Azure · v-atulyadav · Jul 17, 2024 · Jul 10, 2024 · Jul 11, 2024 · Jul 12, 2024
@@ -29,6 +29,7 @@
     "BloodHoundEnterprisePostureWorkbook",
     "UserWorkbook-alexdemichieli-github-update-1",
     "SalemDashboard",
-    "ZNAccessOrchestratorAudit"
+    "ZNAccessOrchestratorAudit",
+    "SyslogConnectorsOverviewWorkbook"
   ]
 }
@@ -0,0 +1,35 @@
+ProductName,ConnectorType
+PAN-OS,CEF
+Fortigate,CEF
+Blackberry CylancePROTECT,Syslog
+Cisco Application Centric Infrastructure ,Syslog
+Cisco Identity Services Engine,Syslog
+Cisco Stealthwatch,Syslog
+Cisco UCS,Syslog
+Cisco Web Security Appliance,Syslog
+Citrix ADC (former NetScaler),Syslog
+Digital Guardian Data Loss Prevention,Syslog
+Exabeam Advanced Analytics,Syslog
+Forescout,Syslog
+GitLab,Syslog
+Infoblox NIOS,Syslog
+ISC Bind,Syslog
+Ivanti Unified Endpoint Management,Syslog
+ uniper SRX,Syslog
+McAfee ePolicy Orchestrator (ePO),Syslog
+McAfee Network Security Platform,Syslog
+OpenVPN Server,Syslog
+Oracle Database Audit,Syslog
+Pulse Connect Secure,Syslog
+RSA SecurID (Authentication Manager),Syslog
+Sophos XG Firewall,Syslog
+Symantec Endpoint Protection,Syslog
+Symantec VIP,Syslog
+Syslog,Syslog
+Microsoft Sysmon For Linux,Syslog
+VMware ESXi,Syslog
+Symantec ProxySG,Syslog
+ESET PROTECT,Syslog
+Barracuda CloudGen Firewall,Syslog
+Nasuni Edge Appliance,Syslog
+WatchGuard Firebox,Syslog
@@ -8,7 +8,8 @@
     "Data Connectors/template_SyslogAma.json"
   ],
   "Workbooks": [
-    "Workbooks/LinuxMachines.json"
+    "Workbooks/LinuxMachines.json",
+    "Workbooks/SyslogConnectorsOverviewWorkbook.json"
   ],
   "Analytic Rules": [
     "Analytic Rules/FailedLogonAttempts_UnknownUser.yaml",
@@ -30,6 +31,10 @@
     "Hunting Queries/squid_malformed_requests.yaml",
     "Hunting Queries/squid_volume_anomalies.yaml"
   ],
+  "Parsers":[
+    "Workspace Functions/SyslogConnectorsOverallStatus.yaml",
+    "Workspace Functions/SyslogConnectorsEventVolumebyDeviceProduct.yaml"        
+  ],
   "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Syslog",
   "Version": "3.0.4",
   "Metadata": "SolutionMetadata.json",

@@ -6,7 +6,7 @@
     "config": {
       "isWizard": false,
       "basics": {
-        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Syslog/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Syslog solution allows you to ingest events from applications or appliances that generate and can forward logs in the Syslog format to a Syslog Forwarder. The Agent for Linux is then able to forward these logs to the Log Analytics/Microsoft Sentinel workspace.\n\nInstalling this solution will deploy two data connectors,\n\r\n1. **Syslog via AMA** - This data connector helps in ingesting syslog messages into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/en-us/azure/azure-monitor/agents/data-collection-syslog). Microsoft recommends using this Data Connector.\n\r\n2. **Syslog via Legacy Agent** - This data connector helps in ingesting syslog messages into your Log Analytics Workspace using the legacy Log Analytics agent.\n\r\n<P>**NOTE**: After the solution is installed, Microsoft recommends configuring and leveraging the Syslog via AMA connector for log ingestion. Legacy connector uses the Log Analytics agent, which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported.</p>\n\n**Data Connectors:** 2, **Workbooks:** 1, **Analytic Rules:** 7, **Hunting Queries:** 9\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Syslog/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Syslog solution allows you to ingest events from applications or appliances that generate and can forward logs in the Syslog format to a Syslog Forwarder. The Agent for Linux is then able to forward these logs to the Log Analytics/Microsoft Sentinel workspace.\n\nInstalling this solution will deploy two data connectors,\n\r\n1. **Syslog via AMA** - This data connector helps in ingesting syslog messages into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/en-us/azure/azure-monitor/agents/data-collection-syslog). Microsoft recommends using this Data Connector.\n\r\n2. **Syslog via Legacy Agent** - This data connector helps in ingesting syslog messages into your Log Analytics Workspace using the legacy Log Analytics agent.\n\r\n<P>**NOTE**: After the solution is installed, Microsoft recommends configuring and leveraging the Syslog via AMA connector for log ingestion. Legacy connector uses the Log Analytics agent, which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported.</p>\n\n**Data Connectors:** 2, **Parsers:** 2, **Workbooks:** 2, **Analytic Rules:** 7, **Hunting Queries:** 9\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
         "subscription": {
           "resourceProviders": [
             "Microsoft.OperationsManagement/solutions",
@@ -70,6 +70,13 @@
               "text": "This Solution installs the data connector for Syslog. You can get Syslog Syslog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
             }
           },
+          {
+            "name": "dataconnectors-parser-text",
+            "type": "Microsoft.Common.TextBlock",
+            "options": {
+              "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel."
