![](\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/ArubaClearPass.svg\"){kind=spacer}
",
"Description": "The [Aruba ClearPass](https://www.arubanetworks.com/products/security/network-access-control/secure-access/) solution allows you to easily connect your Aruba ClearPass with Microsoft Sentinel. \n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.",
- "Data Connectors": [
- "Solutions/Aruba ClearPass/Data Connectors/Connector_Syslog_ArubaClearPass.json",
- "Solutions/Aruba ClearPass/Data Connectors/template_ArubaClearPassAMA.json"
- ],
"Parsers": [
"Solutions/Aruba ClearPass/Parsers/ArubaClearPass.yaml"
],
@@ -14,7 +10,7 @@
"azuresentinel.azure-sentinel-solution-commoneventformat"
],
"BasePath": "C:\\GitHub\\Azure-Sentinel",
- "Version": "3.0.1",
+ "Version": "3.0.3",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1PConnector": false
diff --git a/Solutions/Aruba ClearPass/Package/3.0.3.zip b/Solutions/Aruba ClearPass/Package/3.0.3.zip
new file mode 100644
index 00000000000..1227c21231c
Binary files /dev/null and b/Solutions/Aruba ClearPass/Package/3.0.3.zip differ
diff --git a/Solutions/Aruba ClearPass/Package/createUiDefinition.json b/Solutions/Aruba ClearPass/Package/createUiDefinition.json
index dcc50bb28da..e9aa46783ff 100644
--- a/Solutions/Aruba ClearPass/Package/createUiDefinition.json
+++ b/Solutions/Aruba ClearPass/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
- "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Aruba%20ClearPass/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Aruba ClearPass](https://www.arubanetworks.com/products/security/network-access-control/secure-access/) solution allows you to easily connect your Aruba ClearPass with Microsoft Sentinel. \n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.\n\n**Data Connectors:** 2, **Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Aruba%20ClearPass/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Aruba ClearPass](https://www.arubanetworks.com/products/security/network-access-control/secure-access/) solution allows you to easily connect your Aruba ClearPass with Microsoft Sentinel. \n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.\n\n**Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
@@ -50,39 +50,7 @@
"visible": true
}
],
- "steps": [
- {
- "name": "dataconnectors",
- "label": "Data Connectors",
- "bladeTitle": "Data Connectors",
- "elements": [
- {
- "name": "dataconnectors1-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "This Solution installs the data connector for Aruba ClearPass. You can get Aruba ClearPass CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
- }
- },
- {
- "name": "dataconnectors-parser-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel."
- }
- },
- {
- "name": "dataconnectors-link2",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "link": {
- "label": "Learn more about connecting data sources",
- "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
- }
- }
- }
- ]
- }
- ],
+ "steps": [{}],
"outputs": {
"workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
"location": "[location()]",
diff --git a/Solutions/Aruba ClearPass/Package/mainTemplate.json b/Solutions/Aruba ClearPass/Package/mainTemplate.json
index 5c9917dc07c..2baa6a4591d 100644
--- a/Solutions/Aruba ClearPass/Package/mainTemplate.json
+++ b/Solutions/Aruba ClearPass/Package/mainTemplate.json
@@ -31,27 +31,9 @@
},
"variables": {
"_solutionName": "Aruba ClearPass",
- "_solutionVersion": "3.0.2",
+ "_solutionVersion": "3.0.3",
"solutionId": "azuresentinel.azure-sentinel-solution-arubaclearpass",
"_solutionId": "[variables('solutionId')]",
- "uiConfigId1": "ArubaClearPass",
- "_uiConfigId1": "[variables('uiConfigId1')]",
- "dataConnectorContentId1": "ArubaClearPass",
- "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
- "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "_dataConnectorId1": "[variables('dataConnectorId1')]",
- "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
- "dataConnectorVersion1": "1.0.0",
- "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
- "uiConfigId2": "ArubaClearPassAma",
- "_uiConfigId2": "[variables('uiConfigId2')]",
- "dataConnectorContentId2": "ArubaClearPassAma",
- "_dataConnectorContentId2": "[variables('dataConnectorContentId2')]",
- "dataConnectorId2": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
- "_dataConnectorId2": "[variables('dataConnectorId2')]",
- "dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]",
- "dataConnectorVersion2": "1.0.0",
- "_dataConnectorcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]",
"parserObject1": {
"_parserName1": "[concat(parameters('workspace'),'/','ArubaClearPass')]",
"_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'ArubaClearPass')]",
@@ -62,684 +44,6 @@
"_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
},
"resources": [
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
- "apiVersion": "2023-04-01-preview",
- "name": "[variables('dataConnectorTemplateSpecName1')]",
- "location": "[parameters('workspace-location')]",
- "dependsOn": [
- "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
- ],
- "properties": {
- "description": "Aruba ClearPass data connector with template version 3.0.2",
- "mainTemplate": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('dataConnectorVersion1')]",
- "parameters": {},
- "variables": {},
- "resources": [
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
- "properties": {
- "connectorUiConfig": {
- "id": "[variables('_uiConfigId1')]",
- "title": "[Deprecated] Aruba ClearPass via Legacy Agent",
- "publisher": "Aruba Networks",
- "descriptionMarkdown": "The [Aruba ClearPass](https://www.arubanetworks.com/products/security/network-access-control/secure-access/) connector allows you to easily connect your Aruba ClearPass with Microsoft Sentinel, to create custom dashboards, alerts, and improve investigation. This gives you more insight into your organization’s network and improves your security operation capabilities.",
- "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution.",
- "graphQueries": [
- {
- "metricName": "Total data received",
- "legend": "ArubaClearPass",
- "baseQuery": "CommonSecurityLog\n| where DeviceVendor == \"Aruba Networks\" and DeviceProduct == \"ClearPass\""
- }
- ],
- "sampleQueries": [
- {
- "description": "Top 10 Events by Username",
- "query": "ArubaClearPass \n | summarize count() by UserName \n| top 10 by count_"
- },
- {
- "description": "Top 10 Error Codes",
- "query": "ArubaClearPass \n | summarize count() by ErrorCode \n| top 10 by count_"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "CommonSecurityLog\n| where DeviceVendor == \"Aruba Networks\" and DeviceProduct == \"ClearPass\"\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
- ]
- }
- ],
- "dataTypes": [
- {
- "name": "CommonSecurityLog (ArubaClearPass)",
- "lastDataReceivedQuery": "CommonSecurityLog\n| where DeviceVendor == \"Aruba Networks\" and DeviceProduct == \"ClearPass\"\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "read": true,
- "write": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ]
- },
- "instructionSteps": [
- {
- "description": "**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias ArubaClearPass and load the function code or click [here](https://aka.ms/sentinel-arubaclearpass-parser).The function usually takes 10-15 minutes to activate after solution installation/update."
- },
- {
- "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
- "innerSteps": [
- {
- "title": "1.1 Select or create a Linux machine",
- "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds."
- },
- {
- "title": "1.2 Install the CEF collector on the Linux machine",
- "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId",
- "PrimaryKey"
- ],
- "label": "Run the following command to install and apply the CEF collector:",
- "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}"
- },
- "type": "CopyableLabel"
- }
- ]
- }
- ],
- "title": "1. Linux Syslog agent configuration"
- },
- {
- "description": "Configure Aruba ClearPass to forward Syslog messages in CEF format to your Microsoft Sentinel workspace via the Syslog agent.\n1. [Follow these instructions](https://www.arubanetworks.com/techdocs/ClearPass/6.7/PolicyManager/Content/CPPM_UserGuide/Admin/syslogExportFilters_add_syslog_filter_general.htm) to configure the Aruba ClearPass to forward syslog.\n2. Use the IP address or hostname for the Linux device with the Linux agent installed as the Destination IP address.",
- "title": "2. Forward Aruba ClearPass logs to a Syslog agent"
- },
- {
- "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId"
- ],
- "label": "Run the following command to validate your connectivity:",
- "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}"
- },
- "type": "CopyableLabel"
- }
- ],
- "title": "3. Validate connection"
- },
- {
- "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
- "title": "4. Secure your machine "
- }
- ]
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion1')]",
- "source": {
- "kind": "Solution",
- "name": "Aruba ClearPass",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Aruba Networks"
- },
- "support": {
- "tier": "Microsoft",
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "link": "https://support.microsoft.com/"
- }
- }
- }
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "contentKind": "DataConnector",
- "displayName": "[Deprecated] Aruba ClearPass via Legacy Agent",
- "contentProductId": "[variables('_dataConnectorcontentProductId1')]",
- "id": "[variables('_dataConnectorcontentProductId1')]",
- "version": "[variables('dataConnectorVersion1')]"
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
- "dependsOn": [
- "[variables('_dataConnectorId1')]"
- ],
- "location": "[parameters('workspace-location')]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion1')]",
- "source": {
- "kind": "Solution",
- "name": "Aruba ClearPass",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Aruba Networks"
- },
- "support": {
- "tier": "Microsoft",
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "link": "https://support.microsoft.com/"
- }
- }
- },
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
- "properties": {
- "connectorUiConfig": {
- "title": "[Deprecated] Aruba ClearPass via Legacy Agent",
- "publisher": "Aruba Networks",
- "descriptionMarkdown": "The [Aruba ClearPass](https://www.arubanetworks.com/products/security/network-access-control/secure-access/) connector allows you to easily connect your Aruba ClearPass with Microsoft Sentinel, to create custom dashboards, alerts, and improve investigation. This gives you more insight into your organization’s network and improves your security operation capabilities.",
- "graphQueries": [
- {
- "metricName": "Total data received",
- "legend": "ArubaClearPass",
- "baseQuery": "CommonSecurityLog\n| where DeviceVendor == \"Aruba Networks\" and DeviceProduct == \"ClearPass\""
- }
- ],
- "dataTypes": [
- {
- "name": "CommonSecurityLog (ArubaClearPass)",
- "lastDataReceivedQuery": "CommonSecurityLog\n| where DeviceVendor == \"Aruba Networks\" and DeviceProduct == \"ClearPass\"\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "CommonSecurityLog\n| where DeviceVendor == \"Aruba Networks\" and DeviceProduct == \"ClearPass\"\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
- ]
- }
- ],
- "sampleQueries": [
- {
- "description": "Top 10 Events by Username",
- "query": "ArubaClearPass \n | summarize count() by UserName \n| top 10 by count_"
- },
- {
- "description": "Top 10 Error Codes",
- "query": "ArubaClearPass \n | summarize count() by ErrorCode \n| top 10 by count_"
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "read": true,
- "write": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ]
- },
- "instructionSteps": [
- {
- "description": "**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias ArubaClearPass and load the function code or click [here](https://aka.ms/sentinel-arubaclearpass-parser).The function usually takes 10-15 minutes to activate after solution installation/update."
- },
- {
- "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
- "innerSteps": [
- {
- "title": "1.1 Select or create a Linux machine",
- "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds."
- },
- {
- "title": "1.2 Install the CEF collector on the Linux machine",
- "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId",
- "PrimaryKey"
- ],
- "label": "Run the following command to install and apply the CEF collector:",
- "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}"
- },
- "type": "CopyableLabel"
- }
- ]
- }
- ],
- "title": "1. Linux Syslog agent configuration"
- },
- {
- "description": "Configure Aruba ClearPass to forward Syslog messages in CEF format to your Microsoft Sentinel workspace via the Syslog agent.\n1. [Follow these instructions](https://www.arubanetworks.com/techdocs/ClearPass/6.7/PolicyManager/Content/CPPM_UserGuide/Admin/syslogExportFilters_add_syslog_filter_general.htm) to configure the Aruba ClearPass to forward syslog.\n2. Use the IP address or hostname for the Linux device with the Linux agent installed as the Destination IP address.",
- "title": "2. Forward Aruba ClearPass logs to a Syslog agent"
- },
- {
- "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId"
- ],
- "label": "Run the following command to validate your connectivity:",
- "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}"
- },
- "type": "CopyableLabel"
- }
- ],
- "title": "3. Validate connection"
- },
- {
- "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
- "title": "4. Secure your machine "
- }
- ],
- "id": "[variables('_uiConfigId1')]",
- "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution."
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
- "apiVersion": "2023-04-01-preview",
- "name": "[variables('dataConnectorTemplateSpecName2')]",
- "location": "[parameters('workspace-location')]",
- "dependsOn": [
- "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
- ],
- "properties": {
- "description": "Aruba ClearPass data connector with template version 3.0.2",
- "mainTemplate": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('dataConnectorVersion2')]",
- "parameters": {},
- "variables": {},
- "resources": [
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
- "properties": {
- "connectorUiConfig": {
- "id": "[variables('_uiConfigId2')]",
- "title": "[Deprecated] Aruba ClearPass via AMA",
- "publisher": "Aruba Networks",
- "descriptionMarkdown": "The [Aruba ClearPass](https://www.arubanetworks.com/products/security/network-access-control/secure-access/) connector allows you to easily connect your Aruba ClearPass with Microsoft Sentinel, to create custom dashboards, alerts, and improve investigation. This gives you more insight into your organization’s network and improves your security operation capabilities.",
- "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution.",
- "graphQueries": [
- {
- "metricName": "Total data received",
- "legend": "ArubaClearPass",
- "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Aruba Networks'\n |where DeviceProduct =~ 'ClearPass'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)"
- }
- ],
- "sampleQueries": [
- {
- "description": "Top 10 Events by Username",
- "query": "ArubaClearPass \n | summarize count() by UserName \n| top 10 by count_"
- },
- {
- "description": "Top 10 Error Codes",
- "query": "ArubaClearPass \n | summarize count() by ErrorCode \n| top 10 by count_"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "CommonSecurityLog\n |where DeviceVendor =~ 'Aruba Networks'\n |where DeviceProduct =~ 'ClearPass'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
- ]
- }
- ],
- "dataTypes": [
- {
- "name": "CommonSecurityLog (ArubaClearPass)",
- "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Aruba Networks'\n |where DeviceProduct =~ 'ClearPass'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "read": true,
- "write": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ],
- "customs": [
- {
- "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
- },
- {
- "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)"
- }
- ]
- },
- "instructionSteps": [
- {
- "description": "**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias ArubaClearPass and load the function code or click [here](https://aka.ms/sentinel-arubaclearpass-parser).The function usually takes 10-15 minutes to activate after solution installation/update.",
- "instructions": [
- {
- "parameters": {
- "title": "1. Kindly follow the steps to configure the data connector",
- "instructionSteps": [
- {
- "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector",
- "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine"
- },
- {
- "title": "Step B. Forward Aruba ClearPass logs to a Syslog agent",
- "description": "Configure Aruba ClearPass to forward Syslog messages in CEF format to your Microsoft Sentinel workspace via the Syslog agent.\n1. [Follow these instructions](https://www.arubanetworks.com/techdocs/ClearPass/6.7/PolicyManager/Content/CPPM_UserGuide/Admin/syslogExportFilters_add_syslog_filter_general.htm) to configure the Aruba ClearPass to forward syslog.\n2. Use the IP address or hostname for the Linux device with the Linux agent installed as the Destination IP address."
- },
- {
- "title": "Step C. Validate connection",
- "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine",
- "instructions": [
- {
- "parameters": {
- "label": "Run the following command to validate your connectivity:",
- "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef"
- },
- "type": "CopyableLabel"
- }
- ]
- }
- ]
- },
- "type": "InstructionStepsGroup"
- }
- ]
- },
- {
- "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
- "title": "2. Secure your machine "
- }
- ]
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
- "contentId": "[variables('_dataConnectorContentId2')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion2')]",
- "source": {
- "kind": "Solution",
- "name": "Aruba ClearPass",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Aruba Networks"
- },
- "support": {
- "tier": "Microsoft",
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "link": "https://support.microsoft.com/"
- }
- }
- }
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_dataConnectorContentId2')]",
- "contentKind": "DataConnector",
- "displayName": "[Deprecated] Aruba ClearPass via AMA",
- "contentProductId": "[variables('_dataConnectorcontentProductId2')]",
- "id": "[variables('_dataConnectorcontentProductId2')]",
- "version": "[variables('dataConnectorVersion2')]"
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]",
- "dependsOn": [
- "[variables('_dataConnectorId2')]"
- ],
- "location": "[parameters('workspace-location')]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
- "contentId": "[variables('_dataConnectorContentId2')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion2')]",
- "source": {
- "kind": "Solution",
- "name": "Aruba ClearPass",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Aruba Networks"
- },
- "support": {
- "tier": "Microsoft",
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "link": "https://support.microsoft.com/"
- }
- }
- },
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
- "properties": {
- "connectorUiConfig": {
- "title": "[Deprecated] Aruba ClearPass via AMA",
- "publisher": "Aruba Networks",
- "descriptionMarkdown": "The [Aruba ClearPass](https://www.arubanetworks.com/products/security/network-access-control/secure-access/) connector allows you to easily connect your Aruba ClearPass with Microsoft Sentinel, to create custom dashboards, alerts, and improve investigation. This gives you more insight into your organization’s network and improves your security operation capabilities.",
- "graphQueries": [
- {
- "metricName": "Total data received",
- "legend": "ArubaClearPass",
- "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Aruba Networks'\n |where DeviceProduct =~ 'ClearPass'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)"
- }
- ],
- "dataTypes": [
- {
- "name": "CommonSecurityLog (ArubaClearPass)",
- "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Aruba Networks'\n |where DeviceProduct =~ 'ClearPass'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "CommonSecurityLog\n |where DeviceVendor =~ 'Aruba Networks'\n |where DeviceProduct =~ 'ClearPass'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
- ]
- }
- ],
- "sampleQueries": [
- {
- "description": "Top 10 Events by Username",
- "query": "ArubaClearPass \n | summarize count() by UserName \n| top 10 by count_"
- },
- {
- "description": "Top 10 Error Codes",
- "query": "ArubaClearPass \n | summarize count() by ErrorCode \n| top 10 by count_"
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "read": true,
- "write": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ],
- "customs": [
- {
- "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
- },
- {
- "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)"
- }
- ]
- },
- "instructionSteps": [
- {
- "description": "**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias ArubaClearPass and load the function code or click [here](https://aka.ms/sentinel-arubaclearpass-parser).The function usually takes 10-15 minutes to activate after solution installation/update.",
- "instructions": [
- {
- "parameters": {
- "title": "1. Kindly follow the steps to configure the data connector",
- "instructionSteps": [
- {
- "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector",
- "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine"
- },
- {
- "title": "Step B. Forward Aruba ClearPass logs to a Syslog agent",
- "description": "Configure Aruba ClearPass to forward Syslog messages in CEF format to your Microsoft Sentinel workspace via the Syslog agent.\n1. [Follow these instructions](https://www.arubanetworks.com/techdocs/ClearPass/6.7/PolicyManager/Content/CPPM_UserGuide/Admin/syslogExportFilters_add_syslog_filter_general.htm) to configure the Aruba ClearPass to forward syslog.\n2. Use the IP address or hostname for the Linux device with the Linux agent installed as the Destination IP address."
