diff --git a/Solutions/Citrix Web App Firewall/Data/Solution_CitrixWebAppFirewall.json b/Solutions/Citrix Web App Firewall/Data/Solution_CitrixWebAppFirewall.json index d812caa37b6..80f6c0b646c 100644 --- a/Solutions/Citrix Web App Firewall/Data/Solution_CitrixWebAppFirewall.json +++ b/Solutions/Citrix Web App Firewall/Data/Solution_CitrixWebAppFirewall.json 
@@ -2,19 +2,15 @@
 "Name": "Citrix Web App Firewall",
 "Author": "Citrix Systems",
 "Logo": "",
- "Description": "[Citrix Web App Firewall (WAF)](https://www.citrix.com/products/citrix-web-app-firewall/) Solution for Microsoft Sentinel enables ingestion of Common Event Format (CEF) logs into Microsoft Sentinel to enable you to take advantage of search & correlation, alerting, and threat intelligence enrichment for each log.\n\n This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE: **Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.",
+ "Description": "[Citrix Web App Firewall (WAF)](https://www.citrix.com/products/citrix-web-app-firewall/) Solution for Microsoft Sentinel enables ingestion of Common Event Format (CEF) logs into Microsoft Sentinel to enable you to take advantage of search & correlation, alerting, and threat intelligence enrichment for each log.\n\n This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE: **Microsoft recommends installation of CEF via AMA Connector. The existing connectors were deprecated on **Aug 31, 2024.**",
 "Workbooks": [
 "Solutions/Citrix Web App Firewall/Workbooks/CitrixWAF.json"
 ],
- "Data Connectors": [
- "Solutions/Citrix Web App Firewall/Data Connectors/Citrix_WAF.json",
- "Solutions/Citrix Web App Firewall/Data Connectors/template_Citrix_WAFAMA.json"
- ],
 "dependentDomainSolutionIds": [
 "azuresentinel.azure-sentinel-solution-commoneventformat"
 ],
 "BasePath": "C:\\GitHub\\azure",
- "Version": "3.0.1",
+ "Version": "3.0.2",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true,
 "Is1PConnector": false
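Review bot: The `**NOTE: **` marker in the new Description still will not render as bold in CommonMark-style renderers, because a closing `**` may not be preceded by a space, so both asterisk pairs are shown literally and the deprecation note looks broken; the rewrite was the moment to fix it, e.g. `**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors were deprecated on **Aug 31, 2024**.`. Moving the period outside the second bold span is cosmetic but keeps the emphasis on the date only. The identical string is carried into the `basics.description` hunk of createUiDefinition.json further down in this commit and needs the same correction there.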
diff --git a/Solutions/Citrix Web App Firewall/Package/3.0.2.zip b/Solutions/Citrix Web App Firewall/Package/3.0.2.zip new file mode 100644 index 00000000000..318e187c83c Binary files /dev/null and b/Solutions/Citrix Web App Firewall/Package/3.0.2.zip differ diff --git a/Solutions/Citrix Web App Firewall/Package/createUiDefinition.json b/Solutions/Citrix Web App Firewall/Package/createUiDefinition.json index eef3b5198da..9b82210be59 100644 --- a/Solutions/Citrix Web App Firewall/Package/createUiDefinition.json +++ b/Solutions/Citrix Web App Firewall/Package/createUiDefinition.json 
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Citrix%20Web%20App%20Firewall/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\n[Citrix Web App Firewall (WAF)](https://www.citrix.com/products/citrix-web-app-firewall/) Solution for Microsoft Sentinel enables ingestion of Common Event Format (CEF) logs into Microsoft Sentinel to enable you to take advantage of search & correlation, alerting, and threat intelligence enrichment for each log.\n\n This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE: **Microsoft recommends installation of CEF via AMA Connector. 
The existing connectors are about to be deprecated by Aug 31, 2024.\n\n**Data Connectors:** 2, **Workbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Citrix%20Web%20App%20Firewall/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\n[Citrix Web App Firewall (WAF)](https://www.citrix.com/products/citrix-web-app-firewall/) Solution for Microsoft Sentinel enables ingestion of Common Event Format (CEF) logs into Microsoft Sentinel to enable you to take advantage of search & correlation, alerting, and threat intelligence enrichment for each log.\n\n This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE: **Microsoft recommends installation of CEF via AMA Connector. The existing connectors were deprecated on **Aug 31, 2024.**\n\n**Workbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", 
@@ -51,30 +51,6 @@
 }
 ],
 "steps": [
- {
- "name": "dataconnectors",
- "label": "Data Connectors",
- "bladeTitle": "Data Connectors",
- "elements": [
- {
- "name": "dataconnectors1-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "This Solution installs the data connector for Citrix Web App Firewall. You can get Citrix Web App Firewall CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
- }
- },
- {
- "name": "dataconnectors-link2",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "link": {
- "label": "Learn more about connecting data sources",
- "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
- }
- }
- }
- ]
- },
 {
 "name": "workbooks",
 "label": "Workbooks",
diff --git a/Solutions/Citrix Web App Firewall/Package/mainTemplate.json b/Solutions/Citrix Web App Firewall/Package/mainTemplate.json
index 0271823248c..09d4d87c28a 100644
--- a/Solutions/Citrix Web App Firewall/Package/mainTemplate.json
+++ b/Solutions/Citrix Web App Firewall/Package/mainTemplate.json
@@ -39,7 +39,7 @@
 },
 "variables": {
 "_solutionName": "Citrix Web App Firewall",
- "_solutionVersion": "3.0.1",
+ "_solutionVersion": "3.0.2",
 "solutionId": "citrix.citrix_waf_mss",
 "_solutionId": "[variables('solutionId')]",
 "workbookVersion1": "1.0.0",
@@ -49,24 +49,6 @@ "_workbookContentId1": "[variables('workbookContentId1')]", "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]", - "uiConfigId1": "CitrixWAF", - "_uiConfigId1": "[variables('uiConfigId1')]", - "dataConnectorContentId1": "CitrixWAF", - "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", - "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "_dataConnectorId1": "[variables('dataConnectorId1')]", - "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", - "dataConnectorVersion1": "1.0.0", - "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", - "uiConfigId2": "CitrixWAFAma", - "_uiConfigId2": "[variables('uiConfigId2')]", - "dataConnectorContentId2": "CitrixWAFAma", - "_dataConnectorContentId2": "[variables('dataConnectorContentId2')]", - "dataConnectorId2": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", - "_dataConnectorId2": "[variables('dataConnectorId2')]", - "dataConnectorTemplateSpecName2": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]", - "dataConnectorVersion2": "1.0.0", - "_dataConnectorcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]", "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, "resources": [ @@ -79,7 +61,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CitrixWAF Workbook with template version 3.0.1", + "description": "CitrixWAF Workbook with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", @@ -140,6 +122,10 @@ { "contentId": "CitrixWAFAma", "kind": "DataConnector" + }, + { + "contentId": "CefAma", + "kind": "DataConnector" } ] } 
@@ -160,745 +146,17 @@ "version": "[variables('workbookVersion1')]" } }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Citrix Web App Firewall data connector with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion1')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId1')]", - "title": "[Deprecated] Citrix WAF (Web App Firewall) via Legacy Agent", - "publisher": "Citrix Systems Inc.", - "descriptionMarkdown": " Citrix WAF (Web App Firewall) is an industry leading enterprise-grade WAF solution. Citrix WAF mitigates threats against your public-facing assets, including websites, apps, and APIs. From layer 3 to layer 7, Citrix WAF includes protections such as IP reputation, bot mitigation, defense against the OWASP Top 10 application threats, built-in signatures to protect against application stack vulnerabilities, and more. \n\nCitrix WAF supports Common Event Format (CEF) which is an industry standard format on top of Syslog messages . 
By connecting Citrix WAF CEF logs to Microsoft Sentinel, you can take advantage of search & correlation, alerting, and threat intelligence enrichment for each log.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "CitrixWafLogs", - "baseQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Citrix\"\n| where DeviceProduct == \"NetScaler\"\n" - } - ], - "sampleQueries": [ - { - "description": "Citrix WAF Logs", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Citrix\"\n| where DeviceProduct == \"NetScaler\"\n" - }, - { - "description": "Citrix Waf logs for cross site scripting", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Citrix\"\n| where DeviceProduct == \"NetScaler\"\n| where Activity == \"APPFW_XSS\"\n" - }, - { - "description": "Citrix Waf logs for SQL Injection", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Citrix\"\n| where DeviceProduct == \"NetScaler\"\n| where Activity == \"APPFW_SQL\"\n" - }, - { - "description": "Citrix Waf logs for Bufferoverflow", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Citrix\"\n| where DeviceProduct == \"NetScaler\"\n| where Activity == \"APPFW_STARTURL\"\n" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (CitrixWAFLogs)", - "lastDataReceivedQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Citrix\"\n| where DeviceProduct == \"NetScaler\"\n\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "\nCommonSecurityLog\n| where DeviceVendor == \"Citrix\"\n| where DeviceProduct == \"NetScaler\"\n\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are 
required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", - "innerSteps": [ - { - "title": "1.1 Select or create a Linux machine", - "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." - }, - { - "title": "1.2 Install the CEF collector on the Linux machine", - "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. 
You must have elevated permissions (sudo) on your machine.", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId", - "PrimaryKey" - ], - "label": "Run the following command to install and apply the CEF collector:", - "value": "sudo wget https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}" - }, - "type": "CopyableLabel" - } - ] - } - ], - "title": "1. Linux Syslog agent configuration" - }, - { - "description": "Configure Citrix WAF to send Syslog messages in CEF format to the proxy machine using the steps below. \n\n1. Follow [this guide](https://support.citrix.com/article/CTX234174) to configure WAF.\n\n2. Follow [this guide](https://support.citrix.com/article/CTX136146) to configure CEF logs.\n\n3. Follow [this guide](https://docs.citrix.com/en-us/citrix-adc/13/system/audit-logging/configuring-audit-logging.html) to forward the logs to proxy . Make sure you to send the logs to port 514 TCP on the Linux machine's IP address.\n\n", - "title": "2. Forward Common Event Format (CEF) logs to Syslog agent" - }, - { - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}" - }, - "type": "CopyableLabel" - } - ], - "title": "3. 
Validate connection" - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "4. Secure your machine " - } - ], - "metadata": { - "id": "7504f78d-1928-4399-a1ae-ba826c47c42d", - "version": "1.0.0", - "kind": "dataConnector", - "source": { - "kind": "community" - }, - "author": { - "name": "Citrix Systems" - }, - "support": { - "name": "Citrix Systems", - "link": "https://www.citrix.com/support/", - "tier": "developer" - } - } - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "Citrix Web App Firewall", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Citrix Systems" - }, - "support": { - "tier": "Partner", - "name": "Citrix Systems", - "link": "https://www.citrix.com/support/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId1')]", - "contentKind": "DataConnector", - "displayName": "[Deprecated] Citrix WAF (Web App Firewall) via Legacy Agent", - "contentProductId": "[variables('_dataConnectorcontentProductId1')]", - "id": 
"[variables('_dataConnectorcontentProductId1')]", - "version": "[variables('dataConnectorVersion1')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId1')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "Citrix Web App Firewall", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Citrix Systems" - }, - "support": { - "tier": "Partner", - "name": "Citrix Systems", - "link": "https://www.citrix.com/support/" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "[Deprecated] Citrix WAF (Web App Firewall) via Legacy Agent", - "publisher": "Citrix Systems Inc.", - "descriptionMarkdown": " Citrix WAF (Web App Firewall) is an industry leading enterprise-grade WAF solution. Citrix WAF mitigates threats against your public-facing assets, including websites, apps, and APIs. 
From layer 3 to layer 7, Citrix WAF includes protections such as IP reputation, bot mitigation, defense against the OWASP Top 10 application threats, built-in signatures to protect against application stack vulnerabilities, and more. \n\nCitrix WAF supports Common Event Format (CEF) which is an industry standard format on top of Syslog messages . By connecting Citrix WAF CEF logs to Microsoft Sentinel, you can take advantage of search & correlation, alerting, and threat intelligence enrichment for each log.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "CitrixWafLogs", - "baseQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Citrix\"\n| where DeviceProduct == \"NetScaler\"\n" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (CitrixWAFLogs)", - "lastDataReceivedQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Citrix\"\n| where DeviceProduct == \"NetScaler\"\n\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "\nCommonSecurityLog\n| where DeviceVendor == \"Citrix\"\n| where DeviceProduct == \"NetScaler\"\n\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "sampleQueries": [ - { - "description": "Citrix WAF Logs", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Citrix\"\n| where DeviceProduct == \"NetScaler\"\n" - }, - { - "description": "Citrix Waf logs for cross site scripting", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Citrix\"\n| where DeviceProduct == \"NetScaler\"\n| where Activity == \"APPFW_XSS\"\n" - }, - { - "description": "Citrix Waf logs for SQL Injection", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Citrix\"\n| where DeviceProduct == \"NetScaler\"\n| where Activity == \"APPFW_SQL\"\n" - }, - { - "description": "Citrix Waf logs for Bufferoverflow", - "query": "\nCommonSecurityLog\n| where 
DeviceVendor == \"Citrix\"\n| where DeviceProduct == \"NetScaler\"\n| where Activity == \"APPFW_STARTURL\"\n" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", - "innerSteps": [ - { - "title": "1.1 Select or create a Linux machine", - "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." - }, - { - "title": "1.2 Install the CEF collector on the Linux machine", - "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. 
You must have elevated permissions (sudo) on your machine.", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId", - "PrimaryKey" - ], - "label": "Run the following command to install and apply the CEF collector:", - "value": "sudo wget https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}" - }, - "type": "CopyableLabel" - } - ] - } - ], - "title": "1. Linux Syslog agent configuration" - }, - { - "description": "Configure Citrix WAF to send Syslog messages in CEF format to the proxy machine using the steps below. \n\n1. Follow [this guide](https://support.citrix.com/article/CTX234174) to configure WAF.\n\n2. Follow [this guide](https://support.citrix.com/article/CTX136146) to configure CEF logs.\n\n3. Follow [this guide](https://docs.citrix.com/en-us/citrix-adc/13/system/audit-logging/configuring-audit-logging.html) to forward the logs to proxy . Make sure you to send the logs to port 514 TCP on the Linux machine's IP address.\n\n", - "title": "2. Forward Common Event Format (CEF) logs to Syslog agent" - }, - { - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}" - }, - "type": "CopyableLabel" - } - ], - "title": "3. 
Validate connection" - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "4. Secure your machine " - } - ], - "id": "[variables('_uiConfigId1')]" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName2')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Citrix Web App Firewall data connector with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion2')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId2')]", - "title": "[Deprecated] Citrix WAF (Web App Firewall) via AMA", - "publisher": "Citrix Systems Inc.", - "descriptionMarkdown": " Citrix WAF (Web App Firewall) is an industry leading enterprise-grade WAF solution. Citrix WAF mitigates threats against your public-facing assets, including websites, apps, and APIs. 
From layer 3 to layer 7, Citrix WAF includes protections such as IP reputation, bot mitigation, defense against the OWASP Top 10 application threats, built-in signatures to protect against application stack vulnerabilities, and more. \n\nCitrix WAF supports Common Event Format (CEF) which is an industry standard format on top of Syslog messages . By connecting Citrix WAF CEF logs to Microsoft Sentinel, you can take advantage of search & correlation, alerting, and threat intelligence enrichment for each log.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "CitrixWafLogs", - "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Citrix'\n |where DeviceProduct =~ 'NetScaler'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" - } - ], - "sampleQueries": [ - { - "description": "Citrix WAF Logs", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Citrix\"\n| where DeviceProduct == \"NetScaler\"\n" - }, - { - "description": "Citrix Waf logs for cross site scripting", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Citrix\"\n| where DeviceProduct == \"NetScaler\"\n| where Activity == \"APPFW_XSS\"\n" - }, - { - "description": "Citrix Waf logs for SQL Injection", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Citrix\"\n| where DeviceProduct == \"NetScaler\"\n| where Activity == \"APPFW_SQL\"\n" - }, - { - "description": "Citrix Waf logs for Bufferoverflow", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Citrix\"\n| where DeviceProduct == \"NetScaler\"\n| where Activity == \"APPFW_STARTURL\"\n" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (CitrixWAFLogs)", - "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Citrix'\n |where DeviceProduct =~ 'NetScaler'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - 
], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "CommonSecurityLog\n |where DeviceVendor =~ 'Citrix'\n |where DeviceProduct =~ 'NetScaler'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. 
[Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" - }, - { - "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" - } - ] - }, - "instructionSteps": [ - { - "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", - "instructions": [ - { - "parameters": { - "title": "1. Kindly follow the steps to configure the data connector", - "instructionSteps": [ - { - "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", - "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine" - }, - { - "title": "Step B. Forward Common Event Format (CEF) logs to Syslog agent", - "description": "Configure Citrix WAF to send Syslog messages in CEF format to the proxy machine using the steps below. \n\n1. Follow [this guide](https://support.citrix.com/article/CTX234174) to configure WAF.\n\n2. 
Follow [this guide](https://support.citrix.com/article/CTX136146) to configure CEF logs.\n\n3. Follow [this guide](https://docs.citrix.com/en-us/citrix-adc/13/system/audit-logging/configuring-audit-logging.html) to forward the logs to proxy . Make sure you to send the logs to port 514 TCP on the Linux machine's IP address.\n\n" - }, - { - "title": "Step C. Validate connection", - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef" - }, - "type": "CopyableLabel" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ] - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "2. 
Secure your machine " - } - ], - "metadata": { - "id": "7504f78d-1928-4399-a1ae-ba826c47c42d", - "version": "1.0.0", - "kind": "dataConnector", - "source": { - "kind": "community" - }, - "author": { - "name": "Citrix Systems" - }, - "support": { - "name": "Citrix Systems", - "link": "https://www.citrix.com/support/", - "tier": "developer" - } - } - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", - "contentId": "[variables('_dataConnectorContentId2')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion2')]", - "source": { - "kind": "Solution", - "name": "Citrix Web App Firewall", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Citrix Systems" - }, - "support": { - "tier": "Partner", - "name": "Citrix Systems", - "link": "https://www.citrix.com/support/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId2')]", - "contentKind": "DataConnector", - "displayName": "[Deprecated] Citrix WAF (Web App Firewall) via AMA", - "contentProductId": "[variables('_dataConnectorcontentProductId2')]", - "id": "[variables('_dataConnectorcontentProductId2')]", - "version": "[variables('dataConnectorVersion2')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId2')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", - "contentId": "[variables('_dataConnectorContentId2')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion2')]", - "source": { - "kind": "Solution", - "name": "Citrix Web App Firewall", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Citrix Systems" - }, - "support": { - "tier": "Partner", - "name": "Citrix Systems", - "link": "https://www.citrix.com/support/" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "[Deprecated] Citrix WAF (Web App Firewall) via AMA", - "publisher": "Citrix Systems Inc.", - "descriptionMarkdown": " Citrix WAF (Web App Firewall) is an industry leading enterprise-grade WAF solution. Citrix WAF mitigates threats against your public-facing assets, including websites, apps, and APIs. From layer 3 to layer 7, Citrix WAF includes protections such as IP reputation, bot mitigation, defense against the OWASP Top 10 application threats, built-in signatures to protect against application stack vulnerabilities, and more. \n\nCitrix WAF supports Common Event Format (CEF) which is an industry standard format on top of Syslog messages . 
By connecting Citrix WAF CEF logs to Microsoft Sentinel, you can take advantage of search & correlation, alerting, and threat intelligence enrichment for each log.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "CitrixWafLogs", - "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Citrix'\n |where DeviceProduct =~ 'NetScaler'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (CitrixWAFLogs)", - "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Citrix'\n |where DeviceProduct =~ 'NetScaler'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "CommonSecurityLog\n |where DeviceVendor =~ 'Citrix'\n |where DeviceProduct =~ 'NetScaler'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "sampleQueries": [ - { - "description": "Citrix WAF Logs", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Citrix\"\n| where DeviceProduct == \"NetScaler\"\n" - }, - { - "description": "Citrix Waf logs for cross site scripting", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Citrix\"\n| where DeviceProduct == \"NetScaler\"\n| where Activity == \"APPFW_XSS\"\n" - }, - { - "description": "Citrix Waf logs for SQL Injection", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Citrix\"\n| where DeviceProduct == \"NetScaler\"\n| where Activity == \"APPFW_SQL\"\n" - }, - { - "description": "Citrix Waf logs for Bufferoverflow", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Citrix\"\n| where DeviceProduct == \"NetScaler\"\n| where 
Activity == \"APPFW_STARTURL\"\n" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" - }, - { - "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" - } - ] - }, - "instructionSteps": [ - { - "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", - "instructions": [ - { - "parameters": { - "title": "1. Kindly follow the steps to configure the data connector", - "instructionSteps": [ - { - "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", - "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. 
Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine" - }, - { - "title": "Step B. Forward Common Event Format (CEF) logs to Syslog agent", - "description": "Configure Citrix WAF to send Syslog messages in CEF format to the proxy machine using the steps below. \n\n1. Follow [this guide](https://support.citrix.com/article/CTX234174) to configure WAF.\n\n2. Follow [this guide](https://support.citrix.com/article/CTX136146) to configure CEF logs.\n\n3. Follow [this guide](https://docs.citrix.com/en-us/citrix-adc/13/system/audit-logging/configuring-audit-logging.html) to forward the logs to proxy . Make sure you to send the logs to port 514 TCP on the Linux machine's IP address.\n\n" - }, - { - "title": "Step C. Validate connection", - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. 
You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef" - }, - "type": "CopyableLabel" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ] - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "2. Secure your machine " - } - ], - "id": "[variables('_uiConfigId2')]" - } - } - }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.1", + "version": "3.0.2", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Citrix Web App Firewall", "publisherDisplayName": "Citrix Systems", - "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

Citrix Web App Firewall (WAF) Solution for Microsoft Sentinel enables ingestion of Common Event Format (CEF) logs into Microsoft Sentinel to enable you to take advantage of search & correlation, alerting, and threat intelligence enrichment for each log.

\n

This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.

\n

**NOTE: **Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.

\n

Data Connectors: 2, Workbooks: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

Citrix Web App Firewall (WAF) Solution for Microsoft Sentinel enables ingestion of Common Event Format (CEF) logs into Microsoft Sentinel to enable you to take advantage of search & correlation, alerting, and threat intelligence enrichment for each log.

\n

This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.

\n

**NOTE: **Microsoft recommends installation of CEF via AMA Connector. The existing connectors were deprecated on Aug 31, 2024.

\n

Workbooks: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -925,16 +183,6 @@ "contentId": "[variables('_workbookContentId1')]", "version": "[variables('workbookVersion1')]" }, - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId1')]", - "version": "[variables('dataConnectorVersion1')]" - }, - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId2')]", - "version": "[variables('dataConnectorVersion2')]" - }, { "kind": "Solution", "contentId": "azuresentinel.azure-sentinel-solution-commoneventformat" diff --git a/Solutions/Citrix Web App Firewall/ReleaseNotes.md b/Solutions/Citrix Web App Firewall/ReleaseNotes.md index b129ba9b5ab..1614194e209 100644 --- a/Solutions/Citrix Web App Firewall/ReleaseNotes.md +++ b/Solutions/Citrix Web App Firewall/ReleaseNotes.md @@ -1,4 +1,5 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|--------------------------------------------------------------------| +| 3.0.2 | 29-11-2024 | Removed Deprecated **Data Connectors** | | 3.0.1 | 10-07-2024 | Deprecating data connectors. | | 3.0.0 | 08-09-2023 | Addition of new Citrix Web App Firewall AMA **Data Connector** | diff --git a/Solutions/CyberArk Enterprise Password Vault (EPV) Events/Data/Solution_CyberArkEPVEvents.json b/Solutions/CyberArk Enterprise Password Vault (EPV) Events/Data/Solution_CyberArkEPVEvents.json index ea1e371598f..69cf06c120c 100644 --- a/Solutions/CyberArk Enterprise Password Vault (EPV) Events/Data/Solution_CyberArkEPVEvents.json +++ b/Solutions/CyberArk Enterprise Password Vault (EPV) Events/Data/Solution_CyberArkEPVEvents.json 
@@ -2,11 +2,7 @@
 "Name": "CyberArk Privilege Access Manager (PAM) Events",
 "Author": "Cyberark",
 "Logo": "",
- "Description": "[CyberArk Enterprise Password Vault](https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-CP/Latest/en/Content/CP%20for%20zOS/Installing-the-Enterprise-Password-Vault.htm?TocPath=Installation%7Cz%2FOS%20Credential%20Provider%7C_____2#:~:text=%20Enterprise%20Password%20Vault%20%201%20Install%20the,applications%20and%20create%2C%20request%2C%20access%20and...%20More%20) Solution for Microsoft Sentinel enables ingestion of Common Event Format (CEF) logs into Microsoft Sentinel. The EPV generates an xml Syslog message for every action taken against the Vault. The EPV will send the xml messages through the Sentinel.xsl translator to be converted into CEF standard format and sent to a syslog server of your choice (syslog-ng, rsyslog). The Log Analytics agent installed on your syslog staging server will import the messages into Azure Log Analytics. Refer to the [CyberArk documentation](https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/DV-Integrating-with-SIEM-Applications.htm) for more guidance on SIEM integrations.\n\n This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024.**",
- "Data Connectors": [
- "Data Connectors/CyberArk Data Connector.json",
- "Data Connectors/template_CyberArkAMA.json"
- ],
+ "Description": "[CyberArk Enterprise Password Vault](https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-CP/Latest/en/Content/CP%20for%20zOS/Installing-the-Enterprise-Password-Vault.htm?TocPath=Installation%7Cz%2FOS%20Credential%20Provider%7C_____2#:~:text=%20Enterprise%20Password%20Vault%20%201%20Install%20the,applications%20and%20create%2C%20request%2C%20access%20and...%20More%20) Solution for Microsoft Sentinel enables ingestion of Common Event Format (CEF) logs into Microsoft Sentinel. The EPV generates an xml Syslog message for every action taken against the Vault. The EPV will send the xml messages through the Sentinel.xsl translator to be converted into CEF standard format and sent to a syslog server of your choice (syslog-ng, rsyslog). The Log Analytics agent installed on your syslog staging server will import the messages into Azure Log Analytics. Refer to the [CyberArk documentation](https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/DV-Integrating-with-SIEM-Applications.htm) for more guidance on SIEM integrations.\n\n This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors were deprecated on **Aug 31, 2024**.",
 "Workbooks": [
 "Workbooks/CyberArkEPV.json"
 ],
@@ -14,7 +10,7 @@
 "azuresentinel.azure-sentinel-solution-commoneventformat"
 ],
 "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\CyberArk Enterprise Password Vault (EPV) Events",
- "Version": "3.0.2",
+ "Version": "3.0.3",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true,
 "Is1Pconnector": false
diff --git a/Solutions/CyberArk Enterprise Password Vault (EPV) Events/Package/3.0.3.zip b/Solutions/CyberArk Enterprise Password Vault (EPV) Events/Package/3.0.3.zip
new file mode 100644
index 00000000000..675fa597399
Binary files /dev/null and b/Solutions/CyberArk Enterprise Password Vault (EPV) Events/Package/3.0.3.zip differ
diff --git a/Solutions/CyberArk Enterprise Password Vault (EPV) Events/Package/createUiDefinition.json b/Solutions/CyberArk Enterprise Password Vault (EPV) Events/Package/createUiDefinition.json
index b72b8ac13e9..e91e7e6a66e 100644
--- a/Solutions/CyberArk Enterprise Password Vault (EPV) Events/Package/createUiDefinition.json
+++ b/Solutions/CyberArk Enterprise Password Vault (EPV) Events/Package/createUiDefinition.json
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/CyberArk%20Enterprise%20Password%20Vault%20%28EPV%29%20Events/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\n[CyberArk Enterprise Password Vault](https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-CP/Latest/en/Content/CP%20for%20zOS/Installing-the-Enterprise-Password-Vault.htm?TocPath=Installation%7Cz%2FOS%20Credential%20Provider%7C_____2#:~:text=%20Enterprise%20Password%20Vault%20%201%20Install%20the,applications%20and%20create%2C%20request%2C%20access%20and...%20More%20) Solution for Microsoft Sentinel enables ingestion of Common Event Format (CEF) logs into Microsoft Sentinel. The EPV generates an xml Syslog message for every action taken against the Vault. The EPV will send the xml messages through the Sentinel.xsl translator to be converted into CEF standard format and sent to a syslog server of your choice (syslog-ng, rsyslog). The Log Analytics agent installed on your syslog staging server will import the messages into Azure Log Analytics. Refer to the [CyberArk documentation](https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/DV-Integrating-with-SIEM-Applications.htm) for more guidance on SIEM integrations.\n\n This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. 
The existing connectors are about to be deprecated by **Aug 31, 2024.**\n\n**Data Connectors:** 2, **Workbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/CyberArk%20Enterprise%20Password%20Vault%20%28EPV%29%20Events/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\n[CyberArk Enterprise Password Vault](https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-CP/Latest/en/Content/CP%20for%20zOS/Installing-the-Enterprise-Password-Vault.htm?TocPath=Installation%7Cz%2FOS%20Credential%20Provider%7C_____2#:~:text=%20Enterprise%20Password%20Vault%20%201%20Install%20the,applications%20and%20create%2C%20request%2C%20access%20and...%20More%20) Solution for Microsoft Sentinel enables ingestion of Common Event Format (CEF) logs into Microsoft Sentinel. The EPV generates an xml Syslog message for every action taken against the Vault. The EPV will send the xml messages through the Sentinel.xsl translator to be converted into CEF standard format and sent to a syslog server of your choice (syslog-ng, rsyslog). The Log Analytics agent installed on your syslog staging server will import the messages into Azure Log Analytics. Refer to the [CyberArk documentation](https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/DV-Integrating-with-SIEM-Applications.htm) for more guidance on SIEM integrations.\n\n This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. 
The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors were deprecated on **Aug 31, 2024**.\n\n**Workbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", @@ -51,30 +51,6 @@ } ], "steps": [ - { - "name": "dataconnectors", - "label": "Data Connectors", - "bladeTitle": "Data Connectors", - "elements": [ - { - "name": "dataconnectors1-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This solution installs the data connector for ingesting CyberArk Privilege Access Manager (PAM) Events in the CEF format into Microsoft Sentinel. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." - } - }, - { - "name": "dataconnectors-link2", - "type": "Microsoft.Common.TextBlock", - "options": { - "link": { - "label": "Learn more about connecting data sources", - "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources" - } - } - } - ] - }, { "name": "workbooks", "label": "Workbooks", diff --git a/Solutions/CyberArk Enterprise Password Vault (EPV) Events/Package/mainTemplate.json b/Solutions/CyberArk Enterprise Password Vault (EPV) Events/Package/mainTemplate.json index 772220306ce..6f73534cc91 100644 --- a/Solutions/CyberArk Enterprise Password Vault (EPV) Events/Package/mainTemplate.json +++ b/Solutions/CyberArk Enterprise Password Vault (EPV) Events/Package/mainTemplate.json 
@@ -39,27 +39,9 @@ }, "variables": { "_solutionName": "CyberArk Privilege Access Manager (PAM) Events", - "_solutionVersion": "3.0.2", + "_solutionVersion": "3.0.3", "solutionId": "cyberark.cyberark_epv_events_mss", "_solutionId": "[variables('solutionId')]", - "uiConfigId1": "CyberArk", - "_uiConfigId1": "[variables('uiConfigId1')]", - "dataConnectorContentId1": "CyberArk", - "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", - "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "_dataConnectorId1": "[variables('dataConnectorId1')]", - "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", - "dataConnectorVersion1": "1.0.0", - "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", - "uiConfigId2": "CyberArkAma", - "_uiConfigId2": "[variables('uiConfigId2')]", - "dataConnectorContentId2": "CyberArkAma", - "_dataConnectorContentId2": "[variables('dataConnectorContentId2')]", - "dataConnectorId2": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", - "_dataConnectorId2": "[variables('dataConnectorId2')]", - "dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]", - "dataConnectorVersion2": "1.0.0", - "_dataConnectorcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','dc','-', 
uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]", "workbookVersion1": "1.1.0", "workbookContentId1": "CyberArkWorkbook", "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]", 
@@ -70,688 +52,6 @@ "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, "resources": [ - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "CyberArk Privilege Access Manager (PAM) Events data connector with template version 3.0.2", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion1')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId1')]", - "title": "[Deprecated] CyberArk Privilege Access Manager (PAM) Events via Legacy Agent", - "publisher": "Cyber-Ark", - "descriptionMarkdown": "CyberArk Privilege Access Manager generates an xml Syslog message for every action taken against the Vault. The PAM will send the xml messages through the Microsoft Sentinel.xsl translator to be converted into CEF standard format and sent to a syslog staging server of your choice (syslog-ng, rsyslog). 
The Log Analytics agent installed on your syslog staging server will import the messages into Microsoft Log Analytics. Refer to the [CyberArk documentation](https://docs.cyberark.com/privilege-cloud-standard/Latest/en/Content/Privilege%20Cloud/privCloud-connect-siem.htm) for more guidance on SIEM integrations.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "CyberArk", - "baseQuery": "CommonSecurityLog\n| where DeviceVendor == \"Cyber-Ark\"\n| where DeviceProduct == \"Vault\"" - } - ], - "sampleQueries": [ - { - "description": "CyberArk Alerts", - "query": "CommonSecurityLog\n| where DeviceVendor == \"Cyber-Ark\"\n| where DeviceProduct == \"Vault\"\n| where LogSeverity == \"7\" or LogSeverity == \"10\"\n| sort by TimeGenerated desc" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (CyberArk)", - "lastDataReceivedQuery": "CommonSecurityLog\n| where DeviceVendor == \"Cyber-Ark\"\n| where DeviceProduct == \"Vault\"\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "CommonSecurityLog\n| where DeviceVendor == \"Cyber-Ark\"\n| where DeviceProduct == \"Vault\"\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", - "innerSteps": [ - { - "title": "1.1 Select or create a Linux machine", - "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." - }, - { - "title": "1.2 Install the CEF collector on the Linux machine", - "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python installed on your machine.\n\n> 2. You must have elevated permissions (sudo) on your machine.", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId", - "PrimaryKey" - ], - "label": "Run the following command to install and apply the CEF collector:", - "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}" - }, - "type": "CopyableLabel" - } - ] - } - ], - "title": "1. Linux Syslog agent configuration" - }, - { - "description": "On the PAM configure the dbparm.ini to send Syslog messages in CEF format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machines IP address.", - "title": "2. 
Forward Common Event Format (CEF) logs to Syslog agent" - }, - { - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python installed on your machine using the following command: python -version\n\n>\n\n> 2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}" - }, - "type": "CopyableLabel" - } - ], - "title": "3. Validate connection" - }, - { - "description": "Make sure to configure the machines security according to your organizations security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "4. 
Secure your machine " - } - ], - "metadata": { - "id": "1c45e738-21dd-4fcd-9449-e2c9478e9552", - "version": "1.0.0", - "kind": "dataConnector", - "source": { - "kind": "community" - }, - "author": { - "name": "Cyberark" - }, - "support": { - "name": "Cyberark", - "link": "https://www.cyberark.com/customer-support/", - "tier": "developer" - } - } - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "CyberArk Privilege Access Manager (PAM) Events", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Cyberark" - }, - "support": { - "name": "Cyberark", - "tier": "Partner", - "link": "https://www.cyberark.com/services-support/technical-support/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId1')]", - "contentKind": "DataConnector", - "displayName": "[Deprecated] CyberArk Enterprise Password Vault (EPV) Events via Legacy Agent", - "contentProductId": "[variables('_dataConnectorcontentProductId1')]", - "id": "[variables('_dataConnectorcontentProductId1')]", - "version": "[variables('dataConnectorVersion1')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - 
"apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId1')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "CyberArk Privilege Access Manager (PAM) Events", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Cyberark" - }, - "support": { - "name": "Cyberark", - "tier": "Partner", - "link": "https://www.cyberark.com/services-support/technical-support/" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "[Deprecated] CyberArk Privilege Access Manager (PAM) Events via Legacy Agent", - "publisher": "Cyber-Ark", - "descriptionMarkdown": "CyberArk Privilege Access Manager generates an xml Syslog message for every action taken against the Vault. The PAM will send the xml messages through the Microsoft Sentinel.xsl translator to be converted into CEF standard format and sent to a syslog staging server of your choice (syslog-ng, rsyslog). The Log Analytics agent installed on your syslog staging server will import the messages into Microsoft Log Analytics. 
Refer to the [CyberArk documentation](https://docs.cyberark.com/privilege-cloud-standard/Latest/en/Content/Privilege%20Cloud/privCloud-connect-siem.htm) for more guidance on SIEM integrations.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "CyberArk", - "baseQuery": "CommonSecurityLog\n| where DeviceVendor == \"Cyber-Ark\"\n| where DeviceProduct == \"Vault\"" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (CyberArk)", - "lastDataReceivedQuery": "CommonSecurityLog\n| where DeviceVendor == \"Cyber-Ark\"\n| where DeviceProduct == \"Vault\"\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "CommonSecurityLog\n| where DeviceVendor == \"Cyber-Ark\"\n| where DeviceProduct == \"Vault\"\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "sampleQueries": [ - { - "description": "CyberArk Alerts", - "query": "CommonSecurityLog\n| where DeviceVendor == \"Cyber-Ark\"\n| where DeviceProduct == \"Vault\"\n| where LogSeverity == \"7\" or LogSeverity == \"10\"\n| sort by TimeGenerated desc" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", - "innerSteps": [ - { - "title": "1.1 Select or create a Linux machine", - "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." - }, - { - "title": "1.2 Install the CEF collector on the Linux machine", - "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python installed on your machine.\n\n> 2. You must have elevated permissions (sudo) on your machine.", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId", - "PrimaryKey" - ], - "label": "Run the following command to install and apply the CEF collector:", - "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}" - }, - "type": "CopyableLabel" - } - ] - } - ], - "title": "1. Linux Syslog agent configuration" - }, - { - "description": "On the PAM configure the dbparm.ini to send Syslog messages in CEF format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machines IP address.", - "title": "2. 
Forward Common Event Format (CEF) logs to Syslog agent" - }, - { - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python installed on your machine using the following command: python -version\n\n>\n\n> 2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}" - }, - "type": "CopyableLabel" - } - ], - "title": "3. Validate connection" - }, - { - "description": "Make sure to configure the machines security according to your organizations security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "4. 
Secure your machine " - } - ], - "id": "[variables('_uiConfigId1')]" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName2')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "CyberArk Privilege Access Manager (PAM) Events data connector with template version 3.0.2", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion2')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId2')]", - "title": "[Deprecated] CyberArk Privilege Access Manager (PAM) Events via AMA", - "publisher": "Cyber-Ark", - "descriptionMarkdown": "CyberArk Privilege Access Manager generates an xml Syslog message for every action taken against the Vault. The PAM will send the xml messages through the Microsoft Sentinel.xsl translator to be converted into CEF standard format and sent to a syslog staging server of your choice (syslog-ng, rsyslog). The Log Analytics agent installed on your syslog staging server will import the messages into Microsoft Log Analytics. 
Refer to the [CyberArk documentation](https://docs.cyberark.com/privilege-cloud-standard/Latest/en/Content/Privilege%20Cloud/privCloud-connect-siem.htm) for more guidance on SIEM integrations.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "CyberArk", - "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Cyber-Ark'\n |where DeviceProduct =~ 'Vault'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" - } - ], - "sampleQueries": [ - { - "description": "CyberArk Alerts", - "query": "CommonSecurityLog\n| where DeviceVendor == \"Cyber-Ark\"\n| where DeviceProduct == \"Vault\"\n| where LogSeverity == \"7\" or LogSeverity == \"10\"\n| sort by TimeGenerated desc" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (CyberArk)", - "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Cyber-Ark'\n |where DeviceProduct =~ 'Vault'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "CommonSecurityLog\n |where DeviceVendor =~ 'Cyber-Ark'\n |where DeviceProduct =~ 'Vault'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to 
shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" - }, - { - "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" - } - ] - }, - "instructionSteps": [ - { - "instructions": [ - { - "parameters": { - "title": "1. Kindly follow the steps to configure the data connector", - "instructionSteps": [ - { - "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", - "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine" - - }, - { - "title": "Step B. 
Forward Common Event Format (CEF) logs to Syslog agent", - "description": "On the PAM configure the dbparm.ini to send Syslog messages in CEF format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machines IP address." - - }, - { - "title": "Step C. Validate connection", - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef" - }, - "type": "CopyableLabel" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ] - }, - { - "description": "Make sure to configure the machines security according to your organizations security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "2. 
Secure your machine " - } - ], - "metadata": { - "id": "1c45e738-21dd-4fcd-9449-e2c9478e9552", - "version": "1.0.0", - "kind": "dataConnector", - "source": { - "kind": "community" - }, - "author": { - "name": "Cyberark" - }, - "support": { - "name": "Cyberark", - "link": "https://www.cyberark.com/customer-support/", - "tier": "developer" - } - } - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", - "contentId": "[variables('_dataConnectorContentId2')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion2')]", - "source": { - "kind": "Solution", - "name": "CyberArk Privilege Access Manager (PAM) Events", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Cyberark" - }, - "support": { - "name": "Cyberark", - "tier": "Partner", - "link": "https://www.cyberark.com/services-support/technical-support/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId2')]", - "contentKind": "DataConnector", - "displayName": "[Deprecated] CyberArk Privilege Access Manager (PAM) Events via AMA", - "contentProductId": "[variables('_dataConnectorcontentProductId2')]", - "id": "[variables('_dataConnectorcontentProductId2')]", - "version": "[variables('dataConnectorVersion2')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - 
"apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId2')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", - "contentId": "[variables('_dataConnectorContentId2')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion2')]", - "source": { - "kind": "Solution", - "name": "CyberArk Privilege Access Manager (PAM) Events", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Cyberark" - }, - "support": { - "name": "Cyberark", - "tier": "Partner", - "link": "https://www.cyberark.com/services-support/technical-support/" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "[Deprecated] CyberArk Privilege Access Manager (PAM) Events via AMA", - "publisher": "Cyber-Ark", - "descriptionMarkdown": "CyberArk Privilege Access Manager generates an xml Syslog message for every action taken against the Vault. The PAM will send the xml messages through the Microsoft Sentinel.xsl translator to be converted into CEF standard format and sent to a syslog staging server of your choice (syslog-ng, rsyslog). The Log Analytics agent installed on your syslog staging server will import the messages into Microsoft Log Analytics. 
Refer to the [CyberArk documentation](https://docs.cyberark.com/privilege-cloud-standard/Latest/en/Content/Privilege%20Cloud/privCloud-connect-siem.htm) for more guidance on SIEM integrations.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "CyberArk", - "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Cyber-Ark'\n |where DeviceProduct =~ 'Vault'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (CyberArk)", - "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Cyber-Ark'\n |where DeviceProduct =~ 'Vault'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "CommonSecurityLog\n |where DeviceVendor =~ 'Cyber-Ark'\n |where DeviceProduct =~ 'Vault'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "sampleQueries": [ - { - "description": "CyberArk Alerts", - "query": "CommonSecurityLog\n| where DeviceVendor == \"Cyber-Ark\"\n| where DeviceProduct == \"Vault\"\n| where LogSeverity == \"7\" or LogSeverity == \"10\"\n| sort by TimeGenerated desc" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to 
shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" - }, - { - "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" - } - ] - }, - "instructionSteps": [ - { - "instructions": [ - { - "parameters": { - "title": "1. Kindly follow the steps to configure the data connector", - "instructionSteps": [ - { - "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", - "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine" - - }, - { - "title": "Step B. 
Forward Common Event Format (CEF) logs to Syslog agent", - "description": "On the PAM configure the dbparm.ini to send Syslog messages in CEF format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machines IP address." - - }, - { - "title": "Step C. Validate connection", - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef" - }, - "type": "CopyableLabel" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ] - }, - { - "description": "Make sure to configure the machines security according to your organizations security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "2. Secure your machine " - } - ], - "id": "[variables('_uiConfigId2')]" - } - } - }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", 
@@ -761,7 +61,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CyberArkEPV Workbook with template version 3.0.2", + "description": "CyberArkEPV Workbook with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", @@ -822,6 +122,10 @@ { "contentId": "CyberArkAma", "kind": "DataConnector" + }, + { + "contentId": "CefAma", + "kind": "DataConnector" } ] } @@ -847,12 +151,12 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.2", + "version": "3.0.3", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "CyberArk Privilege Access Manager (PAM) Events", "publisherDisplayName": "Cyberark", - "descriptionHtml": "
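Review bot: The dependency block that gains `CefAma` in this hunk still keeps the `CyberArkAma` entry shown in the context line just above it, while the same commit deletes the solution's own data-connector resources and, further down, the `_dataConnectorContentId1`/`_dataConnectorContentId2` dependency criteria, so the new side appears to reference a connector the package no longer ships. A dangling dependency on a deprecated connector can keep pointing operators at the legacy collection path that the commit is trying to retire, and may be flagged as unsatisfied by whatever resolves these criteria. If CEF via AMA is now the only supported ingestion path, the list should reduce to `{ "contentId": "CefAma", "kind": "DataConnector" }`; if `CyberArkAma` must stay for in-place upgrades, that intent deserves a sentence in the release notes. This file looks generated from the workbook's source metadata, so the fix presumably belongs there rather than in mainTemplate.json.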

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

CyberArk Enterprise Password Vault Solution for Microsoft Sentinel enables ingestion of Common Event Format (CEF) logs into Microsoft Sentinel. The EPV generates an xml Syslog message for every action taken against the Vault. The EPV will send the xml messages through the Sentinel.xsl translator to be converted into CEF standard format and sent to a syslog server of your choice (syslog-ng, rsyslog). The Log Analytics agent installed on your syslog staging server will import the messages into Azure Log Analytics. Refer to the CyberArk documentation for more guidance on SIEM integrations.

\n

This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.

\n

Data Connectors: 2, Workbooks: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

CyberArk Enterprise Password Vault Solution for Microsoft Sentinel enables ingestion of Common Event Format (CEF) logs into Microsoft Sentinel. The EPV generates an xml Syslog message for every action taken against the Vault. The EPV will send the xml messages through the Sentinel.xsl translator to be converted into CEF standard format and sent to a syslog server of your choice (syslog-ng, rsyslog). The Log Analytics agent installed on your syslog staging server will import the messages into Azure Log Analytics. Refer to the CyberArk documentation for more guidance on SIEM integrations.

\n

This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors were deprecated on Aug 31, 2024.

\n

Workbooks: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -874,16 +178,6 @@ }, "dependencies": { "criteria": [ - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId1')]", - "version": "[variables('dataConnectorVersion1')]" - }, - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId2')]", - "version": "[variables('dataConnectorVersion2')]" - }, { "kind": "Workbook", "contentId": "[variables('_workbookContentId1')]", diff --git a/Solutions/CyberArk Enterprise Password Vault (EPV) Events/ReleaseNotes.md b/Solutions/CyberArk Enterprise Password Vault (EPV) Events/ReleaseNotes.md index 757979adf70..9b48fb28e5d 100644 --- a/Solutions/CyberArk Enterprise Password Vault (EPV) Events/ReleaseNotes.md +++ b/Solutions/CyberArk Enterprise Password Vault (EPV) Events/ReleaseNotes.md @@ -1,5 +1,6 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|--------------------------------------------------------------------------------------------| -| 3.0.2 | 11-07-2024 | Deprecating data connectors | -| 3.0.1 | 06-03-2024 | Internal terminology changes | -| 3.0.0 | 21-09-2023 | Addition of new CyberArk Enterprise Password Vault (EPV) Events AMA **Data Connector** | \ No newline at end of file +| 3.0.3 | 29-11-2024 | Removed Deprecated **Data Connectors** | +| 3.0.2 | 11-07-2024 | Deprecating **data connectors** | +| 3.0.1 | 06-03-2024 | Internal terminology changes | +| 3.0.0 | 21-09-2023 | Addition of new CyberArk Enterprise Password Vault (EPV) Events AMA **Data Connector** | \ No newline at end of file diff --git a/Solutions/Vectra AI Detect/Analytic Rules/VectraDetect-Account-Detections.yaml b/Solutions/Vectra AI Detect/Analytic Rules/VectraDetect-Account-Detections.yaml index 6a987f3a2d4..f87b75adf29 100644 
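Review bot: The rewritten descriptionHtml still tells operators that "The Log Analytics agent installed on your syslog staging server will import the messages into Azure Log Analytics", i.e. the legacy agent whose connectors the same text says were deprecated on Aug 31, 2024 and which this commit removes from the solution. Leaving that sentence in steers new deployments toward an unsupported collection agent and contradicts the dependency on CEF via AMA stated two paragraphs later. Replace it with wording such as `The Azure Monitor Agent (AMA) on your syslog forwarder, configured through the CEF via AMA data connector's Data Collection Rule, will import the messages into Log Analytics.` Since this HTML appears to be generated from the Description field of the solution's Data/Solution_*.json, the correction should be made at that source so createUiDefinition.json and this template pick it up on the next package build.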
--- a/Solutions/Vectra AI Detect/Analytic Rules/VectraDetect-Account-Detections.yaml
+++ b/Solutions/Vectra AI Detect/Analytic Rules/VectraDetect-Account-Detections.yaml
@@ -5,12 +5,6 @@ description: |
 severity: Informational
 status: Available
 requiredDataConnectors:
- - connectorId: AIVectraDetect
- dataTypes:
- - CommonSecurityLog
- - connectorId: AIVectraDetectAma
- dataTypes:
- - CommonSecurityLog
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
@@ -96,5 +90,5 @@ alertDetailsOverride:
 customDetails:
 AttackType: Activity
 AttackCategory: Category
-version: 1.0.4
+version: 1.0.5
 kind: Scheduled
diff --git a/Solutions/Vectra AI Detect/Analytic Rules/VectraDetect-Account-by-Severity.yaml b/Solutions/Vectra AI Detect/Analytic Rules/VectraDetect-Account-by-Severity.yaml
index ffc032369f6..d205973e7c3 100644
--- a/Solutions/Vectra AI Detect/Analytic Rules/VectraDetect-Account-by-Severity.yaml
+++ b/Solutions/Vectra AI Detect/Analytic Rules/VectraDetect-Account-by-Severity.yaml
@@ -7,12 +7,6 @@ description: |
 severity: Informational
 status: Available
 requiredDataConnectors:
- - connectorId: AIVectraDetect
- dataTypes:
- - CommonSecurityLog
- - connectorId: AIVectraDetectAma
- dataTypes:
- - CommonSecurityLog
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
@@ -98,5 +92,5 @@ incidentConfiguration:
 matchingMethod: AllEntities
 customDetails:
 ScoreDecrease: score_decreases
-version: 1.0.8
+version: 1.0.9
 kind: Scheduled
diff --git a/Solutions/Vectra AI Detect/Analytic Rules/VectraDetect-HighSeverityDetection-by-Tactics.yaml b/Solutions/Vectra AI Detect/Analytic Rules/VectraDetect-HighSeverityDetection-by-Tactics.yaml
index c429859045d..e3ce2891c9b 100644
--- a/Solutions/Vectra AI Detect/Analytic Rules/VectraDetect-HighSeverityDetection-by-Tactics.yaml
+++ b/Solutions/Vectra AI Detect/Analytic Rules/VectraDetect-HighSeverityDetection-by-Tactics.yaml
@@ -7,12 +7,6 @@ description: |
 severity: High
 status: Available
 requiredDataConnectors:
- - connectorId: AIVectraDetect
- dataTypes:
- - CommonSecurityLog
- - connectorId: AIVectraDetectAma
- dataTypes:
- - CommonSecurityLog
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
@@ -116,5 +110,5 @@ incidentConfiguration:
 customDetails:
 AttackType: Activity
 AttackCategory: Category
-version: 1.0.9
+version: 1.1.0
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Vectra AI Detect/Analytic Rules/VectraDetect-Host-Detections.yaml b/Solutions/Vectra AI Detect/Analytic Rules/VectraDetect-Host-Detections.yaml
index df8dbc38638..4cfad1f6d8b 100644
--- a/Solutions/Vectra AI Detect/Analytic Rules/VectraDetect-Host-Detections.yaml
+++ b/Solutions/Vectra AI Detect/Analytic Rules/VectraDetect-Host-Detections.yaml
@@ -5,12 +5,6 @@ description: |
 severity: Informational
 status: Available
 requiredDataConnectors:
- - connectorId: AIVectraDetect
- dataTypes:
- - CommonSecurityLog
- - connectorId: AIVectraDetectAma
- dataTypes:
- - CommonSecurityLog
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
@@ -89,5 +83,5 @@ alertDetailsOverride:
 customDetails:
 AttackType: Activity
 AttackCategory: Category
-version: 1.0.4
+version: 1.0.5
 kind: Scheduled
diff --git a/Solutions/Vectra AI Detect/Analytic Rules/VectraDetect-Host-by-Severity.yaml b/Solutions/Vectra AI Detect/Analytic Rules/VectraDetect-Host-by-Severity.yaml
index 5de9794b448..d940010f273 100644
--- a/Solutions/Vectra AI Detect/Analytic Rules/VectraDetect-Host-by-Severity.yaml
+++ b/Solutions/Vectra AI Detect/Analytic Rules/VectraDetect-Host-by-Severity.yaml
@@ -7,12 +7,6 @@ description: |
 severity: Informational
 status: Available
 requiredDataConnectors:
- - connectorId: AIVectraDetect
- dataTypes:
- - CommonSecurityLog
- - connectorId: AIVectraDetectAma
- dataTypes:
- - CommonSecurityLog
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
@@ -89,5 +83,5 @@ incidentConfiguration:
 matchingMethod: AllEntities
 customDetails:
 ScoreDecrease: score_decreases
-version: 1.0.8
+version: 1.0.9
 kind: Scheduled
diff --git a/Solutions/Vectra AI Detect/Analytic Rules/VectraDetect-NewCampaign.yaml b/Solutions/Vectra AI Detect/Analytic Rules/VectraDetect-NewCampaign.yaml
index 9f56235bff0..de2032d7ddf 100644
--- a/Solutions/Vectra AI Detect/Analytic Rules/VectraDetect-NewCampaign.yaml
+++ b/Solutions/Vectra AI Detect/Analytic Rules/VectraDetect-NewCampaign.yaml
@@ -5,12 +5,6 @@ description: |
 severity: Medium
 status: Available
 requiredDataConnectors:
- - connectorId: AIVectraDetect
- dataTypes:
- - CommonSecurityLog
- - connectorId: AIVectraDetectAma
- dataTypes:
- - CommonSecurityLog
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
@@ -64,5 +58,5 @@ customDetails:
 CampaignName: Activity
 CampaignReason: reason
 CampaignSourceHost: SourceHostName
-version: 1.2.0
+version: 1.2.3
 kind: Scheduled
diff --git a/Solutions/Vectra AI Detect/Analytic Rules/VectraDetect-Suspected-Behavior-by-Tactics.yaml b/Solutions/Vectra AI Detect/Analytic Rules/VectraDetect-Suspected-Behavior-by-Tactics.yaml
index ed8102c67c3..511e49a576f 100644
--- a/Solutions/Vectra AI Detect/Analytic Rules/VectraDetect-Suspected-Behavior-by-Tactics.yaml
+++ b/Solutions/Vectra AI Detect/Analytic Rules/VectraDetect-Suspected-Behavior-by-Tactics.yaml
@@ -6,12 +6,6 @@ description: |
 severity: Informational
 status: Available
 requiredDataConnectors:
- - connectorId: AIVectraDetect
- dataTypes:
- - CommonSecurityLog
- - connectorId: AIVectraDetectAma
- dataTypes:
- - CommonSecurityLog
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
@@ -102,5 +96,5 @@ alertDetailsOverride:
 customDetails:
 AttackType: Activity
 AttackCategory: Category
-version: 1.1.0
+version: 1.1.1
 kind: Scheduled
diff --git a/Solutions/Vectra AI Detect/Data/Solution_Vectra AI Detect.json b/Solutions/Vectra AI Detect/Data/Solution_Vectra AI Detect.json
index 86168021ded..82caecc95a9 100644
--- a/Solutions/Vectra AI Detect/Data/Solution_Vectra AI Detect.json
+++ b/Solutions/Vectra AI Detect/Data/Solution_Vectra AI Detect.json
@@ -2,11 +2,7 @@
 "Name": "Vectra AI Detect",
 "Author": "Vectra AI",
 "Logo": "",
- "Description": "The [Vectra AI Detect](https://www.vectra.ai/products/platform%22%20/t%20%22_blank) solution for Microsoft Sentinel enables you to ingest Vectra AI logs into Microsoft Sentinel, using the Common Event Format (CEF) for Security Monitoring.\n\r This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation. \n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.",
- "Data Connectors": [
- "Data Connectors/AIVectraDetect.json",
- "Data Connectors/template_AIVectraDetectAma.json"
- ],
+ "Description": "The [Vectra AI Detect](https://www.vectra.ai/products/platform%22%20/t%20%22_blank) solution for Microsoft Sentinel enables you to ingest Vectra AI logs into Microsoft Sentinel, using the Common Event Format (CEF) for Security Monitoring.\n\r This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation. \n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors were deprecated on **Aug 31, 2024.**",
 "Workbooks": [
 "Workbooks/AIVectraDetectWorkbook.json"
 ],
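Review bot: The rewritten Description line carries forward a broken vendor link, `https://www.vectra.ai/products/platform%22%20/t%20%22_blank`, where `%22%20/t%20%22_blank` is a URL-encoded `" /t "_blank` Word-hyperlink artifact that was pasted into the URL and will 404 or be rejected by the site. Since this commit already edits that string, it is the natural place to trim it to `https://www.vectra.ai/products/platform`; the same text is reproduced in the generated createUiDefinition.json and mainTemplate.json descriptions below, so those will pick up the fix on the next package build. While here, the `\n\r` after "Security Monitoring." is a reversed CRLF that renders inconsistently in Markdown and should match the `\n\n` used elsewhere in the same string.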
@@ -23,7 +19,7 @@
 "azuresentinel.azure-sentinel-solution-commoneventformat"
 ],
 "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Vectra AI Detect",
- "Version": "3.0.1",
+ "Version": "3.0.2",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true,
 "Is1PConnector": false
diff --git a/Solutions/Vectra AI Detect/Package/3.0.2.zip b/Solutions/Vectra AI Detect/Package/3.0.2.zip
new file mode 100644
index 00000000000..f618c206cc5
Binary files /dev/null and b/Solutions/Vectra AI Detect/Package/3.0.2.zip differ
diff --git a/Solutions/Vectra AI Detect/Package/createUiDefinition.json b/Solutions/Vectra AI Detect/Package/createUiDefinition.json
index bb309bfb74b..74014f15726 100644
--- a/Solutions/Vectra AI Detect/Package/createUiDefinition.json
+++ b/Solutions/Vectra AI Detect/Package/createUiDefinition.json
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Vectra%20AI%20Detect/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Vectra AI Detect](https://www.vectra.ai/products/platform%22%20/t%20%22_blank) solution for Microsoft Sentinel enables you to ingest Vectra AI logs into Microsoft Sentinel, using the Common Event Format (CEF) for Security Monitoring.\n\r This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation. \n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.\n\n**Data Connectors:** 2, **Workbooks:** 1, **Analytic Rules:** 7\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Vectra%20AI%20Detect/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Vectra AI Detect](https://www.vectra.ai/products/platform%22%20/t%20%22_blank) solution for Microsoft Sentinel enables you to ingest Vectra AI logs into Microsoft Sentinel, using the Common Event Format (CEF) for Security Monitoring.\n\r This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. 
The CEF solution will be installed as part of this solution installation. \n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors were deprecated on **Aug 31, 2024.**\n\n**Workbooks:** 1, **Analytic Rules:** 7\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", @@ -51,30 +51,6 @@ } ], "steps": [ - { - "name": "dataconnectors", - "label": "Data Connectors", - "bladeTitle": "Data Connectors", - "elements": [ - { - "name": "dataconnectors1-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This Solution installs the data connector for Vectra AI Detect. You can get Vectra AI Detect CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." - } - }, - { - "name": "dataconnectors-link2", - "type": "Microsoft.Common.TextBlock", - "options": { - "link": { - "label": "Learn more about connecting data sources", - "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources" - } - } - } - ] - }, { "name": "workbooks", "label": "Workbooks", diff --git a/Solutions/Vectra AI Detect/Package/mainTemplate.json b/Solutions/Vectra AI Detect/Package/mainTemplate.json index 06228dec2ec..6c56bf8cf55 100644 --- a/Solutions/Vectra AI Detect/Package/mainTemplate.json +++ b/Solutions/Vectra AI Detect/Package/mainTemplate.json 
@@ -39,27 +39,9 @@ }, "variables": { "_solutionName": "Vectra AI Detect", - "_solutionVersion": "3.0.1", + "_solutionVersion": "3.0.2", "solutionId": "vectraaiinc.ai_vectra_detect_mss", "_solutionId": "[variables('solutionId')]", - "uiConfigId1": "AIVectraDetect", - "_uiConfigId1": "[variables('uiConfigId1')]", - "dataConnectorContentId1": "AIVectraDetect", - "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", - "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "_dataConnectorId1": "[variables('dataConnectorId1')]", - "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", - "dataConnectorVersion1": "1.0.0", - "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", - "uiConfigId2": "AIVectraDetectAma", - "_uiConfigId2": "[variables('uiConfigId2')]", - "dataConnectorContentId2": "AIVectraDetectAma", - "_dataConnectorContentId2": "[variables('dataConnectorContentId2')]", - "dataConnectorId2": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", - "_dataConnectorId2": "[variables('dataConnectorId2')]", - "dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]", - "dataConnectorVersion2": "1.0.0", - "_dataConnectorcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','dc','-', 
uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]", "workbookVersion1": "1.1.1", "workbookContentId1": "AIVectraDetectWorkbook", "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]", 
@@ -68,787 +50,57 @@ "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]", "analyticRuleObject1": { - "analyticRuleVersion1": "1.0.7", + "analyticRuleVersion1": "1.0.9", "_analyticRulecontentId1": "321f9dbd-64b7-4541-81dc-08cf7732ccb0", "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '321f9dbd-64b7-4541-81dc-08cf7732ccb0')]", "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('321f9dbd-64b7-4541-81dc-08cf7732ccb0')))]", - "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','321f9dbd-64b7-4541-81dc-08cf7732ccb0','-', '1.0.7')))]" + "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','321f9dbd-64b7-4541-81dc-08cf7732ccb0','-', '1.0.9')))]" }, "analyticRuleObject2": { - "analyticRuleVersion2": "1.0.3", + "analyticRuleVersion2": "1.0.5", "_analyticRulecontentId2": "ce54b5d3-4c31-4eaf-a73e-31412270b6ab", "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'ce54b5d3-4c31-4eaf-a73e-31412270b6ab')]", "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('ce54b5d3-4c31-4eaf-a73e-31412270b6ab')))]", - "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','ce54b5d3-4c31-4eaf-a73e-31412270b6ab','-', '1.0.3')))]" + 
"_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','ce54b5d3-4c31-4eaf-a73e-31412270b6ab','-', '1.0.5')))]" }, "analyticRuleObject3": { - "analyticRuleVersion3": "1.0.8", + "analyticRuleVersion3": "1.1.0", "_analyticRulecontentId3": "39e48890-2c02-487e-aa9e-3ba494061798", "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '39e48890-2c02-487e-aa9e-3ba494061798')]", "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('39e48890-2c02-487e-aa9e-3ba494061798')))]", - "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','39e48890-2c02-487e-aa9e-3ba494061798','-', '1.0.8')))]" + "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','39e48890-2c02-487e-aa9e-3ba494061798','-', '1.1.0')))]" }, "analyticRuleObject4": { - "analyticRuleVersion4": "1.0.7", + "analyticRuleVersion4": "1.0.9", "_analyticRulecontentId4": "60eb6cf0-3fa1-44c1-b1fe-220fbee23d63", "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '60eb6cf0-3fa1-44c1-b1fe-220fbee23d63')]", "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('60eb6cf0-3fa1-44c1-b1fe-220fbee23d63')))]", - "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','60eb6cf0-3fa1-44c1-b1fe-220fbee23d63','-', '1.0.7')))]" + "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', 
uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','60eb6cf0-3fa1-44c1-b1fe-220fbee23d63','-', '1.0.9')))]" }, "analyticRuleObject5": { - "analyticRuleVersion5": "1.0.3", + "analyticRuleVersion5": "1.0.5", "_analyticRulecontentId5": "33e3b6da-2660-4cd7-9032-11be76db88d2", "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '33e3b6da-2660-4cd7-9032-11be76db88d2')]", "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('33e3b6da-2660-4cd7-9032-11be76db88d2')))]", - "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','33e3b6da-2660-4cd7-9032-11be76db88d2','-', '1.0.3')))]" + "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','33e3b6da-2660-4cd7-9032-11be76db88d2','-', '1.0.5')))]" }, "analyticRuleObject6": { - "analyticRuleVersion6": "1.1.8", + "analyticRuleVersion6": "1.2.3", "_analyticRulecontentId6": "a34d0338-eda0-42b5-8b93-32aae0d7a501", "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'a34d0338-eda0-42b5-8b93-32aae0d7a501')]", "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('a34d0338-eda0-42b5-8b93-32aae0d7a501')))]", - "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','a34d0338-eda0-42b5-8b93-32aae0d7a501','-', '1.1.8')))]" + "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','a34d0338-eda0-42b5-8b93-32aae0d7a501','-', '1.2.3')))]" }, "analyticRuleObject7": { - 
"analyticRuleVersion7": "1.0.9", + "analyticRuleVersion7": "1.1.1", "_analyticRulecontentId7": "6cb75f65-231f-46c4-a0b3-50ff21ee6ed3", "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '6cb75f65-231f-46c4-a0b3-50ff21ee6ed3')]", "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('6cb75f65-231f-46c4-a0b3-50ff21ee6ed3')))]", - "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','6cb75f65-231f-46c4-a0b3-50ff21ee6ed3','-', '1.0.9')))]" + "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','6cb75f65-231f-46c4-a0b3-50ff21ee6ed3','-', '1.1.1')))]" }, "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, "resources": [ - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Vectra AI Detect data connector with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion1')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId1')]", - "title": "[Deprecated] Vectra AI Detect via Legacy Agent", - "publisher": "Vectra AI", - "descriptionMarkdown": "The AI Vectra Detect connector allows users to connect Vectra Detect logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives users more insight into their organization's network and improves their security operation capabilities.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "AIVectraDetect", - "baseQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Vectra Networks\"\n| where DeviceProduct == \"X Series\"\n" - } - ], - "sampleQueries": [ - { - "description": "All logs", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Vectra Networks\"\n| where DeviceProduct == \"X Series\"\n| sort by TimeGenerated \n" - }, - { - "description": "Host Count by Severity", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Vectra Networks\" and DeviceEventClassID == \"hsc\"\n| extend src = coalesce(SourceHostName, SourceIP)\n| summarize arg_max(TimeGenerated, *) by src\n| extend status = case(FlexNumber1>=50 and FlexNumber2<50, \"High\", FlexNumber1>=50 and FlexNumber2>=50, \"Critical\", FlexNumber1<50 and FlexNumber2>=50, \"Medium\", FlexNumber1>0 and FlexNumber1<50 and FlexNumber2>0 and FlexNumber2<50,\"Low\", \"Other\")\n| where status != \"Other\"\n| summarize Count = count() by status" - }, - { - "description": "List of worst offenders", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Vectra Networks\" and DeviceEventClassID == \"hsc\"\n| extend src = coalesce(SourceHostName, 
SourceIP)\n| summarize arg_max(TimeGenerated, *) by src\n| sort by FlexNumber1 desc, FlexNumber2 desc\n| limit 10\n| project row_number(), src, SourceIP, FlexNumber1 , FlexNumber2, TimeGenerated\n| project-rename Sr_No = Column1, Source = src, Source_IP = SourceIP, Threat = FlexNumber1, Certainty = FlexNumber2, Latest_Detection = TimeGenerated" - }, - { - "description": "Top 10 Detection Types", - "query": "CommonSecurityLog\r\n| extend ExternalID = coalesce(column_ifexists(\"ExtID\", \"\"), tostring(ExternalID), \"\")\r\n| where DeviceVendor == \"Vectra Networks\" and DeviceEventClassID !in (\"health\", \"audit\", \"campaigns\", \"hsc\", \"asc\") and isnotnull(ExternalID)\r\n| summarize Count = count() by DeviceEventClassID\r\n| top 10 by Count desc" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (AIVectraDetect)", - "lastDataReceivedQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Vectra Networks\"\n| where DeviceProduct == \"X Series\"\n\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "\nCommonSecurityLog\n| where DeviceVendor == \"Vectra Networks\"\n| where DeviceProduct == \"X Series\"\n\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", - "innerSteps": [ - { - "title": "1.1 Select or create a Linux machine", - "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." - }, - { - "title": "1.2 Install the CEF collector on the Linux machine", - "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 over TCP, UDP or TLS.\n\n> 1. Make sure that you have Python on your machine using the following command: python --version.\n\n> 2. You must have elevated permissions (sudo) on your machine.", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId", - "PrimaryKey" - ], - "label": "Run the following command to install and apply the CEF collector:", - "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}" - }, - "type": "CopyableLabel" - } - ] - } - ], - "title": "1. 
Linux Syslog agent configuration" - }, - { - "description": "Configure Vectra (X Series) Agent to forward Syslog messages in CEF format to your Microsoft Sentinel workspace via the Syslog agent.\n\nFrom the Vectra UI, navigate to Settings > Notifications and Edit Syslog configuration. Follow below instructions to set up the connection:\n\n- Add a new Destination (which is the host where the Microsoft Sentinel Syslog Agent is running)\n\n- Set the Port as **514**\n\n- Set the Protocol as **UDP**\n\n- Set the format to **CEF**\n\n- Set Log types (Select all log types available)\n\n- Click on **Save**\n\nUser can click the **Test** button to force send some test events.\n\n For more information, refer to Cognito Detect Syslog Guide which can be downloaded from the ressource page in Detect UI.", - "title": "2. Forward AI Vectra Detect logs to Syslog agent in CEF format" - }, - { - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python --version\n\n>2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}" - }, - "type": "CopyableLabel" - } - ], - "title": "3. Validate connection" - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "4. 
Secure your machine " - } - ], - "metadata": { - "id": "2de7b355-5f0b-4eb1-a264-629314ef86e5", - "version": "1.0.0", - "kind": "dataConnector", - "source": { - "kind": "community" - }, - "author": { - "name": "Vectra AI" - }, - "support": { - "name": "Vectra AI", - "link": "https://www.vectra.ai/support", - "tier": "developer" - } - } - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "Vectra AI Detect", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Vectra AI" - }, - "support": { - "name": "Vectra AI", - "tier": "Partner", - "email": "support@vectra.ai", - "link": "https://www.vectra.ai/support" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId1')]", - "contentKind": "DataConnector", - "displayName": "[Deprecated] Vectra AI Detect via Legacy Agent", - "contentProductId": "[variables('_dataConnectorcontentProductId1')]", - "id": "[variables('_dataConnectorcontentProductId1')]", - "version": "[variables('dataConnectorVersion1')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId1')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "Vectra AI Detect", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Vectra AI" - }, - "support": { - "name": "Vectra AI", - "tier": "Partner", - "email": "support@vectra.ai", - "link": "https://www.vectra.ai/support" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "[Deprecated] Vectra AI Detect via Legacy Agent", - "publisher": "Vectra AI", - "descriptionMarkdown": "The AI Vectra Detect connector allows users to connect Vectra Detect logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. 
This gives users more insight into their organization's network and improves their security operation capabilities.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "AIVectraDetect", - "baseQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Vectra Networks\"\n| where DeviceProduct == \"X Series\"\n" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (AIVectraDetect)", - "lastDataReceivedQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Vectra Networks\"\n| where DeviceProduct == \"X Series\"\n\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "\nCommonSecurityLog\n| where DeviceVendor == \"Vectra Networks\"\n| where DeviceProduct == \"X Series\"\n\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "sampleQueries": [ - { - "description": "All logs", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Vectra Networks\"\n| where DeviceProduct == \"X Series\"\n| sort by TimeGenerated \n" - }, - { - "description": "Host Count by Severity", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Vectra Networks\" and DeviceEventClassID == \"hsc\"\n| extend src = coalesce(SourceHostName, SourceIP)\n| summarize arg_max(TimeGenerated, *) by src\n| extend status = case(FlexNumber1>=50 and FlexNumber2<50, \"High\", FlexNumber1>=50 and FlexNumber2>=50, \"Critical\", FlexNumber1<50 and FlexNumber2>=50, \"Medium\", FlexNumber1>0 and FlexNumber1<50 and FlexNumber2>0 and FlexNumber2<50,\"Low\", \"Other\")\n| where status != \"Other\"\n| summarize Count = count() by status" - }, - { - "description": "List of worst offenders", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Vectra Networks\" and DeviceEventClassID == \"hsc\"\n| extend src = coalesce(SourceHostName, SourceIP)\n| summarize arg_max(TimeGenerated, *) by src\n| sort by FlexNumber1 
desc, FlexNumber2 desc\n| limit 10\n| project row_number(), src, SourceIP, FlexNumber1 , FlexNumber2, TimeGenerated\n| project-rename Sr_No = Column1, Source = src, Source_IP = SourceIP, Threat = FlexNumber1, Certainty = FlexNumber2, Latest_Detection = TimeGenerated" - }, - { - "description": "Top 10 Detection Types", - "query": "CommonSecurityLog\r\n| extend ExternalID = coalesce(column_ifexists(\"ExtID\", \"\"), tostring(ExternalID), \"\")\r\n| where DeviceVendor == \"Vectra Networks\" and DeviceEventClassID !in (\"health\", \"audit\", \"campaigns\", \"hsc\", \"asc\") and isnotnull(ExternalID)\r\n| summarize Count = count() by DeviceEventClassID\r\n| top 10 by Count desc" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", - "innerSteps": [ - { - "title": "1.1 Select or create a Linux machine", - "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." - }, - { - "title": "1.2 Install the CEF collector on the Linux machine", - "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 over TCP, UDP or TLS.\n\n> 1. Make sure that you have Python on your machine using the following command: python --version.\n\n> 2. You must have elevated permissions (sudo) on your machine.", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId", - "PrimaryKey" - ], - "label": "Run the following command to install and apply the CEF collector:", - "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}" - }, - "type": "CopyableLabel" - } - ] - } - ], - "title": "1. 
Linux Syslog agent configuration" - }, - { - "description": "Configure Vectra (X Series) Agent to forward Syslog messages in CEF format to your Microsoft Sentinel workspace via the Syslog agent.\n\nFrom the Vectra UI, navigate to Settings > Notifications and Edit Syslog configuration. Follow below instructions to set up the connection:\n\n- Add a new Destination (which is the host where the Microsoft Sentinel Syslog Agent is running)\n\n- Set the Port as **514**\n\n- Set the Protocol as **UDP**\n\n- Set the format to **CEF**\n\n- Set Log types (Select all log types available)\n\n- Click on **Save**\n\nUser can click the **Test** button to force send some test events.\n\n For more information, refer to Cognito Detect Syslog Guide which can be downloaded from the ressource page in Detect UI.", - "title": "2. Forward AI Vectra Detect logs to Syslog agent in CEF format" - }, - { - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python --version\n\n>2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}" - }, - "type": "CopyableLabel" - } - ], - "title": "3. Validate connection" - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "4. 
Secure your machine " - } - ], - "id": "[variables('_uiConfigId1')]" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName2')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Vectra AI Detect data connector with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion2')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId2')]", - "title": "[Deprecated] Vectra AI Detect via AMA", - "publisher": "Vectra AI", - "descriptionMarkdown": "The AI Vectra Detect connector allows users to connect Vectra Detect logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. 
This gives users more insight into their organization's network and improves their security operation capabilities.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "AIVectraDetect", - "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Vectra Networks' \n |where DeviceProduct=~ 'X Series'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" - } - ], - "sampleQueries": [ - { - "description": "All logs", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Vectra Networks\"\n| where DeviceProduct == \"X Series\"\n| sort by TimeGenerated \n" - }, - { - "description": "Host Count by Severity", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Vectra Networks\" and DeviceEventClassID == \"hsc\"\n| extend src = coalesce(SourceHostName, SourceIP)\n| summarize arg_max(TimeGenerated, *) by src\n| extend status = case(FlexNumber1>=50 and FlexNumber2<50, \"High\", FlexNumber1>=50 and FlexNumber2>=50, \"Critical\", FlexNumber1<50 and FlexNumber2>=50, \"Medium\", FlexNumber1>0 and FlexNumber1<50 and FlexNumber2>0 and FlexNumber2<50,\"Low\", \"Other\")\n| where status != \"Other\"\n| summarize Count = count() by status" - }, - { - "description": "List of worst offenders", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Vectra Networks\" and DeviceEventClassID == \"hsc\"\n| extend src = coalesce(SourceHostName, SourceIP)\n| summarize arg_max(TimeGenerated, *) by src\n| sort by FlexNumber1 desc, FlexNumber2 desc\n| limit 10\n| project row_number(), src, SourceIP, FlexNumber1 , FlexNumber2, TimeGenerated\n| project-rename Sr_No = Column1, Source = src, Source_IP = SourceIP, Threat = FlexNumber1, Certainty = FlexNumber2, Latest_Detection = TimeGenerated" - }, - { - "description": "Top 10 Detection Types", - "query": "CommonSecurityLog\r\n| extend ExternalID = coalesce(column_ifexists(\"ExtID\", \"\"), tostring(ExternalID), \"\")\r\n| where DeviceVendor == \"Vectra Networks\" and 
DeviceEventClassID !in (\"health\", \"audit\", \"campaigns\", \"hsc\", \"asc\") and isnotnull(ExternalID)\r\n| summarize Count = count() by DeviceEventClassID\r\n| top 10 by Count desc" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (AIVectraDetect)", - "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Vectra Networks' \n |where DeviceProduct=~ 'X Series'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "CommonSecurityLog\n |where DeviceVendor =~ 'Vectra Networks' \n |where DeviceProduct=~ 'X Series'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. 
[Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" - }, - { - "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" - } - ] - }, - "instructionSteps": [ - { - "instructions": [ - { - "parameters": { - "title": "1. Kindly follow the steps to configure the data connector", - "instructionSteps": [ - { - "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", - "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine" - }, - { - "title": "Step B. Forward AI Vectra Detect logs to Syslog agent in CEF format", - "description": "Configure Vectra (X Series) Agent to forward Syslog messages in CEF format to your Microsoft Sentinel workspace via the Syslog agent.\n\nFrom the Vectra UI, navigate to Settings > Notifications and Edit Syslog configuration. 
Follow below instructions to set up the connection:\n\n- Add a new Destination (which is the host where the Microsoft Sentinel Syslog Agent is running)\n\n- Set the Port as **514**\n\n- Set the Protocol as **UDP**\n\n- Set the format to **CEF**\n\n- Set Log types (Select all log types available)\n\n- Click on **Save**\n\nUser can click the **Test** button to force send some test events.\n\n For more information, refer to Cognito Detect Syslog Guide which can be downloaded from the ressource page in Detect UI."
- },
- {
- "title": "Step C. Validate connection",
- "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine",
- "instructions": [
- {
- "parameters": {
- "label": "Run the following command to validate your connectivity:",
- "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef"
- },
- "type": "CopyableLabel"
- }
- ]
- }
- ]
- },
- "type": "InstructionStepsGroup"
- }
- ]
- },
- {
- "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
- "title": "2. 
Secure your machine "
- }
- ],
- "metadata": {
- "id": "2de7b355-5f0b-4eb1-a264-629314ef86e5",
- "version": "1.0.0",
- "kind": "dataConnector",
- "source": {
- "kind": "community"
- },
- "author": {
- "name": "Vectra AI"
- },
- "support": {
- "name": "Vectra AI",
- "link": "https://www.vectra.ai/support",
- "tier": "developer"
- }
- }
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
- "contentId": "[variables('_dataConnectorContentId2')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion2')]",
- "source": {
- "kind": "Solution",
- "name": "Vectra AI Detect",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Vectra AI"
- },
- "support": {
- "name": "Vectra AI",
- "tier": "Partner",
- "email": "support@vectra.ai",
- "link": "https://www.vectra.ai/support"
- }
- }
- }
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_dataConnectorContentId2')]",
- "contentKind": "DataConnector",
- "displayName": "[Deprecated] Vectra AI Detect via AMA",
- "contentProductId": "[variables('_dataConnectorcontentProductId2')]",
- "id": "[variables('_dataConnectorcontentProductId2')]",
- "version": "[variables('dataConnectorVersion2')]"
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]",
- "dependsOn": [
- "[variables('_dataConnectorId2')]"
- ],
- "location": "[parameters('workspace-location')]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
- "contentId": "[variables('_dataConnectorContentId2')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion2')]",
- "source": {
- "kind": "Solution",
- "name": "Vectra AI Detect",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Vectra AI"
- },
- "support": {
- "name": "Vectra AI",
- "tier": "Partner",
- "email": "support@vectra.ai",
- "link": "https://www.vectra.ai/support"
- }
- }
- },
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
- "properties": {
- "connectorUiConfig": {
- "title": "[Deprecated] Vectra AI Detect via AMA",
- "publisher": "Vectra AI",
- "descriptionMarkdown": "The AI Vectra Detect connector allows users to connect Vectra Detect logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. 
This gives users more insight into their organization's network and improves their security operation capabilities.",
- "graphQueries": [
- {
- "metricName": "Total data received",
- "legend": "AIVectraDetect",
- "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Vectra Networks' \n |where DeviceProduct=~ 'X Series'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)"
- }
- ],
- "dataTypes": [
- {
- "name": "CommonSecurityLog (AIVectraDetect)",
- "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Vectra Networks' \n |where DeviceProduct=~ 'X Series'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "CommonSecurityLog\n |where DeviceVendor =~ 'Vectra Networks' \n |where DeviceProduct=~ 'X Series'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
- ]
- }
- ],
- "sampleQueries": [
- {
- "description": "All logs",
- "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Vectra Networks\"\n| where DeviceProduct == \"X Series\"\n| sort by TimeGenerated \n"
- },
- {
- "description": "Host Count by Severity",
- "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Vectra Networks\" and DeviceEventClassID == \"hsc\"\n| extend src = coalesce(SourceHostName, SourceIP)\n| summarize arg_max(TimeGenerated, *) by src\n| extend status = case(FlexNumber1>=50 and FlexNumber2<50, \"High\", FlexNumber1>=50 and FlexNumber2>=50, \"Critical\", FlexNumber1<50 and FlexNumber2>=50, \"Medium\", FlexNumber1>0 and FlexNumber1<50 and FlexNumber2>0 and FlexNumber2<50,\"Low\", \"Other\")\n| where status != \"Other\"\n| summarize Count = count() by status"
- },
- {
- 
"description": "List of worst offenders",
- "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Vectra Networks\" and DeviceEventClassID == \"hsc\"\n| extend src = coalesce(SourceHostName, SourceIP)\n| summarize arg_max(TimeGenerated, *) by src\n| sort by FlexNumber1 desc, FlexNumber2 desc\n| limit 10\n| project row_number(), src, SourceIP, FlexNumber1 , FlexNumber2, TimeGenerated\n| project-rename Sr_No = Column1, Source = src, Source_IP = SourceIP, Threat = FlexNumber1, Certainty = FlexNumber2, Latest_Detection = TimeGenerated"
- },
- {
- "description": "Top 10 Detection Types",
- "query": "CommonSecurityLog\r\n| extend ExternalID = coalesce(column_ifexists(\"ExtID\", \"\"), tostring(ExternalID), \"\")\r\n| where DeviceVendor == \"Vectra Networks\" and DeviceEventClassID !in (\"health\", \"audit\", \"campaigns\", \"hsc\", \"asc\") and isnotnull(ExternalID)\r\n| summarize Count = count() by DeviceEventClassID\r\n| top 10 by Count desc"
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "read": true,
- "write": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ],
- "customs": [
- {
- "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. 
[Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
- },
- {
- "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)"
- }
- ]
- },
- "instructionSteps": [
- {
- "instructions": [
- {
- "parameters": {
- "title": "1. Kindly follow the steps to configure the data connector",
- "instructionSteps": [
- {
- "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector",
- "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine"
- },
- {
- "title": "Step B. Forward AI Vectra Detect logs to Syslog agent in CEF format",
- "description": "Configure Vectra (X Series) Agent to forward Syslog messages in CEF format to your Microsoft Sentinel workspace via the Syslog agent.\n\nFrom the Vectra UI, navigate to Settings > Notifications and Edit Syslog configuration. 
Follow below instructions to set up the connection:\n\n- Add a new Destination (which is the host where the Microsoft Sentinel Syslog Agent is running)\n\n- Set the Port as **514**\n\n- Set the Protocol as **UDP**\n\n- Set the format to **CEF**\n\n- Set Log types (Select all log types available)\n\n- Click on **Save**\n\nUser can click the **Test** button to force send some test events.\n\n For more information, refer to Cognito Detect Syslog Guide which can be downloaded from the ressource page in Detect UI."
- },
- {
- "title": "Step C. Validate connection",
- "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine",
- "instructions": [
- {
- "parameters": {
- "label": "Run the following command to validate your connectivity:",
- "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef"
- },
- "type": "CopyableLabel"
- }
- ]
- }
- ]
- },
- "type": "InstructionStepsGroup"
- }
- ]
- },
- {
- "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
- "title": "2. Secure your machine "
- }
- ],
- "id": "[variables('_uiConfigId2')]"
- }
- }
- },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
@@ -858,7 +110,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AIVectraDetectWorkbook Workbook with template version 3.0.1",
+ "description": "AIVectraDetectWorkbook Workbook with template version 3.0.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion1')]",
@@ -949,7 +201,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "VectraDetect-Account-by-Severity_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "VectraDetect-Account-by-Severity_AnalyticalRules Analytics Rule with template version 3.0.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@@ -977,22 +229,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "CefAma",
 "dataTypes": [
 "CommonSecurityLog"
- ],
- "connectorId": "AIVectraDetect"
- },
- {
- "dataTypes": [
- "CommonSecurityLog"
- ],
- "connectorId": "AIVectraDetectAma"
- },
- {
- "dataTypes": [
- "CommonSecurityLog"
- ],
- "connectorId": "CefAma"
+ ]
 }
 ],
 "tactics": [
@@ -1004,6 +244,15 @@
 "Exfiltration",
 "Impact"
 ],
+ "techniques": [
+ "T1003",
+ "T1087",
+ "T1021",
+ "T1119",
+ "T1071",
+ "T1041",
+ "T1499"
+ ],
 "entityMappings": [
 {
 "entityType": "Account",
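Review bot: The `techniques` array added after `"Impact"` attaches the same seven IDs (`T1003`, `T1087`, `T1021`, `T1119`, `T1071`, `T1041`, `T1499`) to this Account-by-Severity rule, and the identical list is added again in the hunks for Account-Detections, HighSeverityDetection-by-Tactics, Host-by-Severity, Host-Detections and Suspected-Behavior-by-Tactics; only NewCampaign gets a list of its own. Sentinel's MITRE coverage view is built from these per-rule tags, so a blanket list over-reports coverage for any rule whose query only matches a subset of those behaviours, and each rule's query, which lies outside these hunks, should be checked before the tags are kept. If the intent is one technique per declared tactic, the list should be trimmed per rule to the tactics that rule actually lists. The enclosing rule template starts and ends outside the hunk.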
@@ -1028,34 +277,34 @@
 "alertDetailsOverride": {
 "alertDynamicProperties": [
 {
- "value": "vectra_URL",
- "alertProperty": "AlertLink"
+ "alertProperty": "AlertLink",
+ "value": "vectra_URL"
 },
 {
- "value": "DeviceProduct",
- "alertProperty": "ProductName"
+ "alertProperty": "ProductName",
+ "value": "DeviceProduct"
 },
 {
- "value": "DeviceVendor",
- "alertProperty": "ProviderName"
+ "alertProperty": "ProviderName",
+ "value": "DeviceVendor"
 },
 {
- "value": "certainty_score",
- "alertProperty": "ConfidenceScore"
+ "alertProperty": "ConfidenceScore",
+ "value": "certainty_score"
 }
 ],
+ "alertDescriptionFormat": "The account {{saccount}} has a threat score of {{threat_score}} and a\ncertainty of {{certainty_score}}\n",
 "alertDisplayNameFormat": "Vectra AI Detect - Account {{saccount}} reaches {{level}} severity",
- "alertSeverityColumnName": "Severity",
- "alertDescriptionFormat": "The account {{saccount}} has a threat score of {{threat_score}} and a\ncertainty of {{certainty_score}}\n"
+ "alertSeverityColumnName": "Severity"
 },
 "incidentConfiguration": {
+ "createIncident": true,
 "groupingConfiguration": {
+ "matchingMethod": "AllEntities",
 "reopenClosedIncident": true,
- "lookbackDuration": "7d",
 "enabled": true,
- "matchingMethod": "AllEntities"
- },
- "createIncident": true
+ "lookbackDuration": "7d"
+ }
 }
 }
 },
@@ -1109,7 +358,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "VectraDetect-Account-Detections_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "VectraDetect-Account-Detections_AnalyticalRules Analytics Rule with template version 3.0.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
@@ -1137,22 +386,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "CefAma",
 "dataTypes": [
 "CommonSecurityLog"
- ],
- "connectorId": "AIVectraDetect"
- },
- {
- "dataTypes": [
- "CommonSecurityLog"
- ],
- "connectorId": "AIVectraDetectAma"
- },
- {
- "dataTypes": [
- "CommonSecurityLog"
- ],
- "connectorId": "CefAma"
+ ]
 }
 ],
 "tactics": [
@@ -1164,6 +401,15 @@
 "Exfiltration",
 "Impact"
 ],
+ "techniques": [
+ "T1003",
+ "T1087",
+ "T1021",
+ "T1119",
+ "T1071",
+ "T1041",
+ "T1499"
+ ],
 "entityMappings": [
 {
 "entityType": "Account",
@@ -1183,31 +429,31 @@
 "aggregationKind": "AlertPerResult"
 },
 "customDetails": {
- "AttackType": "Activity",
- "AttackCategory": "Category"
+ "AttackCategory": "Category",
+ "AttackType": "Activity"
 },
 "alertDetailsOverride": {
 "alertDynamicProperties": [
 {
- "value": "vectra_URL",
- "alertProperty": "AlertLink"
+ "alertProperty": "AlertLink",
+ "value": "vectra_URL"
 },
 {
- "value": "DeviceProduct",
- "alertProperty": "ProductName"
+ "alertProperty": "ProductName",
+ "value": "DeviceProduct"
 },
 {
- "value": "DeviceVendor",
- "alertProperty": "ProviderName"
+ "alertProperty": "ProviderName",
+ "value": "DeviceVendor"
 },
 {
- "value": "certainty_score",
- "alertProperty": "ConfidenceScore"
+ "alertProperty": "ConfidenceScore",
+ "value": "certainty_score"
 }
 ],
+ "alertDescriptionFormat": "Entity is an account. Category is {{Category}}. Threat score is {{threat_score}} and certainty score is {{certainty_score}}.\n",
 "alertDisplayNameFormat": "Vectra AI - {{Activity}} Detected",
- "alertSeverityColumnName": "Severity",
- "alertDescriptionFormat": "Entity is an account. Category is {{Category}}. Threat score is {{threat_score}} and certainty score is {{certainty_score}}.\n"
+ "alertSeverityColumnName": "Severity"
 }
 }
 },
@@ -1261,7 +507,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "VectraDetect-HighSeverityDetection-by-Tactics_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "VectraDetect-HighSeverityDetection-by-Tactics_AnalyticalRules Analytics Rule with template version 3.0.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]",
@@ -1289,22 +535,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "CefAma",
 "dataTypes": [
 "CommonSecurityLog"
- ],
- "connectorId": "AIVectraDetect"
- },
- {
- "dataTypes": [
- "CommonSecurityLog"
- ],
- "connectorId": "AIVectraDetectAma"
- },
- {
- "dataTypes": [
- "CommonSecurityLog"
- ],
- "connectorId": "CefAma"
+ ]
 }
 ],
 "tactics": [
@@ -1316,6 +550,15 @@
 "Exfiltration",
 "Impact"
 ],
+ "techniques": [
+ "T1003",
+ "T1087",
+ "T1021",
+ "T1119",
+ "T1071",
+ "T1041",
+ "T1499"
+ ],
 "entityMappings": [
 {
 "entityType": "Host",
@@ -1344,40 +587,40 @@
 "aggregationKind": "AlertPerResult"
 },
 "customDetails": {
- "AttackType": "Activity",
- "AttackCategory": "Category"
+ "AttackCategory": "Category",
+ "AttackType": "Activity"
 },
 "alertDetailsOverride": {
 "alertDynamicProperties": [
 {
- "value": "vectra_URL",
- "alertProperty": "AlertLink"
+ "alertProperty": "AlertLink",
+ "value": "vectra_URL"
 },
 {
- "value": "DeviceProduct",
- "alertProperty": "ProductName"
+ "alertProperty": "ProductName",
+ "value": "DeviceProduct"
 },
 {
- "value": "DeviceVendor",
- "alertProperty": "ProviderName"
+ "alertProperty": "ProviderName",
+ "value": "DeviceVendor"
 },
 {
- "value": "certainty_score",
- "alertProperty": "ConfidenceScore"
+ "alertProperty": "ConfidenceScore",
+ "value": "certainty_score"
 }
 ],
+ "alertDescriptionFormat": "Source entity is {{source_entity}} and category is {{Category}}. Threat score is {{threat_score}}.",
 "alertDisplayNameFormat": "Vectra AI Detect - {{Activity}} detected",
- "alertSeverityColumnName": "Severity",
- "alertDescriptionFormat": "Source entity is {{source_entity}} and category is {{Category}}. Threat score is {{threat_score}}."
+ "alertSeverityColumnName": "Severity"
 },
 "incidentConfiguration": {
+ "createIncident": true,
 "groupingConfiguration": {
+ "matchingMethod": "AllEntities",
 "reopenClosedIncident": true,
- "lookbackDuration": "7d",
 "enabled": true,
- "matchingMethod": "AllEntities"
- },
- "createIncident": true
+ "lookbackDuration": "7d"
+ }
 }
 }
 },
@@ -1431,7 +674,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "VectraDetect-Host-by-Severity_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "VectraDetect-Host-by-Severity_AnalyticalRules Analytics Rule with template version 3.0.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]",
@@ -1459,22 +702,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "CefAma",
 "dataTypes": [
 "CommonSecurityLog"
- ],
- "connectorId": "AIVectraDetect"
- },
- {
- "dataTypes": [
- "CommonSecurityLog"
- ],
- "connectorId": "AIVectraDetectAma"
- },
- {
- "dataTypes": [
- "CommonSecurityLog"
- ],
- "connectorId": "CefAma"
+ ]
 }
 ],
 "tactics": [
@@ -1486,6 +717,15 @@
 "Exfiltration",
 "Impact"
 ],
+ "techniques": [
+ "T1003",
+ "T1087",
+ "T1021",
+ "T1119",
+ "T1071",
+ "T1041",
+ "T1499"
+ ],
 "entityMappings": [
 {
 "entityType": "Host",
@@ -1506,34 +746,34 @@
 "alertDetailsOverride": {
 "alertDynamicProperties": [
 {
- "value": "vectra_URL",
- "alertProperty": "AlertLink"
+ "alertProperty": "AlertLink",
+ "value": "vectra_URL"
 },
 {
- "value": "DeviceProduct",
- "alertProperty": "ProductName"
+ "alertProperty": "ProductName",
+ "value": "DeviceProduct"
 },
 {
- "value": "DeviceVendor",
- "alertProperty": "ProviderName"
+ "alertProperty": "ProviderName",
+ "value": "DeviceVendor"
 },
 {
- "value": "certainty_score",
- "alertProperty": "ConfidenceScore"
+ "alertProperty": "ConfidenceScore",
+ "value": "certainty_score"
 }
 ],
+ "alertDescriptionFormat": "The host {{SourceHostName}} has a Threat score of {{threat_score}} and a\ncertainty of {{certainty_score}}\n",
 "alertDisplayNameFormat": "Vectra AI Detect - Host {{SourceHostName}} reaches {{level}} severity",
- "alertSeverityColumnName": "Severity",
- "alertDescriptionFormat": "The host {{SourceHostName}} has a Threat score of {{threat_score}} and a\ncertainty of {{certainty_score}}\n"
+ "alertSeverityColumnName": "Severity"
 },
 "incidentConfiguration": {
+ "createIncident": true,
 "groupingConfiguration": {
+ "matchingMethod": "AllEntities",
 "reopenClosedIncident": true,
- "lookbackDuration": "7d",
 "enabled": true,
- "matchingMethod": "AllEntities"
- },
- "createIncident": true
+ "lookbackDuration": "7d"
+ }
 }
 }
 },
@@ -1587,7 +827,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "VectraDetect-Host-Detections_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "VectraDetect-Host-Detections_AnalyticalRules Analytics Rule with template version 3.0.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]",
@@ -1615,22 +855,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "CefAma",
 "dataTypes": [
 "CommonSecurityLog"
- ],
- "connectorId": "AIVectraDetect"
- },
- {
- "dataTypes": [
- "CommonSecurityLog"
- ],
- "connectorId": "AIVectraDetectAma"
- },
- {
- "dataTypes": [
- "CommonSecurityLog"
- ],
- "connectorId": "CefAma"
+ ]
 }
 ],
 "tactics": [
@@ -1642,6 +870,15 @@
 "Exfiltration",
 "Impact"
 ],
+ "techniques": [
+ "T1003",
+ "T1087",
+ "T1021",
+ "T1119",
+ "T1071",
+ "T1041",
+ "T1499"
+ ],
 "entityMappings": [
 {
 "entityType": "Host",
@@ -1657,31 +894,31 @@
 "aggregationKind": "AlertPerResult"
 },
 "customDetails": {
- "AttackType": "Activity",
- "AttackCategory": "Category"
+ "AttackCategory": "Category",
+ "AttackType": "Activity"
 },
 "alertDetailsOverride": {
 "alertDynamicProperties": [
 {
- "value": "vectra_URL",
- "alertProperty": "AlertLink"
+ "alertProperty": "AlertLink",
+ "value": "vectra_URL"
 },
 {
- "value": "DeviceProduct",
- "alertProperty": "ProductName"
+ "alertProperty": "ProductName",
+ "value": "DeviceProduct"
 },
 {
- "value": "DeviceVendor",
- "alertProperty": "ProviderName"
+ "alertProperty": "ProviderName",
+ "value": "DeviceVendor"
 },
 {
- "value": "certainty_score",
- "alertProperty": "ConfidenceScore"
+ "alertProperty": "ConfidenceScore",
+ "value": "certainty_score"
 }
 ],
+ "alertDescriptionFormat": "Entity is a host. Category is {{Category}}. Threat score is {{threat_score}} and certainty score is {{certainty_score}}.\n",
 "alertDisplayNameFormat": "Vectra AI - {{Activity}} Detected",
- "alertSeverityColumnName": "Severity",
- "alertDescriptionFormat": "Entity is a host. Category is {{Category}}. Threat score is {{threat_score}} and certainty score is {{certainty_score}}.\n"
+ "alertSeverityColumnName": "Severity"
 }
 }
 },
@@ -1735,7 +972,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "VectraDetect-NewCampaign_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "VectraDetect-NewCampaign_AnalyticalRules Analytics Rule with template version 3.0.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]",
@@ -1763,28 +1000,20 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "CefAma",
 "dataTypes": [
 "CommonSecurityLog"
- ],
- "connectorId": "AIVectraDetect"
- },
- {
- "dataTypes": [
- "CommonSecurityLog"
- ],
- "connectorId": "AIVectraDetectAma"
- },
- {
- "dataTypes": [
- "CommonSecurityLog"
- ],
- "connectorId": "CefAma"
+ ]
 }
 ],
 "tactics": [
 "LateralMovement",
 "CommandAndControl"
 ],
+ "techniques": [
+ "T1021",
+ "T1071"
+ ],
 "entityMappings": [
 {
 "entityType": "DNS",
@@ -1797,36 +1026,36 @@
 }
 ],
 "customDetails": {
- "CampaignSourceHost": "SourceHostName",
+ "CampaignName": "Activity",
 "CampaignReason": "reason",
- "CampaignName": "Activity"
+ "CampaignSourceHost": "SourceHostName"
 },
 "alertDetailsOverride": {
- "alertDisplayNameFormat": "Vectra AI - New Campaign Detected",
 "alertDynamicProperties": [
 {
- "value": "vectra_URL",
- "alertProperty": "AlertLink"
+ "alertProperty": "AlertLink",
+ "value": "vectra_URL"
 },
 {
- "value": "DeviceProduct",
- "alertProperty": "ProductName"
+ "alertProperty": "ProductName",
+ "value": "DeviceProduct"
 },
 {
- "value": "DeviceVendor",
- "alertProperty": "ProviderName"
+ "alertProperty": "ProviderName",
+ "value": "DeviceVendor"
 }
 ],
- "alertDescriptionFormat": "A new campaign named {{Activity}} has been detected (reason is {{reason}})\n"
+ "alertDescriptionFormat": "A new campaign named {{Activity}} has been detected (reason is {{reason}})\n",
+ "alertDisplayNameFormat": "Vectra AI - New Campaign Detected"
 },
 "incidentConfiguration": {
+ "createIncident": true,
 "groupingConfiguration": {
+ "matchingMethod": "AllEntities",
 "reopenClosedIncident": true,
- "lookbackDuration": "7d",
 "enabled": true,
- "matchingMethod": "AllEntities"
- },
- "createIncident": true
+ "lookbackDuration": "7d"
+ }
 }
 }
 },
@@ -1880,7 +1109,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "VectraDetect-Suspected-Behavior-by-Tactics_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "VectraDetect-Suspected-Behavior-by-Tactics_AnalyticalRules Analytics Rule with template version 3.0.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]",
@@ -1908,22 +1137,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "CefAma",
 "dataTypes": [
 "CommonSecurityLog"
- ],
- "connectorId": "AIVectraDetect"
- },
- {
- "dataTypes": [
- "CommonSecurityLog"
- ],
- "connectorId": "AIVectraDetectAma"
- },
- {
- "dataTypes": [
- "CommonSecurityLog"
- ],
- "connectorId": "CefAma"
+ ]
 }
 ],
 "tactics": [
@@ -1935,6 +1152,15 @@
 "Exfiltration",
 "Impact"
 ],
+ "techniques": [
+ "T1003",
+ "T1087",
+ "T1021",
+ "T1119",
+ "T1071",
+ "T1041",
+ "T1499"
+ ],
 "entityMappings": [
 {
 "entityType": "Host",
@@ -1963,31 +1189,31 @@
 "aggregationKind": "AlertPerResult"
 },
 "customDetails": {
- "AttackType": "Activity",
- "AttackCategory": "Category"
+ "AttackCategory": "Category",
+ "AttackType": "Activity"
 },
 "alertDetailsOverride": {
 "alertDynamicProperties": [
 {
- "value": "vectra_URL",
- "alertProperty": "AlertLink"
+ "alertProperty": "AlertLink",
+ "value": "vectra_URL"
 },
 {
- "value": "DeviceProduct",
- "alertProperty": "ProductName"
+ "alertProperty": "ProductName",
+ "value": "DeviceProduct"
 },
 {
- "value": "DeviceVendor",
- "alertProperty": "ProviderName"
+ "alertProperty": "ProviderName",
+ "value": "DeviceVendor"
 },
 {
- "value": "certainty_score",
- "alertProperty": "ConfidenceScore"
+ "alertProperty": "ConfidenceScore",
+ "value": "certainty_score"
 }
 ],
+ "alertDescriptionFormat": "Source entity is {{source_entity}} and category is {{Category}}. Threat score is {{threat_score}}.",
 "alertDisplayNameFormat": "Vectra AI Detect - {{Activity}} detected",
- "alertSeverityColumnName": "Severity",
- "alertDescriptionFormat": "Source entity is {{source_entity}} and category is {{Category}}. Threat score is {{threat_score}}."
+ "alertSeverityColumnName": "Severity"
 }
 }
 },
@@ -2037,12 +1263,12 @@
 "apiVersion": "2023-04-01-preview",
 "location": "[parameters('workspace-location')]",
 "properties": {
- "version": "3.0.1",
+ "version": "3.0.2",
 "kind": "Solution",
 "contentSchemaVersion": "3.0.0",
 "displayName": "Vectra AI Detect",
 "publisherDisplayName": "Vectra AI",
- "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Vectra AI Detect solution for Microsoft Sentinel enables you to ingest Vectra AI logs into Microsoft Sentinel, using the Common Event Format (CEF) for Security Monitoring.

\n

This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.

\n

Data Connectors: 2, Workbooks: 1, Analytic Rules: 7

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n",
+ "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Vectra AI Detect solution for Microsoft Sentinel enables you to ingest Vectra AI logs into Microsoft Sentinel, using the Common Event Format (CEF) for Security Monitoring.

\n

This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors were deprecated on Aug 31, 2024.

\n

Workbooks: 1, Analytic Rules: 7

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n",
  "contentKind": "Solution",
  "contentProductId": "[variables('_solutioncontentProductId')]",
  "id": "[variables('_solutioncontentProductId')]",
@@ -2065,16 +1291,6 @@
  },
  "dependencies": {
  "criteria": [
- {
- "kind": "DataConnector",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "version": "[variables('dataConnectorVersion1')]"
- },
- {
- "kind": "DataConnector",
- "contentId": "[variables('_dataConnectorContentId2')]",
- "version": "[variables('dataConnectorVersion2')]"
- },
  {
  "kind": "Workbook",
  "contentId": "[variables('_workbookContentId1')]",
diff --git a/Solutions/Vectra AI Detect/ReleaseNotes.md b/Solutions/Vectra AI Detect/ReleaseNotes.md
index 427204b2206..8327b8e4df8 100644
--- a/Solutions/Vectra AI Detect/ReleaseNotes.md
+++ b/Solutions/Vectra AI Detect/ReleaseNotes.md
@@ -1,5 +1,6 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|-------------------------------------------------------------|
-| 3.0.1 | 27-06-2024 | Deprecating data connectors |
+| 3.0.2 | 02-12-2024 | Removed Deprecated **Data Connectors** |
+| 3.0.1 | 27-06-2024 | Deprecating **Data Connectors** |
 | 3.0.0 | 16-02-2024 | Addition of new Vectra AI Detect AMA **Data Connector** |
diff --git a/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json b/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json
index f47334bec0a..e954c66e7c5 100644
--- a/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json
+++ b/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json
@@ -1215,8 +1215,7 @@
  "CommonSecurityLog"
  ],
  "dataConnectorsDependencies": [
- "AIVectraDetect",
- "AIVectraDetectAma"
+ "CefAma"
  ],
  "previewImagesFileNames": [
  "AIVectraDetectWhite1.png",
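Review bot: Removing both `DataConnector` criteria leaves nothing in `dependencies.criteria` that ties this solution to the CEF via AMA connector that the description text and the analytic rules now rely on; installation will only pull that connector in if the Common Event Format solution is declared as a dependent domain solution in this template, which is outside this hunk, so please confirm it is there. If `_dataConnectorContentId1`, `_dataConnectorContentId2`, `dataConnectorVersion1` and `dataConnectorVersion2` are still declared in the template's `variables` block they are now unreferenced and should be dropped in the same change, otherwise the next cleanup has to guess whether they are dead. The `criteria` array continues past the end of this hunk.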
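Review bot: The same `dataConnectorsDependencies` lists are maintained by hand in two files — `Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json` here and `Workbooks/WorkbooksMetadata.json` in the hunks that follow — and they had already drifted before this change: this copy listed only the two legacy connectors while the other copy already carried `CefAma`, which is how a dependency on a deprecated connector outlives a cleanup. It would be worth either generating one file from the other or adding a repository check that fails when the two lists for a workbook differ. The CyberArk and Citrix WAF entries in the next two hunks of this file, and the three hunks of `Workbooks/WorkbooksMetadata.json`, make the same change and carry the same maintenance risk.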
@@ -1545,8 +1544,7 @@
  "CommonSecurityLog"
  ],
  "dataConnectorsDependencies": [
- "CyberArk",
- "CyberArkAma"
+ "CefAma"
  ],
  "previewImagesFileNames": [
  "CyberArkActivitiesWhite.PNG",
@@ -1584,8 +1582,7 @@
  "CommonSecurityLog"
  ],
  "dataConnectorsDependencies": [
- "CitrixWAF",
- "CitrixWAFAma"
+ "CefAma"
  ],
  "previewImagesFileNames": [
  "CitrixWAFBlack.png",
diff --git a/Workbooks/WorkbooksMetadata.json b/Workbooks/WorkbooksMetadata.json
index 0cc38478933..5efaba51929 100644
--- a/Workbooks/WorkbooksMetadata.json
+++ b/Workbooks/WorkbooksMetadata.json
@@ -1559,7 +1559,6 @@
  "CommonSecurityLog"
  ],
  "dataConnectorsDependencies": [
- "AIVectraDetect",
  "CefAma"
  ],
  "previewImagesFileNames": [
@@ -1944,8 +1943,6 @@
  "CommonSecurityLog"
  ],
  "dataConnectorsDependencies": [
- "CyberArk",
- "CyberArkAma",
  "CefAma"
  ],
  "previewImagesFileNames": [
@@ -1998,8 +1995,6 @@
  "CommonSecurityLog"
  ],
  "dataConnectorsDependencies": [
- "CitrixWAF",
- "CitrixWAFAma",
  "CefAma"
  ],
  "previewImagesFileNames": [