Update README.md and main.bicepparam for clarity

README.md has been enhanced with new sections: "Description," "What It Provides," and "Custom Tables." The "Install" section now offers a detailed step-by-step guide, and "Resources Deployed" has been renamed to "This deployment will create" with a more detailed list. The main.bicepparam file now includes comments for better clarity, explaining the `datacollection` and `functionConfig` parameters.
FrodeHus · Dec 18, 2024 · ff58f15 · ff58f15
1 parent 9d2ba99
commit ff58f15
Show file tree

Hide file tree

Showing 2 changed files with 47 additions and 14 deletions.
diff --git a/README.md b/README.md
@@ -3,25 +3,53 @@
 [![Docker Image CI](https://github.com/FrodeHus/BeyondTrustConnector/actions/workflows/docker-image.yml/badge.svg)](https://github.com/FrodeHus/BeyondTrustConnector/actions/workflows/docker-image.yml)
 [![.NET](https://github.com/FrodeHus/BeyondTrustConnector/actions/workflows/dotnet.yml/badge.svg)](https://github.com/FrodeHus/BeyondTrustConnector/actions/workflows/dotnet.yml)
 
+## Description
+
+This repository contains a function app running as a [container](https://hub.docker.com/r/frodehus/beyondtrustconnector) that pulls data from the [BeyondTrust API](https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/api/reporting/index.htm) and uploads it to Azure Sentinel using data collector ingestion endpoints. It also includes deployment templates for creating all necessary resources.
+
 Uses function app to pull reports from BeyondTrust API and push to a Azure Log Analytics Workspace.
 
 Requires:
 - BeyondTrust API enabled
-- BeyondTrust API credentials (added to KeyVault as `BeyondTrustAPI`)
+- BeyondTrust API credentials
 
 ## Install
 
 Pre-requisites:
 - Existing Log Analytics Workspace
 - Key Vault with BeyondTrust API credentials secret
 
-Update `main.bicepparam` to match your environment and run: `az deployment group create --resource-group <group-name> --template-file main.bicep --parameters main.bicepparam`
+1. Update `main.bicepparam` to match your environment.
+2. Run the following command to deploy the resources:
+   ```sh
+   az deployment group create --resource-group <group-name> --template-file main.bicep --parameters main.bicepparam
+   ```
+
+## Resources Deployed
 
-This will deploy:
+This deployment will create:
 - Data Collection Endpoint
 - Data Collection Rules
-- Custom tables for LAW
+- Custom tables for Azure Log Analytics Workspace (LAW)
 - ASIM parsers
 - Azure Function App
-  - Managed identity with role assignments to read keyvault secrets and query workspace
-
+  - Managed identity with role assignments to read Key Vault secrets and query the workspace
+
+### Custom Tables
+
+The deployment creates the following custom tables in Azure Log Analytics Workspace:
+
+- **BeyondTrustAccessSession_CL**: Stores session data from BeyondTrust, including session details, timestamps, and participants. This allows for analysis of session activities and user interactions.
+
+- **BeyondTrustEvents_CL**: Contains audit and authentication logs capturing events such as logins, logouts, and configuration changes. Useful for compliance reporting and monitoring security-related events.
+
+- **BeyondTrustVaultActivity_CL**: Holds information about password vault actvitity such as create/update/usage of passwords.
+
+These custom tables provide valuable insights by enabling advanced querying and analytics within Azure Sentinel, helping to detect anomalies and potential security threats based on the data collected from BeyondTrust.
+
+## What It Provides
+
+- Automated data collection from BeyondTrust API
+- Integration with Azure Sentinel for advanced threat detection and response
+- Customizable deployment to fit your specific environment
+
diff --git a/main.bicepparam b/main.bicepparam
@@ -1,14 +1,19 @@
 using './main.bicep'
+
+// Specify your BeyondTrust tenant name
 param beyondTrustTenant = 'mytenant'
-param datacollection  = {
-  ruleName: 'dcr-beyondtrust'
-  endpointName: 'bt-endpoint'
-  workspaceName: 'LAW-BeyondTrust'
+
+// Data collection configuration
+param datacollection = {
+  ruleName: 'dcr-beyondtrust'       // Name of the Data Collection Rule
+  endpointName: 'bt-endpoint'       // Name of the Data Collection Endpoint
+  workspaceName: 'LAW-BeyondTrust'  // Name of the Log Analytics Workspace
 }
 
+// Azure Function App configuration
 param functionConfig = {
-  name: 'func-btconnect'
-  keyvaultName: 'btvault'
-  keyvaultSecretName: 'BeyondTrustAPI'
-  container: 'frodehus/beyondtrustconnector:latest'
+  name: 'func-btconnect'                                // Name of the Function App
+  keyvaultName: 'btvault'                               // Name of the Key Vault containing the API credentials
+  keyvaultSecretName: 'BeyondTrustAPI'                  // Name of the secret in Key Vault with BeyondTrust API credentials
+  container: 'frodehus/beyondtrustconnector:latest'     // Docker image for the Function App
 }