- },
- {
- "title": "Step C. Validate connection",
- "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine",
- "instructions": [
- {
- "parameters": {
- "label": "Run the following command to validate your connectivity:",
- "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef"
- },
- "type": "CopyableLabel"
- }
- ]
- }
- ]
- },
- "type": "InstructionStepsGroup"
- }
- ]
- },
- {
- "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
- "title": "2. Secure your machine "
- }
- ],
- "id": "[variables('_uiConfigId2')]",
- "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution."
- }
- }
- },
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
@@ -749,7 +53,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ArubaClearPass Data Parser with template version 3.0.2",
+ "description": "ArubaClearPass Data Parser with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserObject1').parserVersion1]",
@@ -875,12 +179,12 @@
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
- "version": "3.0.2",
+ "version": "3.0.3",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "Aruba ClearPass",
"publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation",
- "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Aruba ClearPass solution allows you to easily connect your Aruba ClearPass with Microsoft Sentinel.
\n\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.
\nNOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.
\nData Connectors: 2, Parsers: 1
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n", + "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Aruba ClearPass solution allows you to easily connect your Aruba ClearPass with Microsoft Sentinel.
\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.
\nNOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.
\nParsers: 1
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -903,16 +207,6 @@ }, "dependencies": { "criteria": [ - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId1')]", - "version": "[variables('dataConnectorVersion1')]" - }, - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId2')]", - "version": "[variables('dataConnectorVersion2')]" - }, { "kind": "Parser", "contentId": "[variables('parserObject1').parserContentId1]", diff --git a/Solutions/Aruba ClearPass/ReleaseNotes.md b/Solutions/Aruba ClearPass/ReleaseNotes.md index e4f3a9e93bb..5db4a4c9d07 100644 --- a/Solutions/Aruba ClearPass/ReleaseNotes.md +++ b/Solutions/Aruba ClearPass/ReleaseNotes.md @@ -1,5 +1,6 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|--------------------------------------------------------------------| +| 3.0.3 | 13-11-2024 | Removed Deprecated **Data Connectors** | | 3.0.2 | 08-07-2024 | Deprecating **Data Connector** | -| 3.0.1 | 26-09-2023 | Parser link update | +| 3.0.1 | 26-09-2023 | Parser link update | | 3.0.0 | 21-09-2023 | Addition of new Aruba ClearPass AMA **Data Connector** | \ No newline at end of file diff --git a/Solutions/CiscoSEG/Analytic Rules/CiscoSEGDLPViolation.yaml b/Solutions/CiscoSEG/Analytic Rules/CiscoSEGDLPViolation.yaml index 0d7127fbc55..645e31995a7 100755 --- a/Solutions/CiscoSEG/Analytic Rules/CiscoSEGDLPViolation.yaml +++ b/Solutions/CiscoSEG/Analytic Rules/CiscoSEGDLPViolation.yaml @@ -5,12 +5,6 @@ description: | severity: Medium status: Available requiredDataConnectors: - - connectorId: CiscoSEG - dataTypes: - - CiscoSEGEvent - - connectorId: CiscoSEGAma - dataTypes: - - CiscoSEGEvent - connectorId: CefAma dataTypes: - CommonSecurityLog @@ -34,5 +28,5 @@ entityMappings: fieldMappings: - identifier: Name columnName: AccountCustomEntity -version: 1.0.2 +version: 1.0.3 kind: Scheduled \ No newline at end of file diff --git a/Solutions/CiscoSEG/Analytic Rules/CiscoSEGMaliciousAttachmentNotBlocked.yaml b/Solutions/CiscoSEG/Analytic Rules/CiscoSEGMaliciousAttachmentNotBlocked.yaml index ef0407f709c..6d033afb010 100755 --- a/Solutions/CiscoSEG/Analytic Rules/CiscoSEGMaliciousAttachmentNotBlocked.yaml +++ b/Solutions/CiscoSEG/Analytic Rules/CiscoSEGMaliciousAttachmentNotBlocked.yaml @@ -5,12 +5,6 @@ description: | severity: High status: Available requiredDataConnectors: - - connectorId: CiscoSEG - dataTypes: - - CiscoSEGEvent - - connectorId: CiscoSEGAma - dataTypes: - - CiscoSEGEvent - connectorId: CefAma dataTypes: - CommonSecurityLog @@ -35,5 +29,5 @@ entityMappings: fieldMappings: - identifier: Name columnName: AccountCustomEntity -version: 1.0.2 +version: 1.0.3 kind: Scheduled \ No newline at end of file diff --git a/Solutions/CiscoSEG/Analytic Rules/CiscoSEGMultipleLargeEmails.yaml b/Solutions/CiscoSEG/Analytic Rules/CiscoSEGMultipleLargeEmails.yaml index 62609fa48d7..39547460627 100755 --- a/Solutions/CiscoSEG/Analytic Rules/CiscoSEGMultipleLargeEmails.yaml +++ b/Solutions/CiscoSEG/Analytic Rules/CiscoSEGMultipleLargeEmails.yaml @@ -5,12 +5,6 @@ description: | severity: Medium status: Available requiredDataConnectors: - - connectorId: CiscoSEG - dataTypes: - - CiscoSEGEvent - - connectorId: CiscoSEGAma - dataTypes: - - CiscoSEGEvent - connectorId: CefAma dataTypes: - CommonSecurityLog @@ -39,5 +33,5 @@ entityMappings: fieldMappings: - identifier: Name columnName: AccountCustomEntity -version: 1.0.2 +version: 1.0.3 kind: Scheduled \ No newline at end of file diff --git a/Solutions/CiscoSEG/Analytic Rules/CiscoSEGMultipleSuspiciousEmails.yaml b/Solutions/CiscoSEG/Analytic Rules/CiscoSEGMultipleSuspiciousEmails.yaml index 60660cb0c60..81d017cf500 100755 --- a/Solutions/CiscoSEG/Analytic Rules/CiscoSEGMultipleSuspiciousEmails.yaml +++ b/Solutions/CiscoSEG/Analytic Rules/CiscoSEGMultipleSuspiciousEmails.yaml @@ -5,12 +5,6 @@ description: | severity: High status: Available requiredDataConnectors: - - connectorId: CiscoSEG - dataTypes: - - CiscoSEGEvent - - connectorId: CiscoSEGAma - dataTypes: - - CiscoSEGEvent - connectorId: CefAma dataTypes: - CommonSecurityLog @@ -36,5 +30,5 @@ entityMappings: fieldMappings: - identifier: Name columnName: AccountCustomEntity -version: 1.0.2 +version: 1.0.3 kind: Scheduled \ No newline at end of file diff --git a/Solutions/CiscoSEG/Analytic Rules/CiscoSEGPossibleOutbreak.yaml b/Solutions/CiscoSEG/Analytic Rules/CiscoSEGPossibleOutbreak.yaml index 206b19b5eb4..01e5368eb73 100755 --- a/Solutions/CiscoSEG/Analytic Rules/CiscoSEGPossibleOutbreak.yaml +++ b/Solutions/CiscoSEG/Analytic Rules/CiscoSEGPossibleOutbreak.yaml @@ -5,12 +5,6 @@ description: | severity: Medium status: Available requiredDataConnectors: - - connectorId: CiscoSEG - dataTypes: - - CiscoSEGEvent - - connectorId: CiscoSEGAma - dataTypes: - - CiscoSEGEvent - connectorId: CefAma dataTypes: - CommonSecurityLog @@ -34,5 +28,5 @@ entityMappings: fieldMappings: - identifier: Name columnName: AccountCustomEntity -version: 1.0.2 +version: 1.0.3 kind: Scheduled \ No newline at end of file diff --git a/Solutions/CiscoSEG/Analytic Rules/CiscoSEGPotentialLinkToMalwareDownload.yaml b/Solutions/CiscoSEG/Analytic Rules/CiscoSEGPotentialLinkToMalwareDownload.yaml index 6e7d6531fae..308c1324431 100755 --- a/Solutions/CiscoSEG/Analytic Rules/CiscoSEGPotentialLinkToMalwareDownload.yaml +++ b/Solutions/CiscoSEG/Analytic Rules/CiscoSEGPotentialLinkToMalwareDownload.yaml @@ -5,12 +5,6 @@ description: | severity: Medium status: Available requiredDataConnectors: - - connectorId: CiscoSEG - dataTypes: - - CiscoSEGEvent - - connectorId: CiscoSEGAma - dataTypes: - - CiscoSEGEvent - connectorId: CefAma dataTypes: - CommonSecurityLog @@ -35,5 +29,5 @@ entityMappings: fieldMappings: - identifier: Name columnName: AccountCustomEntity -version: 1.0.2 +version: 1.0.3 kind: Scheduled \ No newline at end of file diff --git a/Solutions/CiscoSEG/Analytic Rules/CiscoSEGSuspiciousLink.yaml b/Solutions/CiscoSEG/Analytic Rules/CiscoSEGSuspiciousLink.yaml index 74aede49b4f..4a4e025eaec 100755 --- a/Solutions/CiscoSEG/Analytic Rules/CiscoSEGSuspiciousLink.yaml +++ b/Solutions/CiscoSEG/Analytic Rules/CiscoSEGSuspiciousLink.yaml @@ -5,12 +5,6 @@ description: | severity: High status: Available requiredDataConnectors: - - connectorId: CiscoSEG - dataTypes: - - CiscoSEGEvent - - connectorId: CiscoSEGAma - dataTypes: - - CiscoSEGEvent - connectorId: CefAma dataTypes: - CommonSecurityLog @@ -35,5 +29,5 @@ entityMappings: fieldMappings: - identifier: Name columnName: AccountCustomEntity -version: 1.0.2 +version: 1.0.3 kind: Scheduled \ No newline at end of file diff --git a/Solutions/CiscoSEG/Analytic Rules/CiscoSEGSuspiciousSenderDomain.yaml b/Solutions/CiscoSEG/Analytic Rules/CiscoSEGSuspiciousSenderDomain.yaml index 8a431c94708..31b6b3f0ee7 100755 --- a/Solutions/CiscoSEG/Analytic Rules/CiscoSEGSuspiciousSenderDomain.yaml +++ b/Solutions/CiscoSEG/Analytic Rules/CiscoSEGSuspiciousSenderDomain.yaml @@ -5,12 +5,6 @@ description: | severity: Medium status: Available requiredDataConnectors: - - connectorId: CiscoSEG - dataTypes: - - CiscoSEGEvent - - connectorId: CiscoSEGAma - dataTypes: - - CiscoSEGEvent - connectorId: CefAma dataTypes: - CommonSecurityLog @@ -41,5 +35,5 @@ entityMappings: fieldMappings: - identifier: Name columnName: AccountCustomEntity -version: 1.0.2 +version: 1.0.3 kind: Scheduled \ No newline at end of file diff --git a/Solutions/CiscoSEG/Analytic Rules/CiscoSEGUnclassifiedLink.yaml b/Solutions/CiscoSEG/Analytic Rules/CiscoSEGUnclassifiedLink.yaml index ccf2a9ad3ba..46e73b082b8 100755 --- a/Solutions/CiscoSEG/Analytic Rules/CiscoSEGUnclassifiedLink.yaml +++ b/Solutions/CiscoSEG/Analytic Rules/CiscoSEGUnclassifiedLink.yaml @@ -5,12 +5,6 @@ description: | severity: Medium status: Available requiredDataConnectors: - - connectorId: CiscoSEG - dataTypes: - - CiscoSEGEvent - - connectorId: CiscoSEGAma - dataTypes: - - CiscoSEGEvent - connectorId: CefAma dataTypes: - CommonSecurityLog @@ -35,5 +29,5 @@ entityMappings: fieldMappings: - identifier: Name columnName: AccountCustomEntity -version: 1.0.2 +version: 1.0.3 kind: Scheduled \ No newline at end of file diff --git a/Solutions/CiscoSEG/Analytic Rules/CiscoSEGUnexpextedAttachment.yaml b/Solutions/CiscoSEG/Analytic Rules/CiscoSEGUnexpextedAttachment.yaml index 00fdac34ef5..99fd6f8d62c 100755 --- a/Solutions/CiscoSEG/Analytic Rules/CiscoSEGUnexpextedAttachment.yaml +++ b/Solutions/CiscoSEG/Analytic Rules/CiscoSEGUnexpextedAttachment.yaml @@ -5,12 +5,6 @@ description: | severity: High status: Available requiredDataConnectors: - - connectorId: CiscoSEG - dataTypes: - - CiscoSEGEvent - - connectorId: CiscoSEGAma - dataTypes: - - CiscoSEGEvent - connectorId: CefAma dataTypes: - CommonSecurityLog @@ -34,5 +28,5 @@ entityMappings: fieldMappings: - identifier: Name columnName: AccountCustomEntity -version: 1.0.2 +version: 1.0.3 kind: Scheduled \ No newline at end of file diff --git a/Solutions/CiscoSEG/Analytic Rules/CiscoSEGUnscannableAttachment.yaml b/Solutions/CiscoSEG/Analytic Rules/CiscoSEGUnscannableAttachment.yaml index 4cabfb98f17..3d1de333957 100755 --- a/Solutions/CiscoSEG/Analytic Rules/CiscoSEGUnscannableAttachment.yaml +++ b/Solutions/CiscoSEG/Analytic Rules/CiscoSEGUnscannableAttachment.yaml @@ -5,12 +5,6 @@ description: | severity: Medium status: Available requiredDataConnectors: - - connectorId: CiscoSEG - dataTypes: - - CiscoSEGEvent - - connectorId: CiscoSEGAma - dataTypes: - - CiscoSEGEvent - connectorId: CefAma dataTypes: - CommonSecurityLog @@ -34,5 +28,5 @@ entityMappings: fieldMappings: - identifier: Name columnName: AccountCustomEntity -version: 1.0.2 +version: 1.0.3 kind: Scheduled \ No newline at end of file diff --git a/Solutions/CiscoSEG/Data/Solution_CiscoSEG.json b/Solutions/CiscoSEG/Data/Solution_CiscoSEG.json index 8989e1c0df4..618647955ec 100644 --- a/Solutions/CiscoSEG/Data/Solution_CiscoSEG.json +++ b/Solutions/CiscoSEG/Data/Solution_CiscoSEG.json @@ -31,10 +31,6 @@ "Parsers": [ "Parsers/CiscoSEGEvent.yaml" ], - "Data Connectors": [ - "Data Connectors/Connector_Cisco_SEG_CEF.json", - "Data Connectors/template_CiscoSEGAMA.json" - ], "Workbooks": [ "Workbooks/CiscoSEG.json" ], diff --git a/Solutions/CiscoSEG/Hunting Queries/CiscoSEGDroppedInMails.yaml b/Solutions/CiscoSEG/Hunting Queries/CiscoSEGDroppedInMails.yaml index affa167f12d..d6926f6c51d 100755 --- a/Solutions/CiscoSEG/Hunting Queries/CiscoSEGDroppedInMails.yaml +++ b/Solutions/CiscoSEG/Hunting Queries/CiscoSEGDroppedInMails.yaml @@ -4,12 +4,6 @@ description: | 'Query searches for dropped mails.' severity: Medium requiredDataConnectors: - - connectorId: CiscoSEG - dataTypes: - - CiscoSEGEvent - - connectorId: CiscoSEGAma - dataTypes: - - CiscoSEGEvent - connectorId: CefAma dataTypes: - CommonSecurityLog diff --git a/Solutions/CiscoSEG/Hunting Queries/CiscoSEGDroppedOutMails.yaml b/Solutions/CiscoSEG/Hunting Queries/CiscoSEGDroppedOutMails.yaml index 76877ba77b0..1b91f9bf996 100755 --- a/Solutions/CiscoSEG/Hunting Queries/CiscoSEGDroppedOutMails.yaml +++ b/Solutions/CiscoSEG/Hunting Queries/CiscoSEGDroppedOutMails.yaml @@ -4,12 +4,6 @@ description: | 'Query searches for dropped outgoing mails.' severity: Medium requiredDataConnectors: - - connectorId: CiscoSEG - dataTypes: - - CiscoSEGEvent - - connectorId: CiscoSEGAma - dataTypes: - - CiscoSEGEvent - connectorId: CefAma dataTypes: - CommonSecurityLog diff --git a/Solutions/CiscoSEG/Hunting Queries/CiscoSEGFailedDKIMFailure.yaml b/Solutions/CiscoSEG/Hunting Queries/CiscoSEGFailedDKIMFailure.yaml index 17c1561866c..2c4c13d5667 100755 --- a/Solutions/CiscoSEG/Hunting Queries/CiscoSEGFailedDKIMFailure.yaml +++ b/Solutions/CiscoSEG/Hunting Queries/CiscoSEGFailedDKIMFailure.yaml @@ -4,12 +4,6 @@ description: | 'Query searches for mails with DKIM failure status.' severity: Medium requiredDataConnectors: - - connectorId: CiscoSEG - dataTypes: - - CiscoSEGEvent - - connectorId: CiscoSEGAma - dataTypes: - - CiscoSEGEvent - connectorId: CefAma dataTypes: - CommonSecurityLog diff --git a/Solutions/CiscoSEG/Hunting Queries/CiscoSEGFailedDMARKFailure.yaml b/Solutions/CiscoSEG/Hunting Queries/CiscoSEGFailedDMARKFailure.yaml index 21973e5a8c5..702748f4afa 100755 --- a/Solutions/CiscoSEG/Hunting Queries/CiscoSEGFailedDMARKFailure.yaml +++ b/Solutions/CiscoSEG/Hunting Queries/CiscoSEGFailedDMARKFailure.yaml @@ -4,12 +4,6 @@ description: | 'Query searches for mails with DMARK failure status.' severity: Medium requiredDataConnectors: - - connectorId: CiscoSEG - dataTypes: - - CiscoSEGEvent - - connectorId: CiscoSEGAma - dataTypes: - - CiscoSEGEvent - connectorId: CefAma dataTypes: - CommonSecurityLog diff --git a/Solutions/CiscoSEG/Hunting Queries/CiscoSEGFailedSPFFailure.yaml b/Solutions/CiscoSEG/Hunting Queries/CiscoSEGFailedSPFFailure.yaml index 3714e7e398b..b72e32e2c57 100755 --- a/Solutions/CiscoSEG/Hunting Queries/CiscoSEGFailedSPFFailure.yaml +++ b/Solutions/CiscoSEG/Hunting Queries/CiscoSEGFailedSPFFailure.yaml @@ -4,12 +4,6 @@ description: | 'Query searches for mails with SPF failure status.' severity: Medium requiredDataConnectors: - - connectorId: CiscoSEG - dataTypes: - - CiscoSEGEvent - - connectorId: CiscoSEGAma - dataTypes: - - CiscoSEGEvent - connectorId: CefAma dataTypes: - CommonSecurityLog diff --git a/Solutions/CiscoSEG/Hunting Queries/CiscoSEGFailedTLSIn.yaml b/Solutions/CiscoSEG/Hunting Queries/CiscoSEGFailedTLSIn.yaml index 2dda211f041..7be0d49f304 100755 --- a/Solutions/CiscoSEG/Hunting Queries/CiscoSEGFailedTLSIn.yaml +++ b/Solutions/CiscoSEG/Hunting Queries/CiscoSEGFailedTLSIn.yaml @@ -4,12 +4,6 @@ description: | 'Query searches failed TLS incoming connections.' severity: Medium requiredDataConnectors: - - connectorId: CiscoSEG - dataTypes: - - CiscoSEGEvent - - connectorId: CiscoSEGAma - dataTypes: - - CiscoSEGEvent - connectorId: CefAma dataTypes: - CommonSecurityLog diff --git a/Solutions/CiscoSEG/Hunting Queries/CiscoSEGFailedTLSOut.yaml b/Solutions/CiscoSEG/Hunting Queries/CiscoSEGFailedTLSOut.yaml index 80a6f5d1825..b4d66992035 100755 --- a/Solutions/CiscoSEG/Hunting Queries/CiscoSEGFailedTLSOut.yaml +++ b/Solutions/CiscoSEG/Hunting Queries/CiscoSEGFailedTLSOut.yaml @@ -4,12 +4,6 @@ description: | 'Query searches failed TLS outgoing connections.' severity: Medium requiredDataConnectors: - - connectorId: CiscoSEG - dataTypes: - - CiscoSEGEvent - - connectorId: CiscoSEGAma - dataTypes: - - CiscoSEGEvent - connectorId: CefAma dataTypes: - CommonSecurityLog diff --git a/Solutions/CiscoSEG/Hunting Queries/CiscoSEGInsecureProtocol.yaml b/Solutions/CiscoSEG/Hunting Queries/CiscoSEGInsecureProtocol.yaml index c73fde8b77d..17bb2c836ac 100755 --- a/Solutions/CiscoSEG/Hunting Queries/CiscoSEGInsecureProtocol.yaml +++ b/Solutions/CiscoSEG/Hunting Queries/CiscoSEGInsecureProtocol.yaml @@ -4,12 +4,6 @@ description: | 'Query searches for connections with insecure protocol.' severity: Medium requiredDataConnectors: - - connectorId: CiscoSEG - dataTypes: - - CiscoSEGEvent - - connectorId: CiscoSEGAma - dataTypes: - - CiscoSEGEvent - connectorId: CefAma dataTypes: - CommonSecurityLog diff --git a/Solutions/CiscoSEG/Hunting Queries/CiscoSEGSpamMails.yaml b/Solutions/CiscoSEG/Hunting Queries/CiscoSEGSpamMails.yaml index b2ec7d26a8d..97c4a48ba13 100755 --- a/Solutions/CiscoSEG/Hunting Queries/CiscoSEGSpamMails.yaml +++ b/Solutions/CiscoSEG/Hunting Queries/CiscoSEGSpamMails.yaml @@ -4,12 +4,6 @@ description: | 'Query searches for sources of spam mails.' severity: Medium requiredDataConnectors: - - connectorId: CiscoSEG - dataTypes: - - CiscoSEGEvent - - connectorId: CiscoSEGAma - dataTypes: - - CiscoSEGEvent - connectorId: CefAma dataTypes: - CommonSecurityLog diff --git a/Solutions/CiscoSEG/Hunting Queries/CiscoSEGUsersReceivedSpam.yaml b/Solutions/CiscoSEG/Hunting Queries/CiscoSEGUsersReceivedSpam.yaml index 2ffe28e1b34..80918da63b7 100755 --- a/Solutions/CiscoSEG/Hunting Queries/CiscoSEGUsersReceivedSpam.yaml +++ b/Solutions/CiscoSEG/Hunting Queries/CiscoSEGUsersReceivedSpam.yaml @@ -4,12 +4,6 @@ description: | 'Query searches for top users receiving spam mails.' severity: Medium requiredDataConnectors: - - connectorId: CiscoSEG - dataTypes: - - CiscoSEGEvent - - connectorId: CiscoSEGAma - dataTypes: - - CiscoSEGEvent - connectorId: CefAma dataTypes: - CommonSecurityLog diff --git a/Solutions/CiscoSEG/Package/3.0.4.zip b/Solutions/CiscoSEG/Package/3.0.4.zip new file mode 100644 index 00000000000..bab6c83b9ae Binary files /dev/null and b/Solutions/CiscoSEG/Package/3.0.4.zip differ diff --git a/Solutions/CiscoSEG/Package/createUiDefinition.json b/Solutions/CiscoSEG/Package/createUiDefinition.json index 3269d4d8e92..3e9fb919532 100644 --- a/Solutions/CiscoSEG/Package/createUiDefinition.json +++ b/Solutions/CiscoSEG/Package/createUiDefinition.json @@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "![](\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/cisco-logo-72px.svg\"){kind=logo}