+            }
+          },
           {
             "name": "dataconnectors-link2",
             "type": "Microsoft.Common.TextBlock",
@@ -121,6 +128,20 @@
                 }
               }
             ]
+          },
+          {
+            "name": "workbook2",
+            "type": "Microsoft.Common.Section",
+            "label": "Syslog Connectors Overview Workbook",
+            "elements": [
+              {
+                "name": "workbook2-text",
+                "type": "Microsoft.Common.TextBlock",
+                "options": {
+                  "text": "This Workbook gives an overview of ingestion of logs into Syslog table via Syslog based dataconnectors such as AMA agent"
+                }
+              }
+            ]
           }
         ]
       },
@@ -159,7 +180,7 @@
                 "name": "analytic1-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "Identifies failed logon attempts from unknown users in Syslog authpriv logs. The unknown user means the account that tried to log in \nisn't provisioned on the machine. A few hits could indicate someone attempting to access a machine they aren't authorized to access. \nIf there are many of hits, especially from outside your network, it could indicate a brute force attack. \nDefault threshold for logon attempts is 15."
+                  "text": "Identifies failed logon attempts from unknown users in Syslog authpriv logs. The unknown user means the account that tried to log in isn't provisioned on the machine. A few hits could indicate someone attempting to access a machine they aren't authorized to access. \nIf there are many of hits, especially from outside your network, it could indicate a brute force attack. \nDefault threshold for logon attempts is 15."
                 }
               }
             ]
@@ -187,7 +208,7 @@
                 "name": "analytic3-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "Checks for Squid proxy events in Syslog associated with common mining pools .This query presumes the default Squid log format is being used. \n http://www.squid-cache.org/Doc/config/access_log/"
+                  "text": "Checks for Squid proxy events in Syslog associated with common mining pools. This query presumes the default Squid log format is being used.\n http://www.squid-cache.org/Doc/config/access_log/"
                 }
               }
             ]
@@ -215,7 +236,7 @@
                 "name": "analytic5-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "Identifies an IP address that had 15 failed attempts to sign in via SSH in a 4 hour block during a 24 hour time period.\n Please note that entity mapping for arrays is not supported, so when there is a single value in an array, we will pull that\n value from the array as a single string to populate the entity to support entity mapping features within Sentinel. Additionally,\n if the array is multivalued, we will input a string to indicate this with a unique hash so that matching will not occur.\n As an example - ComputerList is an array that we check for a single value and write that into the HostName field for use in \n the entity mapping within Sentinel."
+                  "text": "Identifies an IP address that had 15 failed attempts to sign in via SSH in a 4 hour block during a 24 hour time period.\n Please note that entity mapping for arrays is not supported, so when there is a single value in an array, we will pull that value from the array as a single string to populate the entity to support entity mapping features within Sentinel. Additionally, if the array is multivalued, we will input a string to indicate this with a unique hash so that matching will not occur.\n As an example - ComputerList is an array that we check for a single value and write that into the HostName field for use in the entity mapping within Sentinel."
                 }
               }
             ]
@@ -229,7 +250,7 @@
                 "name": "analytic6-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "Identifies SFTP File Transfers above certain threshold in a 15min time period. It requires SFTP VERBOSE loglevel to be enabled.\n Please note that entity mapping for arrays is not supported, so when there is a single value in an array, we will pull that\n value from the array as a single string to populate the entity to support entity mapping features within Sentinel. Additionally,\n if the array is multivalued, we will input a string to indicate this with a unique hash so that matching will not occur."
+                  "text": "Identifies SFTP File Transfers above certain threshold in a 15min time period. It requires SFTP VERBOSE loglevel to be enabled.\n Please note that entity mapping for arrays is not supported, so when there is a single value in an array, we will pull that value from the array as a single string to populate the entity to support entity mapping features within Sentinel. Additionally, if the array is multivalued, we will input a string to indicate this with a unique hash so that matching will not occur."
                 }
               }
             ]
@@ -243,7 +264,7 @@
                 "name": "analytic7-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "Identifies SFTP File Transfers with distinct folder count above certain threshold in a 15min time period.\n It requires SFTP VERBOSE loglevel to be enabled.\n Please note that entity mapping for arrays is not supported, so when there is a single value in an array, we will pull that\n value from the array as a single string to populate the entity to support entity mapping features within Sentinel. Additionally,\n if the array is multivalued, we will input a string to indicate this with a unique hash so that matching will not occur."
+                  "text": "Identifies SFTP File Transfers with distinct folder count above certain threshold in a 15min time period.\n It requires SFTP VERBOSE loglevel to be enabled.\n Please note that entity mapping for arrays is not supported, so when there is a single value in an array, we will pull that value from the array as a single string to populate the entity to support entity mapping features within Sentinel. Additionally, if the array is multivalued, we will input a string to indicate this with a unique hash so that matching will not occur."
                 }
               }
             ]