, - { - "parameters": { - "fillWith": [ - "PrimaryKey" - ], - "label": "Primary Key" - }, - "type": "CopyableLabel" - } - ] - }, - { - "description": "Use this method for automated deployment of the BitSight connector.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[](https://aka.ms/sentinel-BitSight-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the below information : \n\n\t a. **FunctionName** - Name of the Azure Function App to be created. Default is BitSight. \n\n\t b. **API_token** - Enter API Token of your BitSight account. \n\n\t c. **Azure_Client_Id** - Enter Azure Client Id that you have created during app registration. \n\n\t d. **Azure_Client_Secret** - Enter Azure Client Secret that you have created during creating the client secret. \n\n\t e. **Azure_Tenant_Id** - Enter Azure Tenant Id of your Microsoft Entra ID. \n\n\t f. **Azure_Entra_Object_Id** - Enter Object id of your Microsoft Entra App. \n\n\t g. **Companies** - Please add valid company names separated by asterisk(*). For example: Actors Films*Goliath Investments LLC*HCL Group*Saperix, Inc. \n\n\t h. **Location** - The location in which the data collection rules and data collection endpoints should be deployed. \n\n\t i. 
**WorkspaceName** - Log analytics workspace name. Can be found under Log analytics \"Settings\". \n\n\t j. **Portfolio_Companies_Table_Name** - Name of the table to store portfolio companies. Default is BitsightPortfolio_Companies. Please do not keep this field as empty else you will get validation error. \n\n\t k. **Alerts_Table_Name** - Name of the table to store alerts. Default is BitsightAlerts_data. Please do not keep this field as empty else you will get validation error. \n\n\t l. **Breaches_Table_Name** - Name of the table to store breaches. Default is BitsightBreaches_data. Please do not keep this field as empty else you will get validation error. \n\n\t m. **Company_Table_Name** - Name of the table to store company details. Default is BitsightCompany_details. Please do not keep this field as empty else you will get validation error. \n\n\t n. **Company_Rating_Details_Table_Name** - Name of the table to store company rating details. Default is BitsightCompany_rating_details. Please do not keep this field as empty else you will get validation error. \n\n\t o. **Diligence_Historical_Statistics_Table_Name** - Name of the table to store diligence historical statistics. Default is BitsightDiligence_historical_statistics. Please do not keep this field as empty else you will get validation error. \n\n\t p. **Diligence_Statistics_Table_Name** - Name of the table to store diligence statistics. Default is BitsightDiligence_statistics. Please do not keep this field as empty else you will get validation error. \n\n\t q. **Findings_Summary_Table_Name** - Name of the table to store findings summary. Default is BitsightFindings_summary. Please do not keep this field as empty else you will get validation error. \n\n\t r. **Findings_Table_Name** - Name of the table to store findings data. Default is BitsightFindings_data. Please do not keep this field as empty else you will get validation error. \n\n\t s. **Graph_Table_Name** - Name of the table to store graph data. 
Default is BitsightGraph_data. Please do not keep this field as empty else you will get validation error. \n\n\t t. **Industrial_Statistics_Table_Name** - Name of the table to store industrial statistics. Default is BitsightIndustrial_statistics. Please do not keep this field as empty else you will get validation error. \n\n\t u. **Observation_Statistics_Table_Name** - Name of the table to store observation statistics. Default is BitsightObservation_statistics. Please do not keep this field as empty else you will get validation error. \n\n\t v. **LogLevel** - Select log level or log severity value from DEBUG, INFO, ERROR. By default it is set to INFO. \n\n\t w. **Schedule** - Please enter a valid Quartz cron-expression. (Example: 0 0 * * * *). \n\n\t x. **Schedule_Portfolio** - Please enter a valid Quartz cron-expression. (Example: 0 */30 * * * *). \n\n\t y. **AppInsightsWorkspaceResourceID** - Use 'Log Analytic Workspace-->Properties' blade having 'Resource ID' property value. This is a fully qualified resourceId which is in format '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}'. \n4. Once all application settings have been entered, click **Review + create** to deploy..", - "title": "Option 1 - Azure Resource Manager (ARM) Template" - }, - { - "description": "Use the following step-by-step instructions to deploy the BitSight data connector manually with Azure Functions (Deployment via Visual Studio Code).", - "title": "Option 2 - Manual Deployment of Azure Functions" - }, - { - "description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-BitSight310-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. 
Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. BitSightXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.8 or above.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration." - }, - { - "description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following application settings individually, with their respective values (case-sensitive): \n\n\t a. **FunctionName** - Name of the Azure Function App to be created. Default is BitSight. \n\n\t b. **API_token** - Enter API Token of your BitSight account. \n\n\t c. **Azure_Client_Id** - Enter Azure Client Id that you have created during app registration. 
\n\n\t d. **Azure_Client_Secret** - Enter Azure Client Secret that you have created during creating the client secret. \n\n\t e. **Azure_Tenant_Id** - Enter Azure Tenant Id of your Microsoft Entra ID. \n\n\t f. **Azure_Entra_Object_Id** - Enter Object id of your Microsoft Entra App. \n\n\t g. **Companies** - Please add valid company names separated by asterisk(*). For example: Actors Films*Goliath Investments LLC*HCL Group*Saperix, Inc. \n\n\t h. **Location** - The location in which the data collection rules and data collection endpoints should be deployed. \n\n\t i. **WorkspaceName** - Log analytics workspace name. Can be found under Log analytics \"Settings\". \n\n\t j. **Portfolio_Companies_Table_Name** - Name of the table to store portfolio companies. Default is BitsightPortfolio_Companies. Please do not keep this field as empty else you will get validation error. \n\n\t k. **Alerts_Table_Name** - Name of the table to store alerts. Default is BitsightAlerts_data. Please do not keep this field as empty else you will get validation error. \n\n\t l. **Breaches_Table_Name** - Name of the table to store breaches. Default is BitsightBreaches_data. Please do not keep this field as empty else you will get validation error. \n\n\t m. **Company_Table_Name** - Name of the table to store company details. Default is BitsightCompany_details. Please do not keep this field as empty else you will get validation error. \n\n\t n. **Company_Rating_Details_Table_Name** - Name of the table to store company rating details. Default is BitsightCompany_rating_details. Please do not keep this field as empty else you will get validation error. \n\n\t o. **Diligence_Historical_Statistics_Table_Name** - Name of the table to store diligence historical statistics. Default is BitsightDiligence_historical_statistics. Please do not keep this field as empty else you will get validation error. \n\n\t p. **Diligence_Statistics_Table_Name** - Name of the table to store diligence statistics. 
Default is BitsightDiligence_statistics. Please do not keep this field as empty else you will get validation error. \n\n\t q. **Findings_Summary_Table_Name** - Name of the table to store findings summary. Default is BitsightFindings_summary. Please do not keep this field as empty else you will get validation error. \n\n\t r. **Findings_Table_Name** - Name of the table to store findings data. Default is BitsightFindings_data. Please do not keep this field as empty else you will get validation error. \n\n\t s. **Graph_Table_Name** - Name of the table to store graph data. Default is BitsightGraph_data. Please do not keep this field as empty else you will get validation error. \n\n\t t. **Industrial_Statistics_Table_Name** - Name of the table to store industrial statistics. Default is BitsightIndustrial_statistics. Please do not keep this field as empty else you will get validation error. \n\n\t u. **Observation_Statistics_Table_Name** - Name of the table to store observation statistics. Default is BitsightObservation_statistics. Please do not keep this field as empty else you will get validation error. \n\n\t v. **LogLevel** - Select log level or log severity value from DEBUG, INFO, ERROR. By default it is set to INFO. \n\n\t w. **Schedule** - Please enter a valid Quartz cron-expression. (Example: 0 0 * * * *). \n\n\t x. **Schedule_Portfolio** - Please enter a valid Quartz cron-expression. (Example: 0 */30 * * * *). \n\n\t y. **AppInsightsWorkspaceResourceID** - Use 'Log Analytic Workspace-->Properties' blade having 'Resource ID' property value. This is a fully qualified resourceId which is in format '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}'. \n4. Once all application settings have been entered, click **Save**." 
- } - ], - "id": "[variables('_uiConfigId1')]" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnectorDefinition2'), variables('dataConnectorCCPVersion'))]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "contentId": "[variables('_dataConnectorContentIdConnectorDefinition2')]", - "displayName": "BitSight Security Events (via Codeless Connector Framework)", - "contentKind": "DataConnector", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorCCPVersion')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition2'))]", - "apiVersion": "2022-09-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions", - "location": "[parameters('workspace-location')]", - "kind": "Customizable", - "properties": { - "connectorUiConfig": { - "id": "BitSightEventsConnector", - "title": "BitSight Security Events (via Codeless Connector Framework)", - "publisher": "Microsoft", - "descriptionMarkdown": "The [BitSight](https://www.bitsight.com/) data connector provides the capability to ingest security alerts, breaches, and findings from your BitSight portfolio into Microsoft Sentinel through the BitSight REST API. 
The connector monitors portfolio companies for rating changes, news alerts, data breaches, and detailed security findings across Diligence, Compromised Systems, and User Behavior risk categories. Refer to the [BitSight API documentation](https://help.bitsighttech.com/hc/en-us/articles/115014888388-API-Token-Management) for more information.", - "graphQueriesTableName": "BitSightAlerts", - "graphQueries": [ - { - "metricName": "Total Alerts received", - "legend": "BitSight Alerts", - "baseQuery": "{{graphQueriesTableName}}" - }, - { - "metricName": "Total Breaches received", - "legend": "BitSight Breaches", - "baseQuery": "BitSightBreaches" - }, - { - "metricName": "Total Findings received", - "legend": "BitSight Findings", - "baseQuery": "BitSightFindings" - } - ], - "sampleQueries": [ - { - "description": "Get sample of BitSight Alerts", - "query": "BitSightAlerts\n | take 10" - }, - { - "description": "Get recent high-severity alerts", - "query": "BitSightAlerts\n | where severity in ('WARN', 'CRITICAL') and TimeGenerated > ago(7d)\n | project TimeGenerated, company_name, alert_type, severity\n | order by TimeGenerated desc" - }, - { - "description": "Get sample of BitSight Findings", - "query": "BitSightFindings\n | take 10" - }, - { - "description": "Get active severe findings", - "query": "BitSightFindings\n | where currently_active == true and severity_category in ('MATERIAL', 'SEVERE')\n | project TimeGenerated, company_name, risk_vector_label, severity_category, severity, first_seen\n | order by severity desc" - }, - { - "description": "Get sample of BitSight Breaches", - "query": "BitSightBreaches\n | take 10" - } - ], - "dataTypes": [ - { - "name": "{{graphQueriesTableName}}", - "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(12h)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "BitSightBreaches", - "lastDataReceivedQuery": "BitSightBreaches\n | where TimeGenerated > ago(12h)\n | 
summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "BitSightFindings", - "lastDataReceivedQuery": "BitSightFindings\n | where TimeGenerated > ago(12h)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriteria": [ - { - "type": "HasDataConnectors" - } - ], - "availability": { - "isPreview": true, - "status": 1 - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "Read and Write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true, - "action": false - } - } - ], - "customs": [ - { - "name": "BitSight API Token", - "description": "A BitSight API Token is required to authenticate requests to the BitSight REST API. [See the documentation](https://help.bitsighttech.com/hc/en-us/articles/115014888388-API-Token-Management) to learn more about API Token management." - } - ] - }, - "instructionSteps": [ - { - "title": "1. Connection Management", - "description": "Manage your BitSight data stream connections", - "instructions": [ - { - "type": "Markdown", - "parameters": { - "content": "## BitSight Connections\n\nManage multiple BitSight data stream connections. Each connection selects a specific data type - **Alerts**, **Breaches**, or **Findings** - and assigns a **Connection Name** that is stored in the `ConnectorName` column of every ingested record.\n\n> **Authentication**: BitSight uses HTTP Basic Authentication where the API token is used as **both** the username and password." 
- } - }, - { - "type": "DataConnectorsGrid", - "parameters": { - "mapping": [ - { - "columnName": "Connection Name", - "columnValue": "properties.addOnAttributes.friendlyName" - }, - { - "columnName": "Data Stream", - "columnValue": "properties.addOnAttributes.userStream" - }, - { - "columnName": "API URL", - "columnValue": "properties.request.apiEndpoint" - } - ], - "menuItems": [ - "DeleteConnector" - ] - } - }, - { - "type": "ContextPane", - "parameters": { - "isPrimary": true, - "label": "Add Connection", - "title": "Add BitSight Connection", - "subtitle": "Configure a new BitSight data stream connection", - "contextPaneType": "DataConnectorsContextPane", - "instructionSteps": [ - { - "instructions": [ - { - "type": "Markdown", - "parameters": { - "content": "## 1. Select Data Stream\n\nChoose which BitSight data type to collect for this connection. Create separate connections for each stream you want to ingest." - } - }, - { - "type": "Dropdown", - "parameters": { - "label": "Data Stream", - "name": "dataStream", - "options": [ - { - "key": "ALERTS", - "text": "Alerts - Rating changes and news events (BitSightAlerts)" - }, - { - "key": "BREACHES", - "text": "Breaches - Data breach events for portfolio companies (BitSightBreaches)" - }, - { - "key": "DILIGENCE", - "text": "Diligence Findings - Web, app, and network risk factors (BitSightFindings)" - }, - { - "key": "COMPROMISED_SYSTEMS", - "text": "Compromised Systems Findings - Botnet and malware activity (BitSightFindings)" - }, - { - "key": "USER_BEHAVIOR", - "text": "User Behavior Findings - Credential and employee risk activity (BitSightFindings)" - } - ], - "required": true - } - }, - { - "type": "Markdown", - "parameters": { - "content": "## 2. 
API Configuration" - } - }, - { - "type": "Textbox", - "parameters": { - "label": "BitSight API Base URL", - "placeholder": "https://api.bitsighttech.com", - "type": "text", - "name": "bitSightApiUrl", - "validations": { - "required": true - } - } - }, - { - "type": "Markdown", - "parameters": { - "content": "## 3. Authentication\n\nBitSight uses your API token as **both** the username and password for HTTP Basic Authentication." - } - }, - { - "type": "Textbox", - "parameters": { - "label": "BitSight API Token (Username)", - "placeholder": "Paste your BitSight API Token", - "type": "text", - "name": "username", - "validations": { - "required": true - } - } - }, - { - "type": "Textbox", - "parameters": { - "label": "BitSight API Token (Password)", - "placeholder": "Paste your BitSight API Token again", - "type": "password", - "name": "password", - "validations": { - "required": true - } - } - }, - { - "type": "InfoMessage", - "parameters": { - "text": "Both fields must contain the **same API token value**. Entering different values will cause authentication to fail.", - "visible": true, - "inline": false - } - }, - { - "type": "InfoMessage", - "parameters": { - "text": "Obtain your API Token from **Settings > Account > User Preferences > API Token** in the BitSight portal.", - "visible": true, - "inline": false - } - }, - { - "type": "Markdown", - "parameters": { - "content": "## 4. Connection Name\n\nAssign a unique name to identify this connection in the grid and in every ingested log record." - } - }, - { - "type": "Textbox", - "parameters": { - "label": "Connection Name", - "placeholder": "e.g. 