\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/CiscoSEG/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Cisco Secure Email Gateway (SEG)](https://www.cisco.com/c/en/us/products/security/email-security/index.html) solution provides the capability to ingest [Cisco SEG Consolidated Event Logs](https://www.cisco.com/c/en/us/td/docs/security/esa/esa14-0/user_guide/b_ESA_Admin_Guide_14-0/b_ESA_Admin_Guide_12_1_chapter_0100111.html#con_1061902) into Microsoft Sentinel.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.\n\n**Data Connectors:** 2, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 11, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/CiscoSEG/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Cisco Secure Email Gateway (SEG)](https://www.cisco.com/c/en/us/products/security/email-security/index.html) solution provides the capability to ingest [Cisco SEG Consolidated Event Logs](https://www.cisco.com/c/en/us/td/docs/security/esa/esa14-0/user_guide/b_ESA_Admin_Guide_14-0/b_ESA_Admin_Guide_12_1_chapter_0100111.html#con_1061902) into Microsoft Sentinel.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.\n\n**Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 11, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
@@ -51,37 +51,6 @@
}
],
"steps": [
- {
- "name": "dataconnectors",
- "label": "Data Connectors",
- "bladeTitle": "Data Connectors",
- "elements": [
- {
- "name": "dataconnectors1-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "This Solution installs the data connector for CiscoSEG. You can get CiscoSEG CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
- }
- },
- {
- "name": "dataconnectors-parser-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel."
- }
- },
- {
- "name": "dataconnectors-link2",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "link": {
- "label": "Learn more about connecting data sources",
- "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
- }
- }
- }
- ]
- },
{
"name": "workbooks",
"label": "Workbooks",
@@ -337,7 +306,7 @@
"name": "huntingquery1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Query searches for dropped mails. This hunting query depends on CiscoSEG CiscoSEGAma CefAma data connector (CiscoSEGEvent CiscoSEGEvent CommonSecurityLog Parser or Table)"
+ "text": "Query searches for dropped mails. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)"
}
}
]
@@ -351,7 +320,7 @@
"name": "huntingquery2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Query searches for dropped outgoing mails. This hunting query depends on CiscoSEG CiscoSEGAma CefAma data connector (CiscoSEGEvent CiscoSEGEvent CommonSecurityLog Parser or Table)"
+ "text": "Query searches for dropped outgoing mails. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)"
}
}
]
@@ -365,7 +334,7 @@
"name": "huntingquery3-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Query searches for mails with DKIM failure status. This hunting query depends on CiscoSEG CiscoSEGAma CefAma data connector (CiscoSEGEvent CiscoSEGEvent CommonSecurityLog Parser or Table)"
+ "text": "Query searches for mails with DKIM failure status. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)"
}
}
]
@@ -379,7 +348,7 @@
"name": "huntingquery4-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Query searches for mails with DMARK failure status. This hunting query depends on CiscoSEG CiscoSEGAma CefAma data connector (CiscoSEGEvent CiscoSEGEvent CommonSecurityLog Parser or Table)"
+ "text": "Query searches for mails with DMARK failure status. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)"
}
}
]
@@ -393,7 +362,7 @@
"name": "huntingquery5-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Query searches for mails with SPF failure status. This hunting query depends on CiscoSEG CiscoSEGAma CefAma data connector (CiscoSEGEvent CiscoSEGEvent CommonSecurityLog Parser or Table)"
+ "text": "Query searches for mails with SPF failure status. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)"
}
}
]
@@ -407,7 +376,7 @@
"name": "huntingquery6-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Query searches failed TLS incoming connections. This hunting query depends on CiscoSEG CiscoSEGAma CefAma data connector (CiscoSEGEvent CiscoSEGEvent CommonSecurityLog Parser or Table)"
+ "text": "Query searches failed TLS incoming connections. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)"
}
}
]
@@ -421,7 +390,7 @@
"name": "huntingquery7-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Query searches failed TLS outgoing connections. This hunting query depends on CiscoSEG CiscoSEGAma CefAma data connector (CiscoSEGEvent CiscoSEGEvent CommonSecurityLog Parser or Table)"
+ "text": "Query searches failed TLS outgoing connections. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)"
}
}
]
@@ -435,7 +404,7 @@
"name": "huntingquery8-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Query searches for connections with insecure protocol. This hunting query depends on CiscoSEG CiscoSEGAma CefAma data connector (CiscoSEGEvent CiscoSEGEvent CommonSecurityLog Parser or Table)"
+ "text": "Query searches for connections with insecure protocol. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)"
}
}
]
@@ -449,7 +418,7 @@
"name": "huntingquery9-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Query searches for sources of spam mails. This hunting query depends on CiscoSEG CiscoSEGAma CefAma data connector (CiscoSEGEvent CiscoSEGEvent CommonSecurityLog Parser or Table)"
+ "text": "Query searches for sources of spam mails. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)"
}
}
]
@@ -463,7 +432,7 @@
"name": "huntingquery10-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Query searches for top users receiving spam mails. This hunting query depends on CiscoSEG CiscoSEGAma CefAma data connector (CiscoSEGEvent CiscoSEGEvent CommonSecurityLog Parser or Table)"
+ "text": "Query searches for top users receiving spam mails. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)"
}
}
]
diff --git a/Solutions/CiscoSEG/Package/mainTemplate.json b/Solutions/CiscoSEG/Package/mainTemplate.json
index 4fdd7082a10..60be5dfe577 100644
--- a/Solutions/CiscoSEG/Package/mainTemplate.json
+++ b/Solutions/CiscoSEG/Package/mainTemplate.json
@@ -41,85 +41,85 @@
"email": "support@microsoft.com",
"_email": "[variables('email')]",
"_solutionName": "CiscoSEG",
- "_solutionVersion": "3.0.3",
+ "_solutionVersion": "3.0.4",
"solutionId": "azuresentinel.azure-sentinel-solution-ciscoseg",
"_solutionId": "[variables('solutionId')]",
"analyticRuleObject1": {
- "analyticRuleVersion1": "1.0.2",
+ "analyticRuleVersion1": "1.0.3",
"_analyticRulecontentId1": "df5c34dd-e1e6-4e07-90b1-4309ebfe754c",
"analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'df5c34dd-e1e6-4e07-90b1-4309ebfe754c')]",
"analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('df5c34dd-e1e6-4e07-90b1-4309ebfe754c')))]",
- "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','df5c34dd-e1e6-4e07-90b1-4309ebfe754c','-', '1.0.2')))]"
+ "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','df5c34dd-e1e6-4e07-90b1-4309ebfe754c','-', '1.0.3')))]"
},
"analyticRuleObject2": {
- "analyticRuleVersion2": "1.0.2",
+ "analyticRuleVersion2": "1.0.3",
"_analyticRulecontentId2": "236e872c-31d1-4b45-ac2a-fda3af465c97",
"analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '236e872c-31d1-4b45-ac2a-fda3af465c97')]",
"analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('236e872c-31d1-4b45-ac2a-fda3af465c97')))]",
- "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','236e872c-31d1-4b45-ac2a-fda3af465c97','-', '1.0.2')))]"
+ "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','236e872c-31d1-4b45-ac2a-fda3af465c97','-', '1.0.3')))]"
},
"analyticRuleObject3": {
- "analyticRuleVersion3": "1.0.2",
+ "analyticRuleVersion3": "1.0.3",
"_analyticRulecontentId3": "1399a9a5-6200-411e-8c34-ca5658754cf7",
"analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '1399a9a5-6200-411e-8c34-ca5658754cf7')]",
"analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('1399a9a5-6200-411e-8c34-ca5658754cf7')))]",
- "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','1399a9a5-6200-411e-8c34-ca5658754cf7','-', '1.0.2')))]"
+ "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','1399a9a5-6200-411e-8c34-ca5658754cf7','-', '1.0.3')))]"
},
"analyticRuleObject4": {
- "analyticRuleVersion4": "1.0.2",
+ "analyticRuleVersion4": "1.0.3",
"_analyticRulecontentId4": "dfdb9a73-4335-4bb4-b29b-eb713bce61a6",
"analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'dfdb9a73-4335-4bb4-b29b-eb713bce61a6')]",
"analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('dfdb9a73-4335-4bb4-b29b-eb713bce61a6')))]",
- "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','dfdb9a73-4335-4bb4-b29b-eb713bce61a6','-', '1.0.2')))]"
+ "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','dfdb9a73-4335-4bb4-b29b-eb713bce61a6','-', '1.0.3')))]"
},
"analyticRuleObject5": {
- "analyticRuleVersion5": "1.0.2",
+ "analyticRuleVersion5": "1.0.3",
"_analyticRulecontentId5": "53242559-95ea-4d4c-b003-107e8f06304b",
"analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '53242559-95ea-4d4c-b003-107e8f06304b')]",
"analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('53242559-95ea-4d4c-b003-107e8f06304b')))]",
- "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','53242559-95ea-4d4c-b003-107e8f06304b','-', '1.0.2')))]"
+ "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','53242559-95ea-4d4c-b003-107e8f06304b','-', '1.0.3')))]"
},
"analyticRuleObject6": {
- "analyticRuleVersion6": "1.0.2",
+ "analyticRuleVersion6": "1.0.3",
"_analyticRulecontentId6": "2e5158e1-9fc2-40ff-a909-c701a13a0405",
"analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '2e5158e1-9fc2-40ff-a909-c701a13a0405')]",
"analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('2e5158e1-9fc2-40ff-a909-c701a13a0405')))]",
- "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','2e5158e1-9fc2-40ff-a909-c701a13a0405','-', '1.0.2')))]"
+ "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','2e5158e1-9fc2-40ff-a909-c701a13a0405','-', '1.0.3')))]"
},
"analyticRuleObject7": {
- "analyticRuleVersion7": "1.0.2",
+ "analyticRuleVersion7": "1.0.3",
"_analyticRulecontentId7": "506291dd-8050-4c98-a92f-58e376080a0a",
"analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '506291dd-8050-4c98-a92f-58e376080a0a')]",
"analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('506291dd-8050-4c98-a92f-58e376080a0a')))]",
- "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','506291dd-8050-4c98-a92f-58e376080a0a','-', '1.0.2')))]"
+ "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','506291dd-8050-4c98-a92f-58e376080a0a','-', '1.0.3')))]"
},
"analyticRuleObject8": {
- "analyticRuleVersion8": "1.0.2",
+ "analyticRuleVersion8": "1.0.3",
"_analyticRulecontentId8": "ef0a253c-95b5-48e1-8ebc-dbeb073b9338",
"analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'ef0a253c-95b5-48e1-8ebc-dbeb073b9338')]",
"analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('ef0a253c-95b5-48e1-8ebc-dbeb073b9338')))]",
- "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','ef0a253c-95b5-48e1-8ebc-dbeb073b9338','-', '1.0.2')))]"
+ "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','ef0a253c-95b5-48e1-8ebc-dbeb073b9338','-', '1.0.3')))]"
},
"analyticRuleObject9": {
- "analyticRuleVersion9": "1.0.2",
+ "analyticRuleVersion9": "1.0.3",
"_analyticRulecontentId9": "9cb4a02d-3708-42ba-b33b-0fdd360ce4b6",
"analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9cb4a02d-3708-42ba-b33b-0fdd360ce4b6')]",
"analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('9cb4a02d-3708-42ba-b33b-0fdd360ce4b6')))]",
- "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','9cb4a02d-3708-42ba-b33b-0fdd360ce4b6','-', '1.0.2')))]"
+ "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','9cb4a02d-3708-42ba-b33b-0fdd360ce4b6','-', '1.0.3')))]"
},
"analyticRuleObject10": {
- "analyticRuleVersion10": "1.0.2",
+ "analyticRuleVersion10": "1.0.3",
"_analyticRulecontentId10": "f8ba18c4-81e3-4db0-8f85-4989f2ed2ade",
"analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'f8ba18c4-81e3-4db0-8f85-4989f2ed2ade')]",
"analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('f8ba18c4-81e3-4db0-8f85-4989f2ed2ade')))]",
- "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f8ba18c4-81e3-4db0-8f85-4989f2ed2ade','-', '1.0.2')))]"
+ "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f8ba18c4-81e3-4db0-8f85-4989f2ed2ade','-', '1.0.3')))]"
},
"analyticRuleObject11": {
- "analyticRuleVersion11": "1.0.2",
+ "analyticRuleVersion11": "1.0.3",
"_analyticRulecontentId11": "c66b8ced-8c76-415b-a0f3-08c7030a857d",
"analyticRuleId11": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'c66b8ced-8c76-415b-a0f3-08c7030a857d')]",
"analyticRuleTemplateSpecName11": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('c66b8ced-8c76-415b-a0f3-08c7030a857d')))]",
- "_analyticRulecontentProductId11": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','c66b8ced-8c76-415b-a0f3-08c7030a857d','-', '1.0.2')))]"
+ "_analyticRulecontentProductId11": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','c66b8ced-8c76-415b-a0f3-08c7030a857d','-', '1.0.3')))]"
},
"huntingQueryObject1": {
"huntingQueryVersion1": "1.0.0",
@@ -178,24 +178,6 @@
"parserVersion1": "1.0.0",
"parserContentId1": "CiscoSEGEvent-Parser"
},
- "uiConfigId1": "CiscoSEG",
- "_uiConfigId1": "[variables('uiConfigId1')]",
- "dataConnectorContentId1": "CiscoSEG",
- "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
- "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "_dataConnectorId1": "[variables('dataConnectorId1')]",
- "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
- "dataConnectorVersion1": "1.0.0",
- "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
- "uiConfigId2": "CiscoSEGAma",
- "_uiConfigId2": "[variables('uiConfigId2')]",
- "dataConnectorContentId2": "CiscoSEGAma",
- "_dataConnectorContentId2": "[variables('dataConnectorContentId2')]",
- "dataConnectorId2": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
- "_dataConnectorId2": "[variables('dataConnectorId2')]",
- "dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]",
- "dataConnectorVersion2": "1.0.0",
- "_dataConnectorcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]",
"workbookVersion1": "1.0.0",
"workbookContentId1": "CiscoSEGWorkbook",
"workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]",
@@ -215,7 +197,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "CiscoSEGDLPViolation_AnalyticalRules Analytics Rule with template version 3.0.3",
+ "description": "CiscoSEGDLPViolation_AnalyticalRules Analytics Rule with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@@ -242,18 +224,6 @@
"triggerThreshold": 0,
"status": "Available",
"requiredDataConnectors": [
- {
- "dataTypes": [
- "CiscoSEGEvent"
- ],
- "connectorId": "CiscoSEG"
- },
- {
- "dataTypes": [
- "CiscoSEGEvent"
- ],
- "connectorId": "CiscoSEGAma"
- },
{
"dataTypes": [
"CommonSecurityLog"
@@ -269,13 +239,13 @@
],
"entityMappings": [
{
+ "entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountCustomEntity",
"identifier": "Name"
}
- ],
- "entityType": "Account"
+ ]
}
]
}
@@ -331,7 +301,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "CiscoSEGMaliciousAttachmentNotBlocked_AnalyticalRules Analytics Rule with template version 3.0.3",
+ "description": "CiscoSEGMaliciousAttachmentNotBlocked_AnalyticalRules Analytics Rule with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
@@ -358,18 +328,6 @@
"triggerThreshold": 0,
"status": "Available",
