diff --git a/Solutions/Citrix ADC/Package/3.0.3.zip b/Solutions/Citrix ADC/Package/3.0.3.zip
index cc37b3735d7..0d04b892d70 100644
Binary files a/Solutions/Citrix ADC/Package/3.0.3.zip and b/Solutions/Citrix ADC/Package/3.0.3.zip differ
diff --git a/Solutions/Citrix ADC/Package/createUiDefinition.json b/Solutions/Citrix ADC/Package/createUiDefinition.json
index b930bf3fe51..7fc5a51507d 100644
--- a/Solutions/Citrix ADC/Package/createUiDefinition.json
+++ b/Solutions/Citrix ADC/Package/createUiDefinition.json
@@ -50,7 +50,7 @@
"visible": true
}
],
- "steps": null,
+ "steps": [{}],
"outputs": {
"workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
"location": "[location()]",
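Review bot: `"steps": [{}]` replaces `null` with an array holding one empty object, which is neither an empty step list nor a well-formed step (a createUiDefinition step normally carries at least `name`, `label` and `elements`); if the portal validates step shape this may be rejected, and if it does not, it renders as a blank wizard page. If the intent is "no custom steps", `"steps": [],` states that directly; if a step is really required, give it its fields. The enclosing `config`/`parameters` object starts outside the hunk, so I cannot see whether anything else references a step by name.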
diff --git a/Solutions/Sophos XG Firewall/Analytic Rules/ExcessiveAmountofDeniedConnectionsfromASingleSource.yaml b/Solutions/Sophos XG Firewall/Analytic Rules/ExcessiveAmountofDeniedConnectionsfromASingleSource.yaml
index 0114f04993d..e094b4ac2b5 100644
--- a/Solutions/Sophos XG Firewall/Analytic Rules/ExcessiveAmountofDeniedConnectionsfromASingleSource.yaml
+++ b/Solutions/Sophos XG Firewall/Analytic Rules/ExcessiveAmountofDeniedConnectionsfromASingleSource.yaml
@@ -5,9 +5,6 @@ description: |
severity: Medium
status: Available
requiredDataConnectors:
- - connectorId: SophosXGFirewall
- dataTypes:
- - Syslog
- connectorId: SyslogAma
datatypes:
- Syslog
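Review bot: The connector entry that survives this hunk, `connectorId: SyslogAma`, spells its key `datatypes`, while the `SophosXGFirewall` entry removed directly above it spelled it `dataTypes`; if the rule schema expects `dataTypes` (as the removed lines did), the remaining connector's data types will not be read and the rule is left with a connector requirement that names no data type. The same lowercase key is kept in the first hunk of PortScanDetected.yaml and carried into both `requiredDataConnectors` hunks of Package/mainTemplate.json as `"datatypes": [`. Change the kept line to `dataTypes:` in both YAML files and regenerate the package rather than editing mainTemplate.json by hand.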
@@ -30,5 +27,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: Src_IP
-version: 1.0.3
+version: 1.0.4
kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Sophos XG Firewall/Analytic Rules/PortScanDetected.yaml b/Solutions/Sophos XG Firewall/Analytic Rules/PortScanDetected.yaml
index be10448fd05..23ac5d5424d 100644
--- a/Solutions/Sophos XG Firewall/Analytic Rules/PortScanDetected.yaml
+++ b/Solutions/Sophos XG Firewall/Analytic Rules/PortScanDetected.yaml
@@ -5,9 +5,6 @@ description: |
severity: Medium
status: Available
requiredDataConnectors:
- - connectorId: SophosXGFirewall
- dataTypes:
- - Syslog
- connectorId: SyslogAma
datatypes:
- Syslog
@@ -31,5 +28,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: Src_IP
-version: 1.0.3
+version: 1.0.4
kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Sophos XG Firewall/Data/Solution_SophosXGFirewall.json b/Solutions/Sophos XG Firewall/Data/Solution_SophosXGFirewall.json
index 53605b17381..9c0b51e9b5a 100644
--- a/Solutions/Sophos XG Firewall/Data/Solution_SophosXGFirewall.json
+++ b/Solutions/Sophos XG Firewall/Data/Solution_SophosXGFirewall.json
@@ -2,10 +2,7 @@
"Name": "Sophos XG Firewall",
"Author": "SophosXGFirewall",
"Logo": "",
- "Description": "The [Sophos XG Firewall](https://www.sophos.com/products/next-gen-firewall) solution for Microsoft Sentinel enables you to ingest Sophos XG Firewall logs into Microsoft Sentinel.\n\n This solution is dependent on the Syslog solution containing the Syslog via AMA connector to collect the logs. The Syslog solution will be installed as part of this solution installation. \n\n **NOTE**: Microsoft recommends installation of Syslog via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024**. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).",
- "Data Connectors": [
- "Data Connectors/Connector_Syslog_SophosXGFirewall.json"
- ],
+ "Description": "The [Sophos XG Firewall](https://www.sophos.com/products/next-gen-firewall) solution for Microsoft Sentinel enables you to ingest Sophos XG Firewall logs into Microsoft Sentinel.\n\n This solution is dependent on the Syslog solution containing the Syslog via AMA connector to collect the logs. The Syslog solution will be installed as part of this solution installation. \n\n **NOTE**: Microsoft recommends installation of Syslog via AMA Connector. Legacy connector uses the Log Analytics agent which were deprecated on **Aug 31, 2024.**. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).",
"Analytic Rules": [
"Analytic Rules/ExcessiveAmountofDeniedConnectionsfromASingleSource.yaml",
"Analytic Rules/PortScanDetected.yaml"
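Review bot: The reworded NOTE in the new `"Description"` reads `which were deprecated on **Aug 31, 2024.**.` — `were` does not agree with the singular `agent`, and the sentence ends with a period inside the bold markers and another after them. Suggest `Legacy connector uses the Log Analytics agent, which was deprecated on **Aug 31, 2024**.` The identical text is repeated in the `description` hunk of Package/createUiDefinition.json and in the `descriptionHtml` hunk of Package/mainTemplate.json, so fix it here in the source and regenerate so the package files follow.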
@@ -21,6 +18,6 @@
],
"Metadata": "SolutionMetadata.json",
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Sophos XG Firewall",
- "Version": "3.0.0",
+ "Version": "3.0.1",
"TemplateSpec": true
}
\ No newline at end of file
diff --git a/Solutions/Sophos XG Firewall/Package/3.0.1.zip b/Solutions/Sophos XG Firewall/Package/3.0.1.zip
index f8389d7cdb3..fa9d69946fe 100644
Binary files a/Solutions/Sophos XG Firewall/Package/3.0.1.zip and b/Solutions/Sophos XG Firewall/Package/3.0.1.zip differ
diff --git a/Solutions/Sophos XG Firewall/Package/createUiDefinition.json b/Solutions/Sophos XG Firewall/Package/createUiDefinition.json
index 10936a4ef03..3080a9bdb05 100644
--- a/Solutions/Sophos XG Firewall/Package/createUiDefinition.json
+++ b/Solutions/Sophos XG Firewall/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
- "description": "
\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Sophos%20XG%20Firewall/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Sophos XG Firewall](https://www.sophos.com/products/next-gen-firewall) solution for Microsoft Sentinel enables you to ingest Sophos XG Firewall logs into Microsoft Sentinel.\n\n This solution is dependent on the Syslog solution containing the Syslog via AMA connector to collect the logs. The Syslog solution will be installed as part of this solution installation. \n\n **NOTE**: Microsoft recommends installation of Syslog via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024**. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 2\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "
\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Sophos%20XG%20Firewall/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Sophos XG Firewall](https://www.sophos.com/products/next-gen-firewall) solution for Microsoft Sentinel enables you to ingest Sophos XG Firewall logs into Microsoft Sentinel.\n\n This solution is dependent on the Syslog solution containing the Syslog via AMA connector to collect the logs. The Syslog solution will be installed as part of this solution installation. \n\n **NOTE**: Microsoft recommends installation of Syslog via AMA Connector. Legacy connector uses the Log Analytics agent which were deprecated on **Aug 31, 2024.**. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 2\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
@@ -51,37 +51,6 @@
}
],
"steps": [
- {
- "name": "dataconnectors",
- "label": "Data Connectors",
- "bladeTitle": "Data Connectors",
- "elements": [
- {
- "name": "dataconnectors1-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "This Solution installs the data connector for Sophos XG Firewall. You can get Sophos XG Firewall Syslog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
- }
- },
- {
- "name": "dataconnectors-parser-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel."
- }
- },
- {
- "name": "dataconnectors-link2",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "link": {
- "label": "Learn more about connecting data sources",
- "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
- }
- }
- }
- ]
- },
{
"name": "workbooks",
"label": "Workbooks",
diff --git a/Solutions/Sophos XG Firewall/Package/mainTemplate.json b/Solutions/Sophos XG Firewall/Package/mainTemplate.json
index 8e1955f50b0..e32b17aa3e8 100644
--- a/Solutions/Sophos XG Firewall/Package/mainTemplate.json
+++ b/Solutions/Sophos XG Firewall/Package/mainTemplate.json
@@ -42,28 +42,19 @@
"_solutionVersion": "3.0.1",
"solutionId": "azuresentinel.azure-sentinel-solution-sophosxgfirewall",
"_solutionId": "[variables('solutionId')]",
- "uiConfigId1": "SophosXGFirewall",
- "_uiConfigId1": "[variables('uiConfigId1')]",
- "dataConnectorContentId1": "SophosXGFirewall",
- "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
- "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "_dataConnectorId1": "[variables('dataConnectorId1')]",
- "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
- "dataConnectorVersion1": "1.0.0",
- "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
"analyticRuleObject1": {
- "analyticRuleVersion1": "1.0.3",
+ "analyticRuleVersion1": "1.0.4",
"_analyticRulecontentId1": "3d645a88-2724-41a7-adea-db74c439cf79",
"analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '3d645a88-2724-41a7-adea-db74c439cf79')]",
"analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('3d645a88-2724-41a7-adea-db74c439cf79')))]",
- "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','3d645a88-2724-41a7-adea-db74c439cf79','-', '1.0.3')))]"
+ "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','3d645a88-2724-41a7-adea-db74c439cf79','-', '1.0.4')))]"
},
"analyticRuleObject2": {
- "analyticRuleVersion2": "1.0.3",
+ "analyticRuleVersion2": "1.0.4",
"_analyticRulecontentId2": "427e4c9e-8cf4-4094-a684-a2d060dbca38",
"analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '427e4c9e-8cf4-4094-a684-a2d060dbca38')]",
"analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('427e4c9e-8cf4-4094-a684-a2d060dbca38')))]",
- "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','427e4c9e-8cf4-4094-a684-a2d060dbca38','-', '1.0.3')))]"
+ "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','427e4c9e-8cf4-4094-a684-a2d060dbca38','-', '1.0.4')))]"
},
"workbookVersion1": "1.0.0",
"workbookContentId1": "SophosXGFirewallWorkbook",
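Review bot: `_solutionVersion` is already `3.0.1` in the unchanged context at the top of this hunk, and Package/3.0.1.zip is modified rather than added, so this commit republishes an existing package version with different content (the data connector resources removed in the next hunk). Because `_solutioncontentProductId` is derived from `_solutionVersion`, a workspace that already installed 3.0.1 sees no newer version to update to, and two different artifacts now share one version label, which makes it hard to tell from a deployed workspace which content it carries. Data/Solution_SophosXGFirewall.json moves `"Version"` only from 3.0.0 to 3.0.1; bump it to `"3.0.2"`, regenerate the package, and add a new release-notes row instead of rewriting the existing 3.0.1 row.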
@@ -82,351 +73,6 @@
"_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
},
"resources": [
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
- "apiVersion": "2023-04-01-preview",
- "name": "[variables('dataConnectorTemplateSpecName1')]",
- "location": "[parameters('workspace-location')]",
- "dependsOn": [
- "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
- ],
- "properties": {
- "description": "Sophos XG Firewall data connector with template version 3.0.1",
- "mainTemplate": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('dataConnectorVersion1')]",
- "parameters": {},
- "variables": {},
- "resources": [
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
- "properties": {
- "connectorUiConfig": {
- "id": "[variables('_uiConfigId1')]",
- "title": "[Deprecated] Sophos XG Firewall",
- "publisher": "Sophos",
- "descriptionMarkdown": "The [Sophos XG Firewall](https://www.sophos.com/products/next-gen-firewall.aspx) allows you to easily connect your Sophos XG Firewall logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigations. Integrating Sophos XG Firewall with Microsoft Sentinel provides more visibility into your organization's firewall traffic and will enhance security monitoring capabilities.",
- "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution.",
- "graphQueries": [
- {
- "metricName": "Total data received",
- "legend": "Sophos",
- "baseQuery": "SophosXGFirewall"
- }
- ],
- "sampleQueries": [
- {
- "description": "Top 10 Denied Source IPs",
- "query": "SophosXGFirewall \n| where Log_Type == \"Firewall\" and Status == \"Deny\" \n| summarize count() by Src_IP \n| top 10 by count_"
- },
- {
- "description": "Top 10 Denied Destination IPs",
- "query": "SophosXGFirewall \n| where Log_Type == \"Firewall\" and Status == \"Deny\" \n| summarize count() by Dst_IP \n| top 10 by count_"
- }
- ],
- "dataTypes": [
- {
- "name": "Syslog (SophosXGFirewall)",
- "lastDataReceivedQuery": "SophosXGFirewall \n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "SophosXGFirewall \n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
- ]
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "write permission is required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "write": true,
- "delete": true
- }
- }
- ],
- "customs": [
- {
- "name": "Sophos XG Firewall",
- "description": "must be configured to export logs via Syslog"
- }
- ]
- },
- "instructionSteps": [
- {
- "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias Sophos XG Firewall and load the function code or click [here](https://aka.ms/sentinel-SophosXG-parser), on the second line of the query, enter the hostname(s) of your Sophos XG Firewall device(s) and any other unique identifiers for the logstream. The function usually takes 10-15 minutes to activate after solution installation/update."
- },
- {
- "description": "Typically, you should install the agent on a different computer from the one on which the logs are generated.\n\n> Syslog logs are collected only from **Linux** agents.",
- "instructions": [
- {
- "parameters": {
- "title": "Choose where to install the agent:",
- "instructionSteps": [
- {
- "title": "Install agent on Azure Linux Virtual Machine",
- "description": "Select the machine to install the agent on and then click **Connect**.",
- "instructions": [
- {
- "parameters": {
- "linkType": "InstallAgentOnLinuxVirtualMachine"
- },
- "type": "InstallAgent"
- }
- ]
- },
- {
- "title": "Install agent on a non-Azure Linux Machine",
- "description": "Download the agent on the relevant machine and follow the instructions.",
- "instructions": [
- {
- "parameters": {
- "linkType": "InstallAgentOnLinuxNonAzure"
- },
- "type": "InstallAgent"
- }
- ]
- }
- ]
- },
- "type": "InstructionStepsGroup"
- }
- ],
- "title": "1. Install and onboard the agent for Linux"
- },
- {
- "description": "Configure the facilities you want to collect and their severities.\n 1. Under workspace advanced settings **Configuration**, select **Data** and then **Syslog**.\n 2. Select **Apply below configuration to my machines** and select the facilities and severities.\n 3. Click **Save**.",
- "instructions": [
- {
- "parameters": {
- "linkType": "OpenSyslogSettings"
- },
- "type": "InstallAgent"
- }
- ],
- "title": "2. Configure the logs to be collected"
- },
- {
- "description": "[Follow these instructions](https://doc.sophos.com/nsg/sophos-firewall/20.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/SystemServices/LogSettings/SyslogServerAdd/index.html) to enable syslog streaming. Use the IP address or hostname for the Linux device with the Linux agent installed as the Destination IP address.",
- "title": "3. Configure and connect the Sophos XG Firewall"
- }
- ]
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion1')]",
- "source": {
- "kind": "Solution",
- "name": "Sophos XG Firewall",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "SophosXGFirewall"
- },
- "support": {
- "tier": "Microsoft",
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "link": "https://support.microsoft.com/"
- }
- }
- }
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "contentKind": "DataConnector",
- "displayName": "[Deprecated] Sophos XG Firewall",
- "contentProductId": "[variables('_dataConnectorcontentProductId1')]",
- "id": "[variables('_dataConnectorcontentProductId1')]",
- "version": "[variables('dataConnectorVersion1')]"
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
- "dependsOn": [
- "[variables('_dataConnectorId1')]"
- ],
- "location": "[parameters('workspace-location')]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion1')]",
- "source": {
- "kind": "Solution",
- "name": "Sophos XG Firewall",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "SophosXGFirewall"
- },
- "support": {
- "tier": "Microsoft",
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "link": "https://support.microsoft.com/"
- }
- }
- },
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
- "properties": {
- "connectorUiConfig": {
- "title": "[Deprecated] Sophos XG Firewall",
- "publisher": "Sophos",
- "descriptionMarkdown": "The [Sophos XG Firewall](https://www.sophos.com/products/next-gen-firewall.aspx) allows you to easily connect your Sophos XG Firewall logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigations. Integrating Sophos XG Firewall with Microsoft Sentinel provides more visibility into your organization's firewall traffic and will enhance security monitoring capabilities.",
- "graphQueries": [
- {
- "metricName": "Total data received",
- "legend": "Sophos",
- "baseQuery": "SophosXGFirewall"
- }
- ],
- "dataTypes": [
- {
- "name": "Syslog (SophosXGFirewall)",
- "lastDataReceivedQuery": "SophosXGFirewall \n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "SophosXGFirewall \n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
- ]
- }
- ],
- "sampleQueries": [
- {
- "description": "Top 10 Denied Source IPs",
- "query": "SophosXGFirewall \n| where Log_Type == \"Firewall\" and Status == \"Deny\" \n| summarize count() by Src_IP \n| top 10 by count_"
- },
- {
- "description": "Top 10 Denied Destination IPs",
- "query": "SophosXGFirewall \n| where Log_Type == \"Firewall\" and Status == \"Deny\" \n| summarize count() by Dst_IP \n| top 10 by count_"
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "write permission is required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "write": true,
- "delete": true
- }
- }
- ],
- "customs": [
- {
- "name": "Sophos XG Firewall",
- "description": "must be configured to export logs via Syslog"
- }
- ]
- },
- "instructionSteps": [
- {
- "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias Sophos XG Firewall and load the function code or click [here](https://aka.ms/sentinel-SophosXG-parser), on the second line of the query, enter the hostname(s) of your Sophos XG Firewall device(s) and any other unique identifiers for the logstream. The function usually takes 10-15 minutes to activate after solution installation/update."
- },
- {
- "description": "Typically, you should install the agent on a different computer from the one on which the logs are generated.\n\n> Syslog logs are collected only from **Linux** agents.",
- "instructions": [
- {
- "parameters": {
- "title": "Choose where to install the agent:",
- "instructionSteps": [
- {
- "title": "Install agent on Azure Linux Virtual Machine",
- "description": "Select the machine to install the agent on and then click **Connect**.",
- "instructions": [
- {
- "parameters": {
- "linkType": "InstallAgentOnLinuxVirtualMachine"
- },
- "type": "InstallAgent"
- }
- ]
- },
- {
- "title": "Install agent on a non-Azure Linux Machine",
- "description": "Download the agent on the relevant machine and follow the instructions.",
- "instructions": [
- {
- "parameters": {
- "linkType": "InstallAgentOnLinuxNonAzure"
- },
- "type": "InstallAgent"
- }
- ]
- }
- ]
- },
- "type": "InstructionStepsGroup"
- }
- ],
- "title": "1. Install and onboard the agent for Linux"
- },
- {
- "description": "Configure the facilities you want to collect and their severities.\n 1. Under workspace advanced settings **Configuration**, select **Data** and then **Syslog**.\n 2. Select **Apply below configuration to my machines** and select the facilities and severities.\n 3. Click **Save**.",
- "instructions": [
- {
- "parameters": {
- "linkType": "OpenSyslogSettings"
- },
- "type": "InstallAgent"
- }
- ],
- "title": "2. Configure the logs to be collected"
- },
- {
- "description": "[Follow these instructions](https://doc.sophos.com/nsg/sophos-firewall/20.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/SystemServices/LogSettings/SyslogServerAdd/index.html) to enable syslog streaming. Use the IP address or hostname for the Linux device with the Linux agent installed as the Destination IP address.",
- "title": "3. Configure and connect the Sophos XG Firewall"
- }
- ],
- "id": "[variables('_uiConfigId1')]",
- "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution."
- }
- }
- },
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
@@ -464,16 +110,10 @@
"status": "Available",
"requiredDataConnectors": [
{
- "dataTypes": [
- "Syslog"
- ],
- "connectorId": "SophosXGFirewall"
- },
- {
+ "connectorId": "SyslogAma",
"datatypes": [
"Syslog"
- ],
- "connectorId": "SyslogAma"
+ ]
}
],
"tactics": [
@@ -484,13 +124,13 @@
],
"entityMappings": [
{
+ "entityType": "IP",
"fieldMappings": [
{
"columnName": "Src_IP",
"identifier": "Address"
}
- ],
- "entityType": "IP"
+ ]
}
]
}
@@ -573,16 +213,10 @@
"status": "Available",
"requiredDataConnectors": [
{
- "dataTypes": [
- "Syslog"
- ],
- "connectorId": "SophosXGFirewall"
- },
- {
+ "connectorId": "SyslogAma",
"datatypes": [
"Syslog"
- ],
- "connectorId": "SyslogAma"
+ ]
}
],
"tactics": [
@@ -593,13 +227,13 @@
],
"entityMappings": [
{
+ "entityType": "IP",
"fieldMappings": [
{
"columnName": "Src_IP",
"identifier": "Address"
}
- ],
- "entityType": "IP"
+ ]
}
]
}
@@ -876,7 +510,7 @@
"contentSchemaVersion": "3.0.0",
"displayName": "Sophos XG Firewall",
"publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation",
- "descriptionHtml": "
Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Sophos XG Firewall solution for Microsoft Sentinel enables you to ingest Sophos XG Firewall logs into Microsoft Sentinel.
\nThis solution is dependent on the Syslog solution containing the Syslog via AMA connector to collect the logs. The Syslog solution will be installed as part of this solution installation.
\nNOTE: Microsoft recommends installation of Syslog via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.
\nData Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 2
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
+ "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Sophos XG Firewall solution for Microsoft Sentinel enables you to ingest Sophos XG Firewall logs into Microsoft Sentinel.
\nThis solution is dependent on the Syslog solution containing the Syslog via AMA connector to collect the logs. The Syslog solution will be installed as part of this solution installation.
\nNOTE: Microsoft recommends installation of Syslog via AMA Connector. Legacy connector uses the Log Analytics agent which were deprecated on Aug 31, 2024.. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.
\nParsers: 1, Workbooks: 1, Analytic Rules: 2
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
"contentKind": "Solution",
"contentProductId": "[variables('_solutioncontentProductId')]",
"id": "[variables('_solutioncontentProductId')]",
@@ -899,11 +533,6 @@
},
"dependencies": {
"criteria": [
- {
- "kind": "DataConnector",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "version": "[variables('dataConnectorVersion1')]"
- },
{
"kind": "AnalyticsRule",
"contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
diff --git a/Solutions/Sophos XG Firewall/ReleaseNotes.md b/Solutions/Sophos XG Firewall/ReleaseNotes.md
index 0ac78aa6269..7dcc82d6b9a 100644
--- a/Solutions/Sophos XG Firewall/ReleaseNotes.md
+++ b/Solutions/Sophos XG Firewall/ReleaseNotes.md
@@ -1,4 +1,5 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|--------------------------------------------------------------------|
-| 3.0.1 | 19-11-2024 | Updated SophosXGFirewall.json **Workbook** to fix missing fields|
-| 3.0.0 | 01-08-2024 | Update **Parser** as part of Syslog migration Deprecating **Data Connectors** |
\ No newline at end of file
+| 3.0.1 | 09-12-2024 | Rmoved Deprecated **Data Connector** + Updated SophosXGFirewall.json **Workbook** to fix missing fields |
+| 3.0.0 | 01-08-2024 | Update **Parser** as part of Syslog migration Deprecating **Data Connectors** |
\ No newline at end of file
diff --git a/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json b/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json
index 56e502aa5cb..e3eca7b5709 100644
--- a/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json
+++ b/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json
@@ -1460,7 +1460,7 @@
"Syslog"
],
"dataConnectorsDependencies": [
- "SophosXGFirewall"
+ "SyslogAma"
],
"previewImagesFileNames": [
"SophosXGFirewallWhite.png",
@@ -2782,7 +2782,7 @@
"ThreatIntelligenceIndicator"
],
"dataConnectorsDependencies": [
- "CiscoMeraki",
+ "CustomLogsAma",
"CiscoMerakiNativePolling",
"ThreatIntelligence"
],
@@ -2997,7 +2997,7 @@
"ApacheHTTPServer_CL"
],
"dataConnectorsDependencies": [
- "ApacheHTTPServer"
+ "CustomLogsAma"
],
"previewImagesFileNames": [
"ApacheHTTPServerOverviewBlack01.png",
@@ -3962,7 +3962,7 @@
"ZPA_CL"
],
"dataConnectorsDependencies": [
- "ZscalerPrivateAccess"
+ "CustomLogsAma"
],
"previewImagesFileNames": [
"ZscalerZPABlack.png",
@@ -4552,7 +4552,7 @@
"Corelight",
"AIVectraStream",
"CheckPoint",
- "CiscoMeraki",
+ "CustomLogsAma",
"CefAma"
],
"previewImagesFileNames": [],
diff --git a/Workbooks/WorkbooksMetadata.json b/Workbooks/WorkbooksMetadata.json
index c80bb84e4a3..ce0a57c605e 100644
--- a/Workbooks/WorkbooksMetadata.json
+++ b/Workbooks/WorkbooksMetadata.json
@@ -1843,7 +1843,6 @@
"Syslog"
],
"dataConnectorsDependencies": [
- "SophosXGFirewall",
"SyslogAma"
],
"previewImagesFileNames": [
@@ -3466,7 +3465,7 @@
"ThreatIntelligenceIndicator"
],
"dataConnectorsDependencies": [
- "CiscoMeraki",
+ "CustomLogsAma",
"CiscoMerakiNativePolling",
"ThreatIntelligence"
],
@@ -3750,7 +3749,7 @@
"ApacheHTTPServer_CL"
],
"dataConnectorsDependencies": [
- "ApacheHTTPServer"
+ "CustomLogsAma"
],
"previewImagesFileNames": [
"ApacheHTTPServerOverviewBlack01.png",
@@ -4774,7 +4773,6 @@
"ZPA_CL"
],
"dataConnectorsDependencies": [
- "ZscalerPrivateAccess",
"CustomLogsAma"
],
"previewImagesFileNames": [
@@ -5492,7 +5490,7 @@
"Corelight",
"AIVectraStream",
"CheckPoint",
- "CiscoMeraki",
+ "CustomLogsAma",
"CefAma"
],
"previewImagesFileNames": [
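Review bot: The `dataConnectorsDependencies` swaps for Cisco Meraki, Apache HTTP Server and Zscaler Private Access in Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json (hunks at -2782, -2997, -3962, -4552) and the matching hunks in Workbooks/WorkbooksMetadata.json are unrelated to the Sophos XG Firewall connector removal that the rest of the commit performs, and nothing visible records why they are here. They look like a re-sync of the Tools copy of the metadata with the Workbooks copy, but that is an inference; replacing a legacy connector id with `CustomLogsAma` changes which connector a workbook is advertised as depending on, so it deserves a sentence in the commit description or a release-notes row for each affected solution. If they are not intentional, split them out into their own change.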