BitSight-Alerts-Prod", - "type": "text", - "name": "friendlyName", - "validations": { - "required": true - } - } - }, - { - "type": "InfoMessage", - "parameters": { - "text": "The connection name is stored in the `ConnectorName` column of every ingested record, enabling you to trace data back to this specific connection.", - "visible": true, - "inline": true - } - } - ] - } - ] - } - } - ] - } - ] - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition2')))]", - "apiVersion": "2022-01-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition2'))]", - "contentId": "[variables('_dataConnectorContentIdConnectorDefinition2')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorCCPVersion')]", - "source": { - "sourceId": "[variables('_solutionId')]", - "name": "[variables('_solutionName')]", - "kind": "Solution" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "BitSight Support", - "email": "support@bitsight.com", - "tier": "Partner", - "link": "https://www.bitsight.com/customer-success-support" - }, - "dependencies": { - "criteria": [ - { - "version": "[variables('dataConnectorCCPVersion')]", - "contentId": "[variables('_dataConnectorContentIdConnections2')]", - "kind": "ResourcesDataConnector" - } - ] - } - } - }, - { - "name": "BitSightEventsDCR", - "apiVersion": "2022-06-01", - "type": "Microsoft.Insights/dataCollectionRules", - "location": "[parameters('workspace-location')]", - "kind": "[variables('blanks')]", - "properties": { - "dataCollectionEndpointId": "[variables('dataCollectionEndpointId2')]", - 
"streamDeclarations": { - "Custom-BitSightAlerts_CL": { - "columns": [ - { - "name": "guid", - "type": "string" - }, - { - "name": "alert_type", - "type": "string" - }, - { - "name": "alert_date", - "type": "string" - }, - { - "name": "start_date", - "type": "string" - }, - { - "name": "company_name", - "type": "string" - }, - { - "name": "company_guid", - "type": "string" - }, - { - "name": "company_url", - "type": "string" - }, - { - "name": "folder_guid", - "type": "string" - }, - { - "name": "folder_name", - "type": "string" - }, - { - "name": "severity", - "type": "string" - }, - { - "name": "trigger", - "type": "string" - }, - { - "name": "alert_set_name", - "type": "string" - }, - { - "name": "alert_set_guid", - "type": "string" - }, - { - "name": "friendlyName", - "type": "string" - } - ] - }, - "Custom-BitSightBreaches_CL": { - "columns": [ - { - "name": "company_guid", - "type": "string" - }, - { - "name": "company_name", - "type": "string" - }, - { - "name": "guid", - "type": "string" - }, - { - "name": "date", - "type": "string" - }, - { - "name": "date_created", - "type": "string" - }, - { - "name": "text", - "type": "string" - }, - { - "name": "preview_url", - "type": "string" - }, - { - "name": "event_type", - "type": "string" - }, - { - "name": "event_type_description", - "type": "string" - }, - { - "name": "severity", - "type": "int" - }, - { - "name": "breached_companies", - "type": "dynamic" - }, - { - "name": "dependent_companies", - "type": "dynamic" - }, - { - "name": "friendlyName", - "type": "string" - } - ] - }, - "Custom-BitSightFindings_CL": { - "columns": [ - { - "name": "temporary_id", - "type": "string" - }, - { - "name": "company_name", - "type": "string" - }, - { - "name": "company_guid", - "type": "string" - }, - { - "name": "risk_category", - "type": "string" - }, - { - "name": "risk_vector", - "type": "string" - }, - { - "name": "risk_vector_label", - "type": "string" - }, - { - "name": "severity_category", - "type": "string" - }, 
- { - "name": "severity", - "type": "real" - }, - { - "name": "first_seen", - "type": "string" - }, - { - "name": "last_seen", - "type": "string" - }, - { - "name": "currently_active", - "type": "boolean" - }, - { - "name": "asset_category", - "type": "string" - }, - { - "name": "assets", - "type": "dynamic" - }, - { - "name": "details", - "type": "dynamic" - }, - { - "name": "evidence_key", - "type": "string" - }, - { - "name": "attributed_companies", - "type": "dynamic" - }, - { - "name": "remediation_history", - "type": "dynamic" - }, - { - "name": "affects_rating", - "type": "boolean" - }, - { - "name": "comments", - "type": "dynamic" - }, - { - "name": "duration", - "type": "int" - }, - { - "name": "grace_period_end_date", - "type": "string" - }, - { - "name": "guest_network_end_date", - "type": "string" - }, - { - "name": "impacts_risk_vector_details", - "type": "dynamic" - }, - { - "name": "no_rv_grade_impact_end_date", - "type": "string" - }, - { - "name": "related_findings", - "type": "dynamic" - }, - { - "name": "remaining_decay", - "type": "int" - }, - { - "name": "remediated", - "type": "boolean" - }, - { - "name": "rolledup_observation_id", - "type": "string" - }, - { - "name": "tags", - "type": "dynamic" - }, - { - "name": "friendlyName", - "type": "string" - } - ] - } - }, - "destinations": { - "logAnalytics": [ - { - "workspaceResourceId": "[variables('workspaceResourceId')]", - "name": "clv2ws1" - } - ] - }, - "dataFlows": [ - { - "streams": [ - "Custom-BitSightAlerts_CL" - ], - "destinations": [ - "clv2ws1" - ], - "outputStream": "Custom-BitSightAlerts_CL", - "transformKql": "source | extend TimeGenerated = iff(isnull(['alert_date']) or todatetime(['alert_date']) < ago(2d), now(), todatetime(['alert_date'])) , Guid = ['guid'] , AlertType = ['alert_type'] , AlertDate = ['alert_date'] , StartDate = ['start_date'] , CompanyName = ['company_name'] , CompanyGuid = ['company_guid'] , CompanyUrl = ['company_url'] , FolderGuid = ['folder_guid'] , 
FolderName = ['folder_name'] , Severity = ['severity'] , Trigger = ['trigger'] , AlertSetName = ['alert_set_name'] , AlertSetGuid = ['alert_set_guid'] , ConnectorName = ['friendlyName'] | project TimeGenerated , Guid , AlertType , AlertDate , StartDate , CompanyName , CompanyGuid , CompanyUrl , FolderGuid , FolderName , Severity , Trigger , AlertSetName , AlertSetGuid , ConnectorName" - }, - { - "streams": [ - "Custom-BitSightBreaches_CL" - ], - "destinations": [ - "clv2ws1" - ], - "outputStream": "Custom-BitSightBreaches_CL", - "transformKql": "source | extend TimeGenerated = iff(isnull(['date']) or todatetime(['date']) < ago(2d), now(), todatetime(['date'])) , CompanyGuid = ['company_guid'] , CompanyName = ['company_name'] , Guid = ['guid'] , BreachDate = ['date'] , DateCreated = ['date_created'] , Text = ['text'] , PreviewUrl = ['preview_url'] , EventType = ['event_type'] , EventTypeDescription = ['event_type_description'] , Severity = ['severity'] , BreachedCompanies = ['breached_companies'] , DependentCompanies = ['dependent_companies'] , ConnectorName = ['friendlyName'] | project TimeGenerated , CompanyGuid , CompanyName , Guid , BreachDate , DateCreated , Text , PreviewUrl , EventType , EventTypeDescription , Severity , BreachedCompanies , DependentCompanies , ConnectorName" - }, - { - "streams": [ - "Custom-BitSightFindings_CL" - ], - "destinations": [ - "clv2ws1" - ], - "outputStream": "Custom-BitSightFindings_CL", - "transformKql": "source | extend TimeGenerated = iff(isnull(['last_seen']) or todatetime(['last_seen']) < ago(2d), now(), todatetime(['last_seen'])) , TemporaryId = ['temporary_id'] , CompanyName = ['company_name'] , CompanyGuid = ['company_guid'] , RiskCategory = ['risk_category'] , RiskVector = ['risk_vector'] , RiskVectorLabel = ['risk_vector_label'] , SeverityCategory = ['severity_category'] , Severity = ['severity'] , FirstSeen = ['first_seen'] , LastSeen = ['last_seen'] , CurrentlyActive = ['currently_active'] , AssetCategory = 
['asset_category'] , Assets = ['assets'] , Details = ['details'] , EvidenceKey = ['evidence_key'] , AttributedCompanies = ['attributed_companies'] , RemediationHistory = ['remediation_history'] , AffectsRating = ['affects_rating'] , Comments = ['comments'] , Duration = ['duration'] , GracePeriodEndDate = ['grace_period_end_date'] , GuestNetworkEndDate = ['guest_network_end_date'] , ImpactsRiskVectorDetails = ['impacts_risk_vector_details'] , NoRvGradeImpactEndDate = ['no_rv_grade_impact_end_date'] , RelatedFindings = ['related_findings'] , RemainingDecay = ['remaining_decay'] , Remediated = ['remediated'] , RolledupObservationId = ['rolledup_observation_id'] , Tags = ['tags'] , ConnectorName = ['friendlyName'] | project TimeGenerated , TemporaryId , CompanyName , CompanyGuid , RiskCategory , RiskVector , RiskVectorLabel , SeverityCategory , Severity , FirstSeen , LastSeen , CurrentlyActive , AssetCategory , Assets , Details , EvidenceKey , AttributedCompanies , RemediationHistory , AffectsRating , Comments , Duration , GracePeriodEndDate , GuestNetworkEndDate , ImpactsRiskVectorDetails , NoRvGradeImpactEndDate , RelatedFindings , RemainingDecay , Remediated , RolledupObservationId , Tags , ConnectorName" - } - ] - } - }, - { - "name": "BitSightFindings_CL", - "apiVersion": "2022-10-01", - "type": "Microsoft.OperationalInsights/workspaces/tables", - "location": "[parameters('workspace-location')]", - "kind": null, - "properties": { - "retentionInDays": 180, - "schema": { - "name": "BitSightFindings_CL", - "description": "The BitSightFindings table contains security findings from the BitSight API including Diligence, Compromised Systems, and User Behavior findings for portfolio companies ingested into Microsoft Sentinel.", - "columns": [ - { - "name": "TimeGenerated", - "type": "datetime", - "isDefaultDisplay": true - }, - { - "name": "TemporaryId", - "type": "string", - "description": "The temporary identifier for a finding." 
- },
- {
- "name": "CompanyName",
- "type": "string",
- "description": "Name of the company associated with the finding."
- },
- {
- "name": "CompanyGuid",
- "type": "string",
- "description": "GUID of the company associated with the finding."
- },
- {
- "name": "RiskCategory",
- "type": "string",
- "description": "The risk category (e.g., Diligence, Compromised Systems, User Behavior)."
- },
- {
- "name": "RiskVector",
- "type": "string",
- "description": "The risk vector slug for this finding."
- },
- {
- "name": "RiskVectorLabel",
- "type": "string",
- "description": "Human-readable label for the risk vector."
- },
- {
- "name": "SeverityCategory",
- "type": "string",
- "description": "Severity category (MINOR, MODERATE, MATERIAL, SEVERE)."
- },
- {
- "name": "Severity",
- "type": "real",
- "description": "Numeric severity score."
- },
- {
- "name": "FirstSeen",
- "type": "string",
- "description": "Date the finding was first observed (YYYY-MM-DD)."
- },
- {
- "name": "LastSeen",
- "type": "string",
- "description": "Date the finding was most recently observed (YYYY-MM-DD)."
- },
- {
- "name": "CurrentlyActive",
- "type": "boolean",
- "description": "Indicates if the finding is currently active."
- },
- {
- "name": "AssetCategory",
- "type": "string",
- "description": "Category of the affected asset."
- },
- {
- "name": "Assets",
- "type": "dynamic",
- "description": "Array of assets associated with this finding."
- },
- {
- "name": "Details",
- "type": "dynamic",
- "description": "Detailed finding data object (CVE info, diligence annotations, remediations, etc.)."
- },
- {
- "name": "EvidenceKey",
- "type": "string",
- "description": "Key identifying the source of evidence for the finding."
- },
- {
- "name": "AttributedCompanies",
- "type": "dynamic",
- "description": "Array of companies to which this finding has been attributed."
- },
- {
- "name": "RemediationHistory",
- "type": "dynamic",
- "description": "Remediation history object (last_requested_refresh_date, last_refresh_status, etc.)."
- },
- {
- "name": "AffectsRating",
- "type": "boolean",
- "description": "Indicates whether this finding contributes to the company's overall rating."
- },
- {
- "name": "Comments",
- "type": "dynamic",
- "description": "Array of analyst comments attached to this finding."
- },
- {
- "name": "Duration",
- "type": "int",
- "description": "Number of days the finding has been active."
- },
- {
- "name": "GracePeriodEndDate",
- "type": "string",
- "description": "Date until which the finding is in a grace period and does not affect the rating (YYYY-MM-DD)."
- },
- {
- "name": "GuestNetworkEndDate",
- "type": "string",
- "description": "Date until which the finding is suppressed as a guest network (YYYY-MM-DD)."
- },
- {
- "name": "ImpactsRiskVectorDetails",
- "type": "dynamic",
- "description": "Object describing which risk vectors are impacted by this finding."
- },
- {
- "name": "NoRvGradeImpactEndDate",
- "type": "string",
- "description": "Date until which the finding has no risk vector grade impact (YYYY-MM-DD)."
- },
- {
- "name": "RelatedFindings",
- "type": "dynamic",
- "description": "Array of finding identifiers related to this finding."
- },
- {
- "name": "RemainingDecay",
- "type": "int",
- "description": "Number of days remaining in the finding's decay window."
- },
- {
- "name": "Remediated",
- "type": "boolean",
- "description": "Indicates whether this finding has been remediated."
- },
- {
- "name": "RolledupObservationId",
- "type": "string",
- "description": "Identifier of the rolled-up observation this finding belongs to."
- },
- {
- "name": "Tags",
- "type": "dynamic",
- "description": "Array of tags applied to this finding."
- },
- {
- "name": "ConnectorName",
- "type": "string",
- "description": "Connection name assigned during connector setup."
- }
- ]
- }
- }
- },
- {
- "name": "BitSightCompanyDetails_CL",
- "apiVersion": "2022-10-01",
- "type": "Microsoft.OperationalInsights/workspaces/tables",
- "location": "[parameters('workspace-location')]",
- "kind": null,
- "properties": {
- "retentionInDays": 180,
- "schema": {
- "name": "BitSightCompanyDetails_CL",
- "description": "The BitSightCompanyDetails table contains full company snapshots from the BitSight API per company GUID ingested into Microsoft Sentinel.",
- "columns": [
- {
- "name": "TimeGenerated",
- "type": "datetime",
- "isDefaultDisplay": true
- },
- {
- "name": "Guid",
- "type": "string",
- "description": "Unique identifier (GUID) for the company in BitSight."
- },
- {
- "name": "Name",
- "type": "string",
- "description": "Name of the company."
- },
- {
- "name": "Shortname",
- "type": "string",
- "description": "Short name of the company."
- },
- {
- "name": "CompanyType",
- "type": "string",
- "description": "The type of entity (e.g., CURATED,PRIVATE)."
- },
- {
- "name": "Description",
- "type": "string",
- "description": "Description of the company."
- },
- {
- "name": "PrimaryDomain",
- "type": "string",
- "description": "Primary internet domain of the company."
- },
- {
- "name": "Homepage",
- "type": "string",
- "description": "URL of the company homepage."
- },
- {
- "name": "DisplayUrl",
- "type": "string",
- "description": "URL to the company overview page in BitSight portal."
- },
- {
- "name": "Sparkline",
- "type": "string",
- "description": "URL to the company rating sparkline image."
- },
- {
- "name": "Industry",
- "type": "string",
- "description": "Industry sector name."
- },
- {
- "name": "IndustrySlug",
- "type": "string",
- "description": "URL-friendly identifier for the industry."
- },
- {
- "name": "SubIndustry",
- "type": "string",
- "description": "Sub-industry name."
- },
- {
- "name": "SubIndustrySlug",
- "type": "string",
- "description": "URL-friendly identifier for the sub-industry."
- },
- {
- "name": "Ipv4Count",
- "type": "int",
- "description": "Number of IPv4 addresses attributed to the company."
- },
- {
- "name": "PeopleCount",
- "type": "int",
- "description": "Number of people associated with the company."
- },
- {
- "name": "SearchCount",
- "type": "int",
- "description": "Number of searches for the company."
- },
- {
- "name": "CustomerMonitoringCount",
- "type": "int",
- "description": "Number of customers monitoring this company."
- },
- {
- "name": "CurrentRating",
- "type": "int",
- "description": "Current overall BitSight security rating."
- },
- {
- "name": "RatingIndustryMedian",
- "type": "string",
- "description": "Comparison of company rating to industry median (e.g., above, below)."
- },
- {
- "name": "Ratings",
- "type": "dynamic",
- "description": "Array of historical rating snapshots, each with rating_date, rating, range, and rating_color."
- },
- {
- "name": "SubscriptionType",
- "type": "string",
- "description": "Type of BitSight subscription (e.g., Continuous Monitoring)."
- },
- {
- "name": "SubscriptionTypeKey",
- "type": "string",
- "description": "Machine-readable subscription type key."
- },
- {
- "name": "SubscriptionEndDate",
- "type": "string",
- "description": "Date the subscription ends (YYYY-MM-DD), or null."
- },
- {
- "name": "BulkEmailSenderStatus",
- "type": "string",
- "description": "Bulk email sender classification (e.g., NONE)."
- },
- {
- "name": "SecurityGrade",
- "type": "string",
- "description": "Security grade, if available."
- },
- {
- "name": "ServiceProvider",
- "type": "boolean",
- "description": "Indicates whether this company is a service provider."
- },
- {
- "name": "HasCompanyTree",
- "type": "boolean",
- "description": "Indicates whether the company has a company tree."
- },
- {
- "name": "HasPreferredContact",
- "type": "boolean",
- "description": "Indicates whether the company has a preferred contact."
- },
- {
- "name": "IsBundle",
- "type": "boolean",
- "description": "Indicates whether this is a bundle entry."
- },
- {
- "name": "IsPrimary",
- "type": "boolean",
- "description": "Indicates whether this is the primary company record."
- },
- {
- "name": "InSpmPortfolio",
- "type": "boolean",
- "description": "Indicates whether the company is in the SPM portfolio."
- },
- {
- "name": "IsMycompMysubsBundle",
- "type": "boolean",
- "description": "Indicates whether this is a my-company/my-subsidiaries bundle."
- },
- {
- "name": "IsCsp",
- "type": "boolean",
- "description": "Indicates whether the company is a cloud service provider."
- },
- {
- "name": "HasDelegatedSecurityControls",
- "type": "boolean",
- "description": "Indicates whether security controls have been delegated."
- },
- {
- "name": "CustomId",
- "type": "dynamic",
- "description": "Customer-assigned identifier for the company."
- },
- {
- "name": "AvailableUpgradeTypes",
- "type": "dynamic",
- "description": "Array of available upgrade types for this company."
- },
- {
- "name": "CompanyFeatures",
- "type": "dynamic",
- "description": "Array of feature flags enabled for the company."
- },
- {
- "name": "RelatedCompanies",
- "type": "dynamic",
- "description": "Array of related company references."
- },
- {
- "name": "PrimaryCompany",
- "type": "dynamic",
- "description": "Primary company object (guid, name), or null."
- },
- {
- "name": "ComplianceClaim",
- "type": "dynamic",
- "description": "Compliance claim object, or null."
- },
- {
- "name": "Permissions",
- "type": "dynamic",
- "description": "Object of permission flags for this company (can_annotate, can_view_forensics, etc.)."