"requiredDataConnectors": [
- {
- "dataTypes": [
- "CiscoSEGEvent"
- ],
- "connectorId": "CiscoSEG"
- },
- {
- "dataTypes": [
- "CiscoSEGEvent"
- ],
- "connectorId": "CiscoSEGAma"
- },
{
"dataTypes": [
"CommonSecurityLog"
@@ -385,13 +343,13 @@
],
"entityMappings": [
{
+ "entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountCustomEntity",
"identifier": "Name"
}
- ],
- "entityType": "Account"
+ ]
}
]
}
@@ -447,7 +405,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "CiscoSEGMultipleLargeEmails_AnalyticalRules Analytics Rule with template version 3.0.3",
+ "description": "CiscoSEGMultipleLargeEmails_AnalyticalRules Analytics Rule with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]",
@@ -474,18 +432,6 @@
"triggerThreshold": 0,
"status": "Available",
"requiredDataConnectors": [
- {
- "dataTypes": [
- "CiscoSEGEvent"
- ],
- "connectorId": "CiscoSEG"
- },
- {
- "dataTypes": [
- "CiscoSEGEvent"
- ],
- "connectorId": "CiscoSEGAma"
- },
{
"dataTypes": [
"CommonSecurityLog"
@@ -501,13 +447,13 @@
],
"entityMappings": [
{
+ "entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountCustomEntity",
"identifier": "Name"
}
- ],
- "entityType": "Account"
+ ]
}
]
}
@@ -563,7 +509,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "CiscoSEGMultipleSuspiciousEmails_AnalyticalRules Analytics Rule with template version 3.0.3",
+ "description": "CiscoSEGMultipleSuspiciousEmails_AnalyticalRules Analytics Rule with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]",
@@ -590,18 +536,6 @@
"triggerThreshold": 0,
"status": "Available",
"requiredDataConnectors": [
- {
- "dataTypes": [
- "CiscoSEGEvent"
- ],
- "connectorId": "CiscoSEG"
- },
- {
- "dataTypes": [
- "CiscoSEGEvent"
- ],
- "connectorId": "CiscoSEGAma"
- },
{
"dataTypes": [
"CommonSecurityLog"
@@ -617,13 +551,13 @@
],
"entityMappings": [
{
+ "entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountCustomEntity",
"identifier": "Name"
}
- ],
- "entityType": "Account"
+ ]
}
]
}
@@ -679,7 +613,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "CiscoSEGPossibleOutbreak_AnalyticalRules Analytics Rule with template version 3.0.3",
+ "description": "CiscoSEGPossibleOutbreak_AnalyticalRules Analytics Rule with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]",
@@ -706,18 +640,6 @@
"triggerThreshold": 0,
"status": "Available",
"requiredDataConnectors": [
- {
- "dataTypes": [
- "CiscoSEGEvent"
- ],
- "connectorId": "CiscoSEG"
- },
- {
- "dataTypes": [
- "CiscoSEGEvent"
- ],
- "connectorId": "CiscoSEGAma"
- },
{
"dataTypes": [
"CommonSecurityLog"
@@ -733,13 +655,13 @@
],
"entityMappings": [
{
+ "entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountCustomEntity",
"identifier": "Name"
}
- ],
- "entityType": "Account"
+ ]
}
]
}
@@ -795,7 +717,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "CiscoSEGPotentialLinkToMalwareDownload_AnalyticalRules Analytics Rule with template version 3.0.3",
+ "description": "CiscoSEGPotentialLinkToMalwareDownload_AnalyticalRules Analytics Rule with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]",
@@ -822,18 +744,6 @@
"triggerThreshold": 0,
"status": "Available",
"requiredDataConnectors": [
- {
- "dataTypes": [
- "CiscoSEGEvent"
- ],
- "connectorId": "CiscoSEG"
- },
- {
- "dataTypes": [
- "CiscoSEGEvent"
- ],
- "connectorId": "CiscoSEGAma"
- },
{
"dataTypes": [
"CommonSecurityLog"
@@ -849,13 +759,13 @@
],
"entityMappings": [
{
+ "entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountCustomEntity",
"identifier": "Name"
}
- ],
- "entityType": "Account"
+ ]
}
]
}
@@ -911,7 +821,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "CiscoSEGSuspiciousLink_AnalyticalRules Analytics Rule with template version 3.0.3",
+ "description": "CiscoSEGSuspiciousLink_AnalyticalRules Analytics Rule with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]",
@@ -938,18 +848,6 @@
"triggerThreshold": 0,
"status": "Available",
"requiredDataConnectors": [
- {
- "dataTypes": [
- "CiscoSEGEvent"
- ],
- "connectorId": "CiscoSEG"
- },
- {
- "dataTypes": [
- "CiscoSEGEvent"
- ],
- "connectorId": "CiscoSEGAma"
- },
{
"dataTypes": [
"CommonSecurityLog"
@@ -965,13 +863,13 @@
],
"entityMappings": [
{
+ "entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountCustomEntity",
"identifier": "Name"
}
- ],
- "entityType": "Account"
+ ]
}
]
}
@@ -1027,7 +925,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "CiscoSEGSuspiciousSenderDomain_AnalyticalRules Analytics Rule with template version 3.0.3",
+ "description": "CiscoSEGSuspiciousSenderDomain_AnalyticalRules Analytics Rule with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]",
@@ -1054,18 +952,6 @@
"triggerThreshold": 0,
"status": "Available",
"requiredDataConnectors": [
- {
- "dataTypes": [
- "CiscoSEGEvent"
- ],
- "connectorId": "CiscoSEG"
- },
- {
- "dataTypes": [
- "CiscoSEGEvent"
- ],
- "connectorId": "CiscoSEGAma"
- },
{
"dataTypes": [
"CommonSecurityLog"
@@ -1081,13 +967,13 @@
],
"entityMappings": [
{
+ "entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountCustomEntity",
"identifier": "Name"
}
- ],
- "entityType": "Account"
+ ]
}
]
}
@@ -1143,7 +1029,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "CiscoSEGUnclassifiedLink_AnalyticalRules Analytics Rule with template version 3.0.3",
+ "description": "CiscoSEGUnclassifiedLink_AnalyticalRules Analytics Rule with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]",
@@ -1170,18 +1056,6 @@
"triggerThreshold": 0,
"status": "Available",
"requiredDataConnectors": [
- {
- "dataTypes": [
- "CiscoSEGEvent"
- ],
- "connectorId": "CiscoSEG"
- },
- {
- "dataTypes": [
- "CiscoSEGEvent"
- ],
- "connectorId": "CiscoSEGAma"
- },
{
"dataTypes": [
"CommonSecurityLog"
@@ -1197,13 +1071,13 @@
],
"entityMappings": [
{
+ "entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountCustomEntity",
"identifier": "Name"
}
- ],
- "entityType": "Account"
+ ]
}
]
}
@@ -1259,7 +1133,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "CiscoSEGUnexpextedAttachment_AnalyticalRules Analytics Rule with template version 3.0.3",
+ "description": "CiscoSEGUnexpextedAttachment_AnalyticalRules Analytics Rule with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]",
@@ -1286,18 +1160,6 @@
"triggerThreshold": 0,
"status": "Available",
"requiredDataConnectors": [
- {
- "dataTypes": [
- "CiscoSEGEvent"
- ],
- "connectorId": "CiscoSEG"
- },
- {
- "dataTypes": [
- "CiscoSEGEvent"
- ],
- "connectorId": "CiscoSEGAma"
- },
{
"dataTypes": [
"CommonSecurityLog"
@@ -1313,13 +1175,13 @@
],
"entityMappings": [
{
+ "entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountCustomEntity",
"identifier": "Name"
}
- ],
- "entityType": "Account"
+ ]
}
]
}
@@ -1375,7 +1237,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "CiscoSEGUnscannableAttachment_AnalyticalRules Analytics Rule with template version 3.0.3",
+ "description": "CiscoSEGUnscannableAttachment_AnalyticalRules Analytics Rule with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject11').analyticRuleVersion11]",
@@ -1402,18 +1264,6 @@
"triggerThreshold": 0,
"status": "Available",
"requiredDataConnectors": [
- {
- "dataTypes": [
- "CiscoSEGEvent"
- ],
- "connectorId": "CiscoSEG"
- },
- {
- "dataTypes": [
- "CiscoSEGEvent"
- ],
- "connectorId": "CiscoSEGAma"
- },
{
"dataTypes": [
"CommonSecurityLog"
@@ -1429,13 +1279,13 @@
],
"entityMappings": [
{
+ "entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountCustomEntity",
"identifier": "Name"
}
- ],
- "entityType": "Account"
+ ]
}
]
}
@@ -1491,7 +1341,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "CiscoSEGDroppedInMails_HuntingQueries Hunting Query with template version 3.0.3",
+ "description": "CiscoSEGDroppedInMails_HuntingQueries Hunting Query with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]",
@@ -1576,7 +1426,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "CiscoSEGDroppedOutMails_HuntingQueries Hunting Query with template version 3.0.3",
+ "description": "CiscoSEGDroppedOutMails_HuntingQueries Hunting Query with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]",
@@ -1661,7 +1511,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "CiscoSEGFailedDKIMFailure_HuntingQueries Hunting Query with template version 3.0.3",
+ "description": "CiscoSEGFailedDKIMFailure_HuntingQueries Hunting Query with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]",
@@ -1746,7 +1596,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "CiscoSEGFailedDMARKFailure_HuntingQueries Hunting Query with template version 3.0.3",
+ "description": "CiscoSEGFailedDMARKFailure_HuntingQueries Hunting Query with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]",
@@ -1831,7 +1681,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "CiscoSEGFailedSPFFailure_HuntingQueries Hunting Query with template version 3.0.3",
+ "description": "CiscoSEGFailedSPFFailure_HuntingQueries Hunting Query with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]",
@@ -1916,7 +1766,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "CiscoSEGFailedTLSIn_HuntingQueries Hunting Query with template version 3.0.3",
+ "description": "CiscoSEGFailedTLSIn_HuntingQueries Hunting Query with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]",
@@ -2001,7 +1851,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "CiscoSEGFailedTLSOut_HuntingQueries Hunting Query with template version 3.0.3",
+ "description": "CiscoSEGFailedTLSOut_HuntingQueries Hunting Query with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]",
@@ -2086,7 +1936,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "CiscoSEGInsecureProtocol_HuntingQueries Hunting Query with template version 3.0.3",
+ "description": "CiscoSEGInsecureProtocol_HuntingQueries Hunting Query with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject8').huntingQueryVersion8]",
@@ -2171,7 +2021,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "CiscoSEGSpamMails_HuntingQueries Hunting Query with template version 3.0.3",
+ "description": "CiscoSEGSpamMails_HuntingQueries Hunting Query with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject9').huntingQueryVersion9]",
@@ -2256,7 +2106,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "CiscoSEGUsersReceivedSpam_HuntingQueries Hunting Query with template version 3.0.3",
+ "description": "CiscoSEGUsersReceivedSpam_HuntingQueries Hunting Query with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject10').huntingQueryVersion10]",
@@ -2341,7 +2191,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "CiscoSEGEvent Data Parser with template version 3.0.3",
+ "description": "CiscoSEGEvent Data Parser with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserObject1').parserVersion1]",
@@ -2464,678 +2314,6 @@
}
}
},
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
- "apiVersion": "2023-04-01-preview",
- "name": "[variables('dataConnectorTemplateSpecName1')]",
- "location": "[parameters('workspace-location')]",
- "dependsOn": [
- "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
- ],
- "properties": {
- "description": "CiscoSEG data connector with template version 3.0.3",
- "mainTemplate": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('dataConnectorVersion1')]",
- "parameters": {},
- "variables": {},
- "resources": [
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
- "properties": {
- "connectorUiConfig": {
- "id": "[variables('_uiConfigId1')]",
- "title": "[Deprecated] Cisco Secure Email Gateway via Legacy Agent",
- "publisher": "Cisco",
- "descriptionMarkdown": "The [Cisco Secure Email Gateway (SEG)](https://www.cisco.com/c/en/us/products/security/email-security/index.html) data connector provides the capability to ingest [Cisco SEG Consolidated Event Logs](https://www.cisco.com/c/en/us/td/docs/security/esa/esa14-0/user_guide/b_ESA_Admin_Guide_14-0/b_ESA_Admin_Guide_12_1_chapter_0100111.html#con_1061902) into Microsoft Sentinel.",
- "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**CiscoSEGEvent**](https://aka.ms/sentinel-CiscoSEG-parser) which is deployed with the Microsoft Sentinel Solution.",
- "graphQueries": [
- {
- "metricName": "Total data received",
- "legend": "CiscoSEG",
- "baseQuery": "CiscoSEGEvent"
- }
- ],
- "sampleQueries": [
- {
- "description": "Top 10 Senders",
- "query": "CiscoSEGEvent\n | where isnotempty(SrcUserName)\n | summarize count() by SrcUserName\n | top 10 by count_"
- }
- ],
- "dataTypes": [
- {
- "name": "CommonSecurityLog (CiscoSEG)",
- "lastDataReceivedQuery": "CiscoSEGEvent\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "CiscoSEGEvent\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(3d)"
- ]
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "write": true,
- "read": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ]
- },
- "instructionSteps": [
- {
- "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**CiscoSEGEvent**](https://aka.ms/sentinel-CiscoSEG-parser) which is deployed with the Microsoft Sentinel Solution."
- },
- {
- "description": ">**NOTE:** This data connector has been developed using AsyncOS 14.0 for Cisco Secure Email Gateway"
- },
- {
- "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
- "innerSteps": [
- {
- "title": "1.1 Select or create a Linux machine",
- "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds."
- },
- {
- "title": "1.2 Install the CEF collector on the Linux machine",
- "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId",
- "PrimaryKey"
- ],
- "label": "Run the following command to install and apply the CEF collector:",
- "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}"
- },
- "type": "CopyableLabel"
- }
- ]
- }
- ],
- "title": "1. Linux Syslog agent configuration"
- },
- {
- "description": "Follow these steps to configure Cisco Secure Email Gateway to forward logs via syslog:\n\n2.1. Configure [Log Subscription](https://www.cisco.com/c/en/us/td/docs/security/esa/esa14-0/user_guide/b_ESA_Admin_Guide_14-0/b_ESA_Admin_Guide_12_1_chapter_0100111.html#con_1134718)\n\n>**NOTE:** Select **Consolidated Event Logs** in Log Type field.",
- "title": "2. Forward Common Event Format (CEF) logs to Syslog agent"
- },
- {
- "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId"
- ],
- "label": "Run the following command to validate your connectivity:",
- "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}"
- },
- "type": "CopyableLabel"
- }
- ],
- "title": "3. Validate connection"
- },
- {
- "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
- "title": "4. Secure your machine "
- }
- ]
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion1')]",
- "source": {
- "kind": "Solution",
- "name": "CiscoSEG",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft",
- "email": "[variables('_email')]"
- },
- "support": {
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "tier": "Microsoft",
- "link": "https://support.microsoft.com"
- }
- }
- }
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "contentKind": "DataConnector",
- "displayName": "[Deprecated] Cisco Secure Email Gateway via Legacy Agent",
- "contentProductId": "[variables('_dataConnectorcontentProductId1')]",
- "id": "[variables('_dataConnectorcontentProductId1')]",
- "version": "[variables('dataConnectorVersion1')]"
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
- "dependsOn": [
- "[variables('_dataConnectorId1')]"
- ],
- "location": "[parameters('workspace-location')]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion1')]",
- "source": {
- "kind": "Solution",
- "name": "CiscoSEG",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft",
- "email": "[variables('_email')]"
- },
- "support": {
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "tier": "Microsoft",
- "link": "https://support.microsoft.com"
- }
- }
- },
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
- "properties": {
- "connectorUiConfig": {
- "title": "[Deprecated] Cisco Secure Email Gateway via Legacy Agent",
- "publisher": "Cisco",
- "descriptionMarkdown": "The [Cisco Secure Email Gateway (SEG)](https://www.cisco.com/c/en/us/products/security/email-security/index.html) data connector provides the capability to ingest [Cisco SEG Consolidated Event Logs](https://www.cisco.com/c/en/us/td/docs/security/esa/esa14-0/user_guide/b_ESA_Admin_Guide_14-0/b_ESA_Admin_Guide_12_1_chapter_0100111.html#con_1061902) into Microsoft Sentinel.",
- "graphQueries": [
- {
- "metricName": "Total data received",
- "legend": "CiscoSEG",
- "baseQuery": "CiscoSEGEvent"
- }
- ],
- "dataTypes": [
- {
- "name": "CommonSecurityLog (CiscoSEG)",
- "lastDataReceivedQuery": "CiscoSEGEvent\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "CiscoSEGEvent\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(3d)"
- ]
- }
- ],
- "sampleQueries": [
- {
- "description": "Top 10 Senders",
- "query": "CiscoSEGEvent\n | where isnotempty(SrcUserName)\n | summarize count() by SrcUserName\n | top 10 by count_"
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "write": true,
- "read": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ]
- },
- "instructionSteps": [
- {
- "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**CiscoSEGEvent**](https://aka.ms/sentinel-CiscoSEG-parser) which is deployed with the Microsoft Sentinel Solution."
