Feature/1password
Change(s):
- Added the following artifacts:
Alert Rules
- 1Password - Changes to firewall rules.yaml
- 1Password - Changes to SSO configuration.yaml
- 1Password - Disable MFA factor or type for all user accounts.yaml
- 1Password - Log Ingestion Failure.yaml
- 1Password - Manual account creation.yaml
- 1Password - New service account integration created.yaml
- 1Password - Non-privileged vault user permission change.yaml
- 1Password - Potential insider privilege escalation via group.yaml
- 1Password - Potential insider privilege escalation via vault.yaml
- 1Password - Privileged vault permission change.yaml
- 1Password - Secret extraction post vault access change by administrator.yaml
- 1Password - Service account integration token adjustment.yaml
- 1Password - Successful anomalous sign-in.yaml
- 1Password - User account MFA settings changed.yaml
- 1Password - User added to privileged group.yaml
- 1Password - Vault export post account creation.yaml
- 1Password - Vault export prior to account suspension or deletion.yaml
- 1Password - Vault export.yaml
Data Connector
- 1Password_API_FunctionApp.json
Workbooks
- 1Password.json
Reason for Change(s):
- New feature for Microsoft Sentinel Content Hub
Version Updated:
- Yes
Testing Completed:
- Yes
Checked that the validations are passing and have addressed any issues that are present:
- In Progress
Hello @azurekid, Thanks for raising this PR. This PR will be investigated and we will update you about the same before 23 February, 2024
Hi @azurekid looking forward to really digging into the latest work here :)
Hi @v-prasadboke @v-atulyadav
I have looked at the error in the pipeline and it seems something related to the pester test being executed.
Based on the errors, I have gone through the mainTemplate.json which is the file being created by the createSolutionV3.ps1 based on the yaml files in the pull request.
What I can see is that the test fails on either empty arrays : [] and boolean values.
These booleans are mandatory in the YAML files as they are part of the analytics rule configuration.
I have already done a shoutout on the Microsoft MVP community and CCP channels to see who could help me, but got no response yet.
This solution has been built with approval of 1Password and they really want to have their solution in the content hub as it is one of the most requested features from their customers.
Hello @azurekid,
- Please create a custom table named OnePasswordEventLogs_CL at location .script/tests/KqlvalidationsTests/CustomTables
- Add workbook metadata to this file: Workbooks/WorkbooksMetadata.json
I'll remove it from my side @azurekid
Cool!,
Can you please let me know what you have updated when it's working so I can save you the work next time ;-) Always open to learn from others.
You can remove the empty properties from maintemplate.
Yeah sure,
The only thing is that with every new release we need to manually go through the mainTemplate.json and remove the empty array properties that have been added by the Microsoft Script.
Is this correct?
Yes, usually this doesn't happen. There must be some properties in your rules which have been kept empty. While repackaging, arm ttk fails for the same (empty brackets), which need to be removed from the maintemplate.
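An added example, not part of this PR or of the repository's packaging scripts: a small pre-check that lists the JSON paths of the empty-array properties discussed above in a generated mainTemplate.json, so they do not have to be hunted down by hand after each repackaging. The sample fragment, the function names and the optional file-path argument are assumptions made for illustration; booleans are left untouched.

```python
import json
import sys

# Constructed fragment shaped like a packaged analytics rule (not from the PR).
SAMPLE = json.loads("""
{"resources": [{"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
  "properties": {"displayName": "Example rule", "enabled": false,
                 "tactics": ["Exfiltration"], "techniques": [],
                 "entityMappings": []}}]}
""")


def find_empty_arrays(node, path="$"):
    """Return the JSON path of every property whose value is an empty array."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if isinstance(value, list) and not value:
                hits.append(child)
            else:
                hits.extend(find_empty_arrays(value, child))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            hits.extend(find_empty_arrays(item, f"{path}[{index}]"))
    return hits


def prune_empty_arrays(node):
    """Return a copy without empty-array properties; all other values are kept."""
    if isinstance(node, dict):
        return {key: prune_empty_arrays(value) for key, value in node.items()
                if not (isinstance(value, list) and not value)}
    if isinstance(node, list):
        return [prune_empty_arrays(item) for item in node]
    return node


if __name__ == "__main__":
    # Assumed usage: pass a template path to report on it; the file is never rewritten.
    doc = SAMPLE
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as handle:
            doc = json.load(handle)
    for hit in find_empty_arrays(doc):
        print(hit)
```

Review the reported paths before pruning, since whether a given property may be dropped depends on the resource schema.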
Hi @v-prasadboke
I wanted to chime in here to introduce myself. I am a Solutions Architect from 1Password and have been working with @azurekid as he has been building this Solution.
I am wondering what the best way for me (on behalf of 1Password) to contribute to this PR so we can assist with the final polish and presentation without having to burden @azurekid with lots of little changes and enhancements?
We are excited to continue supporting this effort, and are immensely grateful to @azurekid for the huge amount of extremely high quality work he's done so far. We look forward to continuing and growing our involvement here to ensure that people have the best possible experience with this Solution from day one and beyond.
Hello @scottisloud, We would get this PR merged as early as possible. If needed I'll commit some necessary changes that loosen the burden on azurekid.
Hi @v-prasadboke ah, okay. I think to keep things cleaner in this PR and prevent this from needing to be merged in its in-progress state, I will work with @azurekid on a separate branch so he can bring any changes to this existing PR. We're coordinating that collaboration through a side-channel at the moment.
Thanks for your support here @v-prasadboke!
Hey All,
Previous errors are fixed, please advise on how to proceed.
Changed PR to DRAFT until issues are solved
Looks like by fixing a typo I may have broken a reference somewhere, or I introduced a new typo that re-broke the pipeline. I'll see if I can track down the issues and document the fix here. If it's just a couple tweaks it may be easier for @azurekid to quickly commit them directly here, otherwise I'll make the fix on a fork and get it merged here.
I will pick this up @scottisloud 👍
@v-prasadboke I seem to have removed all issues, but it fails on a document link step. Can you please take a look at this? I am not able to find the locale link it is referring to.
Hello @azurekid, I'll take a look at it.
Create a custom table at .script/tests/KqlvalidationsTests/CustomTables with name OnePasswordEventLogs_CL. You can refer to other tables from the folder for more clarification.
Also please do share sample data to test the content of the solution.
done
Hello @azurekid, Thanks for committing the required changes. Looks like there are still validation failures. Will investigate this and come back to you by 07 March, 2024.
Hello @azurekid, Can you provide write access to your branch? Unable to pull and push commits.
Hello @azurekid, waiting for your response
v-prasadboke
Hi, sorry for the delay as I was busy arranging stuff for the MVP Summit. Just added your account as a contributor. Thanks for the support already ;-)
Hello @azurekid, working on KQL validation error. Will get back to you by 13 March, 2024
Hello @azurekid, we have one PR for OnePassword. Please check it once #9786
We appreciate that others are eager to develop their own integrations between 1Password and Sentinel.
However, speaking as a 1Password employee and the person who has worked directly with @azurekid, it is 1Password's view that this is the canonical 1Password Sentinel solution. As such, 1Password continues to be committed to the development of this solution, which we view (without making a formal or legal claim to this effect in this moment) as a collaboration between 1Password and @azurekid.
It is also our view that the exceptional work submitted by @azurekid provides a more complete end-to-end solution that is closely aligned with Microsoft's standards for Sentinel solutions, and 1Password's standards for integrations we present to our customers.
Thanks @scottisloud, Will discuss these 2 PRs with the team. And I'll update you about the same.
Hi @v-prasadboke I just wanted to check in and see if there was anything I could do to assist here. It looks like there are two things standing in the way of a merge:
- How Microsoft wants to handle the other existing PR
- The failed checks in the workflow.
If there's any way I can help move past either of these, please let me know.
Hi @v-prasadboke. I am wondering what 1Password (a current Microsoft Cloud Partner program member) can do to move this forward. Is there a reason this was reverted to a draft and has stalled out for 2 weeks?