- },
- {
- "name": "ConnectorName",
- "type": "string",
- "description": "Connection name identifier for multi-instance tracking."
- }
- ]
- }
- }
- },
- {
- "name": "BitSightCompanyRatingDetails_CL",
- "apiVersion": "2022-10-01",
- "type": "Microsoft.OperationalInsights/workspaces/tables",
- "location": "[parameters('workspace-location')]",
- "kind": null,
- "properties": {
- "retentionInDays": 180,
- "schema": {
- "name": "BitSightCompanyRatingDetails_CL",
- "description": "The BitSightCompanyRatingDetails table contains per-risk-vector rating breakdowns for each portfolio company from the BitSight API ingested into Microsoft Sentinel.",
- "columns": [
- {
- "name": "TimeGenerated",
- "type": "datetime",
- "isDefaultDisplay": true
- },
- {
- "name": "CompanyName",
- "type": "string",
- "description": "Name of the company."
- },
- {
- "name": "CompanyGuid",
- "type": "string",
- "description": "GUID of the company."
- },
- {
- "name": "RiskVectorSlug",
- "type": "string",
- "description": "URL-friendly identifier for the risk vector (dict key — always null due to CCF JSONPath limitation; use RiskVectorLabel)."
- },
- {
- "name": "RiskVectorLabel",
- "type": "string",
- "description": "Human-readable name of the risk vector (API field: name)."
- },
- {
- "name": "RiskCategory",
- "type": "string",
- "description": "Parent risk category for the risk vector (API field: category)."
- },
- {
- "name": "CategoryOrder",
- "type": "int",
- "description": "Display order of the category."
- },
- {
- "name": "Rating",
- "type": "int",
- "description": "Numeric score for this risk vector."
- },
- {
- "name": "Grade",
- "type": "string",
- "description": "Letter grade for this risk vector."
- },
- {
- "name": "Percentile",
- "type": "int",
- "description": "Percentile rank compared to peers for this risk vector (0-100)."
- },
- {
- "name": "GradeColor",
- "type": "string",
- "description": "Hex color code associated with the grade for UI display (e.g., '#239563')."
- },
- {
- "name": "RiskVectorOrder",
- "type": "int",
- "description": "Display order of the risk vector within its category."
- }, - { - "name": "DisplayUrl", - "type": "string", - "description": "URL to the risk vector detail page in BitSight portal." - }, - { - "name": "Beta", - "type": "boolean", - "description": "Indicates if this risk vector is in beta status." - }, - { - "name": "ConnectorName", - "type": "string", - "description": "Connection name identifier for multi-instance tracking." - } - ] - } - } - }, - { - "name": "BitSightDiligenceHistoricalStatistics_CL", - "apiVersion": "2022-10-01", - "type": "Microsoft.OperationalInsights/workspaces/tables", - "location": "[parameters('workspace-location')]", - "kind": null, - "properties": { - "retentionInDays": 180, - "schema": { - "name": "BitSightDiligenceHistoricalStatistics_CL", - "description": "The BitSightDiligenceHistoricalStatistics table contains historical diligence statistics per company over time from the BitSight API ingested into Microsoft Sentinel.", - "columns": [ - { - "name": "TimeGenerated", - "type": "datetime", - "isDefaultDisplay": true - }, - { - "name": "CompanyName", - "type": "string", - "description": "Name of the company." - }, - { - "name": "CompanyGuid", - "type": "string", - "description": "GUID of the company." - }, - { - "name": "RecordDate", - "type": "string", - "description": "The date of the historical record (YYYY-MM-DD)." - }, - { - "name": "Grade", - "type": "string", - "description": "Letter grade for this record period." - }, - { - "name": "Counts", - "type": "dynamic", - "description": "Array of per-category count objects ({ count, category }). Expanded row-per-category at query time by the KQL parser via mv-expand." - }, - { - "name": "ConnectorName", - "type": "string", - "description": "Connection name identifier for multi-instance tracking." 
- } - ] - } - } - }, - { - "name": "BitSightDiligenceStatistics_CL", - "apiVersion": "2022-10-01", - "type": "Microsoft.OperationalInsights/workspaces/tables", - "location": "[parameters('workspace-location')]", - "kind": null, - "properties": { - "retentionInDays": 180, - "schema": { - "name": "BitSightDiligenceStatistics_CL", - "description": "The BitSightDiligenceStatistics table contains diligence statistics per risk vector for each portfolio company from the BitSight API ingested into Microsoft Sentinel.", - "columns": [ - { - "name": "TimeGenerated", - "type": "datetime", - "isDefaultDisplay": true - }, - { - "name": "CompanyName", - "type": "string", - "description": "Name of the company." - }, - { - "name": "CompanyGuid", - "type": "string", - "description": "GUID of the company." - }, - { - "name": "RiskVector", - "type": "string", - "description": "Risk vector slug (dict key — always null due to CCF JSONPath limitation)." - }, - { - "name": "Unknown", - "type": "int", - "description": "Count of findings with unknown severity." - }, - { - "name": "Bad", - "type": "int", - "description": "Count of bad findings." - }, - { - "name": "Warn", - "type": "int", - "description": "Count of warn findings." - }, - { - "name": "Neutral", - "type": "int", - "description": "Count of neutral findings." - }, - { - "name": "Fair", - "type": "int", - "description": "Count of fair findings." - }, - { - "name": "Good", - "type": "int", - "description": "Count of good findings." - }, - { - "name": "SpearPhishing", - "type": "int", - "description": "[domain_squatting] Count of spear-phishing lookalike domains." - }, - { - "name": "BitFlip", - "type": "int", - "description": "[domain_squatting] Count of bit-flip lookalike domains." - }, - { - "name": "TypographicalErrors", - "type": "int", - "description": "[domain_squatting] Count of typographical-error lookalike domains." 
- }, - { - "name": "TldVariant", - "type": "int", - "description": "[domain_squatting] Count of TLD-variant lookalike domains." - }, - { - "name": "TotalCount", - "type": "int", - "description": "[domain_squatting] Total count of all lookalike domain types." - }, - { - "name": "ConnectorName", - "type": "string", - "description": "Connection name identifier for multi-instance tracking." - } - ] - } - } - }, - { - "name": "BitSightFindingsSummary_CL", - "apiVersion": "2022-10-01", - "type": "Microsoft.OperationalInsights/workspaces/tables", - "location": "[parameters('workspace-location')]", - "kind": null, - "properties": { - "retentionInDays": 180, - "schema": { - "name": "BitSightFindingsSummary_CL", - "description": "The BitSightFindingsSummary table contains findings summary statistics per risk vector for each monitored company. Severity and description enrichment is resolved at query time by joining with BitsightVulnerabilitiesFindingsSummary on Name == DisplayName.", - "columns": [ - { - "name": "TimeGenerated", - "type": "datetime", - "isDefaultDisplay": true - }, - { - "name": "CompanyName", - "type": "string", - "description": "Name of the company associated with the findings summary." - }, - { - "name": "CompanyGuid", - "type": "string", - "description": "GUID of the company associated with the findings summary." - }, - { - "name": "StartDate", - "type": "string", - "description": "Start date of the reporting period (YYYY-MM-DD)." - }, - { - "name": "EndDate", - "type": "string", - "description": "End date of the reporting period (YYYY-MM-DD)." - }, - { - "name": "Stats", - "type": "dynamic", - "description": "Array of per-stat objects. Expanded row-per-stat at query time by the KQL parser via mv-expand into Name, StatId, Confidence, EventCount, HostCount, FirstSeen columns." - }, - { - "name": "ConnectorName", - "type": "string", - "description": "Connection name identifier for multi-instance tracking." 
- } - ] - } - } - }, - { - "name": "BitsightIndustrialStatistics_CL", - "apiVersion": "2022-10-01", - "type": "Microsoft.OperationalInsights/workspaces/tables", - "location": "[parameters('workspace-location')]", - "kind": null, - "properties": { - "retentionInDays": 180, - "schema": { - "name": "BitsightIndustrialStatistics_CL", - "description": "The BitsightIndustrialStatistics table contains industry peer comparison statistics per risk vector for each portfolio company from the BitSight API ingested into Microsoft Sentinel.", - "columns": [ - { - "name": "TimeGenerated", - "type": "datetime", - "isDefaultDisplay": true - }, - { - "name": "CompanyName", - "type": "string", - "description": "Name of the company." - }, - { - "name": "CompanyGuid", - "type": "string", - "description": "GUID of the company." - }, - { - "name": "RiskVector", - "type": "string", - "description": "Risk vector slug (dict key — always null due to CCF JSONPath limitation)." - }, - { - "name": "IncidentCount", - "type": "int", - "description": "Number of incidents for this risk vector in the industry over the measured period." - }, - { - "name": "CountPeriod", - "type": "string", - "description": "Measurement period (e.g., 'year')." - }, - { - "name": "AverageDurationDays", - "type": "real", - "description": "Average duration in days for incidents of this risk vector in the industry." - }, - { - "name": "ConnectorName", - "type": "string", - "description": "Connection name identifier for multi-instance tracking." 
- } - ] - } - } - }, - { - "name": "BitSightObservationStatistics_CL", - "apiVersion": "2022-10-01", - "type": "Microsoft.OperationalInsights/workspaces/tables", - "location": "[parameters('workspace-location')]", - "kind": null, - "properties": { - "retentionInDays": 180, - "schema": { - "name": "BitSightObservationStatistics_CL", - "description": "The BitSightObservationStatistics table contains observations statistics per risk vector for each portfolio company from the BitSight API ingested into Microsoft Sentinel.", - "columns": [ - { - "name": "TimeGenerated", - "type": "datetime", - "isDefaultDisplay": true - }, - { - "name": "CompanyName", - "type": "string", - "description": "Name of the company." - }, - { - "name": "CompanyGuid", - "type": "string", - "description": "GUID of the company." - }, - { - "name": "RiskVector", - "type": "string", - "description": "Risk vector slug (dict key — always null due to CCF JSONPath limitation)." - }, - { - "name": "ObservationCount", - "type": "int", - "description": "Total number of observations for this risk vector in the measurement period." - }, - { - "name": "CountPeriod", - "type": "string", - "description": "Measurement period (e.g., 'year')." - }, - { - "name": "AverageDurationDays", - "type": "real", - "description": "Average duration in days for observations." - }, - { - "name": "ConnectorName", - "type": "string", - "description": "Connection name identifier for multi-instance tracking." - } - ] - } - } - }, - { - "name": "BitsightVulnerabilitiesFindingsSummary_CL", - "apiVersion": "2022-10-01", - "type": "Microsoft.OperationalInsights/workspaces/tables", - "location": "[parameters('workspace-location')]", - "kind": null, - "properties": { - "retentionInDays": 180, - "schema": { - "name": "BitsightVulnerabilitiesFindingsSummary_CL", - "description": "The BitsightVulnerabilitiesFindingsSummary table contains vulnerability reference data from the BitSight defaults API. 
Used at query time to enrich BitSightFindingsSummary with Severity and Description via the KQL parser.", - "columns": [ - { - "name": "TimeGenerated", - "type": "datetime", - "isDefaultDisplay": true - }, - { - "name": "Name", - "type": "string", - "description": "Slug identifier for the vulnerability type (e.g., 'patching_cadence')." - }, - { - "name": "DisplayName", - "type": "string", - "description": "Human-readable name of the vulnerability type." - }, - { - "name": "Description", - "type": "string", - "description": "Description of what the vulnerability type measures." - }, - { - "name": "Severity", - "type": "string", - "description": "Severity level of the vulnerability type (e.g., 'high', 'medium', 'low')." - }, - { - "name": "ConnectorName", - "type": "string", - "description": "Connection name identifier for multi-instance tracking." - } - ] - } - } - }, - { - "name": "BitSightAlerts_CL", - "apiVersion": "2022-10-01", - "type": "Microsoft.OperationalInsights/workspaces/tables", - "location": "[parameters('workspace-location')]", - "kind": null, - "properties": { - "retentionInDays": 180, - "schema": { - "name": "BitSightAlerts_CL", - "description": "The BitSightAlerts table contains alert records from the BitSight API representing changes and news triggers for monitored portfolio companies ingested into Microsoft Sentinel.", - "columns": [ - { - "name": "TimeGenerated", - "type": "datetime", - "isDefaultDisplay": true - }, - { - "name": "Guid", - "type": "string", - "description": "Unique identifier of the alert." - }, - { - "name": "AlertType", - "type": "string", - "description": "The type of alert (e.g., THIRD_PARTY_INTEL)." - }, - { - "name": "AlertDate", - "type": "string", - "description": "The date the alert was triggered (YYYY-MM-DD)." - }, - { - "name": "StartDate", - "type": "string", - "description": "The start date of the alert (YYYY-MM-DD)." 
- }, - { - "name": "CompanyName", - "type": "string", - "description": "Name of the company associated with the alert." - }, - { - "name": "CompanyGuid", - "type": "string", - "description": "GUID of the company associated with the alert." - }, - { - "name": "CompanyUrl", - "type": "string", - "description": "URL of the company associated with the alert." - }, - { - "name": "FolderGuid", - "type": "string", - "description": "Folder GUID associated with the alert." - }, - { - "name": "FolderName", - "type": "string", - "description": "Folder name associated with the alert." - }, - { - "name": "Severity", - "type": "string", - "description": "Alert severity level (e.g., INFORMATIONAL)." - }, - { - "name": "Trigger", - "type": "string", - "description": "What triggered the alert." - }, - { - "name": "AlertSetName", - "type": "string", - "description": "Name of the alert set." - }, - { - "name": "AlertSetGuid", - "type": "string", - "description": "GUID of the alert set." - }, - { - "name": "ConnectorName", - "type": "string", - "description": "Connection name assigned during connector setup." - } - ] - } - } - }, - { - "name": "BitSightBreaches_CL", - "apiVersion": "2022-10-01", - "type": "Microsoft.OperationalInsights/workspaces/tables", - "location": "[parameters('workspace-location')]", - "kind": null, - "properties": { - "retentionInDays": 180, - "schema": { - "name": "BitSightBreaches_CL", - "description": "The BitSightBreaches table contains data breach records from the BitSight API for monitored portfolio companies ingested into Microsoft Sentinel.", - "columns": [ - { - "name": "TimeGenerated", - "type": "datetime", - "isDefaultDisplay": true - }, - { - "name": "CompanyGuid", - "type": "string", - "description": "GUID of the company that experienced the breach (enriched)." - }, - { - "name": "CompanyName", - "type": "string", - "description": "Name of the company that experienced the breach (enriched)." 
- }, - { - "name": "Guid", - "type": "string", - "description": "Unique identifier of the breach event." - }, - { - "name": "BreachDate", - "type": "string", - "description": "Date the breach event was recorded (YYYY-MM-DD)." - }, - { - "name": "DateCreated", - "type": "string", - "description": "Date this breach record was created in BitSight." - }, - { - "name": "Text", - "type": "string", - "description": "Description of the breach event." - }, - { - "name": "PreviewUrl", - "type": "string", - "description": "URL to a preview article about the breach." - }, - { - "name": "EventType", - "type": "string", - "description": "Breach event category (e.g., Human Error, Hacking)." - }, - { - "name": "EventTypeDescription", - "type": "string", - "description": "Detailed description of the breach event type." - }, - { - "name": "Severity", - "type": "int", - "description": "Numeric severity level of the breach." - }, - { - "name": "BreachedCompanies", - "type": "dynamic", - "description": "Array of companies directly affected by the breach." - }, - { - "name": "DependentCompanies", - "type": "dynamic", - "description": "Array of dependent companies impacted by this breach." - }, - { - "name": "ConnectorName", - "type": "string", - "description": "Connection name assigned during connector setup." 
- } - ] - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentIdConnectorDefinition2'),'-', variables('dataConnectorCCPVersion'))))]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "version": "[variables('dataConnectorCCPVersion')]" - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition2'))]", - "apiVersion": "2022-09-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions", - "location": "[parameters('workspace-location')]", - "kind": "Customizable", - "properties": { - "connectorUiConfig": { - "id": "BitSightEventsConnector", - "title": "BitSight Security Events (via Codeless Connector Framework)", - "publisher": "Microsoft", - "descriptionMarkdown": "The [BitSight](https://www.bitsight.com/) data connector provides the capability to ingest security alerts, breaches, and findings from your BitSight portfolio into Microsoft Sentinel through the BitSight REST API. The connector monitors portfolio companies for rating changes, news alerts, data breaches, and detailed security findings across Diligence, Compromised Systems, and User Behavior risk categories. 