- },
- {
- "description": ">**NOTE:** This data connector has been developed using AsyncOS 14.0 for Cisco Secure Email Gateway"
- },
- {
- "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
- "innerSteps": [
- {
- "title": "1.1 Select or create a Linux machine",
- "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds."
- },
- {
- "title": "1.2 Install the CEF collector on the Linux machine",
- "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId",
- "PrimaryKey"
- ],
- "label": "Run the following command to install and apply the CEF collector:",
- "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}"
- },
- "type": "CopyableLabel"
- }
- ]
- }
- ],
- "title": "1. Linux Syslog agent configuration"
- },
- {
- "description": "Follow these steps to configure Cisco Secure Email Gateway to forward logs via syslog:\n\n2.1. Configure [Log Subscription](https://www.cisco.com/c/en/us/td/docs/security/esa/esa14-0/user_guide/b_ESA_Admin_Guide_14-0/b_ESA_Admin_Guide_12_1_chapter_0100111.html#con_1134718)\n\n>**NOTE:** Select **Consolidated Event Logs** in Log Type field.",
- "title": "2. Forward Common Event Format (CEF) logs to Syslog agent"
- },
- {
- "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId"
- ],
- "label": "Run the following command to validate your connectivity:",
- "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}"
- },
- "type": "CopyableLabel"
- }
- ],
- "title": "3. Validate connection"
- },
- {
- "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
- "title": "4. Secure your machine "
- }
- ],
- "id": "[variables('_uiConfigId1')]",
- "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**CiscoSEGEvent**](https://aka.ms/sentinel-CiscoSEG-parser) which is deployed with the Microsoft Sentinel Solution."
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
- "apiVersion": "2023-04-01-preview",
- "name": "[variables('dataConnectorTemplateSpecName2')]",
- "location": "[parameters('workspace-location')]",
- "dependsOn": [
- "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
- ],
- "properties": {
- "description": "CiscoSEG data connector with template version 3.0.3",
- "mainTemplate": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('dataConnectorVersion2')]",
- "parameters": {},
- "variables": {},
- "resources": [
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
- "properties": {
- "connectorUiConfig": {
- "id": "[variables('_uiConfigId2')]",
- "title": "[Deprecated] Cisco Secure Email Gateway via AMA",
- "publisher": "Cisco",
- "descriptionMarkdown": "The [Cisco Secure Email Gateway (SEG)](https://www.cisco.com/c/en/us/products/security/email-security/index.html) data connector provides the capability to ingest [Cisco SEG Consolidated Event Logs](https://www.cisco.com/c/en/us/td/docs/security/esa/esa14-0/user_guide/b_ESA_Admin_Guide_14-0/b_ESA_Admin_Guide_12_1_chapter_0100111.html#con_1061902) into Microsoft Sentinel.",
- "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**CiscoSEGEvent**](https://aka.ms/sentinel-CiscoSEG-parser) which is deployed with the Microsoft Sentinel Solution.",
- "graphQueries": [
- {
- "metricName": "Total data received",
- "legend": "CiscoSEG",
- "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Cisco'\n |where DeviceProduct =~ 'ESA_CONSOLIDATED_LOG_EVENT'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)"
- }
- ],
- "sampleQueries": [
- {
- "description": "Top 10 Senders",
- "query": "CiscoSEGEvent\n | where isnotempty(SrcUserName)\n | summarize count() by SrcUserName\n | top 10 by count_"
- }
- ],
- "dataTypes": [
- {
- "name": "CommonSecurityLog (CiscoSEG)",
- "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Cisco'\n |where DeviceProduct =~ 'ESA_CONSOLIDATED_LOG_EVENT'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "CommonSecurityLog\n |where DeviceVendor =~ 'Cisco'\n |where DeviceProduct =~ 'ESA_CONSOLIDATED_LOG_EVENT'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(3d)"
- ]
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "write": true,
- "read": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ],
- "customs": [
- {
- "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
- },
- {
- "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)"
- }
- ]
- },
- "instructionSteps": [
- {
- "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**CiscoSEGEvent**](https://aka.ms/sentinel-CiscoSEG-parser) which is deployed with the Microsoft Sentinel Solution.",
- "instructions": [
- {
- "parameters": {
- "title": "1. Kindly follow the steps to configure the data connector",
- "instructionSteps": [
- {
- "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector",
- "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine"
- },
- {
- "title": "Step B. Forward Common Event Format (CEF) logs to Syslog agent",
- "description": "Follow these steps to configure Cisco Secure Email Gateway to forward logs via syslog:\n\n Configure [Log Subscription](https://www.cisco.com/c/en/us/td/docs/security/esa/esa14-0/user_guide/b_ESA_Admin_Guide_14-0/b_ESA_Admin_Guide_12_1_chapter_0100111.html#con_1134718)\n\n>**NOTE:** Select **Consolidated Event Logs** in Log Type field."
- },
- {
- "title": "Step C. Validate connection",
- "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine",
- "instructions": [
- {
- "parameters": {
- "label": "Run the following command to validate your connectivity:",
- "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef"
- },
- "type": "CopyableLabel"
- }
- ]
- }
- ]
- },
- "type": "InstructionStepsGroup"
- }
- ]
- },
- {
- "description": "2Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
- "title": "2. Secure your machine "
- }
- ]
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
- "contentId": "[variables('_dataConnectorContentId2')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion2')]",
- "source": {
- "kind": "Solution",
- "name": "CiscoSEG",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft",
- "email": "[variables('_email')]"
- },
- "support": {
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "tier": "Microsoft",
- "link": "https://support.microsoft.com"
- }
- }
- }
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_dataConnectorContentId2')]",
- "contentKind": "DataConnector",
- "displayName": "[Deprecated] Cisco Secure Email Gateway via AMA",
- "contentProductId": "[variables('_dataConnectorcontentProductId2')]",
- "id": "[variables('_dataConnectorcontentProductId2')]",
- "version": "[variables('dataConnectorVersion2')]"
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]",
- "dependsOn": [
- "[variables('_dataConnectorId2')]"
- ],
- "location": "[parameters('workspace-location')]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
- "contentId": "[variables('_dataConnectorContentId2')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion2')]",
- "source": {
- "kind": "Solution",
- "name": "CiscoSEG",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft",
- "email": "[variables('_email')]"
- },
- "support": {
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "tier": "Microsoft",
- "link": "https://support.microsoft.com"
- }
- }
- },
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
- "properties": {
- "connectorUiConfig": {
- "title": "[Deprecated] Cisco Secure Email Gateway via AMA",
- "publisher": "Cisco",
- "descriptionMarkdown": "The [Cisco Secure Email Gateway (SEG)](https://www.cisco.com/c/en/us/products/security/email-security/index.html) data connector provides the capability to ingest [Cisco SEG Consolidated Event Logs](https://www.cisco.com/c/en/us/td/docs/security/esa/esa14-0/user_guide/b_ESA_Admin_Guide_14-0/b_ESA_Admin_Guide_12_1_chapter_0100111.html#con_1061902) into Microsoft Sentinel.",
- "graphQueries": [
- {
- "metricName": "Total data received",
- "legend": "CiscoSEG",
- "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Cisco'\n |where DeviceProduct =~ 'ESA_CONSOLIDATED_LOG_EVENT'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)"
- }
- ],
- "dataTypes": [
- {
- "name": "CommonSecurityLog (CiscoSEG)",
- "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Cisco'\n |where DeviceProduct =~ 'ESA_CONSOLIDATED_LOG_EVENT'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "CommonSecurityLog\n |where DeviceVendor =~ 'Cisco'\n |where DeviceProduct =~ 'ESA_CONSOLIDATED_LOG_EVENT'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(3d)"
- ]
- }
- ],
- "sampleQueries": [
- {
- "description": "Top 10 Senders",
- "query": "CiscoSEGEvent\n | where isnotempty(SrcUserName)\n | summarize count() by SrcUserName\n | top 10 by count_"
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "write": true,
- "read": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ],
- "customs": [
- {
- "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
- },
- {
- "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)"
- }
- ]
- },
- "instructionSteps": [
- {
- "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**CiscoSEGEvent**](https://aka.ms/sentinel-CiscoSEG-parser) which is deployed with the Microsoft Sentinel Solution.",
- "instructions": [
- {
- "parameters": {
- "title": "1. Kindly follow the steps to configure the data connector",
- "instructionSteps": [
- {
- "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector",
- "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine"
- },
- {
- "title": "Step B. Forward Common Event Format (CEF) logs to Syslog agent",
- "description": "Follow these steps to configure Cisco Secure Email Gateway to forward logs via syslog:\n\n Configure [Log Subscription](https://www.cisco.com/c/en/us/td/docs/security/esa/esa14-0/user_guide/b_ESA_Admin_Guide_14-0/b_ESA_Admin_Guide_12_1_chapter_0100111.html#con_1134718)\n\n>**NOTE:** Select **Consolidated Event Logs** in Log Type field."
- },
- {
- "title": "Step C. Validate connection",
- "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine",
- "instructions": [
- {
- "parameters": {
- "label": "Run the following command to validate your connectivity:",
- "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef"
- },
- "type": "CopyableLabel"
- }
- ]
- }
- ]
- },
- "type": "InstructionStepsGroup"
- }
- ]
- },
- {
- "description": "2Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
- "title": "2. Secure your machine "
- }
- ],
- "id": "[variables('_uiConfigId2')]",
- "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**CiscoSEGEvent**](https://aka.ms/sentinel-CiscoSEG-parser) which is deployed with the Microsoft Sentinel Solution."
- }
- }
- },
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
@@ -3145,7 +2323,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "CiscoSEG Workbook with template version 3.0.3",
+ "description": "CiscoSEG Workbook with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion1')]",
@@ -3202,11 +2380,7 @@
"kind": "DataType"
},
{
- "contentId": "CiscoSEG",
- "kind": "DataConnector"
- },
- {
- "contentId": "CiscoSEGAma",
+ "contentId": "CefAma",
"kind": "DataConnector"
}
]
@@ -3233,12 +2407,12 @@
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
- "version": "3.0.3",
+ "version": "3.0.4",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "CiscoSEG",
"publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation",
- "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Cisco Secure Email Gateway (SEG) solution provides the capability to ingest Cisco SEG Consolidated Event Logs into Microsoft Sentinel.
\n\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.
\nNOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.
\nData Connectors: 2, Parsers: 1, Workbooks: 1, Analytic Rules: 11, Hunting Queries: 10
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n", + "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Cisco Secure Email Gateway (SEG) solution provides the capability to ingest Cisco SEG Consolidated Event Logs into Microsoft Sentinel.
\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.
\nNOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.
\nParsers: 1, Workbooks: 1, Analytic Rules: 11, Hunting Queries: 10
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -3372,16 +2546,6 @@ "contentId": "[variables('parserObject1').parserContentId1]", "version": "[variables('parserObject1').parserVersion1]" }, - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId1')]", - "version": "[variables('dataConnectorVersion1')]" - }, - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId2')]", - "version": "[variables('dataConnectorVersion2')]" - }, { "kind": "Workbook", "contentId": "[variables('_workbookContentId1')]", diff --git a/Solutions/CiscoSEG/ReleaseNotes.md b/Solutions/CiscoSEG/ReleaseNotes.md index f42f3649670..fb57a6e0dc4 100644 --- a/Solutions/CiscoSEG/ReleaseNotes.md +++ b/Solutions/CiscoSEG/ReleaseNotes.md @@ -1,5 +1,6 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|--------------------------------------------------------------------| +| 3.0.4 | 14-11-2024 | Removed Deprecated **Data Connector** | | 3.0.3 | 08-07-2024 | Deprecated **Data Connector** | | 3.0.2 | 03-05-2024 | Repackaged for parser issue fix on reinstall | | 3.0.1 | 30-04-2024 | Updated the **Data Connector** to fix conectivity criteria query | diff --git a/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneAttackDiscoveryDetectionRisks.yaml b/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneAttackDiscoveryDetectionRisks.yaml index e6f783f5f8b..7e547e14b1a 100644 --- a/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneAttackDiscoveryDetectionRisks.yaml +++ b/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneAttackDiscoveryDetectionRisks.yaml @@ -5,12 +5,6 @@ description: | severity: High status: Available requiredDataConnectors: - - connectorId: TrendMicroApexOne - dataTypes: - - TMApexOneEvent - - connectorId: TrendMicroApexOneAma - dataTypes: - - TMApexOneEvent - connectorId: CefAma dataTypes: - CommonSecurityLog @@ -35,5 +29,5 @@ entityMappings: fieldMappings: - identifier: Name columnName: AccountCustomEntity -version: 1.0.2 +version: 1.0.3 kind: Scheduled diff --git a/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneCommandLineSuspiciousRequests.yaml b/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneCommandLineSuspiciousRequests.yaml index fcdaea809e2..15563a7af98 100644 --- a/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneCommandLineSuspiciousRequests.yaml +++ b/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneCommandLineSuspiciousRequests.yaml @@ -5,12 +5,6 @@ description: | severity: High status: Available requiredDataConnectors: - - connectorId: TrendMicroApexOne - dataTypes: - - TMApexOneEvent - - connectorId: TrendMicroApexOneAma - dataTypes: - - TMApexOneEvent - connectorId: CefAma dataTypes: - CommonSecurityLog @@ -36,5 +30,5 @@ entityMappings: fieldMappings: - identifier: Name columnName: AccountCustomEntity -version: 1.0.2 +version: 1.0.3 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneCommandsInRequest.yaml b/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneCommandsInRequest.yaml index 2375d421a81..9720adb5f1c 100644 --- a/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneCommandsInRequest.yaml +++ b/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneCommandsInRequest.yaml @@ -5,12 +5,6 @@ description: | severity: High status: Available requiredDataConnectors: - - connectorId: TrendMicroApexOne - dataTypes: - - TMApexOneEvent - - connectorId: TrendMicroApexOneAma - dataTypes: - - TMApexOneEvent - connectorId: CefAma dataTypes: - CommonSecurityLog @@ -33,5 +27,5 @@ entityMappings: fieldMappings: - identifier: Url columnName: UrlCustomEntity -version: 1.0.2 +version: 1.0.3 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneDvcAccessPermissionWasChanged.yaml b/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneDvcAccessPermissionWasChanged.yaml index 0a4e583b3b3..720670bde50 100644 --- a/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneDvcAccessPermissionWasChanged.yaml +++ b/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneDvcAccessPermissionWasChanged.yaml @@ -5,12 +5,6 @@ description: | severity: Medium status: Available requiredDataConnectors: - - connectorId: TrendMicroApexOne - dataTypes: - - TMApexOneEvent - - connectorId: TrendMicroApexOneAma - dataTypes: - - TMApexOneEvent - connectorId: CefAma dataTypes: - CommonSecurityLog @@ -48,5 +42,5 @@ entityMappings: fieldMappings: - identifier: Name columnName: AccountCustomEntity -version: 1.0.3 +version: 1.0.4 kind: Scheduled diff --git a/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneInboundRemoteAccess.yaml b/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneInboundRemoteAccess.yaml index a9e68ad7396..ccc31b3d9b0 100644 --- a/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneInboundRemoteAccess.yaml +++ b/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneInboundRemoteAccess.yaml @@ -5,12 +5,6 @@ description: | severity: High status: Available requiredDataConnectors: - - connectorId: TrendMicroApexOne - dataTypes: - - TMApexOneEvent - - connectorId: TrendMicroApexOneAma - dataTypes: - - TMApexOneEvent - connectorId: CefAma dataTypes: - CommonSecurityLog @@ -37,5 +31,5 @@ entityMappings: fieldMappings: - identifier: Name columnName: AccountCustomEntity -version: 1.0.2 +version: 1.0.3 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneMultipleDenyOrTerminateActionOnSingleIp.yaml b/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneMultipleDenyOrTerminateActionOnSingleIp.yaml index e1190923179..51793e8822c 100644 --- a/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneMultipleDenyOrTerminateActionOnSingleIp.yaml +++ b/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneMultipleDenyOrTerminateActionOnSingleIp.yaml @@ -5,12 +5,6 @@ description: | severity: High status: Available requiredDataConnectors: - - connectorId: TrendMicroApexOne - dataTypes: - - TMApexOneEvent - - connectorId: TrendMicroApexOneAma - dataTypes: - - TMApexOneEvent - connectorId: CefAma dataTypes: - CommonSecurityLog @@ -35,5 +29,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: IPCustomEntity -version: 1.0.2 +version: 1.0.3 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOnePossibleExploitOrExecuteOperation.yaml b/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOnePossibleExploitOrExecuteOperation.yaml index ba043f4baf4..213d8f95187 100644 --- a/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOnePossibleExploitOrExecuteOperation.yaml +++ b/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOnePossibleExploitOrExecuteOperation.yaml @@ -5,12 +5,6 @@ description: | severity: High status: Available requiredDataConnectors: - - connectorId: TrendMicroApexOne - dataTypes: - - TMApexOneEvent - - connectorId: TrendMicroApexOneAma - dataTypes: - - TMApexOneEvent - connectorId: CefAma dataTypes: - CommonSecurityLog @@ -38,5 +32,5 @@ entityMappings: fieldMappings: - identifier: Name columnName: AccountCustomEntity -version: 1.0.4 +version: 1.0.5 kind: Scheduled diff --git a/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneRiskCnCEvents.yaml b/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneRiskCnCEvents.yaml index 1ab43031a40..1ade51e3958 100644 --- a/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneRiskCnCEvents.yaml +++ b/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneRiskCnCEvents.yaml @@ -5,12 +5,6 @@ description: | severity: High status: Available requiredDataConnectors: - - connectorId: TrendMicroApexOne - dataTypes: - - TMApexOneEvent - - connectorId: TrendMicroApexOneAma - dataTypes: - - TMApexOneEvent - connectorId: CefAma dataTypes: - CommonSecurityLog @@ -35,5 +29,5 @@ entityMappings: fieldMappings: - identifier: Name columnName: AccountCustomEntity -version: 1.0.2 +version: 1.0.3 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneSpywareWithFailedResponse.yaml b/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneSpywareWithFailedResponse.yaml index 50300d50e41..6f438ccc076 100644 --- a/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneSpywareWithFailedResponse.yaml +++ b/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneSpywareWithFailedResponse.yaml @@ -5,12 +5,6 @@ description: | severity: High status: Available requiredDataConnectors: - - connectorId: TrendMicroApexOne - dataTypes: - - TMApexOneEvent - - connectorId: TrendMicroApexOneAma - dataTypes: - - TMApexOneEvent - connectorId: CefAma dataTypes: - CommonSecurityLog @@ -36,5 +30,5 @@ entityMappings: fieldMappings: - identifier: Name columnName: AccountCustomEntity -version: 1.0.2 +version: 1.0.3 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneSuspiciousConnections.yaml b/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneSuspiciousConnections.yaml index 66e29f85fd5..ee23f578fe6 100644 --- a/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneSuspiciousConnections.yaml +++ b/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneSuspiciousConnections.yaml @@ -5,12 +5,6 @@ description: | severity: High status: Available requiredDataConnectors: - - connectorId: TrendMicroApexOne - dataTypes: - - TMApexOneEvent - - connectorId: TrendMicroApexOneAma - dataTypes: - - TMApexOneEvent - connectorId: CefAma dataTypes: - CommonSecurityLog @@ -37,5 +31,5 @@ entityMappings: fieldMappings: - identifier: Name columnName: AccountCustomEntity -version: 1.0.2 +version: 1.0.3 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Trend Micro Apex One/Data/Solution_Trend Micro Apex One.json b/Solutions/Trend Micro Apex One/Data/Solution_Trend Micro Apex One.json index 4317f743ca3..05e5298b873 100644 --- a/Solutions/Trend Micro Apex One/Data/Solution_Trend Micro Apex One.json +++ b/Solutions/Trend Micro Apex One/Data/Solution_Trend Micro Apex One.json @@ -3,10 +3,6 @@ "Author": "Microsoft - support@microsoft.com", "Logo": "![](\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Trend_Micro_Logo.svg\"){kind=logo}
",
"Description": "The [Trend Micro Apex One](https://www.trendmicro.com/business/products/user-protection/sps/endpoint.htmlhttps:/www.trendmicro.com/business/products/user-protection/sps/endpoint.html) solution for Microsoft Sentinel enables ingestion of [Trend Micro Apex One events](https://aka.ms/sentinel-TrendMicroApex-OneEvents) into Microsoft Sentinel. Refer to [Trend Micro Apex Central](https://aka.ms/sentinel-TrendMicroApex-OneCentral) for more information. \n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.",
- "Data Connectors": [
- "Data Connectors/TrendMicro_ApexOne.json",
- "Data Connectors/template_TrendMicro_ApexOneAMA.json"
- ],
"Parsers": [
"Parsers/TMApexOneEvent.yaml"
],
@@ -41,7 +37,7 @@
"azuresentinel.azure-sentinel-solution-commoneventformat"
],
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Trend Micro Apex One",
- "Version": "3.0.2",
+ "Version": "3.0.3",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1PConnector": false
diff --git a/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneBehaviorMonitoringTranslatedAction.yaml b/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneBehaviorMonitoringTranslatedAction.yaml
index 11dfd2adb27..63984fcf12b 100644
--- a/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneBehaviorMonitoringTranslatedAction.yaml
+++ b/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneBehaviorMonitoringTranslatedAction.yaml
@@ -4,12 +4,6 @@ description: |
'Shows behavior monitoring actions taken for files.'
