New Darktrace CCF integration #13523

Open
dylan-o-sullivan wants to merge 59 commits into Azure:master from darktrace:darktrace-ccf
@dylan-o-sullivan dylan-o-sullivan commented Jan 29, 2026

Required items, please complete

Change(s):

  • New CCF directory inside solution
  • Connector definition
  • DCR json
  • dataConnector json
  • New custom tables

Reason for Change(s):

  • Deprecation of old data collector api

Version Updated:

  • Required only for Detections/Analytic Rule templates
  • See guidance below

Testing Completed:

  • See guidance below

Checked that the validations are passing and have addressed any issues that are present:

  • See guidance below

@dylan-o-sullivan dylan-o-sullivan requested review from a team as code owners January 29, 2026 09:41
@v-maheshbh
Contributor

Hi @dylan-o-sullivan

Kindly refer to the below-mentioned solution for the correct folder structure and update the necessary changes.

https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Cloudflare%20CCF

Thanks!

@dylan-o-sullivan
Author

Hi @dylan-o-sullivan

Kindly refer to the below-mentioned solution for the correct folder structure and update the necessary changes.

https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Cloudflare%20CCF

Thanks!

Hi @v-maheshbh,

I have been copying the structure and file types inside the Jamf Protect solution, not sure what difference there is and this new Darktrace solution will be built on top of the old one, as both will need to exist while the user migrates

Thanks

Dylan

@v-maheshbh
Contributor

v-maheshbh commented Jan 29, 2026

Hi @dylan-o-sullivan
Kindly refer to the below-mentioned solution for the correct folder structure and update the necessary changes.
https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Cloudflare%20CCF
Thanks!

Hi @v-maheshbh,

I have been copying the structure and file types inside the Jamf Protect solution, not sure what difference there is and this new Darktrace solution will be built on top of the old one, as both will need to exist while the user migrates

Thanks

Dylan

Hi @dylan-o-sullivan

For the CCF connector, please ensure that all file names follow the required naming convention:

SolutionName_PollerConfig
SolutionName_DCR
SolutionName_ConnectorDefinition
Table file

Additionally, the solution must contain the package folder with the zip file included and add release notes with version, date and description.

Kindly repackage the solution using the V3 tool: https://github.com/Azure/Azure-Sentinel/blob/master/Tools/Create-Azure-Sentinel-Solution/V3/README.md

and kindly attach the testing screenshot of the CCF connector in a Connected state, and accept the CLA.

Thanks!

@dylan-o-sullivan
Author

Hi @dylan-o-sullivan
Kindly refer to the below-mentioned solution for the correct folder structure and update the necessary changes.
https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Cloudflare%20CCF
Thanks!

Hi @v-maheshbh,
I have been copying the structure and file types inside the Jamf Protect solution, not sure what difference there is and this new Darktrace solution will be built on top of the old one, as both will need to exist while the user migrates
Thanks
Dylan

Hi @dylan-o-sullivan

For the CCF connector, please ensure that all file names follow the required naming convention:

SolutionName_PollerConfig
SolutionName_DCR
SolutionName_ConnectorDefinition
Table file

Additionally, the solution must contain the package folder with the zip file included and add release notes with version, date and description.

Kindly repackage the solution using the V3 tool: https://github.com/Azure/Azure-Sentinel/blob/master/Tools/Create-Azure-Sentinel-Solution/V3/README.md

and kindly attach the testing screenshot of the CCF connector in a Connected state, and accept the CLA.

Thanks!

Due to security requirements, it will be difficult for me to get access to PowerShell. Are you able to run the package for me? It has all been created and renamed like you have asked.

Thanks!

Dylan

@dylan-o-sullivan
Author

Hey @v-maheshbh , are you able to package this up for me if all the files are present?

@dylan-o-sullivan
Author

Hey @v-maheshbh , are you able to package this up for me if all the files are present?

Hi @v-maheshbh, just a nudge on this

@v-maheshbh
Contributor

Hi @dylan-o-sullivan
Kindly accept the CLA so we can proceed with the PR review.

Thanks!

@dylan-o-sullivan
Author

@dylan-o-sullivan please read the following Contributor License Agreement(CLA). If you agree with the CLA, please reply with the following information.

@microsoft-github-policy-service agree [company="{your company}"]

Options:

  • (default - no company specified) I have sole ownership of intellectual property rights to my Submissions and I am not making Submissions in the course of work for my employer.
@microsoft-github-policy-service agree
  • (when company given) I am making Submissions in the course of work for my employer (or my employer has intellectual property rights in my Submissions by contract or applicable law). I have permission from my employer to make Submissions and enter into this Agreement on behalf of my employer. By signing below, the defined term “You” includes me and my employer.
@microsoft-github-policy-service agree company="Microsoft"

Contributor License Agreement

@microsoft-github-policy-service agree [company="Darktrace"]

@dylan-o-sullivan
Author

Hi @dylan-o-sullivan Kindly accept the CLA so we can proceed with the PR review.

Thanks!

Sorted!

@dylan-o-sullivan
Author

@dylan-o-sullivan the command you issued was incorrect. Please try again.

Examples are:

@microsoft-github-policy-service agree

and

@microsoft-github-policy-service agree company="your company"

@microsoft-github-policy-service agree company="Darktrace"

@v-maheshbh
Contributor

Hi @dylan-o-sullivan

Kindly review the earlier comments and address them accordingly

image

Thanks!

@dylan-o-sullivan
Author

Hi @dylan-o-sullivan

Kindly review the earlier comments and address them accordingly

image Thanks!

Sorry, don't see this comment anywhere or see what file it is referring to.

Do we need these poller configs? Do we need one for every table?

Thanks,

Dylan

@v-maheshbh
Contributor

v-maheshbh commented Feb 16, 2026

Hi @dylan-o-sullivan

Kindly package this solution using V3 tool and update release notes with latest version.

https://github.com/Azure/Azure-Sentinel/blob/master/Tools/Create-Azure-Sentinel-Solution/V3/README.md.

Thanks!

@v-maheshbh
Contributor

Hi @dylan-o-sullivan

Kindly resolve the branch conflict.

Thanks!

@dylan-o-sullivan
Author

Hi @v-maheshbh

This PR should be ready to go now!

Thanks

@v-maheshbh
Contributor

Hi @dylan-o-sullivan

Kindly add both black‑and‑white preview images inside the Workbook PreviewImages folder, as they are currently missing from the solution. Please refer to any existing solution for the correct naming convention.

Thanks!

@dylan-o-sullivan
Author

Added the images @v-maheshbh

@v-maheshbh
Contributor

Hi @dylan-o-sullivan

Kindly resolve branch conflict to proceed further.

Thanks!

@dylan-o-sullivan
Author

@v-maheshbh Conflicts resolved

@v-maheshbh
Contributor

Hi @dylan-o-sullivan
Kindly give me branch access.

Thanks!

@dylan-o-sullivan
Author

Hi @v-maheshbh

I can't give you access to our forked version, what changes are you wanting to make?

@dylan-o-sullivan
Author

Hi @v-maheshbh

Is there anything blocking this pull request?