Refer to the [BitSight API documentation](https://help.bitsighttech.com/hc/en-us/articles/115014888388-API-Token-Management) for more information.", - "graphQueriesTableName": "BitSightAlerts", - "graphQueries": [ - { - "metricName": "Total Alerts received", - "legend": "BitSight Alerts", - "baseQuery": "{{graphQueriesTableName}}" - }, - { - "metricName": "Total Breaches received", - "legend": "BitSight Breaches", - "baseQuery": "BitSightBreaches" - }, - { - "metricName": "Total Findings received", - "legend": "BitSight Findings", - "baseQuery": "BitSightFindings" - } - ], - "sampleQueries": [ - { - "description": "Get sample of BitSight Alerts", - "query": "BitSightAlerts\n | take 10" - }, - { - "description": "Get recent high-severity alerts", - "query": "BitSightAlerts\n | where severity in ('WARN', 'CRITICAL') and TimeGenerated > ago(7d)\n | project TimeGenerated, company_name, alert_type, severity\n | order by TimeGenerated desc" - }, - { - "description": "Get sample of BitSight Findings", - "query": "BitSightFindings\n | take 10" - }, - { - "description": "Get active severe findings", - "query": "BitSightFindings\n | where currently_active == true and severity_category in ('MATERIAL', 'SEVERE')\n | project TimeGenerated, company_name, risk_vector_label, severity_category, severity, first_seen\n | order by severity desc" - }, - { - "description": "Get sample of BitSight Breaches", - "query": "BitSightBreaches\n | take 10" - } - ], - "dataTypes": [ - { - "name": "{{graphQueriesTableName}}", - "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(12h)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "BitSightBreaches", - "lastDataReceivedQuery": "BitSightBreaches\n | where TimeGenerated > ago(12h)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "BitSightFindings", - "lastDataReceivedQuery": "BitSightFindings\n | where TimeGenerated > ago(12h)\n | summarize 
Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriteria": [ - { - "type": "HasDataConnectors" - } - ], - "availability": { - "isPreview": true, - "status": 1 - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "Read and Write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true, - "action": false - } - } - ], - "customs": [ - { - "name": "BitSight API Token", - "description": "A BitSight API Token is required to authenticate requests to the BitSight REST API. [See the documentation](https://help.bitsighttech.com/hc/en-us/articles/115014888388-API-Token-Management) to learn more about API Token management." - } - ] - }, - "instructionSteps": [ - { - "title": "1. Connection Management", - "description": "Manage your BitSight data stream connections", - "instructions": [ - { - "type": "Markdown", - "parameters": { - "content": "## BitSight Connections\n\nManage multiple BitSight data stream connections. Each connection selects a specific data type - **Alerts**, **Breaches**, or **Findings** - and assigns a **Connection Name** that is stored in the `ConnectorName` column of every ingested record.\n\n> **Authentication**: BitSight uses HTTP Basic Authentication where the API token is used as **both** the username and password." 
- } - }, - { - "type": "DataConnectorsGrid", - "parameters": { - "mapping": [ - { - "columnName": "Connection Name", - "columnValue": "properties.addOnAttributes.friendlyName" - }, - { - "columnName": "Data Stream", - "columnValue": "properties.addOnAttributes.userStream" - }, - { - "columnName": "API URL", - "columnValue": "properties.request.apiEndpoint" - } - ], - "menuItems": [ - "DeleteConnector" - ] - } - }, - { - "type": "ContextPane", - "parameters": { - "isPrimary": true, - "label": "Add Connection", - "title": "Add BitSight Connection", - "subtitle": "Configure a new BitSight data stream connection", - "contextPaneType": "DataConnectorsContextPane", - "instructionSteps": [ - { - "instructions": [ - { - "type": "Markdown", - "parameters": { - "content": "## 1. Select Data Stream\n\nChoose which BitSight data type to collect for this connection. Create separate connections for each stream you want to ingest." - } - }, - { - "type": "Dropdown", - "parameters": { - "label": "Data Stream", - "name": "dataStream", - "options": [ - { - "key": "ALERTS", - "text": "Alerts - Rating changes and news events (BitSightAlerts)" - }, - { - "key": "BREACHES", - "text": "Breaches - Data breach events for portfolio companies (BitSightBreaches)" - }, - { - "key": "DILIGENCE", - "text": "Diligence Findings - Web, app, and network risk factors (BitSightFindings)" - }, - { - "key": "COMPROMISED_SYSTEMS", - "text": "Compromised Systems Findings - Botnet and malware activity (BitSightFindings)" - }, - { - "key": "USER_BEHAVIOR", - "text": "User Behavior Findings - Credential and employee risk activity (BitSightFindings)" - } - ], - "required": true - } - }, - { - "type": "Markdown", - "parameters": { - "content": "## 2. 
API Configuration" - } - }, - { - "type": "Textbox", - "parameters": { - "label": "BitSight API Base URL", - "placeholder": "https://api.bitsighttech.com", - "type": "text", - "name": "bitSightApiUrl", - "validations": { - "required": true - } - } - }, - { - "type": "Markdown", - "parameters": { - "content": "## 3. Authentication\n\nBitSight uses your API token as **both** the username and password for HTTP Basic Authentication." - } - }, - { - "type": "Textbox", - "parameters": { - "label": "BitSight API Token (Username)", - "placeholder": "Paste your BitSight API Token", - "type": "text", - "name": "username", - "validations": { - "required": true - } - } - }, - { - "type": "Textbox", - "parameters": { - "label": "BitSight API Token (Password)", - "placeholder": "Paste your BitSight API Token again", - "type": "password", - "name": "password", - "validations": { - "required": true - } - } - }, - { - "type": "InfoMessage", - "parameters": { - "text": "Both fields must contain the **same API token value**. Entering different values will cause authentication to fail.", - "visible": true, - "inline": false - } - }, - { - "type": "InfoMessage", - "parameters": { - "text": "Obtain your API Token from **Settings > Account > User Preferences > API Token** in the BitSight portal.", - "visible": true, - "inline": false - } - }, - { - "type": "Markdown", - "parameters": { - "content": "## 4. Connection Name\n\nAssign a unique name to identify this connection in the grid and in every ingested log record." - } - }, - { - "type": "Textbox", - "parameters": { - "label": "Connection Name", - "placeholder": "e.g. 
BitSight-Alerts-Prod", - "type": "text", - "name": "friendlyName", - "validations": { - "required": true - } - } - }, - { - "type": "InfoMessage", - "parameters": { - "text": "The connection name is stored in the `ConnectorName` column of every ingested record, enabling you to trace data back to this specific connection.", - "visible": true, - "inline": true - } - } - ] - } - ] - } - } - ] - } - ] - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition2')))]", - "apiVersion": "2022-01-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition2'))]", - "contentId": "[variables('_dataConnectorContentIdConnectorDefinition2')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorCCPVersion')]", - "source": { - "sourceId": "[variables('_solutionId')]", - "name": "[variables('_solutionName')]", - "kind": "Solution" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "BitSight Support", - "email": "support@bitsight.com", - "tier": "Partner", - "link": "https://www.bitsight.com/customer-success-support" - }, - "dependencies": { - "criteria": [ - { - "version": "[variables('dataConnectorCCPVersion')]", - "contentId": "[variables('_dataConnectorContentIdConnections2')]", - "kind": "ResourcesDataConnector" - } - ] - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnections2'), variables('dataConnectorCCPVersion'))]", - "location": 
"[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "contentId": "[variables('_dataConnectorContentIdConnections2')]", - "displayName": "BitSight Security Events (via Codeless Connector Framework)", - "contentKind": "ResourcesDataConnector", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorCCPVersion')]", - "parameters": { - "guidValue": { - "defaultValue": "[[newGuid()]", - "type": "securestring" - }, - "innerWorkspace": { - "defaultValue": "[parameters('workspace')]", - "type": "securestring" - }, - "connectorDefinitionName": { - "defaultValue": "BitSight Security Events (via Codeless Connector Framework)", - "type": "securestring", - "minLength": 1 - }, - "workspace": { - "defaultValue": "[parameters('workspace')]", - "type": "securestring" - }, - "dcrConfig": { - "defaultValue": { - "dataCollectionEndpoint": "data collection Endpoint", - "dataCollectionRuleImmutableId": "data collection rule immutableId" - }, - "type": "object" - }, - "dataStream": { - "defaultValue": "dataStream", - "type": "array" - }, - "bitSightApiUrl": { - "defaultValue": "bitSightApiUrl", - "type": "securestring", - "minLength": 1 - }, - "username": { - "defaultValue": "username", - "type": "securestring", - "minLength": 1 - }, - "password": { - "defaultValue": "password", - "type": "securestring", - "minLength": 1 - }, - "friendlyName": { - "defaultValue": "friendlyName", - "type": "securestring", - "minLength": 1 - } - }, - "variables": { - "_dataConnectorContentIdConnections2": "[variables('_dataConnectorContentIdConnections2')]" - }, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', 
variables('_dataConnectorContentIdConnections2')))]", - "apiVersion": "2022-01-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentIdConnections2'))]", - "contentId": "[variables('_dataConnectorContentIdConnections2')]", - "kind": "ResourcesDataConnector", - "version": "[variables('dataConnectorCCPVersion')]", - "source": { - "sourceId": "[variables('_solutionId')]", - "name": "[variables('_solutionName')]", - "kind": "Solution" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "BitSight Support", - "email": "support@bitsight.com", - "tier": "Partner", - "link": "https://www.bitsight.com/customer-success-support" - } - } - }, - { - "name": "[[concat('parameters('workspace')', '/Microsoft.SecurityInsights/','BitSightAlerts' , uniqueString(parameters('friendlyName')) )]", - "apiVersion": "2023-02-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "RestApiPoller", - "properties": { - "auth": { - "type": "Basic", - "UserName": "[[parameters('username')]", - "Password": "[[parameters('password')]" - }, - "request": { - "apiEndpoint": "[[concat(parameters('bitSightApiUrl'), '/v2/alerts/')]", - "httpMethod": "GET", - "rateLimitQPS": 1, - "paginatedCallsPerSecond": 1.0, - "queryWindowInMin": 1440, - "queryWindowDelayInMin": 30, - "queryTimeFormat": "yyyy-MM-dd", - "retryCount": 3, - "timeoutInSeconds": 30, - "headers": { - "Accept": "application/json", - "X-BITSIGHT-CALLING-PLATFORM-VERSION": "Microsoft-Sentinel", - "X-BITSIGHT-CONNECTOR-NAME-VERSION": "3.0.2" - }, - "queryParameters": { - "sort": "alert_date", - "alert_date_gte": "{_QueryWindowStartTime}", - 
"alert_date_lte": "{_QueryWindowEndTime}" - } - }, - "response": { - "eventsJsonPaths": [ - "$.results[*]" - ], - "format": "json" - }, - "paging": { - "pagingType": "Offset", - "offsetParaName": "offset", - "pageSize": 1000, - "pageSizeParameterName": "limit" - }, - "connectorDefinitionName": "BitSightEventsConnector", - "dataType": "BitSightAlerts", - "dcrConfig": { - "streamName": "Custom-BitSightAlerts_CL", - "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", - "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" - }, - "addOnAttributes": { - "friendlyName": "[[parameters('friendlyName')]", - "userStream": "ALERTS" - } - }, - "condition": "[[equals(parameters('dataStream')[0], 'ALERTS')]" - }, - { - "name": "[[concat('parameters('workspace')', '/Microsoft.SecurityInsights/','BitSightBreaches' , uniqueString(parameters('friendlyName')) )]", - "apiVersion": "2023-02-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "RestApiPoller", - "properties": { - "auth": { - "type": "Basic", - "UserName": "[[parameters('username')]", - "Password": "[[parameters('password')]" - }, - "request": { - "apiEndpoint": "[[concat(parameters('bitSightApiUrl'), '/ratings/v2/portfolio')]", - "httpMethod": "GET", - "rateLimitQPS": 1, - "paginatedCallsPerSecond": 1.0, - "queryWindowInMin": 1440, - "queryWindowDelayInMin": 60, - "retryCount": 3, - "timeoutInSeconds": 30, - "headers": { - "Accept": "application/json", - "X-BITSIGHT-CALLING-PLATFORM-VERSION": "Microsoft-Sentinel", - "X-BITSIGHT-CONNECTOR-NAME-VERSION": "3.0.2" - }, - "queryParameters": { - "fields": "name,guid" - } - }, - "response": { - "eventsJsonPaths": [ - "$.results[*]" - ], - "format": "json" - }, - "paging": { - "pagingType": "Offset", - "offsetParaName": "offset", - "pageSize": 500, - "pageSizeParameterName": "limit" - }, - "stepInfo": { - 
"stepType": "Nested", - "nextSteps": [ - { - "stepId": "fetch_company_breaches", - "stepPlaceholdersParsingKql": "source | project res = parse_json(data) | project company_guid_PlaceHolder = tostring(res['guid']), company_name_PlaceHolder = tostring(res['name'])" - } - ] - }, - "stepCollectorConfigs": { - "fetch_company_breaches": { - "shouldJoinNestedData": false, - "request": { - "apiEndpoint": "[[concat(parameters('bitSightApiUrl'), '/v1/companies/$company_guid_PlaceHolder$/providers/breaches')]", - "httpMethod": "GET", - "queryWindowInMin": 1440, - "queryTimeFormat": "yyyy-MM-dd", - "retryCount": 3, - "timeoutInSeconds": 30, - "headers": { - "Accept": "application/json", - "X-BITSIGHT-CALLING-PLATFORM-VERSION": "Microsoft-Sentinel", - "X-BITSIGHT-CONNECTOR-NAME-VERSION": "3.0.2" - }, - "queryParameters": { - "date_created_gte": "{_QueryWindowStartTime}", - "date_created_lte": "{_QueryWindowEndTime}" - } - }, - "response": { - "eventsJsonPaths": [ - "$.results[*]" - ], - "format": "json" - }, - "paging": { - "pagingType": "Offset", - "offsetParaName": "offset", - "pageSize": 500, - "pageSizeParaName": "limit" - } - } - }, - "connectorDefinitionName": "BitSightEventsConnector", - "dataType": "BitSightBreaches", - "dcrConfig": { - "streamName": "Custom-BitSightBreaches_CL", - "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", - "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" - }, - "addOnAttributes": { - "company_guid": "$company_guid_PlaceHolder$", - "company_name": "$company_name_PlaceHolder$", - "friendlyName": "[[parameters('friendlyName')]", - "userStream": "BREACHES" - } - }, - "condition": "[[equals(parameters('dataStream')[0], 'BREACHES')]" - }, - { - "name": "[[concat('parameters('workspace')', '/Microsoft.SecurityInsights/','BitSightFindings' , uniqueString(parameters('friendlyName')), uniqueString('Diligence') )]", - "apiVersion": "2023-02-01-preview", - "type": 
"Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "RestApiPoller", - "properties": { - "auth": { - "type": "Basic", - "UserName": "[[parameters('username')]", - "Password": "[[parameters('password')]" - }, - "request": { - "apiEndpoint": "[[concat(parameters('bitSightApiUrl'), '/ratings/v2/portfolio')]", - "httpMethod": "GET", - "rateLimitQPS": 1, - "paginatedCallsPerSecond": 1.0, - "queryWindowInMin": 1, - "queryWindowDelayInMin": 60, - "retryCount": 3, - "timeoutInSeconds": 30, - "headers": { - "Accept": "application/json", - "X-BITSIGHT-CALLING-PLATFORM-VERSION": "Microsoft-Sentinel", - "X-BITSIGHT-CONNECTOR-NAME-VERSION": "3.0.2" - }, - "queryParameters": { - "fields": "name,guid" - } - }, - "response": { - "eventsJsonPaths": [ - "$.results[*]" - ], - "format": "json" - }, - "paging": { - "pagingType": "Offset", - "offsetParaName": "offset", - "pageSize": 500, - "pageSizeParameterName": "limit" - }, - "stepInfo": { - "stepType": "Nested", - "nextSteps": [ - { - "stepId": "fetch_company_findings", - "stepPlaceholdersParsingKql": "source | project res = parse_json(data) | project company_guid_PlaceHolder = tostring(res['guid']), company_name_PlaceHolder = tostring(res['name'])" - } - ] - }, - "stepCollectorConfigs": { - "fetch_company_findings": { - "shouldJoinNestedData": false, - "request": { - "apiEndpoint": "[[concat(parameters('bitSightApiUrl'), '/ratings/v1/companies/$company_guid_PlaceHolder$/findings')]", - "httpMethod": "GET", - "queryWindowInMin": 1440, - "queryTimeFormat": "yyyy-MM-dd", - "retryCount": 3, - "timeoutInSeconds": 30, - "headers": { - "Accept": "application/json", - "X-BITSIGHT-CALLING-PLATFORM-VERSION": "Microsoft-Sentinel", - "X-BITSIGHT-CONNECTOR-NAME-VERSION": "3.0.2" - }, - "queryParameters": { - "sort": "last_seen", - "expand": "attributed_companies", - "risk_category": "Diligence", - "last_seen_gte": "{_QueryWindowStartTime}", - "last_seen_lte": 