severity: Medium
requiredDataConnectors:
- - connectorId: TrendMicroApexOne
- dataTypes:
- - TMApexOneEvent
- - connectorId: TrendMicroApexOneAma
- dataTypes:
- - TMApexOneEvent
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
diff --git a/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneBehaviorMonitoringTranslatedOperation.yaml b/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneBehaviorMonitoringTranslatedOperation.yaml
index 691215e84d2..0e947a419cc 100644
--- a/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneBehaviorMonitoringTranslatedOperation.yaml
+++ b/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneBehaviorMonitoringTranslatedOperation.yaml
@@ -4,12 +4,6 @@ description: |
'Shows behavior monitoring operations by users.'
severity: Medium
requiredDataConnectors:
- - connectorId: TrendMicroApexOne
- dataTypes:
- - TMApexOneEvent
- - connectorId: TrendMicroApexOneAma
- dataTypes:
- - TMApexOneEvent
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
diff --git a/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneBehaviorMonitoringTriggeredPolicy.yaml b/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneBehaviorMonitoringTriggeredPolicy.yaml
index 2e70ec9df21..a621188e72f 100644
--- a/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneBehaviorMonitoringTriggeredPolicy.yaml
+++ b/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneBehaviorMonitoringTriggeredPolicy.yaml
@@ -4,12 +4,6 @@ description: |
'Shows behavior monitoring triggered policy by command line.'
severity: Medium
requiredDataConnectors:
- - connectorId: TrendMicroApexOne
- dataTypes:
- - TMApexOneEvent
- - connectorId: TrendMicroApexOneAma
- dataTypes:
- - TMApexOneEvent
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
diff --git a/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneBehaviorMonitoringTypesOfEvent.yaml b/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneBehaviorMonitoringTypesOfEvent.yaml
index 9c594156b93..f54950e7ced 100644
--- a/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneBehaviorMonitoringTypesOfEvent.yaml
+++ b/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneBehaviorMonitoringTypesOfEvent.yaml
@@ -4,12 +4,6 @@ description: |
'Shows behavior monitoring event types.'
severity: Medium
requiredDataConnectors:
- - connectorId: TrendMicroApexOne
- dataTypes:
- - TMApexOneEvent
- - connectorId: TrendMicroApexOneAma
- dataTypes:
- - TMApexOneEvent
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
diff --git a/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneChannelType.yaml b/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneChannelType.yaml
index 021d74ebd03..55dc3da2cf8 100644
--- a/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneChannelType.yaml
+++ b/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneChannelType.yaml
@@ -4,12 +4,6 @@ description: |
'Shows channel type.'
severity: Medium
requiredDataConnectors:
- - connectorId: TrendMicroApexOne
- dataTypes:
- - TMApexOneEvent
- - connectorId: TrendMicroApexOneAma
- dataTypes:
- - TMApexOneEvent
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
diff --git a/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneDataLossPreventionAction.yaml b/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneDataLossPreventionAction.yaml
index a3e5cf19239..dba0850056a 100644
--- a/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneDataLossPreventionAction.yaml
+++ b/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneDataLossPreventionAction.yaml
@@ -4,12 +4,6 @@ description: |
'Shows data loss prevention action by IP address.'
severity: Medium
requiredDataConnectors:
- - connectorId: TrendMicroApexOne
- dataTypes:
- - TMApexOneEvent
- - connectorId: TrendMicroApexOneAma
- dataTypes:
- - TMApexOneEvent
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
diff --git a/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneRareAppProtocolByIP.yaml b/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneRareAppProtocolByIP.yaml
index dfb19b5b475..c486e0d2a57 100644
--- a/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneRareAppProtocolByIP.yaml
+++ b/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneRareAppProtocolByIP.yaml
@@ -4,12 +4,6 @@ description: |
'Query searches rare application protocols by Ip address.'
severity: Medium
requiredDataConnectors:
- - connectorId: TrendMicroApexOne
- dataTypes:
- - TMApexOneEvent
- - connectorId: TrendMicroApexOneAma
- dataTypes:
- - TMApexOneEvent
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
diff --git a/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneSpywareDetection.yaml b/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneSpywareDetection.yaml
index a8c3de137b9..f5aee084a5b 100644
--- a/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneSpywareDetection.yaml
+++ b/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneSpywareDetection.yaml
@@ -4,12 +4,6 @@ description: |
'Query searches spyware detection events.'
severity: Medium
requiredDataConnectors:
- - connectorId: TrendMicroApexOne
- dataTypes:
- - TMApexOneEvent
- - connectorId: TrendMicroApexOneAma
- dataTypes:
- - TMApexOneEvent
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
diff --git a/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneSuspiciousFiles.yaml b/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneSuspiciousFiles.yaml
index 49db2f36cbd..1e9b0e0d4b8 100644
--- a/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneSuspiciousFiles.yaml
+++ b/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneSuspiciousFiles.yaml
@@ -4,12 +4,6 @@ description: |
'Query searches suspicious files events.'
severity: Medium
requiredDataConnectors:
- - connectorId: TrendMicroApexOne
- dataTypes:
- - TMApexOneEvent
- - connectorId: TrendMicroApexOneAma
- dataTypes:
- - TMApexOneEvent
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
diff --git a/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneTopSources.yaml b/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneTopSources.yaml
index 6047603dee4..d916e897deb 100644
--- a/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneTopSources.yaml
+++ b/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneTopSources.yaml
@@ -4,12 +4,6 @@ description: |
'Query shows list of top sources with alerts.'
severity: Medium
requiredDataConnectors:
- - connectorId: TrendMicroApexOne
- dataTypes:
- - TMApexOneEvent
- - connectorId: TrendMicroApexOneAma
- dataTypes:
- - TMApexOneEvent
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
diff --git a/Solutions/Trend Micro Apex One/Package/3.0.3.zip b/Solutions/Trend Micro Apex One/Package/3.0.3.zip
new file mode 100644
index 00000000000..ad2c3a0eaeb
Binary files /dev/null and b/Solutions/Trend Micro Apex One/Package/3.0.3.zip differ
diff --git a/Solutions/Trend Micro Apex One/Package/createUiDefinition.json b/Solutions/Trend Micro Apex One/Package/createUiDefinition.json
index c5a114e2d8c..713f8766814 100644
--- a/Solutions/Trend Micro Apex One/Package/createUiDefinition.json
+++ b/Solutions/Trend Micro Apex One/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
- "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Trend%20Micro%20Apex%20One/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Trend Micro Apex One](https://www.trendmicro.com/business/products/user-protection/sps/endpoint.htmlhttps:/www.trendmicro.com/business/products/user-protection/sps/endpoint.html) solution for Microsoft Sentinel enables ingestion of [Trend Micro Apex One events](https://aka.ms/sentinel-TrendMicroApex-OneEvents) into Microsoft Sentinel. Refer to [Trend Micro Apex Central](https://aka.ms/sentinel-TrendMicroApex-OneCentral) for more information. \n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.\n\n**Data Connectors:** 2, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Trend%20Micro%20Apex%20One/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Trend Micro Apex One](https://www.trendmicro.com/business/products/user-protection/sps/endpoint.htmlhttps:/www.trendmicro.com/business/products/user-protection/sps/endpoint.html) solution for Microsoft Sentinel enables ingestion of [Trend Micro Apex One events](https://aka.ms/sentinel-TrendMicroApex-OneEvents) into Microsoft Sentinel. Refer to [Trend Micro Apex Central](https://aka.ms/sentinel-TrendMicroApex-OneCentral) for more information. \n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.\n\n**Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
@@ -51,37 +51,6 @@
}
],
"steps": [
- {
- "name": "dataconnectors",
- "label": "Data Connectors",
- "bladeTitle": "Data Connectors",
- "elements": [
- {
- "name": "dataconnectors1-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "This Solution installs the data connector for Trend Micro Apex One. You can get Trend Micro Apex One CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
- }
- },
- {
- "name": "dataconnectors-parser-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel."
- }
- },
- {
- "name": "dataconnectors-link2",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "link": {
- "label": "Learn more about connecting data sources",
- "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
- }
- }
- }
- ]
- },
{
"name": "workbooks",
"label": "Workbooks",
@@ -323,7 +292,7 @@
"name": "huntingquery1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Shows behavior monitoring actions taken for files. This hunting query depends on TrendMicroApexOne TrendMicroApexOneAma CefAma data connector (TMApexOneEvent TMApexOneEvent CommonSecurityLog Parser or Table)"
+ "text": "Shows behavior monitoring actions taken for files. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)"
}
}
]
@@ -337,7 +306,7 @@
"name": "huntingquery2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Shows behavior monitoring operations by users. This hunting query depends on TrendMicroApexOne TrendMicroApexOneAma CefAma data connector (TMApexOneEvent TMApexOneEvent CommonSecurityLog Parser or Table)"
+ "text": "Shows behavior monitoring operations by users. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)"
}
}
]
@@ -351,7 +320,7 @@
"name": "huntingquery3-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Shows behavior monitoring triggered policy by command line. This hunting query depends on TrendMicroApexOne TrendMicroApexOneAma CefAma data connector (TMApexOneEvent TMApexOneEvent CommonSecurityLog Parser or Table)"
+ "text": "Shows behavior monitoring triggered policy by command line. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)"
}
}
]
@@ -365,7 +334,7 @@
"name": "huntingquery4-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Shows behavior monitoring event types. This hunting query depends on TrendMicroApexOne TrendMicroApexOneAma CefAma data connector (TMApexOneEvent TMApexOneEvent CommonSecurityLog Parser or Table)"
+ "text": "Shows behavior monitoring event types. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)"
}
}
]
@@ -379,7 +348,7 @@
"name": "huntingquery5-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Shows channel type. This hunting query depends on TrendMicroApexOne TrendMicroApexOneAma CefAma data connector (TMApexOneEvent TMApexOneEvent CommonSecurityLog Parser or Table)"
+ "text": "Shows channel type. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)"
}
}
]
@@ -393,7 +362,7 @@
"name": "huntingquery6-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Shows data loss prevention action by IP address. This hunting query depends on TrendMicroApexOne TrendMicroApexOneAma CefAma data connector (TMApexOneEvent TMApexOneEvent CommonSecurityLog Parser or Table)"
+ "text": "Shows data loss prevention action by IP address. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)"
}
}
]
@@ -407,7 +376,7 @@
"name": "huntingquery7-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Query searches rare application protocols by Ip address. This hunting query depends on TrendMicroApexOne TrendMicroApexOneAma CefAma data connector (TMApexOneEvent TMApexOneEvent CommonSecurityLog Parser or Table)"
+ "text": "Query searches rare application protocols by Ip address. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)"
}
}
]
@@ -421,7 +390,7 @@
"name": "huntingquery8-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Query searches spyware detection events. This hunting query depends on TrendMicroApexOne TrendMicroApexOneAma CefAma data connector (TMApexOneEvent TMApexOneEvent CommonSecurityLog Parser or Table)"
+ "text": "Query searches spyware detection events. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)"
}
}
]
@@ -435,7 +404,7 @@
"name": "huntingquery9-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Query searches suspicious files events. This hunting query depends on TrendMicroApexOne TrendMicroApexOneAma CefAma data connector (TMApexOneEvent TMApexOneEvent CommonSecurityLog Parser or Table)"
+ "text": "Query searches suspicious files events. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)"
}
}
]
@@ -449,7 +418,7 @@
"name": "huntingquery10-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Query shows list of top sources with alerts. This hunting query depends on TrendMicroApexOne TrendMicroApexOneAma CefAma data connector (TMApexOneEvent TMApexOneEvent CommonSecurityLog Parser or Table)"
+ "text": "Query shows list of top sources with alerts. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)"
}
}
]
diff --git a/Solutions/Trend Micro Apex One/Package/mainTemplate.json b/Solutions/Trend Micro Apex One/Package/mainTemplate.json
index 427acb2f138..e70468cffdd 100644
--- a/Solutions/Trend Micro Apex One/Package/mainTemplate.json
+++ b/Solutions/Trend Micro Apex One/Package/mainTemplate.json
@@ -41,27 +41,9 @@
"email": "support@microsoft.com",
"_email": "[variables('email')]",
"_solutionName": "Trend Micro Apex One",
- "_solutionVersion": "3.0.2",
+ "_solutionVersion": "3.0.3",
"solutionId": "azuresentinel.azure-sentinel-solution-trendmicroapexone",
"_solutionId": "[variables('solutionId')]",
- "uiConfigId1": "TrendMicroApexOne",
- "_uiConfigId1": "[variables('uiConfigId1')]",
- "dataConnectorContentId1": "TrendMicroApexOne",
- "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
- "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "_dataConnectorId1": "[variables('dataConnectorId1')]",
- "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
- "dataConnectorVersion1": "1.0.0",
- "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
- "uiConfigId2": "TrendMicroApexOneAma",
- "_uiConfigId2": "[variables('uiConfigId2')]",
- "dataConnectorContentId2": "TrendMicroApexOneAma",
- "_dataConnectorContentId2": "[variables('dataConnectorContentId2')]",
- "dataConnectorId2": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
- "_dataConnectorId2": "[variables('dataConnectorId2')]",
- "dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]",
- "dataConnectorVersion2": "1.0.0",
- "_dataConnectorcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]",
"parserObject1": {
"_parserName1": "[concat(parameters('workspace'),'/','Trend Micro Apex One Data Parser')]",
"_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Trend Micro Apex One Data Parser')]",
@@ -77,74 +59,74 @@
"workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
"_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]",
"analyticRuleObject1": {
- "analyticRuleVersion1": "1.0.2",
+ "analyticRuleVersion1": "1.0.3",
"_analyticRulecontentId1": "7a3193b8-67b7-11ec-90d6-0242ac120003",
"analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '7a3193b8-67b7-11ec-90d6-0242ac120003')]",
"analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('7a3193b8-67b7-11ec-90d6-0242ac120003')))]",
- "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','7a3193b8-67b7-11ec-90d6-0242ac120003','-', '1.0.2')))]"
+ "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','7a3193b8-67b7-11ec-90d6-0242ac120003','-', '1.0.3')))]"
},
"analyticRuleObject2": {
- "analyticRuleVersion2": "1.0.2",
+ "analyticRuleVersion2": "1.0.3",
"_analyticRulecontentId2": "4d7199b2-67b8-11ec-90d6-0242ac120003",
"analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '4d7199b2-67b8-11ec-90d6-0242ac120003')]",
"analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('4d7199b2-67b8-11ec-90d6-0242ac120003')))]",
- "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4d7199b2-67b8-11ec-90d6-0242ac120003','-', '1.0.2')))]"
+ "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4d7199b2-67b8-11ec-90d6-0242ac120003','-', '1.0.3')))]"
},
"analyticRuleObject3": {
- "analyticRuleVersion3": "1.0.2",
+ "analyticRuleVersion3": "1.0.3",
"_analyticRulecontentId3": "4a9a5900-67b7-11ec-90d6-0242ac120003",
"analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '4a9a5900-67b7-11ec-90d6-0242ac120003')]",
"analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('4a9a5900-67b7-11ec-90d6-0242ac120003')))]",
- "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4a9a5900-67b7-11ec-90d6-0242ac120003','-', '1.0.2')))]"
+ "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4a9a5900-67b7-11ec-90d6-0242ac120003','-', '1.0.3')))]"
},
"analyticRuleObject4": {
- "analyticRuleVersion4": "1.0.3",
+ "analyticRuleVersion4": "1.0.4",
"_analyticRulecontentId4": "b463b952-67b8-11ec-90d6-0242ac120003",
"analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'b463b952-67b8-11ec-90d6-0242ac120003')]",
"analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('b463b952-67b8-11ec-90d6-0242ac120003')))]",
- "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','b463b952-67b8-11ec-90d6-0242ac120003','-', '1.0.3')))]"
+ "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','b463b952-67b8-11ec-90d6-0242ac120003','-', '1.0.4')))]"
},
"analyticRuleObject5": {
- "analyticRuleVersion5": "1.0.2",
+ "analyticRuleVersion5": "1.0.3",
"_analyticRulecontentId5": "6303235a-ee70-42a4-b969-43e7b969b916",
"analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '6303235a-ee70-42a4-b969-43e7b969b916')]",
"analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('6303235a-ee70-42a4-b969-43e7b969b916')))]",
- "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','6303235a-ee70-42a4-b969-43e7b969b916','-', '1.0.2')))]"
+ "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','6303235a-ee70-42a4-b969-43e7b969b916','-', '1.0.3')))]"
},
"analyticRuleObject6": {
- "analyticRuleVersion6": "1.0.2",
+ "analyticRuleVersion6": "1.0.3",
"_analyticRulecontentId6": "cd94e078-67b7-11ec-90d6-0242ac120003",
"analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'cd94e078-67b7-11ec-90d6-0242ac120003')]",
"analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('cd94e078-67b7-11ec-90d6-0242ac120003')))]",
- "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','cd94e078-67b7-11ec-90d6-0242ac120003','-', '1.0.2')))]"
+ "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','cd94e078-67b7-11ec-90d6-0242ac120003','-', '1.0.3')))]"
},
"analyticRuleObject7": {
- "analyticRuleVersion7": "1.0.4",
+ "analyticRuleVersion7": "1.0.5",
"_analyticRulecontentId7": "e289d762-6cc2-11ec-90d6-0242ac120003",
"analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'e289d762-6cc2-11ec-90d6-0242ac120003')]",
"analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('e289d762-6cc2-11ec-90d6-0242ac120003')))]",
- "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','e289d762-6cc2-11ec-90d6-0242ac120003','-', '1.0.4')))]"
+ "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','e289d762-6cc2-11ec-90d6-0242ac120003','-', '1.0.5')))]"
},
"analyticRuleObject8": {
- "analyticRuleVersion8": "1.0.2",
+ "analyticRuleVersion8": "1.0.3",
"_analyticRulecontentId8": "1a87cd10-67b7-11ec-90d6-0242ac120003",
"analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '1a87cd10-67b7-11ec-90d6-0242ac120003')]",
"analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('1a87cd10-67b7-11ec-90d6-0242ac120003')))]",
- "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','1a87cd10-67b7-11ec-90d6-0242ac120003','-', '1.0.2')))]"
+ "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','1a87cd10-67b7-11ec-90d6-0242ac120003','-', '1.0.3')))]"
},
"analyticRuleObject9": {
- "analyticRuleVersion9": "1.0.2",
+ "analyticRuleVersion9": "1.0.3",
"_analyticRulecontentId9": "c92d9fe4-67b6-11ec-90d6-0242ac120003",
"analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'c92d9fe4-67b6-11ec-90d6-0242ac120003')]",
"analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('c92d9fe4-67b6-11ec-90d6-0242ac120003')))]",
- "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','c92d9fe4-67b6-11ec-90d6-0242ac120003','-', '1.0.2')))]"
+ "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','c92d9fe4-67b6-11ec-90d6-0242ac120003','-', '1.0.3')))]"
},
"analyticRuleObject10": {
- "analyticRuleVersion10": "1.0.2",
+ "analyticRuleVersion10": "1.0.3",
"_analyticRulecontentId10": "9e3dc038-67b7-11ec-90d6-0242ac120003",
"analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9e3dc038-67b7-11ec-90d6-0242ac120003')]",
"analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('9e3dc038-67b7-11ec-90d6-0242ac120003')))]",
- "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','9e3dc038-67b7-11ec-90d6-0242ac120003','-', '1.0.2')))]"
+ "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','9e3dc038-67b7-11ec-90d6-0242ac120003','-', '1.0.3')))]"
},
"huntingQueryObject1": {
"huntingQueryVersion1": "1.0.0",
@@ -199,682 +181,6 @@
"_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
},
"resources": [
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
- "apiVersion": "2023-04-01-preview",
- "name": "[variables('dataConnectorTemplateSpecName1')]",
- "location": "[parameters('workspace-location')]",
- "dependsOn": [
- "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
- ],
- "properties": {
- "description": "Trend Micro Apex One data connector with template version 3.0.2",
- "mainTemplate": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('dataConnectorVersion1')]",
- "parameters": {},
- "variables": {},
- "resources": [
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
- "properties": {
- "connectorUiConfig": {
- "id": "[variables('_uiConfigId1')]",
- "title": "[Deprecated] Trend Micro Apex One via Legacy Agent",
- "publisher": "Trend Micro",
- "descriptionMarkdown": "The [Trend Micro Apex One](https://www.trendmicro.com/en_us/business/products/user-protection/sps/endpoint.html) data connector provides the capability to ingest [Trend Micro Apex One events](https://aka.ms/sentinel-TrendMicroApex-OneEvents) into Microsoft Sentinel. Refer to [Trend Micro Apex Central](https://aka.ms/sentinel-TrendMicroApex-OneCentral) for more information.",
- "additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected [**TMApexOneEvent**](https://aka.ms/sentinel-TMApexOneEvent-parser) which is deployed with the Microsoft Sentinel Solution.",
- "graphQueries": [
- {
- "metricName": "Total data received",
- "legend": "TrendMicroApexOne",
- "baseQuery": "TMApexOneEvent"
- }
- ],
- "sampleQueries": [
- {
- "description": "All logs",
- "query": "\nTMApexOneEvent\n| sort by TimeGenerated"
- }
- ],
- "dataTypes": [
- {
- "name": "CommonSecurityLog (TrendMicroApexOne)",
- "lastDataReceivedQuery": "TMApexOneEvent\n | summarize Time = max(TimeGenerated)\n| where isnotempty(Time)"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "TMApexOneEvent\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
- ]
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "write": true,
- "read": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ]
- },
- "instructionSteps": [
- {
- "description": ">This data connector depends on a parser based on a Kusto Function to work as expected [**TMApexOneEvent**](https://aka.ms/sentinel-TMApexOneEvent-parser) which is deployed with the Microsoft Sentinel Solution."
- },
- {
- "description": ">**NOTE:** This data connector has been developed using Trend Micro Apex Central 2019"
- },
- {
- "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
- "innerSteps": [
- {
- "title": "1.1 Select or create a Linux machine",
- "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds."
- },
- {
- "title": "1.2 Install the CEF collector on the Linux machine",
- "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId",
- "PrimaryKey"
- ],
- "label": "Run the following command to install and apply the CEF collector:",
- "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}"
- },
- "type": "CopyableLabel"
- }
- ]
- }
- ],
- "title": "1. Linux Syslog agent configuration"
- },
- {
- "description": "[Follow these steps](https://docs.trendmicro.com/en-us/enterprise/trend-micro-apex-central-2019-online-help/detections/logs_001/syslog-forwarding.aspx) to configure Apex Central sending alerts via syslog. While configuring, on step 6, select the log format **CEF**.",
- "title": "2. Forward Common Event Format (CEF) logs to Syslog agent"
- },
- {
- "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId"
- ],
- "label": "Run the following command to validate your connectivity:",
- "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}"
- },
- "type": "CopyableLabel"
- }
- ],
- "title": "3. Validate connection"
- },
- {
- "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
- "title": "4. Secure your machine "
- }
- ]
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion1')]",
- "source": {
- "kind": "Solution",
- "name": "Trend Micro Apex One",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft",
- "email": "[variables('_email')]"
- },
- "support": {
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "tier": "Microsoft",
- "link": "https://support.microsoft.com"
- }
- }
- }
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "contentKind": "DataConnector",
- "displayName": "[Deprecated] Trend Micro Apex One via Legacy Agent",
- "contentProductId": "[variables('_dataConnectorcontentProductId1')]",
- "id": "[variables('_dataConnectorcontentProductId1')]",
- "version": "[variables('dataConnectorVersion1')]"
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
- "dependsOn": [
- "[variables('_dataConnectorId1')]"
- ],
- "location": "[parameters('workspace-location')]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion1')]",
- "source": {
- "kind": "Solution",
- "name": "Trend Micro Apex One",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft",
- "email": "[variables('_email')]"
- },
- "support": {
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "tier": "Microsoft",
- "link": "https://support.microsoft.com"
- }
- }
- },
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
- "properties": {
- "connectorUiConfig": {
- "title": "[Deprecated] Trend Micro Apex One via Legacy Agent",
- "publisher": "Trend Micro",
- "descriptionMarkdown": "The [Trend Micro Apex One](https://www.trendmicro.com/en_us/business/products/user-protection/sps/endpoint.html) data connector provides the capability to ingest [Trend Micro Apex One events](https://aka.ms/sentinel-TrendMicroApex-OneEvents) into Microsoft Sentinel. Refer to [Trend Micro Apex Central](https://aka.ms/sentinel-TrendMicroApex-OneCentral) for more information.",
- "graphQueries": [
- {
- "metricName": "Total data received",
- "legend": "TrendMicroApexOne",
- "baseQuery": "TMApexOneEvent"
- }
- ],
- "dataTypes": [
- {
- "name": "CommonSecurityLog (TrendMicroApexOne)",
- "lastDataReceivedQuery": "TMApexOneEvent\n | summarize Time = max(TimeGenerated)\n| where isnotempty(Time)"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "TMApexOneEvent\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
- ]
- }
- ],
- "sampleQueries": [
- {
- "description": "All logs",
- "query": "\nTMApexOneEvent\n| sort by TimeGenerated"
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "write": true,
- "read": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ]
- },
- "instructionSteps": [
- {
- "description": ">This data connector depends on a parser based on a Kusto Function to work as expected [**TMApexOneEvent**](https://aka.ms/sentinel-TMApexOneEvent-parser) which is deployed with the Microsoft Sentinel Solution."
- },
- {
- "description": ">**NOTE:** This data connector has been developed using Trend Micro Apex Central 2019"
- },
- {
- "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
- "innerSteps": [
- {
- "title": "1.1 Select or create a Linux machine",
- "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds."
- },
- {
- "title": "1.2 Install the CEF collector on the Linux machine",
- "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId",
- "PrimaryKey"
- ],
- "label": "Run the following command to install and apply the CEF collector:",
- "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}"
- },
- "type": "CopyableLabel"
- }
- ]
- }
- ],
- "title": "1. Linux Syslog agent configuration"
- },
- {
- "description": "[Follow these steps](https://docs.trendmicro.com/en-us/enterprise/trend-micro-apex-central-2019-online-help/detections/logs_001/syslog-forwarding.aspx) to configure Apex Central sending alerts via syslog. While configuring, on step 6, select the log format **CEF**.",
- "title": "2. Forward Common Event Format (CEF) logs to Syslog agent"
- },
- {
- "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId"
- ],
- "label": "Run the following command to validate your connectivity:",
- "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}"
- },
- "type": "CopyableLabel"
- }
- ],
- "title": "3. Validate connection"
- },
- {
- "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
- "title": "4. Secure your machine "
- }
- ],
- "id": "[variables('_uiConfigId1')]",
- "additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected [**TMApexOneEvent**](https://aka.ms/sentinel-TMApexOneEvent-parser) which is deployed with the Microsoft Sentinel Solution."
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
- "apiVersion": "2023-04-01-preview",
- "name": "[variables('dataConnectorTemplateSpecName2')]",
- "location": "[parameters('workspace-location')]",
- "dependsOn": [
- "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
- ],
- "properties": {
- "description": "Trend Micro Apex One data connector with template version 3.0.2",
- "mainTemplate": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('dataConnectorVersion2')]",
- "parameters": {},
- "variables": {},
- "resources": [
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
- "properties": {
- "connectorUiConfig": {
- "id": "[variables('_uiConfigId2')]",
- "title": "[Deprecated] Trend Micro Apex One via AMA",
- "publisher": "Trend Micro",
- "descriptionMarkdown": "The [Trend Micro Apex One](https://www.trendmicro.com/en_us/business/products/user-protection/sps/endpoint.html) data connector provides the capability to ingest [Trend Micro Apex One events](https://aka.ms/sentinel-TrendMicroApex-OneEvents) into Microsoft Sentinel. Refer to [Trend Micro Apex Central](https://aka.ms/sentinel-TrendMicroApex-OneCentral) for more information.",
- "additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected [**TMApexOneEvent**](https://aka.ms/sentinel-TMApexOneEvent-parser) which is deployed with the Microsoft Sentinel Solution.",
- "graphQueries": [
- {
- "metricName": "Total data received",
- "legend": "TrendMicroApexOne",
- "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Trend Micro'\n |where DeviceProduct =~ 'Apex Central'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)"
- }
- ],
- "sampleQueries": [
- {
- "description": "All logs",
- "query": "\nTMApexOneEvent\n| sort by TimeGenerated"
- }
- ],
- "dataTypes": [
- {
- "name": "CommonSecurityLog (TrendMicroApexOne)",
- "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Trend Micro'\n |where DeviceProduct =~ 'Apex Central'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "CommonSecurityLog\n |where DeviceVendor =~ 'Trend Micro'\n |where DeviceProduct =~ 'Apex Central'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
- ]
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "write": true,
- "read": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ],
- "customs": [
- {
- "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
- },
- {
- "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)"
- }
- ]
- },
- "instructionSteps": [
- {
- "description": ">This data connector depends on a parser based on a Kusto Function to work as expected [**TMApexOneEvent**](https://aka.ms/sentinel-TMApexOneEvent-parser) which is deployed with the Microsoft Sentinel Solution.",
- "instructions": [
- {
- "parameters": {
- "title": "1. Kindly follow the steps to configure the data connector",
- "instructionSteps": [
- {
- "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector",
- "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine",
- "instructions": []
- },
- {
- "title": "Step B. Forward Common Event Format (CEF) logs to Syslog agent",
- "description": "[Follow these steps](https://docs.trendmicro.com/en-us/enterprise/trend-micro-apex-central-2019-online-help/detections/logs_001/syslog-forwarding.aspx) to configure Apex Central sending alerts via syslog. While configuring, on step 6, select the log format **CEF**.",
- "instructions": []
- },
- {
- "title": "Step C. Validate connection",
- "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine",
- "instructions": [
- {
- "parameters": {
- "label": "Run the following command to validate your connectivity:",
- "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef"
- },
- "type": "CopyableLabel"
- }
- ]
- }
- ]
- },
- "type": "InstructionStepsGroup"
- }
- ]
- },
- {
- "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
- "title": "2. Secure your machine "
- }
- ]
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
- "contentId": "[variables('_dataConnectorContentId2')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion2')]",
- "source": {
- "kind": "Solution",
- "name": "Trend Micro Apex One",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft",
- "email": "[variables('_email')]"
- },
- "support": {
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "tier": "Microsoft",
- "link": "https://support.microsoft.com"
- }
- }
- }
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_dataConnectorContentId2')]",
- "contentKind": "DataConnector",
- "displayName": "[Deprecated] Trend Micro Apex One via AMA",
- "contentProductId": "[variables('_dataConnectorcontentProductId2')]",
- "id": "[variables('_dataConnectorcontentProductId2')]",
- "version": "[variables('dataConnectorVersion2')]"
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]",
- "dependsOn": [
- "[variables('_dataConnectorId2')]"
- ],
- "location": "[parameters('workspace-location')]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
- "contentId": "[variables('_dataConnectorContentId2')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion2')]",
- "source": {
- "kind": "Solution",
- "name": "Trend Micro Apex One",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft",
- "email": "[variables('_email')]"
- },
- "support": {
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "tier": "Microsoft",
- "link": "https://support.microsoft.com"
- }
- }
- },
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
- "properties": {
- "connectorUiConfig": {
- "title": "[Deprecated] Trend Micro Apex One via AMA",
- "publisher": "Trend Micro",
- "descriptionMarkdown": "The [Trend Micro Apex One](https://www.trendmicro.com/en_us/business/products/user-protection/sps/endpoint.html) data connector provides the capability to ingest [Trend Micro Apex One events](https://aka.ms/sentinel-TrendMicroApex-OneEvents) into Microsoft Sentinel. Refer to [Trend Micro Apex Central](https://aka.ms/sentinel-TrendMicroApex-OneCentral) for more information.",
- "graphQueries": [
- {
- "metricName": "Total data received",
- "legend": "TrendMicroApexOne",
- "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Trend Micro'\n |where DeviceProduct =~ 'Apex Central'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)"
- }
- ],
- "dataTypes": [
- {
- "name": "CommonSecurityLog (TrendMicroApexOne)",
- "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Trend Micro'\n |where DeviceProduct =~ 'Apex Central'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "CommonSecurityLog\n |where DeviceVendor =~ 'Trend Micro'\n |where DeviceProduct =~ 'Apex Central'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
- ]
- }
- ],
- "sampleQueries": [
- {
- "description": "All logs",
- "query": "\nTMApexOneEvent\n| sort by TimeGenerated"
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "write": true,
- "read": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ],
- "customs": [
- {
- "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
- },
- {
- "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)"
- }
- ]
- },
- "instructionSteps": [
- {
- "description": ">This data connector depends on a parser based on a Kusto Function to work as expected [**TMApexOneEvent**](https://aka.ms/sentinel-TMApexOneEvent-parser) which is deployed with the Microsoft Sentinel Solution.",
- "instructions": [
- {
- "parameters": {
- "title": "1. Kindly follow the steps to configure the data connector",
- "instructionSteps": [
- {
- "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector",
- "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine",
- "instructions": []
- },
- {
- "title": "Step B. Forward Common Event Format (CEF) logs to Syslog agent",
- "description": "[Follow these steps](https://docs.trendmicro.com/en-us/enterprise/trend-micro-apex-central-2019-online-help/detections/logs_001/syslog-forwarding.aspx) to configure Apex Central sending alerts via syslog. While configuring, on step 6, select the log format **CEF**.",
- "instructions": []
- },
- {
- "title": "Step C. Validate connection",
- "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine",
- "instructions": [
- {
- "parameters": {
- "label": "Run the following command to validate your connectivity:",
- "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef"
- },
- "type": "CopyableLabel"
- }
- ]
- }
- ]
- },
- "type": "InstructionStepsGroup"
- }
- ]
- },
- {
- "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
- "title": "2. Secure your machine "
- }
- ],
- "id": "[variables('_uiConfigId2')]",
- "additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected [**TMApexOneEvent**](https://aka.ms/sentinel-TMApexOneEvent-parser) which is deployed with the Microsoft Sentinel Solution."