"{_QueryWindowEndTime}" - } - }, - "response": { - "eventsJsonPaths": [ - "$.results[*]" - ], - "format": "json" - }, - "paging": { - "pagingType": "Offset", - "offsetParaName": "offset", - "pageSize": 1000, - "pageSizeParaName": "limit" - } - } - }, - "connectorDefinitionName": "BitSightEventsConnector", - "dataType": "BitSightFindings", - "dcrConfig": { - "streamName": "Custom-BitSightFindings_CL", - "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", - "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" - }, - "addOnAttributes": { - "company_guid": "$company_guid_PlaceHolder$", - "company_name": "$company_name_PlaceHolder$", - "userStream": "DILIGENCE", - "friendlyName": "[[parameters('friendlyName')]" - } - }, - "condition": "[[equals(parameters('dataStream')[0], 'DILIGENCE')]" - }, - { - "name": "[[concat('parameters('workspace')', '/Microsoft.SecurityInsights/','BitSightFindings' , uniqueString(parameters('friendlyName')), uniqueString('Compromised Systems') )]", - "apiVersion": "2023-02-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "RestApiPoller", - "properties": { - "auth": { - "type": "Basic", - "UserName": "[[parameters('username')]", - "Password": "[[parameters('password')]" - }, - "request": { - "apiEndpoint": "[[concat(parameters('bitSightApiUrl'), '/ratings/v2/portfolio')]", - "httpMethod": "GET", - "rateLimitQPS": 1, - "paginatedCallsPerSecond": 1.0, - "queryWindowInMin": 1, - "queryWindowDelayInMin": 60, - "retryCount": 3, - "timeoutInSeconds": 30, - "headers": { - "Accept": "application/json", - "X-BITSIGHT-CALLING-PLATFORM-VERSION": "Microsoft-Sentinel", - "X-BITSIGHT-CONNECTOR-NAME-VERSION": "3.0.2" - }, - "queryParameters": { - "fields": "name,guid" - } - }, - "response": { - "eventsJsonPaths": [ - "$.results[*]" - ], - "format": "json" - }, - "paging": { - "pagingType": 
"Offset", - "offsetParaName": "offset", - "pageSize": 500, - "pageSizeParameterName": "limit" - }, - "stepInfo": { - "stepType": "Nested", - "nextSteps": [ - { - "stepId": "fetch_company_findings", - "stepPlaceholdersParsingKql": "source | project res = parse_json(data) | project company_guid_PlaceHolder = tostring(res['guid']), company_name_PlaceHolder = tostring(res['name'])" - } - ] - }, - "stepCollectorConfigs": { - "fetch_company_findings": { - "shouldJoinNestedData": false, - "request": { - "apiEndpoint": "[[concat(parameters('bitSightApiUrl'), '/ratings/v1/companies/$company_guid_PlaceHolder$/findings')]", - "httpMethod": "GET", - "queryWindowInMin": 1440, - "queryTimeFormat": "yyyy-MM-dd", - "retryCount": 3, - "timeoutInSeconds": 30, - "headers": { - "Accept": "application/json", - "X-BITSIGHT-CALLING-PLATFORM-VERSION": "Microsoft-Sentinel", - "X-BITSIGHT-CONNECTOR-NAME-VERSION": "3.0.2" - }, - "queryParameters": { - "sort": "last_seen", - "expand": "attributed_companies", - "risk_category": "Compromised Systems", - "last_seen_gte": "{_QueryWindowStartTime}", - "last_seen_lte": "{_QueryWindowEndTime}" - } - }, - "response": { - "eventsJsonPaths": [ - "$.results[*]" - ], - "format": "json" - }, - "paging": { - "pagingType": "Offset", - "offsetParaName": "offset", - "pageSize": 1000, - "pageSizeParaName": "limit" - } - } - }, - "connectorDefinitionName": "BitSightEventsConnector", - "dataType": "BitSightFindings", - "dcrConfig": { - "streamName": "Custom-BitSightFindings_CL", - "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", - "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" - }, - "addOnAttributes": { - "company_guid": "$company_guid_PlaceHolder$", - "company_name": "$company_name_PlaceHolder$", - "userStream": "COMPROMISED_SYSTEMS", - "friendlyName": "[[parameters('friendlyName')]" - } - }, - "condition": "[[equals(parameters('dataStream')[0], 'COMPROMISED_SYSTEMS')]" - }, - { - 
"name": "[[concat('parameters('workspace')', '/Microsoft.SecurityInsights/','BitSightFindings' , uniqueString(parameters('friendlyName')), uniqueString('User Behavior') )]", - "apiVersion": "2023-02-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "RestApiPoller", - "properties": { - "auth": { - "type": "Basic", - "UserName": "[[parameters('username')]", - "Password": "[[parameters('password')]" - }, - "request": { - "apiEndpoint": "[[concat(parameters('bitSightApiUrl'), '/ratings/v2/portfolio')]", - "httpMethod": "GET", - "rateLimitQPS": 1, - "paginatedCallsPerSecond": 1.0, - "queryWindowInMin": 1, - "queryWindowDelayInMin": 60, - "retryCount": 3, - "timeoutInSeconds": 30, - "headers": { - "Accept": "application/json", - "X-BITSIGHT-CALLING-PLATFORM-VERSION": "Microsoft-Sentinel", - "X-BITSIGHT-CONNECTOR-NAME-VERSION": "3.0.2" - }, - "queryParameters": { - "fields": "name,guid" - } - }, - "response": { - "eventsJsonPaths": [ - "$.results[*]" - ], - "format": "json" - }, - "paging": { - "pagingType": "Offset", - "offsetParaName": "offset", - "pageSize": 500, - "pageSizeParameterName": "limit" - }, - "stepInfo": { - "stepType": "Nested", - "nextSteps": [ - { - "stepId": "fetch_company_findings", - "stepPlaceholdersParsingKql": "source | project res = parse_json(data) | project company_guid_PlaceHolder = tostring(res['guid']), company_name_PlaceHolder = tostring(res['name'])" - } - ] - }, - "stepCollectorConfigs": { - "fetch_company_findings": { - "shouldJoinNestedData": false, - "request": { - "apiEndpoint": "[[concat(parameters('bitSightApiUrl'), '/ratings/v1/companies/$company_guid_PlaceHolder$/findings')]", - "httpMethod": "GET", - "queryWindowInMin": 1440, - "queryTimeFormat": "yyyy-MM-dd", - "retryCount": 3, - "timeoutInSeconds": 30, - "headers": { - "Accept": "application/json", - "X-BITSIGHT-CALLING-PLATFORM-VERSION": "Microsoft-Sentinel", - 
"X-BITSIGHT-CONNECTOR-NAME-VERSION": "3.0.2" - }, - "queryParameters": { - "sort": "last_seen", - "expand": "attributed_companies", - "risk_category": "User Behavior", - "last_seen_gte": "{_QueryWindowStartTime}", - "last_seen_lte": "{_QueryWindowEndTime}" - } - }, - "response": { - "eventsJsonPaths": [ - "$.results[*]" - ], - "format": "json" - }, - "paging": { - "pagingType": "Offset", - "offsetParaName": "offset", - "pageSize": 1000, - "pageSizeParaName": "limit" - } - } - }, - "connectorDefinitionName": "BitSightEventsConnector", - "dataType": "BitSightFindings", - "dcrConfig": { - "streamName": "Custom-BitSightFindings_CL", - "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", - "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" - }, - "addOnAttributes": { - "company_guid": "$company_guid_PlaceHolder$", - "company_name": "$company_name_PlaceHolder$", - "userStream": "USER_BEHAVIOR", - "friendlyName": "[[parameters('friendlyName')]" - } - }, - "condition": "[[equals(parameters('dataStream')[0], 'USER_BEHAVIOR')]" - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','rdc','-', uniqueString(concat(variables('_solutionId'),'-','ResourcesDataConnector','-',variables('_dataConnectorContentIdConnections2'),'-', variables('dataConnectorCCPVersion'))))]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "version": "[variables('dataConnectorCCPVersion')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnectorDefinition3'), variables('dataConnectorCCPVersion'))]", - "location": "[parameters('workspace-location')]", - 
"dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "contentId": "[variables('_dataConnectorContentIdConnectorDefinition3')]", - "displayName": "BitSight Security Statistics (via Codeless Connector Framework)", - "contentKind": "DataConnector", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorCCPVersion')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition3'))]", - "apiVersion": "2022-09-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions", - "location": "[parameters('workspace-location')]", - "kind": "Customizable", - "properties": { - "connectorUiConfig": { - "id": "BitSightStatisticsConnector", - "title": "BitSight Security Statistics (via Codeless Connector Framework)", - "publisher": "Microsoft", - "descriptionMarkdown": "The [BitSight](https://www.bitsight.com/) data connector provides the capability to ingest security statistics, company profiles, rating details, diligence history, risk vector statistics, and vulnerability data from your BitSight portfolio into Microsoft Sentinel through the BitSight REST API. 
Refer to the [BitSight API documentation](https://help.bitsighttech.com/hc/en-us/articles/115014888388-API-Token-Management) for more information.", - "graphQueriesTableName": "BitSightCompanyDetails", - "graphQueries": [ - { - "metricName": "Total Company Detail records received", - "legend": "BitSight Company Details", - "baseQuery": "{{graphQueriesTableName}}" - }, - { - "metricName": "Total Company Rating Details received", - "legend": "BitSight Company Rating Details", - "baseQuery": "BitSightCompanyRatingDetails" - }, - { - "metricName": "Total Diligence Historical Statistics received", - "legend": "BitSight Diligence Historical Statistics", - "baseQuery": "BitSightDiligenceHistoricalStatistics" - }, - { - "metricName": "Total Diligence Statistics received", - "legend": "BitSight Diligence Statistics", - "baseQuery": "BitSightDiligenceStatistics" - }, - { - "metricName": "Total Observations Statistics received", - "legend": "BitSight Observations Statistics", - "baseQuery": "BitSightObservationStatistics" - }, - { - "metricName": "Total Industries Statistics received", - "legend": "BitSight Industries Statistics", - "baseQuery": "BitsightIndustrialStatistics" - }, - { - "metricName": "Total Findings Summary records received", - "legend": "BitSight Findings Summary", - "baseQuery": "BitSightFindingsSummary" - }, - { - "metricName": "Total Vulnerabilities received", - "legend": "BitSight Vulnerabilities", - "baseQuery": "BitsightVulnerabilitiesFindingsSummary" - } - ], - "sampleQueries": [ - { - "description": "Get sample of BitSight Company Details", - "query": "{{graphQueriesTableName}}\n | take 10" - }, - { - "description": "Get company security ratings over time", - "query": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(90d)\n | summarize LatestRating = arg_max(TimeGenerated, CurrentRating) by Name\n | order by LatestRating asc" - }, - { - "description": "Get sample of BitSight Company Rating Details", - "query": "BitSightCompanyRatingDetails\n | 
take 10" - }, - { - "description": "Get findings summary with latest data per company/stat", - "query": "BitSightFindingsSummary\n | where TimeGenerated > ago(1d)\n | take 10" - }, - { - "description": "Get sample of BitSight Vulnerabilities", - "query": "BitsightVulnerabilitiesFindingsSummary\n | take 10" - } - ], - "dataTypes": [ - { - "name": "{{graphQueriesTableName}}", - "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(12h)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "BitSightCompanyRatingDetails", - "lastDataReceivedQuery": "BitSightCompanyRatingDetails\n | where TimeGenerated > ago(12h)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "BitSightFindingsSummary", - "lastDataReceivedQuery": "BitSightFindingsSummary\n | where TimeGenerated > ago(12h)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "BitSightDiligenceHistoricalStatistics", - "lastDataReceivedQuery": "BitSightDiligenceHistoricalStatistics\n| where TimeGenerated > ago(12h)\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" - }, - { - "name": "BitSightDiligenceStatistics", - "lastDataReceivedQuery": "BitSightDiligenceStatistics\n| where TimeGenerated > ago(12h)\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" - }, - { - "name": "BitSightObservationStatistics", - "lastDataReceivedQuery": "BitSightObservationStatistics\n| where TimeGenerated > ago(12h)\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" - }, - { - "name": "BitsightIndustrialStatistics", - "lastDataReceivedQuery": "BitsightIndustrialStatistics\n| where TimeGenerated > ago(12h)\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" - }, - { - "name": "BitsightVulnerabilitiesFindingsSummary", - "lastDataReceivedQuery": "BitsightVulnerabilitiesFindingsSummary\n| where TimeGenerated > ago(12h)\n| summarize Time = max(TimeGenerated)\n| 
where isnotempty(Time)" - } - ], - "connectivityCriteria": [ - { - "type": "HasDataConnectors" - } - ], - "availability": { - "isPreview": true, - "status": 1 - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "Read and Write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true, - "action": false - } - } - ], - "customs": [ - { - "name": "BitSight API Token", - "description": "A BitSight API Token is required to authenticate requests to the BitSight REST API. [See the documentation](https://help.bitsighttech.com/hc/en-us/articles/115014888388-API-Token-Management) to learn more about API Token management." - } - ] - }, - "instructionSteps": [ - { - "title": "1. Connection Management", - "description": "Manage your BitSight statistics data stream connections", - "instructions": [ - { - "type": "Markdown", - "parameters": { - "content": "## BitSight Statistics Connections\n\nManage multiple BitSight statistics connections. Each connection selects one or more **data streams** to ingest and assigns a **Connection Name** stored in the `connectionName` column of every ingested record.\n\n> **Authentication**: BitSight uses HTTP Basic Authentication where the API token is used as **both** the username and password." 
- } - }, - { - "type": "DataConnectorsGrid", - "parameters": { - "mapping": [ - { - "columnName": "Connection Name", - "columnValue": "properties.addOnAttributes.connectionName" - }, - { - "columnName": "Active Streams", - "columnValue": "properties.addOnAttributes.streams" - }, - { - "columnName": "API URL", - "columnValue": "properties.request.apiEndpoint" - } - ], - "menuItems": [ - "DeleteConnector" - ] - } - }, - { - "type": "ContextPane", - "parameters": { - "isPrimary": true, - "label": "Add Connection", - "title": "Add BitSight Statistics Connection", - "subtitle": "Configure a new BitSight statistics connection", - "contextPaneType": "DataConnectorsContextPane", - "instructionSteps": [ - { - "instructions": [ - { - "type": "Markdown", - "parameters": { - "content": "## 1. Select Data Streams\n\nChoose which BitSight statistics data types to collect for this connection. You can select multiple streams." - } - }, - { - "type": "Dropdown", - "parameters": { - "label": "Data Streams", - "name": "streams", - "options": [ - { - "key": "FindingsSummary", - "text": "FindingsSummary" - }, - { - "key": "CompanyDetails", - "text": "CompanyDetails" - }, - { - "key": "CompanyRatingDetails", - "text": "CompanyRatingDetails" - }, - { - "key": "DiligenceHistoricalStatistics", - "text": "DiligenceHistoricalStatistics" - }, - { - "key": "RiskVectorStatistics", - "text": "RiskVectorStatistics" - }, - { - "key": "IndustriesStatistics", - "text": "IndustriesStatistics" - }, - { - "key": "Vulnerabilities", - "text": "Vulnerabilities" - }, - { - "key": "ObservationsStatistics", - "text": "ObservationsStatistics" - } - ], - "isMultiSelect": true, - "defaultAllSelected": false, - "required": true - } - }, - { - "type": "Markdown", - "parameters": { - "content": "## 2. 
API Configuration" - } - }, - { - "type": "Textbox", - "parameters": { - "label": "BitSight API Base URL", - "placeholder": "https://api.bitsighttech.com", - "type": "text", - "name": "bitSightApiUrl", - "validations": { - "required": true - } - } - }, - { - "type": "Markdown", - "parameters": { - "content": "## 3. Authentication\n\nBitSight uses your API token as **both** the username and password for HTTP Basic Authentication." - } - }, - { - "type": "Textbox", - "parameters": { - "label": "BitSight API Token (Username)", - "placeholder": "Paste your BitSight API Token", - "type": "text", - "name": "username", - "validations": { - "required": true - } - } - }, - { - "type": "Textbox", - "parameters": { - "label": "BitSight API Token (Password)", - "placeholder": "Paste your BitSight API Token again", - "type": "password", - "name": "password", - "validations": { - "required": true - } - } - }, - { - "type": "InfoMessage", - "parameters": { - "text": "Obtain your API Token from **Settings > Account > User Preferences > API Token** in the BitSight portal.", - "visible": true, - "inline": false - } - }, - { - "type": "Markdown", - "parameters": { - "content": "## 4. Connection Name\n\nAssign a unique name to identify this connection in the grid and in every ingested log record." - } - }, - { - "type": "Textbox", - "parameters": { - "label": "Connection Name", - "placeholder": "e.g. 
BitSight-Statistics-Prod", - "type": "text", - "name": "connectionName", - "validations": { - "required": true - } - } - }, - { - "type": "InfoMessage", - "parameters": { - "text": "The connection name is stored in the `connectionName` column of every ingested record, enabling you to trace data back to this specific connection.", - "visible": true, - "inline": true - } - } - ] - } - ] - } - } - ] - } - ] - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition3')))]", - "apiVersion": "2022-01-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition3'))]", - "contentId": "[variables('_dataConnectorContentIdConnectorDefinition3')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorCCPVersion')]", - "source": { - "sourceId": "[variables('_solutionId')]", - "name": "[variables('_solutionName')]", - "kind": "Solution" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "BitSight Support", - "email": "support@bitsight.com", - "tier": "Partner", - "link": "https://www.bitsight.com/customer-success-support" - }, - "dependencies": { - "criteria": [ - { - "version": "[variables('dataConnectorCCPVersion')]", - "contentId": "[variables('_dataConnectorContentIdConnections3')]", - "kind": "ResourcesDataConnector" - } - ] - } - } - }, - { - "name": "BitSightStatisticsDCR", - "apiVersion": "2022-06-01", - "type": "Microsoft.Insights/dataCollectionRules", - "location": "[parameters('workspace-location')]", - "kind": "[variables('blanks')]", - "properties": { - "dataCollectionEndpointId": "[variables('dataCollectionEndpointId3')]", - 
"streamDeclarations": { - "Custom-BitSightFindingsSummary_CL": { - "columns": [ - { - "name": "company_name", - "type": "string" - }, - { - "name": "company_guid", - "type": "string" - }, - { - "name": "start_date", - "type": "string" - }, - { - "name": "end_date", - "type": "string" - }, - { - "name": "stats", - "type": "dynamic" - }, - { - "name": "connectionName", - "type": "string" - } - ] - }, - "Custom-BitSightCompanyDetails_CL": { - "columns": [ - { - "name": "guid", - "type": "string" - }, - { - "name": "name", - "type": "string" - }, - { - "name": "shortname", - "type": "string" - }, - { - "name": "type", - "type": "string" - }, - { - "name": "description", - "type": "string" - }, - { - "name": "primary_domain", - "type": "string" - }, - { - "name": "homepage", - "type": "string" - }, - { - "name": "display_url", - "type": "string" - }, - { - "name": "sparkline", - "type": "string" - }, - { - "name": "industry", - "type": "string" - }, - { - "name": "industry_slug", - "type": "string" - }, - { - "name": "sub_industry", - "type": "string" - }, - { - "name": "sub_industry_slug", - "type": "string" - }, - { - "name": "ipv4_count", - "type": "int" - }, - { - "name": "people_count", - "type": "int" - }, - { - "name": "search_count", - "type": "int" - }, - { - "name": "customer_monitoring_count", - "type": "int" - }, - { - "name": "current_rating", - "type": "int" - }, - { - "name": "rating_industry_median", - "type": "string" - }, - { - "name": "ratings", - "type": "dynamic" - }, - { - "name": "subscription_type", - "type": "string" - }, - { - "name": "subscription_type_key", - "type": "string" - }, - { - "name": "subscription_end_date", - "type": "string" - }, - { - "name": "bulk_email_sender_status", - "type": "string" - }, - { - "name": "security_grade", - "type": "string" - }, - { - "name": "service_provider", - "type": "boolean" - }, - { - "name": "has_company_tree", - "type": "boolean" - }, - { - "name": "has_preferred_contact", - "type": "boolean" - }, - 
{ - "name": "is_bundle", - "type": "boolean" - }, - { - "name": "is_primary", - "type": "boolean" - }, - { - "name": "in_spm_portfolio", - "type": "boolean" - }, - { - "name": "is_mycomp_mysubs_bundle", - "type": "boolean" - }, - { - "name": "is_csp", - "type": "boolean" - }, - { - "name": "has_delegated_security_controls", - "type": "boolean" - }, - { - "name": "custom_id", - "type": "dynamic" - }, - { - "name": "available_upgrade_types", - "type": "dynamic" - }, - { - "name": "company_features", - "type": "dynamic" - }, - { - "name": "related_companies", - "type": "dynamic" - }, - { - "name": "primary_company", - "type": "dynamic" - }, - { - "name": "compliance_claim", - "type": "dynamic" - }, - { - "name": "permissions", - "type": "dynamic" - }, - { - "name": "connectionName", - "type": "string" - } - ] - }, - "Custom-BitSightCompanyRatingDetails_CL": { - "columns": [ - { - "name": "company_name", - "type": "string" - }, - { - "name": "company_guid", - "type": "string" - }, - { - "name": "risk_vector_slug", - "type": "string" - }, - { - "name": "name", - "type": "string" - }, - { - "name": "category", - "type": "string" - }, - { - "name": "category_order", - "type": "int" - }, - { - "name": "rating", - "type": "int" - }, - { - "name": "grade", - "type": "string" - }, - { - "name": "percentile", - "type": "int" - }, - { - "name": "grade_color", - "type": "string" - }, - { - "name": "order", - "type": "int" - }, - { - "name": "display_url", - "type": "string" - }, - { - "name": "beta", - "type": "boolean" - }, - { - "name": "connectionName", - "type": "string" - } - ] - }, - "Custom-BitSightDiligenceHistoricalStatistics_CL": { - "columns": [ - { - "name": "company_name", - "type": "string" - }, - { - "name": "company_guid", - "type": "string" - }, - { - "name": "date", - "type": "string" - }, - { - "name": "grade", - "type": "string" - }, - { - "name": "counts", - "type": "dynamic" - }, - { - "name": "connectionName", - "type": "string" - } - ] - }, - 
"Custom-BitSightDiligenceStatistics_CL": { - "columns": [ - { - "name": "company_name", - "type": "string" - }, - { - "name": "company_guid", - "type": "string" - }, - { - "name": "risk_vector", - "type": "string" - }, - { - "name": "unknown", - "type": "int" - }, - { - "name": "bad", - "type": "int" - }, - { - "name": "warn", - "type": "int" - }, - { - "name": "neutral", - "type": "int" - }, - { - "name": "fair", - "type": "int" - }, - { - "name": "good", - "type": "int" - }, - { - "name": "spear_phishing", - "type": "int" - }, - { - "name": "bit_flip", - "type": "int" - }, - { - "name": "typographical_errors", - "type": "int" - }, - { - "name": "tld_variant", - "type": "int" - }, - { - "name": "total_count", - "type": "int" - }, - { - "name": "connectionName", - "type": "string" - } - ] - }, - "Custom-BitSightObservationStatistics_CL": { - "columns": [ - { - "name": "company_name", - "type": "string" - }, - { - "name": "company_guid", - "type": "string" - }, - { - "name": "risk_vector", - "type": "string" - }, - { - "name": "count", - "type": "int" - }, - { - "name": "count_period", - "type": "string" - }, - { - "name": "average_duration_days", - "type": "real" - }, - { - "name": "connectionName", - "type": "string" - } - ] - }, - "Custom-BitsightVulnerabilitiesFindingsSummary_CL": { - "columns": [ - { - "name": "name", - "type": "string" - }, - { - "name": "display_name", - "type": "string" - }, - { - "name": "description", - "type": "string" - }, - { - "name": "severity", - "type": "string" - }, - { - "name": "connectionName", - "type": "string" - } - ] - }, - "Custom-BitsightIndustrialStatistics_CL": { - "columns": [ - { - "name": "company_name", - "type": "string" - }, - { - "name": "company_guid", - "type": "string" - }, - { - "name": "risk_vector", - "type": "string" - }, - { - "name": "count", - "type": "int" - }, - { - "name": "count_period", - "type": "string" - }, - { - "name": "average_duration_days", - "type": "real" - }, - { - "name": 
"connectionName", - "type": "string" - } - ] - } - }, - "destinations": { - "logAnalytics": [ - { - "workspaceResourceId": "[variables('workspaceResourceId')]", - "name": "clv2ws1" - } - ] - }, - "dataFlows": [ - { - "streams": [ - "Custom-BitSightFindingsSummary_CL" - ], - "destinations": [ - "clv2ws1" - ], - "outputStream": "Custom-BitSightFindingsSummary_CL", - "transformKql": "source | extend TimeGenerated = iff(isnull(['end_date']) or todatetime(['end_date']) < ago(2d), now(), todatetime(['end_date'])) , CompanyName = ['company_name'] , CompanyGuid = ['company_guid'] , StartDate = ['start_date'] , EndDate = ['end_date'] , Stats = ['stats'] , ConnectorName = ['connectionName'] | project TimeGenerated , CompanyName , CompanyGuid , StartDate , EndDate , Stats , ConnectorName" - }, - { - "streams": [ - "Custom-BitSightCompanyDetails_CL" - ], - "destinations": [ - "clv2ws1" - ], - "outputStream": "Custom-BitSightCompanyDetails_CL", - "transformKql": "source | extend TimeGenerated = now() , Guid = ['guid'] , Name = ['name'] , Shortname = ['shortname'] , CompanyType = ['type'] , Description = ['description'] , PrimaryDomain = ['primary_domain'] , Homepage = ['homepage'] , DisplayUrl = ['display_url'] , Sparkline = ['sparkline'] , Industry = ['industry'] , IndustrySlug = ['industry_slug'] , SubIndustry = ['sub_industry'] , SubIndustrySlug = ['sub_industry_slug'] , Ipv4Count = ['ipv4_count'] , PeopleCount = ['people_count'] , SearchCount = ['search_count'] , CustomerMonitoringCount = ['customer_monitoring_count'] , CurrentRating = ['current_rating'] , RatingIndustryMedian = ['rating_industry_median'] , Ratings = ['ratings'] , SubscriptionType = ['subscription_type'] , SubscriptionTypeKey = ['subscription_type_key'] , SubscriptionEndDate = ['subscription_end_date'] , BulkEmailSenderStatus = ['bulk_email_sender_status'] , SecurityGrade = ['security_grade'] , ServiceProvider = ['service_provider'] , HasCompanyTree = ['has_company_tree'] , HasPreferredContact = 
['has_preferred_contact'] , IsBundle = ['is_bundle'] , IsPrimary = ['is_primary'] , InSpmPortfolio = ['in_spm_portfolio'] , IsMycompMysubsBundle = ['is_mycomp_mysubs_bundle'] , IsCsp = ['is_csp'] , HasDelegatedSecurityControls = ['has_delegated_security_controls'] , CustomId = ['custom_id'] , AvailableUpgradeTypes = ['available_upgrade_types'] , CompanyFeatures = ['company_features'] , RelatedCompanies = ['related_companies'] , PrimaryCompany = ['primary_company'] , ComplianceClaim = ['compliance_claim'] , Permissions = ['permissions'] , ConnectorName = ['connectionName'] | project TimeGenerated , Guid , Name , Shortname , CompanyType , Description , PrimaryDomain , Homepage , DisplayUrl , Sparkline , Industry , IndustrySlug , SubIndustry , SubIndustrySlug , Ipv4Count , PeopleCount , SearchCount , CustomerMonitoringCount , CurrentRating , RatingIndustryMedian , Ratings , SubscriptionType , SubscriptionTypeKey , SubscriptionEndDate , BulkEmailSenderStatus , SecurityGrade , ServiceProvider , HasCompanyTree , HasPreferredContact , IsBundle , IsPrimary , InSpmPortfolio , IsMycompMysubsBundle , IsCsp , HasDelegatedSecurityControls , CustomId , AvailableUpgradeTypes , CompanyFeatures , RelatedCompanies , PrimaryCompany , ComplianceClaim , Permissions , ConnectorName" - }, - { - "streams": [ - "Custom-BitSightCompanyRatingDetails_CL" - ], - "destinations": [ - "clv2ws1" - ], - "outputStream": "Custom-BitSightCompanyRatingDetails_CL", - "transformKql": "source | extend TimeGenerated = now() , CompanyName = ['company_name'] , CompanyGuid = ['company_guid'] , RiskVectorSlug = ['risk_vector_slug'] , RiskVectorLabel = ['name'] , RiskCategory = ['category'] , CategoryOrder = ['category_order'] , Rating = ['rating'] , Grade = ['grade'] , Percentile = ['percentile'] , GradeColor = ['grade_color'] , RiskVectorOrder = ['order'] , DisplayUrl = ['display_url'] , Beta = ['beta'] , ConnectorName = ['connectionName'] | project TimeGenerated , CompanyName , CompanyGuid , RiskVectorSlug , 
RiskVectorLabel , RiskCategory , CategoryOrder , Rating , Grade , Percentile , GradeColor , RiskVectorOrder , DisplayUrl , Beta , ConnectorName" - }, - { - "streams": [ - "Custom-BitSightDiligenceHistoricalStatistics_CL" - ], - "destinations": [ - "clv2ws1" - ], - "outputStream": "Custom-BitSightDiligenceHistoricalStatistics_CL", - "transformKql": "source | extend TimeGenerated = now() , CompanyName = ['company_name'] , CompanyGuid = ['company_guid'] , RecordDate = ['date'] , Grade = ['grade'] , Counts = ['counts'] , ConnectorName = ['connectionName'] | project TimeGenerated , CompanyName , CompanyGuid , RecordDate , Grade , Counts , ConnectorName" - }, - { - "streams": [ - "Custom-BitSightDiligenceStatistics_CL" - ], - "destinations": [ - "clv2ws1" - ], - "outputStream": "Custom-BitSightDiligenceStatistics_CL", - "transformKql": "source | extend TimeGenerated = now() , CompanyName = ['company_name'] , CompanyGuid = ['company_guid'] , RiskVector = ['risk_vector'] , Unknown = ['unknown'] , Bad = ['bad'] , Warn = ['warn'] , Neutral = ['neutral'] , Fair = ['fair'] , Good = ['good'] , SpearPhishing = ['spear_phishing'] , BitFlip = ['bit_flip'] , TypographicalErrors = ['typographical_errors'] , TldVariant = ['tld_variant'] , TotalCount = ['total_count'] , ConnectorName = ['connectionName'] | project TimeGenerated , CompanyName , CompanyGuid , RiskVector , Unknown , Bad , Warn , Neutral , Fair , Good , SpearPhishing , BitFlip , TypographicalErrors , TldVariant , TotalCount , ConnectorName" - }, - { - "streams": [ - "Custom-BitSightObservationStatistics_CL" - ], - "destinations": [ - "clv2ws1" - ], - "outputStream": "Custom-BitSightObservationStatistics_CL", - "transformKql": "source | extend TimeGenerated = now() , CompanyName = ['company_name'] , CompanyGuid = ['company_guid'] , RiskVector = ['risk_vector'] , ObservationCount = ['count'] , CountPeriod = ['count_period'] , AverageDurationDays = ['average_duration_days'] , ConnectorName = ['connectionName'] | project 
TimeGenerated , CompanyName , CompanyGuid , RiskVector , ObservationCount , CountPeriod , AverageDurationDays , ConnectorName" - }, - { - "streams": [ - "Custom-BitsightIndustrialStatistics_CL" - ], - "destinations": [ - "clv2ws1" - ], - "outputStream": "Custom-BitsightIndustrialStatistics_CL", - "transformKql": "source | extend TimeGenerated = now() , CompanyName = ['company_name'] , CompanyGuid = ['company_guid'] , RiskVector = ['risk_vector'] , IncidentCount = ['count'] , CountPeriod = ['count_period'] , AverageDurationDays = ['average_duration_days'] , ConnectorName = ['connectionName'] | project TimeGenerated , CompanyName , CompanyGuid , RiskVector , IncidentCount , CountPeriod , AverageDurationDays , ConnectorName" - }, - { - "streams": [ - "Custom-BitsightVulnerabilitiesFindingsSummary_CL" - ], - "destinations": [ - "clv2ws1" - ], - "outputStream": "Custom-BitsightVulnerabilitiesFindingsSummary_CL", - "transformKql": "source | extend TimeGenerated = now() , Name = ['name'] , DisplayName = ['display_name'] , Description = ['description'] , Severity = ['severity'] , ConnectorName = ['connectionName'] | project TimeGenerated , Name , DisplayName , Description , Severity , ConnectorName" - } - ] - } - }, - { - "name": "BitsightVulnerabilitiesFindingsSummary_CL", - "apiVersion": "2022-10-01", - "type": "Microsoft.OperationalInsights/workspaces/tables", - "location": "[parameters('workspace-location')]", - "kind": null, - "properties": { - "retentionInDays": 180, - "schema": { - "name": "BitsightVulnerabilitiesFindingsSummary_CL", - "description": "The BitsightVulnerabilitiesFindingsSummary table contains vulnerability reference data from the BitSight defaults API. 