- }
- }
- },
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
@@ -884,7 +190,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "TMApexOneEvent Data Parser with template version 3.0.2",
+ "description": "TMApexOneEvent Data Parser with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserObject1').parserVersion1]",
@@ -1016,7 +322,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "TrendMicroApexOne Workbook with template version 3.0.2",
+ "description": "TrendMicroApexOne Workbook with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion1')]",
@@ -1073,11 +379,7 @@
"kind": "DataType"
},
{
- "contentId": "TrendMicroApexOne",
- "kind": "DataConnector"
- },
- {
- "contentId": "TrendMicroApexOneAma",
+ "contentId": "CefAma",
"kind": "DataConnector"
}
]
@@ -1108,7 +410,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "TMApexOneAttackDiscoveryDetectionRisks_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "TMApexOneAttackDiscoveryDetectionRisks_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@@ -1136,22 +438,10 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "TrendMicroApexOne",
- "dataTypes": [
- "TMApexOneEvent"
- ]
- },
- {
- "connectorId": "TrendMicroApexOneAma",
- "dataTypes": [
- "TMApexOneEvent"
- ]
- },
- {
- "connectorId": "CefAma",
"dataTypes": [
"CommonSecurityLog"
- ]
+ ],
+ "connectorId": "CefAma"
}
],
"tactics": [
@@ -1165,8 +455,8 @@
"entityType": "IP",
"fieldMappings": [
{
- "identifier": "Address",
- "columnName": "IPCustomEntity"
+ "columnName": "IPCustomEntity",
+ "identifier": "Address"
}
]
},
@@ -1174,8 +464,8 @@
"entityType": "Account",
"fieldMappings": [
{
- "identifier": "Name",
- "columnName": "AccountCustomEntity"
+ "columnName": "AccountCustomEntity",
+ "identifier": "Name"
}
]
}
@@ -1233,7 +523,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "TMApexOneCommandLineSuspiciousRequests_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "TMApexOneCommandLineSuspiciousRequests_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
@@ -1261,22 +551,10 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "TrendMicroApexOne",
- "dataTypes": [
- "TMApexOneEvent"
- ]
- },
- {
- "connectorId": "TrendMicroApexOneAma",
- "dataTypes": [
- "TMApexOneEvent"
- ]
- },
- {
- "connectorId": "CefAma",
"dataTypes": [
"CommonSecurityLog"
- ]
+ ],
+ "connectorId": "CefAma"
}
],
"tactics": [
@@ -1290,8 +568,8 @@
"entityType": "IP",
"fieldMappings": [
{
- "identifier": "Address",
- "columnName": "IPCustomEntity"
+ "columnName": "IPCustomEntity",
+ "identifier": "Address"
}
]
},
@@ -1299,8 +577,8 @@
"entityType": "Account",
"fieldMappings": [
{
- "identifier": "Name",
- "columnName": "AccountCustomEntity"
+ "columnName": "AccountCustomEntity",
+ "identifier": "Name"
}
]
}
@@ -1358,7 +636,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "TMApexOneCommandsInRequest_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "TMApexOneCommandsInRequest_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]",
@@ -1386,22 +664,10 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "TrendMicroApexOne",
- "dataTypes": [
- "TMApexOneEvent"
- ]
- },
- {
- "connectorId": "TrendMicroApexOneAma",
- "dataTypes": [
- "TMApexOneEvent"
- ]
- },
- {
- "connectorId": "CefAma",
"dataTypes": [
"CommonSecurityLog"
- ]
+ ],
+ "connectorId": "CefAma"
}
],
"tactics": [
@@ -1416,8 +682,8 @@
"entityType": "URL",
"fieldMappings": [
{
- "identifier": "Url",
- "columnName": "UrlCustomEntity"
+ "columnName": "UrlCustomEntity",
+ "identifier": "Url"
}
]
}
@@ -1475,7 +741,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "TMApexOneDvcAccessPermissionWasChanged_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "TMApexOneDvcAccessPermissionWasChanged_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]",
@@ -1503,22 +769,10 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "TrendMicroApexOne",
- "dataTypes": [
- "TMApexOneEvent"
- ]
- },
- {
- "connectorId": "TrendMicroApexOneAma",
- "dataTypes": [
- "TMApexOneEvent"
- ]
- },
- {
- "connectorId": "CefAma",
"dataTypes": [
"CommonSecurityLog"
- ]
+ ],
+ "connectorId": "CefAma"
}
],
"tactics": [
@@ -1532,8 +786,8 @@
"entityType": "Account",
"fieldMappings": [
{
- "identifier": "Name",
- "columnName": "AccountCustomEntity"
+ "columnName": "AccountCustomEntity",
+ "identifier": "Name"
}
]
}
@@ -1591,7 +845,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "TMApexOneInboundRemoteAccess_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "TMApexOneInboundRemoteAccess_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]",
@@ -1619,22 +873,10 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "TrendMicroApexOne",
- "dataTypes": [
- "TMApexOneEvent"
- ]
- },
- {
- "connectorId": "TrendMicroApexOneAma",
- "dataTypes": [
- "TMApexOneEvent"
- ]
- },
- {
- "connectorId": "CefAma",
"dataTypes": [
"CommonSecurityLog"
- ]
+ ],
+ "connectorId": "CefAma"
}
],
"tactics": [
@@ -1648,8 +890,8 @@
"entityType": "IP",
"fieldMappings": [
{
- "identifier": "Address",
- "columnName": "IPCustomEntity"
+ "columnName": "IPCustomEntity",
+ "identifier": "Address"
}
]
},
@@ -1657,8 +899,8 @@
"entityType": "Account",
"fieldMappings": [
{
- "identifier": "Name",
- "columnName": "AccountCustomEntity"
+ "columnName": "AccountCustomEntity",
+ "identifier": "Name"
}
]
}
@@ -1716,7 +958,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "TMApexOneMultipleDenyOrTerminateActionOnSingleIp_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "TMApexOneMultipleDenyOrTerminateActionOnSingleIp_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]",
@@ -1744,22 +986,10 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "TrendMicroApexOne",
- "dataTypes": [
- "TMApexOneEvent"
- ]
- },
- {
- "connectorId": "TrendMicroApexOneAma",
- "dataTypes": [
- "TMApexOneEvent"
- ]
- },
- {
- "connectorId": "CefAma",
"dataTypes": [
"CommonSecurityLog"
- ]
+ ],
+ "connectorId": "CefAma"
}
],
"tactics": [
@@ -1773,8 +1003,8 @@
"entityType": "IP",
"fieldMappings": [
{
- "identifier": "Address",
- "columnName": "IPCustomEntity"
+ "columnName": "IPCustomEntity",
+ "identifier": "Address"
}
]
}
@@ -1832,7 +1062,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "TMApexOnePossibleExploitOrExecuteOperation_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "TMApexOnePossibleExploitOrExecuteOperation_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]",
@@ -1860,22 +1090,10 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "TrendMicroApexOne",
- "dataTypes": [
- "TMApexOneEvent"
- ]
- },
- {
- "connectorId": "TrendMicroApexOneAma",
- "dataTypes": [
- "TMApexOneEvent"
- ]
- },
- {
- "connectorId": "CefAma",
"dataTypes": [
"CommonSecurityLog"
- ]
+ ],
+ "connectorId": "CefAma"
}
],
"tactics": [
@@ -1890,8 +1108,8 @@
"entityType": "IP",
"fieldMappings": [
{
- "identifier": "Address",
- "columnName": "IPCustomEntity"
+ "columnName": "IPCustomEntity",
+ "identifier": "Address"
}
]
},
@@ -1899,8 +1117,8 @@
"entityType": "Account",
"fieldMappings": [
{
- "identifier": "Name",
- "columnName": "AccountCustomEntity"
+ "columnName": "AccountCustomEntity",
+ "identifier": "Name"
}
]
}
@@ -1958,7 +1176,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "TMApexOneRiskCnCEvents_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "TMApexOneRiskCnCEvents_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]",
@@ -1986,22 +1204,10 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "TrendMicroApexOne",
- "dataTypes": [
- "TMApexOneEvent"
- ]
- },
- {
- "connectorId": "TrendMicroApexOneAma",
- "dataTypes": [
- "TMApexOneEvent"
- ]
- },
- {
- "connectorId": "CefAma",
"dataTypes": [
"CommonSecurityLog"
- ]
+ ],
+ "connectorId": "CefAma"
}
],
"tactics": [
@@ -2015,8 +1221,8 @@
"entityType": "IP",
"fieldMappings": [
{
- "identifier": "Address",
- "columnName": "IPCustomEntity"
+ "columnName": "IPCustomEntity",
+ "identifier": "Address"
}
]
},
@@ -2024,8 +1230,8 @@
"entityType": "Account",
"fieldMappings": [
{
- "identifier": "Name",
- "columnName": "AccountCustomEntity"
+ "columnName": "AccountCustomEntity",
+ "identifier": "Name"
}
]
}
@@ -2083,7 +1289,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "TMApexOneSpywareWithFailedResponse_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "TMApexOneSpywareWithFailedResponse_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]",
@@ -2111,22 +1317,10 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "TrendMicroApexOne",
- "dataTypes": [
- "TMApexOneEvent"
- ]
- },
- {
- "connectorId": "TrendMicroApexOneAma",
- "dataTypes": [
- "TMApexOneEvent"
- ]
- },
- {
- "connectorId": "CefAma",
"dataTypes": [
"CommonSecurityLog"
- ]
+ ],
+ "connectorId": "CefAma"
}
],
"tactics": [
@@ -2140,8 +1334,8 @@
"entityType": "IP",
"fieldMappings": [
{
- "identifier": "Address",
- "columnName": "IPCustomEntity"
+ "columnName": "IPCustomEntity",
+ "identifier": "Address"
}
]
},
@@ -2149,8 +1343,8 @@
"entityType": "Account",
"fieldMappings": [
{
- "identifier": "Name",
- "columnName": "AccountCustomEntity"
+ "columnName": "AccountCustomEntity",
+ "identifier": "Name"
}
]
}
@@ -2208,7 +1402,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "TMApexOneSuspiciousConnections_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "TMApexOneSuspiciousConnections_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]",
@@ -2236,22 +1430,10 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "TrendMicroApexOne",
- "dataTypes": [
- "TMApexOneEvent"
- ]
- },
- {
- "connectorId": "TrendMicroApexOneAma",
- "dataTypes": [
- "TMApexOneEvent"
- ]
- },
- {
- "connectorId": "CefAma",
"dataTypes": [
"CommonSecurityLog"
- ]
+ ],
+ "connectorId": "CefAma"
}
],
"tactics": [
@@ -2265,8 +1447,8 @@
"entityType": "IP",
"fieldMappings": [
{
- "identifier": "Address",
- "columnName": "IPCustomEntity"
+ "columnName": "IPCustomEntity",
+ "identifier": "Address"
}
]
},
@@ -2274,8 +1456,8 @@
"entityType": "Account",
"fieldMappings": [
{
- "identifier": "Name",
- "columnName": "AccountCustomEntity"
+ "columnName": "AccountCustomEntity",
+ "identifier": "Name"
}
]
}
@@ -2333,7 +1515,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "TMApexOneBehaviorMonitoringTranslatedAction_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "TMApexOneBehaviorMonitoringTranslatedAction_HuntingQueries Hunting Query with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]",
@@ -2418,7 +1600,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "TMApexOneBehaviorMonitoringTranslatedOperation_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "TMApexOneBehaviorMonitoringTranslatedOperation_HuntingQueries Hunting Query with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]",
@@ -2503,7 +1685,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "TMApexOneBehaviorMonitoringTriggeredPolicy_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "TMApexOneBehaviorMonitoringTriggeredPolicy_HuntingQueries Hunting Query with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]",
@@ -2588,7 +1770,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "TMApexOneBehaviorMonitoringTypesOfEvent_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "TMApexOneBehaviorMonitoringTypesOfEvent_HuntingQueries Hunting Query with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]",
@@ -2673,7 +1855,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "TMApexOneChannelType_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "TMApexOneChannelType_HuntingQueries Hunting Query with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]",
@@ -2758,7 +1940,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "TMApexOneDataLossPreventionAction_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "TMApexOneDataLossPreventionAction_HuntingQueries Hunting Query with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]",
@@ -2843,7 +2025,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "TMApexOneRareAppProtocolByIP_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "TMApexOneRareAppProtocolByIP_HuntingQueries Hunting Query with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]",
@@ -2928,7 +2110,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "TMApexOneSpywareDetection_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "TMApexOneSpywareDetection_HuntingQueries Hunting Query with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject8').huntingQueryVersion8]",
@@ -3013,7 +2195,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "TMApexOneSuspiciousFiles_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "TMApexOneSuspiciousFiles_HuntingQueries Hunting Query with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject9').huntingQueryVersion9]",
@@ -3098,7 +2280,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "TMApexOneTopSources_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "TMApexOneTopSources_HuntingQueries Hunting Query with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject10').huntingQueryVersion10]",
@@ -3179,12 +2361,12 @@
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
- "version": "3.0.2",
+ "version": "3.0.3",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "Trend Micro Apex One",
"publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation",
- "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Trend Micro Apex One solution for Microsoft Sentinel enables ingestion of Trend Micro Apex One events into Microsoft Sentinel. Refer to Trend Micro Apex Central for more information.
\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.
\nNOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.
\nData Connectors: 2, Parsers: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 10
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n", + "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Trend Micro Apex One solution for Microsoft Sentinel enables ingestion of Trend Micro Apex One events into Microsoft Sentinel. Refer to Trend Micro Apex Central for more information.
\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.
\nNOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.
\nParsers: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 10
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -3208,16 +2390,6 @@ }, "dependencies": { "criteria": [ - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId1')]", - "version": "[variables('dataConnectorVersion1')]" - }, - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId2')]", - "version": "[variables('dataConnectorVersion2')]" - }, { "kind": "Parser", "contentId": "[variables('parserObject1').parserContentId1]", diff --git a/Solutions/Trend Micro Apex One/ReleaseNotes.md b/Solutions/Trend Micro Apex One/ReleaseNotes.md index dc60abb18ee..a459363351e 100644 --- a/Solutions/Trend Micro Apex One/ReleaseNotes.md +++ b/Solutions/Trend Micro Apex One/ReleaseNotes.md @@ -1,5 +1,6 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|--------------------------------------------------------------------| +| 3.0.3 | 13-12-2024 | Removed Deprecated **Data Connectors** | | 3.0.2 | 12-07-2024 | Deprecated **Data Connector** | | 3.0.1 | 25-10-2023 | **Hunting Query** column corrected | -| 3.0.0 | 22-09-2023 | Addition of new Trend Micro Apex One AMA **Data connector** | | +| 3.0.0 | 22-09-2023 | Addition of new Trend Micro Apex One AMA **Data connector** | | diff --git a/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json b/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json index 2f41145c5b5..a4e765cff53 100644 --- a/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json +++ b/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json @@ -2835,8 +2835,7 @@ "CommonSecurityLog" ], "dataConnectorsDependencies": [ - "TrendMicroApexOne", - "TrendMicroApexOneAma" + "CefAma" ], "previewImagesFileNames": [ "TrendMicroApexOneBlack.png", @@ -3591,8 +3590,7 @@ "CommonSecurityLog" ], "dataConnectorsDependencies": [ - "CiscoSEG", - "CiscoSEGAma" + "CefAma" ], "previewImagesFileNames": [ "CiscoSEGBlack.png", diff --git a/Workbooks/WorkbooksMetadata.json b/Workbooks/WorkbooksMetadata.json index 13faefaf474..6bb23bf2bc5 100644 --- a/Workbooks/WorkbooksMetadata.json +++ b/Workbooks/WorkbooksMetadata.json @@ -3525,8 +3525,6 @@ "CommonSecurityLog" ], "dataConnectorsDependencies": [ - "TrendMicroApexOne", - "TrendMicroApexOneAma", "CefAma" ], "previewImagesFileNames": [ @@ -3617,8 +3615,6 @@ "CommonSecurityLog" ], "dataConnectorsDependencies": [ - "PaloAltoCDL", - "PaloAltoCDLAma", "CefAma" ], "previewImagesFileNames": [ @@ -4402,8 +4398,6 @@ "CommonSecurityLog" ], "dataConnectorsDependencies": [ - "CiscoSEG", - "CiscoSEGAma", "CefAma" ], "previewImagesFileNames": [