Used at query time to enrich BitSightFindingsSummary with Severity and Description via the KQL parser.", - "columns": [ - { - "name": "TimeGenerated", - "type": "datetime", - "isDefaultDisplay": true - }, - { - "name": "Name", - "type": "string", - "description": "Slug identifier for the vulnerability type (e.g., 'patching_cadence')." - }, - { - "name": "DisplayName", - "type": "string", - "description": "Human-readable name of the vulnerability type." - }, - { - "name": "Description", - "type": "string", - "description": "Description of what the vulnerability type measures." - }, - { - "name": "Severity", - "type": "string", - "description": "Severity level of the vulnerability type (e.g., 'high', 'medium', 'low')." - }, - { - "name": "ConnectorName", - "type": "string", - "description": "Connection name identifier for multi-instance tracking." - } - ] - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentIdConnectorDefinition3'),'-', variables('dataConnectorCCPVersion'))))]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "version": "[variables('dataConnectorCCPVersion')]" - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition3'))]", - "apiVersion": "2022-09-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions", - "location": "[parameters('workspace-location')]", - "kind": "Customizable", - "properties": { - "connectorUiConfig": { - "id": "BitSightStatisticsConnector", - "title": "BitSight Security Statistics (via Codeless Connector Framework)", - "publisher": "Microsoft", - "descriptionMarkdown": "The 
[BitSight](https://www.bitsight.com/) data connector provides the capability to ingest security statistics, company profiles, rating details, diligence history, risk vector statistics, and vulnerability data from your BitSight portfolio into Microsoft Sentinel through the BitSight REST API. Refer to the [BitSight API documentation](https://help.bitsighttech.com/hc/en-us/articles/115014888388-API-Token-Management) for more information.", - "graphQueriesTableName": "BitSightCompanyDetails", - "graphQueries": [ - { - "metricName": "Total Company Detail records received", - "legend": "BitSight Company Details", - "baseQuery": "{{graphQueriesTableName}}" - }, - { - "metricName": "Total Company Rating Details received", - "legend": "BitSight Company Rating Details", - "baseQuery": "BitSightCompanyRatingDetails" - }, - { - "metricName": "Total Diligence Historical Statistics received", - "legend": "BitSight Diligence Historical Statistics", - "baseQuery": "BitSightDiligenceHistoricalStatistics" - }, - { - "metricName": "Total Diligence Statistics received", - "legend": "BitSight Diligence Statistics", - "baseQuery": "BitSightDiligenceStatistics" - }, - { - "metricName": "Total Observations Statistics received", - "legend": "BitSight Observations Statistics", - "baseQuery": "BitSightObservationStatistics" - }, - { - "metricName": "Total Industries Statistics received", - "legend": "BitSight Industries Statistics", - "baseQuery": "BitsightIndustrialStatistics" - }, - { - "metricName": "Total Findings Summary records received", - "legend": "BitSight Findings Summary", - "baseQuery": "BitSightFindingsSummary" - }, - { - "metricName": "Total Vulnerabilities received", - "legend": "BitSight Vulnerabilities", - "baseQuery": "BitsightVulnerabilitiesFindingsSummary" - } - ], - "sampleQueries": [ - { - "description": "Get sample of BitSight Company Details", - "query": "{{graphQueriesTableName}}\n | take 10" - }, - { - "description": "Get company security ratings over time", - 
"query": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(90d)\n | summarize LatestRating = arg_max(TimeGenerated, CurrentRating) by Name\n | order by LatestRating asc" - }, - { - "description": "Get sample of BitSight Company Rating Details", - "query": "BitSightCompanyRatingDetails\n | take 10" - }, - { - "description": "Get findings summary with latest data per company/stat", - "query": "BitSightFindingsSummary\n | where TimeGenerated > ago(1d)\n | take 10" - }, - { - "description": "Get sample of BitSight Vulnerabilities", - "query": "BitsightVulnerabilitiesFindingsSummary\n | take 10" - } - ], - "dataTypes": [ - { - "name": "{{graphQueriesTableName}}", - "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(12h)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "BitSightCompanyRatingDetails", - "lastDataReceivedQuery": "BitSightCompanyRatingDetails\n | where TimeGenerated > ago(12h)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "BitSightFindingsSummary", - "lastDataReceivedQuery": "BitSightFindingsSummary\n | where TimeGenerated > ago(12h)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "BitSightDiligenceHistoricalStatistics", - "lastDataReceivedQuery": "BitSightDiligenceHistoricalStatistics\n| where TimeGenerated > ago(12h)\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" - }, - { - "name": "BitSightDiligenceStatistics", - "lastDataReceivedQuery": "BitSightDiligenceStatistics\n| where TimeGenerated > ago(12h)\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" - }, - { - "name": "BitSightObservationStatistics", - "lastDataReceivedQuery": "BitSightObservationStatistics\n| where TimeGenerated > ago(12h)\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" - }, - { - "name": "BitsightIndustrialStatistics", - "lastDataReceivedQuery": "BitsightIndustrialStatistics\n| 
where TimeGenerated > ago(12h)\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" - }, - { - "name": "BitsightVulnerabilitiesFindingsSummary", - "lastDataReceivedQuery": "BitsightVulnerabilitiesFindingsSummary\n| where TimeGenerated > ago(12h)\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" - } - ], - "connectivityCriteria": [ - { - "type": "HasDataConnectors" - } - ], - "availability": { - "isPreview": true, - "status": 1 - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "Read and Write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true, - "action": false - } - } - ], - "customs": [ - { - "name": "BitSight API Token", - "description": "A BitSight API Token is required to authenticate requests to the BitSight REST API. [See the documentation](https://help.bitsighttech.com/hc/en-us/articles/115014888388-API-Token-Management) to learn more about API Token management." - } - ] - }, - "instructionSteps": [ - { - "title": "1. Connection Management", - "description": "Manage your BitSight statistics data stream connections", - "instructions": [ - { - "type": "Markdown", - "parameters": { - "content": "## BitSight Statistics Connections\n\nManage multiple BitSight statistics connections. Each connection selects one or more **data streams** to ingest and assigns a **Connection Name** stored in the `connectionName` column of every ingested record.\n\n> **Authentication**: BitSight uses HTTP Basic Authentication where the API token is used as **both** the username and password." 
- } - }, - { - "type": "DataConnectorsGrid", - "parameters": { - "mapping": [ - { - "columnName": "Connection Name", - "columnValue": "properties.addOnAttributes.connectionName" - }, - { - "columnName": "Active Streams", - "columnValue": "properties.addOnAttributes.streams" - }, - { - "columnName": "API URL", - "columnValue": "properties.request.apiEndpoint" - } - ], - "menuItems": [ - "DeleteConnector" - ] - } - }, - { - "type": "ContextPane", - "parameters": { - "isPrimary": true, - "label": "Add Connection", - "title": "Add BitSight Statistics Connection", - "subtitle": "Configure a new BitSight statistics connection", - "contextPaneType": "DataConnectorsContextPane", - "instructionSteps": [ - { - "instructions": [ - { - "type": "Markdown", - "parameters": { - "content": "## 1. Select Data Streams\n\nChoose which BitSight statistics data types to collect for this connection. You can select multiple streams." - } - }, - { - "type": "Dropdown", - "parameters": { - "label": "Data Streams", - "name": "streams", - "options": [ - { - "key": "FindingsSummary", - "text": "FindingsSummary" - }, - { - "key": "CompanyDetails", - "text": "CompanyDetails" - }, - { - "key": "CompanyRatingDetails", - "text": "CompanyRatingDetails" - }, - { - "key": "DiligenceHistoricalStatistics", - "text": "DiligenceHistoricalStatistics" - }, - { - "key": "RiskVectorStatistics", - "text": "RiskVectorStatistics" - }, - { - "key": "IndustriesStatistics", - "text": "IndustriesStatistics" - }, - { - "key": "Vulnerabilities", - "text": "Vulnerabilities" - }, - { - "key": "ObservationsStatistics", - "text": "ObservationsStatistics" - } - ], - "isMultiSelect": true, - "defaultAllSelected": false, - "required": true - } - }, - { - "type": "Markdown", - "parameters": { - "content": "## 2. 
API Configuration" - } - }, - { - "type": "Textbox", - "parameters": { - "label": "BitSight API Base URL", - "placeholder": "https://api.bitsighttech.com", - "type": "text", - "name": "bitSightApiUrl", - "validations": { - "required": true - } - } - }, - { - "type": "Markdown", - "parameters": { - "content": "## 3. Authentication\n\nBitSight uses your API token as **both** the username and password for HTTP Basic Authentication." - } - }, - { - "type": "Textbox", - "parameters": { - "label": "BitSight API Token (Username)", - "placeholder": "Paste your BitSight API Token", - "type": "text", - "name": "username", - "validations": { - "required": true - } - } - }, - { - "type": "Textbox", - "parameters": { - "label": "BitSight API Token (Password)", - "placeholder": "Paste your BitSight API Token again", - "type": "password", - "name": "password", - "validations": { - "required": true - } - } - }, - { - "type": "InfoMessage", - "parameters": { - "text": "Obtain your API Token from **Settings > Account > User Preferences > API Token** in the BitSight portal.", - "visible": true, - "inline": false - } - }, - { - "type": "Markdown", - "parameters": { - "content": "## 4. Connection Name\n\nAssign a unique name to identify this connection in the grid and in every ingested log record." - } - }, - { - "type": "Textbox", - "parameters": { - "label": "Connection Name", - "placeholder": "e.g. 
BitSight-Statistics-Prod", - "type": "text", - "name": "connectionName", - "validations": { - "required": true - } - } - }, - { - "type": "InfoMessage", - "parameters": { - "text": "The connection name is stored in the `connectionName` column of every ingested record, enabling you to trace data back to this specific connection.", - "visible": true, - "inline": true - } - } - ] - } - ] - } - } - ] - } - ] - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition3')))]", - "apiVersion": "2022-01-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition3'))]", - "contentId": "[variables('_dataConnectorContentIdConnectorDefinition3')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorCCPVersion')]", - "source": { - "sourceId": "[variables('_solutionId')]", - "name": "[variables('_solutionName')]", - "kind": "Solution" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "BitSight Support", - "email": "support@bitsight.com", - "tier": "Partner", - "link": "https://www.bitsight.com/customer-success-support" - }, - "dependencies": { - "criteria": [ - { - "version": "[variables('dataConnectorCCPVersion')]", - "contentId": "[variables('_dataConnectorContentIdConnections3')]", - "kind": "ResourcesDataConnector" - } - ] - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnections3'), variables('dataConnectorCCPVersion'))]", - 
"location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "contentId": "[variables('_dataConnectorContentIdConnections3')]", - "displayName": "BitSight Security Statistics (via Codeless Connector Framework)", - "contentKind": "ResourcesDataConnector", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorCCPVersion')]", - "parameters": { - "guidValue": { - "defaultValue": "[[newGuid()]", - "type": "securestring" - }, - "innerWorkspace": { - "defaultValue": "[parameters('workspace')]", - "type": "securestring" - }, - "connectorDefinitionName": { - "defaultValue": "BitSight Security Statistics (via Codeless Connector Framework)", - "type": "securestring", - "minLength": 1 - }, - "workspace": { - "defaultValue": "[parameters('workspace')]", - "type": "securestring" - }, - "dcrConfig": { - "defaultValue": { - "dataCollectionEndpoint": "data collection Endpoint", - "dataCollectionRuleImmutableId": "data collection rule immutableId" - }, - "type": "object" - }, - "streams": { - "defaultValue": "streams", - "type": "array" - }, - "bitSightApiUrl": { - "defaultValue": "bitSightApiUrl", - "type": "securestring", - "minLength": 1 - }, - "username": { - "defaultValue": "username", - "type": "securestring", - "minLength": 1 - }, - "password": { - "defaultValue": "password", - "type": "securestring", - "minLength": 1 - }, - "connectionName": { - "defaultValue": "connectionName", - "type": "securestring", - "minLength": 1 - } - }, - "variables": { - "_dataConnectorContentIdConnections3": "[variables('_dataConnectorContentIdConnections3')]" - }, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', 
variables('_dataConnectorContentIdConnections3')))]", - "apiVersion": "2022-01-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentIdConnections3'))]", - "contentId": "[variables('_dataConnectorContentIdConnections3')]", - "kind": "ResourcesDataConnector", - "version": "[variables('dataConnectorCCPVersion')]", - "source": { - "sourceId": "[variables('_solutionId')]", - "name": "[variables('_solutionName')]", - "kind": "Solution" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "BitSight Support", - "email": "support@bitsight.com", - "tier": "Partner", - "link": "https://www.bitsight.com/customer-success-support" - } - } - }, - { - "name": "[[concat('parameters('workspace')', '/Microsoft.SecurityInsights/','BitSightFindingsSummary' , uniqueString(parameters('connectionName')) )]", - "apiVersion": "2023-02-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "RestApiPoller", - "properties": { - "auth": { - "type": "Basic", - "UserName": "[[parameters('username')]", - "Password": "[[parameters('password')]" - }, - "request": { - "apiEndpoint": "[[concat(parameters('bitSightApiUrl'), '/ratings/v2/portfolio')]", - "httpMethod": "GET", - "rateLimitQPS": 1, - "paginatedCallsPerSecond": 1.0, - "queryWindowInMin": 1440, - "queryWindowDelayInMin": 60, - "retryCount": 3, - "timeoutInSeconds": 30, - "headers": { - "Accept": "application/json", - "X-BITSIGHT-CALLING-PLATFORM-VERSION": "Microsoft-Sentinel", - "X-BITSIGHT-CONNECTOR-NAME-VERSION": "3.0.2" - }, - "queryParameters": { - "fields": "name,guid" - } - }, - "response": { - "eventsJsonPaths": [ - "$.results[*]" - ], - 
"format": "json" - }, - "paging": { - "pagingType": "Offset", - "offsetParaName": "offset", - "pageSize": 500, - "pageSizeParameterName": "limit" - }, - "stepInfo": { - "stepType": "Nested", - "nextSteps": [ - { - "stepId": "fetch_findings_summary", - "stepPlaceholdersParsingKql": "source | project res = parse_json(data) | project company_guid_PlaceHolder = tostring(res['guid']), company_name_PlaceHolder = tostring(res['name'])" - } - ] - }, - "stepCollectorConfigs": { - "fetch_findings_summary": { - "shouldJoinNestedData": false, - "request": { - "apiEndpoint": "[[concat(parameters('bitSightApiUrl'), '/ratings/v1/companies/$company_guid_PlaceHolder$/findings/summary')]", - "httpMethod": "GET", - "queryWindowInMin": 1440, - "retryCount": 3, - "timeoutInSeconds": 30, - "headers": { - "Accept": "application/json", - "X-BITSIGHT-CALLING-PLATFORM-VERSION": "Microsoft-Sentinel", - "X-BITSIGHT-CONNECTOR-NAME-VERSION": "3.0.2" - } - }, - "response": { - "eventsJsonPaths": [ - "$[*]" - ], - "format": "json" - } - } - }, - "connectorDefinitionName": "BitSightStatisticsConnector", - "dataType": "BitSightFindingsSummary", - "dcrConfig": { - "streamName": "Custom-BitSightFindingsSummary_CL", - "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", - "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" - }, - "addOnAttributes": { - "company_guid": "$company_guid_PlaceHolder$", - "company_name": "$company_name_PlaceHolder$", - "connectionName": "[[parameters('connectionName')]", - "streams": "[[string(parameters('streams'))]" - } - }, - "condition": "[[contains(parameters('streams'), 'FindingsSummary')]" - }, - { - "name": "[[concat('parameters('workspace')', '/Microsoft.SecurityInsights/','BitSightCompanyDetails' , uniqueString(parameters('connectionName')) )]", - "apiVersion": "2023-02-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": 
"[parameters('workspace-location')]", - "kind": "RestApiPoller", - "properties": { - "auth": { - "type": "Basic", - "UserName": "[[parameters('username')]", - "Password": "[[parameters('password')]" - }, - "request": { - "apiEndpoint": "[[concat(parameters('bitSightApiUrl'), '/ratings/v2/portfolio')]", - "httpMethod": "GET", - "rateLimitQPS": 1, - "paginatedCallsPerSecond": 1.0, - "queryWindowInMin": 1440, - "queryWindowDelayInMin": 60, - "retryCount": 3, - "timeoutInSeconds": 30, - "headers": { - "Accept": "application/json", - "X-BITSIGHT-CALLING-PLATFORM-VERSION": "Microsoft-Sentinel", - "X-BITSIGHT-CONNECTOR-NAME-VERSION": "3.0.2" - }, - "queryParameters": { - "fields": "name,guid" - } - }, - "response": { - "eventsJsonPaths": [ - "$.results[*]" - ], - "format": "json" - }, - "paging": { - "pagingType": "Offset", - "offsetParaName": "offset", - "pageSize": 500, - "pageSizeParameterName": "limit" - }, - "stepInfo": { - "stepType": "Nested", - "nextSteps": [ - { - "stepId": "fetch_company_detail", - "stepPlaceholdersParsingKql": "source | project res = parse_json(data) | project company_guid_PlaceHolder = tostring(res['guid'])" - } - ] - }, - "stepCollectorConfigs": { - "fetch_company_detail": { - "shouldJoinNestedData": false, - "request": { - "apiEndpoint": "[[concat(parameters('bitSightApiUrl'), '/ratings/v1/companies/$company_guid_PlaceHolder$')]", - "httpMethod": "GET", - "queryWindowInMin": 1440, - "retryCount": 3, - "timeoutInSeconds": 30, - "headers": { - "Accept": "application/json", - "X-BITSIGHT-CALLING-PLATFORM-VERSION": "Microsoft-Sentinel", - "X-BITSIGHT-CONNECTOR-NAME-VERSION": "3.0.2" - } - }, - "response": { - "eventsJsonPaths": [ - "$" - ], - "format": "json" - } - } - }, - "connectorDefinitionName": "BitSightStatisticsConnector", - "dataType": "BitSightCompanyDetails", - "dcrConfig": { - "streamName": "Custom-BitSightCompanyDetails_CL", - "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", - 
"dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" - }, - "addOnAttributes": { - "connectionName": "[[parameters('connectionName')]", - "streams": "[[string(parameters('streams'))]" - } - }, - "condition": "[[contains(parameters('streams'), 'CompanyDetails')]" - }, - { - "name": "[[concat('parameters('workspace')', '/Microsoft.SecurityInsights/','BitSightCompanyRatingDetails' , uniqueString(parameters('connectionName')) )]", - "apiVersion": "2023-02-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "RestApiPoller", - "properties": { - "auth": { - "type": "Basic", - "UserName": "[[parameters('username')]", - "Password": "[[parameters('password')]" - }, - "request": { - "apiEndpoint": "[[concat(parameters('bitSightApiUrl'), '/ratings/v2/portfolio')]", - "httpMethod": "GET", - "rateLimitQPS": 1, - "paginatedCallsPerSecond": 1.0, - "queryWindowInMin": 1440, - "queryWindowDelayInMin": 60, - "retryCount": 3, - "timeoutInSeconds": 30, - "headers": { - "Accept": "application/json", - "X-BITSIGHT-CALLING-PLATFORM-VERSION": "Microsoft-Sentinel", - "X-BITSIGHT-CONNECTOR-NAME-VERSION": "3.0.2" - }, - "queryParameters": { - "fields": "name,guid" - } - }, - "response": { - "eventsJsonPaths": [ - "$.results[*]" - ], - "format": "json" - }, - "paging": { - "pagingType": "Offset", - "offsetParaName": "offset", - "pageSize": 500, - "pageSizeParameterName": "limit" - }, - "stepInfo": { - "stepType": "Nested", - "nextSteps": [ - { - "stepId": "fetch_rating_details", - "stepPlaceholdersParsingKql": "source | project res = parse_json(data) | project company_guid_PlaceHolder = tostring(res['guid']), company_name_PlaceHolder = tostring(res['name'])" - } - ] - }, - "stepCollectorConfigs": { - "fetch_rating_details": { - "shouldJoinNestedData": false, - "request": { - "apiEndpoint": "[[concat(parameters('bitSightApiUrl'), 
'/ratings/v1/companies/$company_guid_PlaceHolder$')]", - "httpMethod": "GET", - "queryWindowInMin": 1440, - "retryCount": 3, - "timeoutInSeconds": 30, - "headers": { - "Accept": "application/json", - "X-BITSIGHT-CALLING-PLATFORM-VERSION": "Microsoft-Sentinel", - "X-BITSIGHT-CONNECTOR-NAME-VERSION": "3.0.2" - } - }, - "response": { - "eventsJsonPaths": [ - "$.rating_details.*" - ], - "format": "json" - } - } - }, - "connectorDefinitionName": "BitSightStatisticsConnector", - "dataType": "BitSightCompanyRatingDetails", - "dcrConfig": { - "streamName": "Custom-BitSightCompanyRatingDetails_CL", - "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", - "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" - }, - "addOnAttributes": { - "company_guid": "$company_guid_PlaceHolder$", - "company_name": "$company_name_PlaceHolder$", - "connectionName": "[[parameters('connectionName')]", - "streams": "[[string(parameters('streams'))]" - } - }, - "condition": "[[contains(parameters('streams'), 'CompanyRatingDetails')]" - }, - { - "name": "[[concat('parameters('workspace')', '/Microsoft.SecurityInsights/','BitSightDiligenceHistoricalStatistics' , uniqueString(parameters('connectionName')) )]", - "apiVersion": "2023-02-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "RestApiPoller", - "properties": { - "auth": { - "type": "Basic", - "UserName": "[[parameters('username')]", - "Password": "[[parameters('password')]" - }, - "request": { - "apiEndpoint": "[[concat(parameters('bitSightApiUrl'), '/ratings/v2/portfolio')]", - "httpMethod": "GET", - "rateLimitQPS": 1, - "paginatedCallsPerSecond": 1.0, - "queryWindowInMin": 1440, - "queryWindowDelayInMin": 60, - "retryCount": 3, - "timeoutInSeconds": 30, - "headers": { - "Accept": "application/json", - "X-BITSIGHT-CALLING-PLATFORM-VERSION": "Microsoft-Sentinel", - 
"X-BITSIGHT-CONNECTOR-NAME-VERSION": "3.0.2" - }, - "queryParameters": { - "fields": "name,guid" - } - }, - "response": { - "eventsJsonPaths": [ - "$.results[*]" - ], - "format": "json" - }, - "paging": { - "pagingType": "Offset", - "offsetParaName": "offset", - "pageSize": 500, - "pageSizeParameterName": "limit" - }, - "stepInfo": { - "stepType": "Nested", - "nextSteps": [ - { - "stepId": "fetch_diligence_historical", - "stepPlaceholdersParsingKql": "source | project res = parse_json(data) | project company_guid_PlaceHolder = tostring(res['guid']), company_name_PlaceHolder = tostring(res['name'])" - } - ] - }, - "stepCollectorConfigs": { - "fetch_diligence_historical": { - "shouldJoinNestedData": false, - "request": { - "apiEndpoint": "[[concat(parameters('bitSightApiUrl'), '/ratings/v1/companies/$company_guid_PlaceHolder$/diligence/historical-statistics')]", - "httpMethod": "GET", - "queryWindowInMin": 1440, - "retryCount": 3, - "timeoutInSeconds": 30, - "headers": { - "Accept": "application/json", - "X-BITSIGHT-CALLING-PLATFORM-VERSION": "Microsoft-Sentinel", - "X-BITSIGHT-CONNECTOR-NAME-VERSION": "3.0.2" - } - }, - "response": { - "eventsJsonPaths": [ - "$.results[*]" - ], - "format": "json" - } - } - }, - "connectorDefinitionName": "BitSightStatisticsConnector", - "dataType": "BitSightDiligenceHistoricalStatistics", - "dcrConfig": { - "streamName": "Custom-BitSightDiligenceHistoricalStatistics_CL", - "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", - "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" - }, - "addOnAttributes": { - "company_guid": "$company_guid_PlaceHolder$", - "company_name": "$company_name_PlaceHolder$", - "connectionName": "[[parameters('connectionName')]", - "streams": "[[string(parameters('streams'))]" - } - }, - "condition": "[[contains(parameters('streams'), 'DiligenceHistoricalStatistics')]" - }, - { - "name": "[[concat('parameters('workspace')', 
'/Microsoft.SecurityInsights/','BitSightDiligenceStatistics' , uniqueString(parameters('connectionName')) )]", - "apiVersion": "2023-02-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "RestApiPoller", - "properties": { - "auth": { - "type": "Basic", - "UserName": "[[parameters('username')]", - "Password": "[[parameters('password')]" - }, - "request": { - "apiEndpoint": "[[concat(parameters('bitSightApiUrl'), '/ratings/v2/portfolio')]", - "httpMethod": "GET", - "rateLimitQPS": 1, - "paginatedCallsPerSecond": 1.0, - "queryWindowInMin": 1440, - "queryWindowDelayInMin": 60, - "retryCount": 3, - "timeoutInSeconds": 30, - "headers": { - "Accept": "application/json", - "X-BITSIGHT-CALLING-PLATFORM-VERSION": "Microsoft-Sentinel", - "X-BITSIGHT-CONNECTOR-NAME-VERSION": "3.0.2" - }, - "queryParameters": { - "fields": "name,guid" - } - }, - "response": { - "eventsJsonPaths": [ - "$.results[*]" - ], - "format": "json" - }, - "paging": { - "pagingType": "Offset", - "offsetParaName": "offset", - "pageSize": 500, - "pageSizeParameterName": "limit" - }, - "stepInfo": { - "stepType": "Nested", - "nextSteps": [ - { - "stepId": "fetch_diligence_statistics", - "stepPlaceholdersParsingKql": "source | project res = parse_json(data) | project company_guid_PlaceHolder = tostring(res['guid']), company_name_PlaceHolder = tostring(res['name'])" - } - ] - }, - "stepCollectorConfigs": { - "fetch_diligence_statistics": { - "shouldJoinNestedData": false, - "request": { - "apiEndpoint": "[[concat(parameters('bitSightApiUrl'), '/ratings/v1/companies/$company_guid_PlaceHolder$/diligence/statistics')]", - "httpMethod": "GET", - "queryWindowInMin": 1440, - "retryCount": 3, - "timeoutInSeconds": 30, - "headers": { - "Accept": "application/json", - "X-BITSIGHT-CALLING-PLATFORM-VERSION": "Microsoft-Sentinel", - "X-BITSIGHT-CONNECTOR-NAME-VERSION": "3.0.2" - } - }, - "response": { - 
"eventsJsonPaths": [ - "$.risk_vectors.*" - ], - "format": "json" - } - } - }, - "connectorDefinitionName": "BitSightStatisticsConnector", - "dataType": "BitSightDiligenceStatistics", - "dcrConfig": { - "streamName": "Custom-BitSightDiligenceStatistics_CL", - "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", - "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" - }, - "addOnAttributes": { - "company_guid": "$company_guid_PlaceHolder$", - "company_name": "$company_name_PlaceHolder$", - "connectionName": "[[parameters('connectionName')]", - "streams": "[[string(parameters('streams'))]" - } - }, - "condition": "[[contains(parameters('streams'), 'RiskVectorStatistics')]" - }, - { - "name": "[[concat('parameters('workspace')', '/Microsoft.SecurityInsights/','BitSightObservationStatistics' , uniqueString(parameters('connectionName')), uniqueString('Obs') )]", - "apiVersion": "2023-02-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "RestApiPoller", - "properties": { - "auth": { - "type": "Basic", - "UserName": "[[parameters('username')]", - "Password": "[[parameters('password')]" - }, - "request": { - "apiEndpoint": "[[concat(parameters('bitSightApiUrl'), '/ratings/v2/portfolio')]", - "httpMethod": "GET", - "rateLimitQPS": 1, - "paginatedCallsPerSecond": 1.0, - "queryWindowInMin": 1440, - "queryWindowDelayInMin": 60, - "retryCount": 3, - "timeoutInSeconds": 30, - "headers": { - "Accept": "application/json", - "X-BITSIGHT-CALLING-PLATFORM-VERSION": "Microsoft-Sentinel", - "X-BITSIGHT-CONNECTOR-NAME-VERSION": "3.0.2" - }, - "queryParameters": { - "fields": "name,guid" - } - }, - "response": { - "eventsJsonPaths": [ - "$.results[*]" - ], - "format": "json" - }, - "paging": { - "pagingType": "Offset", - "offsetParaName": "offset", - "pageSize": 500, - "pageSizeParameterName": "limit" - }, - "stepInfo": { 
- "stepType": "Nested", - "nextSteps": [ - { - "stepId": "fetch_observations_statistics", - "stepPlaceholdersParsingKql": "source | project res = parse_json(data) | project company_guid_PlaceHolder = tostring(res['guid']), company_name_PlaceHolder = tostring(res['name'])" - } - ] - }, - "stepCollectorConfigs": { - "fetch_observations_statistics": { - "shouldJoinNestedData": false, - "request": { - "apiEndpoint": "[[concat(parameters('bitSightApiUrl'), '/ratings/v1/companies/$company_guid_PlaceHolder$/observations/statistics')]", - "httpMethod": "GET", - "queryWindowInMin": 1440, - "retryCount": 3, - "timeoutInSeconds": 30, - "headers": { - "Accept": "application/json", - "X-BITSIGHT-CALLING-PLATFORM-VERSION": "Microsoft-Sentinel", - "X-BITSIGHT-CONNECTOR-NAME-VERSION": "3.0.2" - } - }, - "response": { - "eventsJsonPaths": [ - "$.risk_vectors.*" - ], - "format": "json" - } - } - }, - "connectorDefinitionName": "BitSightStatisticsConnector", - "dataType": "BitSightObservationStatistics", - "dcrConfig": { - "streamName": "Custom-BitSightObservationStatistics_CL", - "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", - "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" - }, - "addOnAttributes": { - "company_guid": "$company_guid_PlaceHolder$", - "company_name": "$company_name_PlaceHolder$", - "connectionName": "[[parameters('connectionName')]", - "streams": "[[string(parameters('streams'))]" - } - }, - "condition": "[[contains(parameters('streams'), 'ObservationsStatistics')]" - }, - { - "name": "[[concat('parameters('workspace')', '/Microsoft.SecurityInsights/','BitsightIndustrialStatistics' , uniqueString(parameters('connectionName')) )]", - "apiVersion": "2023-02-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "RestApiPoller", - "properties": { - "auth": { - "type": "Basic", - "UserName": 
"[[parameters('username')]", - "Password": "[[parameters('password')]" - }, - "request": { - "apiEndpoint": "[[concat(parameters('bitSightApiUrl'), '/ratings/v2/portfolio')]", - "httpMethod": "GET", - "rateLimitQPS": 1, - "paginatedCallsPerSecond": 1.0, - "queryWindowInMin": 1440, - "queryWindowDelayInMin": 60, - "retryCount": 3, - "timeoutInSeconds": 30, - "headers": { - "Accept": "application/json", - "X-BITSIGHT-CALLING-PLATFORM-VERSION": "Microsoft-Sentinel", - "X-BITSIGHT-CONNECTOR-NAME-VERSION": "3.0.2" - }, - "queryParameters": { - "fields": "name,guid" - } - }, - "response": { - "eventsJsonPaths": [ - "$.results[*]" - ], - "format": "json" - }, - "paging": { - "pagingType": "Offset", - "offsetParaName": "offset", - "pageSize": 500, - "pageSizeParameterName": "limit" - }, - "stepInfo": { - "stepType": "Nested", - "nextSteps": [ - { - "stepId": "fetch_industries_statistics", - "stepPlaceholdersParsingKql": "source | project res = parse_json(data) | project company_guid_PlaceHolder = tostring(res['guid']), company_name_PlaceHolder = tostring(res['name'])" - } - ] - }, - "stepCollectorConfigs": { - "fetch_industries_statistics": { - "shouldJoinNestedData": false, - "request": { - "apiEndpoint": "[[concat(parameters('bitSightApiUrl'), '/ratings/v1/companies/$company_guid_PlaceHolder$/industries/statistics')]", - "httpMethod": "GET", - "queryWindowInMin": 1440, - "retryCount": 3, - "timeoutInSeconds": 30, - "headers": { - "Accept": "application/json", - "X-BITSIGHT-CALLING-PLATFORM-VERSION": "Microsoft-Sentinel", - "X-BITSIGHT-CONNECTOR-NAME-VERSION": "3.0.2" - } - }, - "response": { - "eventsJsonPaths": [ - "$.risk_vectors.*" - ], - "format": "json" - } - } - }, - "connectorDefinitionName": "BitSightStatisticsConnector", - "dataType": "BitsightIndustrialStatistics", - "dcrConfig": { - "streamName": "Custom-BitsightIndustrialStatistics_CL", - "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", - "dataCollectionRuleImmutableId": 
"[[parameters('dcrConfig').dataCollectionRuleImmutableId]" - }, - "addOnAttributes": { - "company_guid": "$company_guid_PlaceHolder$", - "company_name": "$company_name_PlaceHolder$", - "connectionName": "[[parameters('connectionName')]", - "streams": "[[string(parameters('streams'))]" - } - }, - "condition": "[[contains(parameters('streams'), 'IndustriesStatistics')]" - }, - { - "name": "[[concat('parameters('workspace')', '/Microsoft.SecurityInsights/','BitsightVulnerabilitiesFindingsSummary' , uniqueString(parameters('connectionName')) )]", - "apiVersion": "2023-02-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "RestApiPoller", - "properties": { - "auth": { - "type": "Basic", - "UserName": "[[parameters('username')]", - "Password": "[[parameters('password')]" - }, - "request": { - "apiEndpoint": "https://service.bitsighttech.com/customer-api/v1/defaults/vulnerabilities", - "httpMethod": "GET", - "rateLimitQPS": 1, - "paginatedCallsPerSecond": 1.0, - "queryWindowInMin": 1440, - "queryWindowDelayInMin": 60, - "retryCount": 3, - "timeoutInSeconds": 30, - "headers": { - "Accept": "application/json" - }, - "queryParameters": { - "fields": "name,display_name,description,severity" - } - }, - "response": { - "eventsJsonPaths": [ - "$[*]" - ], - "format": "json" - }, - "paging": { - "pagingType": "Offset", - "offsetParaName": "offset", - "pageSize": 500, - "pageSizeParameterName": "limit" - }, - "connectorDefinitionName": "BitSightStatisticsConnector", - "dataType": "BitsightVulnerabilitiesFindingsSummary", - "dcrConfig": { - "streamName": "Custom-BitsightVulnerabilitiesFindingsSummary_CL", - "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", - "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" - }, - "addOnAttributes": { - "connectionName": "[[parameters('connectionName')]", - "streams": 
"[[string(parameters('streams'))]" - } - }, - "condition": "[[contains(parameters('streams'), 'Vulnerabilities')]" - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','rdc','-', uniqueString(concat(variables('_solutionId'),'-','ResourcesDataConnector','-',variables('_dataConnectorContentIdConnections3'),'-', variables('dataConnectorCCPVersion'))))]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "version": "[variables('dataConnectorCCPVersion')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", - "apiVersion": "2023-04-01-preview", - "location": "[parameters('workspace-location')]", - "properties": { - "version": "3.2.0", - "kind": "Solution", - "contentSchemaVersion": "3.0.0", - "displayName": "BitSight", - "publisherDisplayName": "BitSight Support", - "descriptionHtml": "
Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe BitSight solution enables security operations teams to integrate insights from BitSight's Security Ratings platform into Microsoft Sentinel via the Codeless Connector Framework (CCF). The connector ingests Security Ratings, Company Profiles, Risk Vector breakdowns, Diligence Historical Statistics, Findings Summaries, Industry peer comparisons, and Vulnerability reference data for companies in your BitSight portfolio.
\nUnderlying Microsoft Technologies used:
\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:
\n\nData Connectors: 3, Parsers: 13, Workbooks: 1, Analytic Rules: 6
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n", - "contentKind": "Solution", - "contentProductId": "[variables('_solutioncontentProductId')]", - "id": "[variables('_solutioncontentProductId')]", - "icon": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe BitSight solution enables security operations teams to integrate insights from BitSight's Security Ratings platform into Microsoft Sentinel via the Codeless Connector Framework (CCF). The connector ingests Security Ratings, Company Profiles, Risk Vector breakdowns, Diligence Historical Statistics, Findings Summaries, Industry peer comparisons, and Vulnerability reference data for companies in your BitSight portfolio.
\nUnderlying Microsoft Technologies used:
\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:
\n\nData Connectors: 3, Parsers: 13, Workbooks: 1, Analytic Rules: 6
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n", + "contentKind": "Solution", + "contentProductId": "[variables('_solutioncontentProductId')]", + "id": "[variables('_solutioncontentProductId')]", + "icon": "