diff --git a/Solutions/Infoblox NIOS/Analytic Rules/ExcessiveNXDOMAINDNSQueries.yaml b/Solutions/Infoblox NIOS/Analytic Rules/ExcessiveNXDOMAINDNSQueries.yaml index 22a02cb7de6..3097664d3af 100644 --- a/Solutions/Infoblox NIOS/Analytic Rules/ExcessiveNXDOMAINDNSQueries.yaml +++ b/Solutions/Infoblox NIOS/Analytic Rules/ExcessiveNXDOMAINDNSQueries.yaml @@ -5,9 +5,6 @@ description: | severity: Medium status: Available requiredDataConnectors: - - connectorId: InfobloxNIOS - dataTypes: - - Syslog - connectorId: SyslogAma datatypes: - Syslog @@ -36,5 +33,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: SrcIpAddr -version: 1.0.4 +version: 1.0.5 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Infoblox NIOS/Analytic Rules/PotentialDHCPStarvationAttack.yaml b/Solutions/Infoblox NIOS/Analytic Rules/PotentialDHCPStarvationAttack.yaml index afead09608c..88cea801679 100644 --- a/Solutions/Infoblox NIOS/Analytic Rules/PotentialDHCPStarvationAttack.yaml +++ b/Solutions/Infoblox NIOS/Analytic Rules/PotentialDHCPStarvationAttack.yaml @@ -5,9 +5,6 @@ description: | severity: Medium status: Available requiredDataConnectors: - - connectorId: InfobloxNIOS - dataTypes: - - Syslog - connectorId: SyslogAma datatypes: - Syslog @@ -33,5 +30,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: SrcIpAddr -version: 1.0.4 +version: 1.0.5 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Infoblox NIOS/Data/Solution_InfobloxNIOS.json b/Solutions/Infoblox NIOS/Data/Solution_InfobloxNIOS.json index f2537308af3..9c37d873e30 100644 --- a/Solutions/Infoblox NIOS/Data/Solution_InfobloxNIOS.json +++ b/Solutions/Infoblox NIOS/Data/Solution_InfobloxNIOS.json 
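Review bot: The SyslogAma entry that is now the only required connector spells its key `datatypes`, while the InfobloxNIOS entry removed directly above it used `dataTypes`; if the solution validation or packaging tooling matches this key case-sensitively, the retained connector's data types may be silently ignored, something the old entry would have masked until now. Suggest normalising the retained entry to `    dataTypes:` in ExcessiveNXDOMAINDNSQueries.yaml, and the same shape recurs in the PotentialDHCPStarvationAttack.yaml hunk. I cannot tell from the diff alone whether the tooling is case-insensitive, so treat this as a point to confirm rather than a certain defect.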
@@ -2,10 +2,7 @@ "Name": "Infoblox NIOS", "Author": "Infoblox", "Logo": "", - "Description": "The [Infoblox Network Identity Operating System (NIOS)](https://www.infoblox.com/glossary/network-identity-operating-system-nios/) solution for Microsoft Sentinel enables you to easily connect your Infoblox NIOS logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities.\n\n This solution is dependent on the Syslog solution containing the Syslog via AMA connector to collect the logs. The Syslog solution will be installed as part of this solution installation.\n\n **NOTE**: Microsoft recommends installation of Syslog via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024**. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).", - "Data Connectors": [ - "Data Connectors/Connector_Syslog_Infoblox.json" - ], + "Description": "The [Infoblox Network Identity Operating System (NIOS)](https://www.infoblox.com/glossary/network-identity-operating-system-nios/) solution for Microsoft Sentinel enables you to easily connect your Infoblox NIOS logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities.\n\n This solution is dependent on the Syslog solution containing the Syslog via AMA connector to collect the logs. The Syslog solution will be installed as part of this solution installation.\n\n **NOTE**: Microsoft recommends installation of Syslog via AMA Connector. 
Legacy connector uses the Log Analytics agent which were deprecated on **Aug 31, 2024.** Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).", "Workbooks": [ "Workbooks/Infoblox-Workbook-V2.json" ], @@ -44,7 +41,7 @@ "Workbooks/Watchlist/Sources_by_SourceType.json" ], "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Infoblox NIOS", - "Version": "3.0.3", + "Version": "3.0.4", "Metadata": "SolutionMetadata.json", "TemplateSpec": true, "Is1Pconnector": false diff --git a/Solutions/Infoblox NIOS/Package/3.0.4.zip b/Solutions/Infoblox NIOS/Package/3.0.4.zip new file mode 100644 index 00000000000..ea9276e0830 Binary files /dev/null and b/Solutions/Infoblox NIOS/Package/3.0.4.zip differ diff --git a/Solutions/Infoblox NIOS/Package/createUiDefinition.json b/Solutions/Infoblox NIOS/Package/createUiDefinition.json index a4496a5f5f6..6e0d7a7593b 100644 --- a/Solutions/Infoblox NIOS/Package/createUiDefinition.json +++ b/Solutions/Infoblox NIOS/Package/createUiDefinition.json 
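Review bot: The rewritten Description still carries the NOTE paragraph recommending Syslog via AMA over the legacy connector, but this same commit deletes the `Data Connectors` array and the legacy InfobloxNIOS connector from the package, so the paragraph now warns about a choice the installer no longer offers. Suggest replacing it with wording such as `**NOTE**: The legacy Infoblox NIOS connector (Log Analytics agent) has been removed from this solution; logs are collected only through the Syslog via AMA connector. If a Log Analytics agent is still forwarding Infoblox syslog, migrate it to AMA to avoid duplicate ingestion`, keeping the existing ama-migrate link. The new sentence also has a number-agreement slip, `which were deprecated on` should read `which was deprecated on`, and the bold span `**Aug 31, 2024.**` swallows the sentence's full stop.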
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Infoblox%20NIOS/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Infoblox Network Identity Operating System (NIOS)](https://www.infoblox.com/glossary/network-identity-operating-system-nios/) solution for Microsoft Sentinel enables you to easily connect your Infoblox NIOS logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities.\n\n This solution is dependent on the Syslog solution containing the Syslog via AMA connector to collect the logs. The Syslog solution will be installed as part of this solution installation.\n\n **NOTE**: Microsoft recommends installation of Syslog via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024**. 
Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Data Connectors:** 1, **Parsers:** 22, **Workbooks:** 1, **Analytic Rules:** 2, **Watchlists:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Infoblox%20NIOS/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Infoblox Network Identity Operating System (NIOS)](https://www.infoblox.com/glossary/network-identity-operating-system-nios/) solution for Microsoft Sentinel enables you to easily connect your Infoblox NIOS logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities.\n\n This solution is dependent on the Syslog solution containing the Syslog via AMA connector to collect the logs. The Syslog solution will be installed as part of this solution installation.\n\n **NOTE**: Microsoft recommends installation of Syslog via AMA Connector. 
Legacy connector uses the Log Analytics agent which were deprecated on **Aug 31, 2024.** Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Parsers:** 22, **Workbooks:** 1, **Analytic Rules:** 2, **Watchlists:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", @@ -51,37 +51,6 @@ } ], "steps": [ - { - "name": "dataconnectors", - "label": "Data Connectors", - "bladeTitle": "Data Connectors", - "elements": [ - { - "name": "dataconnectors1-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This Solution installs the data connector for Infoblox NIOS. You can get Infoblox NIOS Syslog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." - } - }, - { - "name": "dataconnectors-parser-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel." - } - }, - { - "name": "dataconnectors-link2", - "type": "Microsoft.Common.TextBlock", - "options": { - "link": { - "label": "Learn more about connecting data sources", - "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources" - } - } - } - ] - }, { "name": "workbooks", "label": "Workbooks", 
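Review bot: Removing the `dataconnectors` wizard step takes away the only post-install instruction the UI gave (`After installing the solution, configure and enable this data connector by following guidance in Manage solution view`), and the retained description only states that the Syslog solution is installed, not that the Syslog via AMA connector still has to be configured with a Data Collection Rule before any parser, workbook or rule in this package produces data. Suggest adding a sentence to `basics.description`, e.g. `After installation, open the **Syslog via AMA** connector from the Syslog solution and configure a Data Collection Rule for the facilities your Infoblox appliances forward; this solution ships no connector of its own.` Dropping `**Data Connectors:** 1` from the inventory line is correct given the removal. The new sentence's `which were deprecated on` should also read `which was deprecated on`.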
diff --git a/Solutions/Infoblox NIOS/Package/mainTemplate.json b/Solutions/Infoblox NIOS/Package/mainTemplate.json
index a8c6f8e2d40..67a1ba4294c 100644
--- a/Solutions/Infoblox NIOS/Package/mainTemplate.json
+++ b/Solutions/Infoblox NIOS/Package/mainTemplate.json
@@ -47,18 +47,9 @@
 },
 "variables": {
 "_solutionName": "Infoblox NIOS",
- "_solutionVersion": "3.0.3",
+ "_solutionVersion": "3.0.4",
 "solutionId": "azuresentinel.azure-sentinel-solution-infobloxnios",
 "_solutionId": "[variables('solutionId')]",
- "uiConfigId1": "InfobloxNIOS",
- "_uiConfigId1": "[variables('uiConfigId1')]",
- "dataConnectorContentId1": "InfobloxNIOS",
- "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
- "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "_dataConnectorId1": "[variables('dataConnectorId1')]",
- "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
- "dataConnectorVersion1": "1.0.0",
- "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
 "workbookVersion1": "1.1.0",
 "workbookContentId1": "InfobloxNIOSWorkbook",
 "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]",
@@ -221,377 +212,24 @@ "parserContentId22": "Infoblox_dnszone-Parser" }, "analyticRuleObject1": { - "analyticRuleVersion1": "1.0.4", + "analyticRuleVersion1": "1.0.5", "_analyticRulecontentId1": "b8266f81-2715-41a6-9062-42486cbc9c73", "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'b8266f81-2715-41a6-9062-42486cbc9c73')]", "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('b8266f81-2715-41a6-9062-42486cbc9c73')))]", - "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','b8266f81-2715-41a6-9062-42486cbc9c73','-', '1.0.4')))]" + "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','b8266f81-2715-41a6-9062-42486cbc9c73','-', '1.0.5')))]" }, "analyticRuleObject2": { - "analyticRuleVersion2": "1.0.4", + "analyticRuleVersion2": "1.0.5", "_analyticRulecontentId2": "57e56fc9-417a-4f41-a579-5475aea7b8ce", "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '57e56fc9-417a-4f41-a579-5475aea7b8ce')]", "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('57e56fc9-417a-4f41-a579-5475aea7b8ce')))]", - "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','57e56fc9-417a-4f41-a579-5475aea7b8ce','-', '1.0.4')))]" + "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','57e56fc9-417a-4f41-a579-5475aea7b8ce','-', '1.0.5')))]" }, "Sources_by_SourceType": "Sources_by_SourceType", "_Sources_by_SourceType": 
"[variables('Sources_by_SourceType')]", "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, "resources": [ - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Infoblox NIOS data connector with template version 3.0.3", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion1')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId1')]", - "title": "[Deprecated] Infoblox NIOS", - "publisher": "Infoblox", - "descriptionMarkdown": "The [Infoblox Network Identity Operating System (NIOS)](https://www.infoblox.com/glossary/network-identity-operating-system-nios/) connector allows you to easily connect your Infoblox NIOS logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. 
This gives you more insight into your organization's network and improves your security operation capabilities.", - "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "InfobloxNIOS", - "baseQuery": "Infoblox" - } - ], - "sampleQueries": [ - { - "description": "Total Count by DHCP Request Message Types", - "query": "union isfuzzy=true \n Infoblox_dhcpdiscover,Infoblox_dhcprequest,Infoblox_dhcpinform \n| summarize count() by Log_Type" - }, - { - "description": "Top 5 Source IP address", - "query": "Infoblox_dnsclient \n | summarize count() by SrcIpAddr \n | top 10 by count_ desc" - } - ], - "dataTypes": [ - { - "name": "Syslog (InfobloxNIOS)", - "lastDataReceivedQuery": "Infoblox \n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "Infoblox \n | where TimeGenerated > ago(3d)\n |take 1 \n | project IsConnected = true" - ] - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "write permission is required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "delete": true - } - } - ], - "customs": [ - { - "name": "Infoblox NIOS", - "description": "must be configured to export logs via Syslog" - } - ] - }, - "instructionSteps": [ - { - "description": "**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. 
To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias Infoblox and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox%20NIOS/Parser/Infoblox.yaml), on the second line of the query, enter any unique identifiers for the logstream. The function usually takes 10-15 minutes to activate after solution installation/update." - }, - { - "description": "Typically, you should install the agent on a different computer from the one on which the logs are generated.\n\n> Syslog logs are collected only from **Linux** agents.", - "instructions": [ - { - "parameters": { - "title": "Choose where to install the agent:", - "instructionSteps": [ - { - "title": "Install agent on Azure Linux Virtual Machine", - "description": "Select the machine to install the agent on and then click **Connect**.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnLinuxVirtualMachine" - }, - "type": "InstallAgent" - } - ] - }, - { - "title": "Install agent on a non-Azure Linux Machine", - "description": "Download the agent on the relevant machine and follow the instructions.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnLinuxNonAzure" - }, - "type": "InstallAgent" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ], - "title": "1. Install and onboard the agent for Linux" - }, - { - "description": "Configure the facilities you want to collect and their severities.\n 1. Under workspace advanced settings **Configuration**, select **Data** and then **Syslog**.\n 2. Select **Apply below configuration to my machines** and select the facilities and severities.\n 3. Click **Save**.", - "instructions": [ - { - "parameters": { - "linkType": "OpenSyslogSettings" - }, - "type": "InstallAgent" - } - ], - "title": "2. 
Configure the logs to be collected" - }, - { - "description": "[Follow these instructions](https://www.infoblox.com/wp-content/uploads/infoblox-deployment-guide-slog-and-snmp-configuration-for-nios.pdf) to enable syslog forwarding of Infoblox NIOS Logs. Use the IP address or hostname for the Linux device with the Linux agent installed as the Destination IP address.", - "title": "3. Configure and connect the Infoblox NIOS" - }, - { - "description": "Update the watchlist 'Sources_by_Source' with the hostname(s) of your Infoblox device(s). Set SourceType to 'InfobloxNIOS' and Source to the value of 'Computer' seen in the logs seen in Syslog table.", - "title": "4. Configure the Sentinel parser" - } - ] - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "Infoblox NIOS", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Infoblox" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId1')]", - "contentKind": "DataConnector", - "displayName": 
"[Deprecated] Infoblox NIOS", - "contentProductId": "[variables('_dataConnectorcontentProductId1')]", - "id": "[variables('_dataConnectorcontentProductId1')]", - "version": "[variables('dataConnectorVersion1')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId1')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "Infoblox NIOS", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Infoblox" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "[Deprecated] Infoblox NIOS", - "publisher": "Infoblox", - "descriptionMarkdown": "The [Infoblox Network Identity Operating System (NIOS)](https://www.infoblox.com/glossary/network-identity-operating-system-nios/) connector allows you to easily connect your Infoblox NIOS logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve 
investigation. This gives you more insight into your organization's network and improves your security operation capabilities.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "InfobloxNIOS", - "baseQuery": "Infoblox" - } - ], - "dataTypes": [ - { - "name": "Syslog (InfobloxNIOS)", - "lastDataReceivedQuery": "Infoblox \n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "Infoblox \n | where TimeGenerated > ago(3d)\n |take 1 \n | project IsConnected = true" - ] - } - ], - "sampleQueries": [ - { - "description": "Total Count by DHCP Request Message Types", - "query": "union isfuzzy=true \n Infoblox_dhcpdiscover,Infoblox_dhcprequest,Infoblox_dhcpinform \n| summarize count() by Log_Type" - }, - { - "description": "Top 5 Source IP address", - "query": "Infoblox_dnsclient \n | summarize count() by SrcIpAddr \n | top 10 by count_ desc" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "write permission is required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "delete": true - } - } - ], - "customs": [ - { - "name": "Infoblox NIOS", - "description": "must be configured to export logs via Syslog" - } - ] - }, - "instructionSteps": [ - { - "description": "**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. 
To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias Infoblox and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox%20NIOS/Parser/Infoblox.yaml), on the second line of the query, enter any unique identifiers for the logstream. The function usually takes 10-15 minutes to activate after solution installation/update." - }, - { - "description": "Typically, you should install the agent on a different computer from the one on which the logs are generated.\n\n> Syslog logs are collected only from **Linux** agents.", - "instructions": [ - { - "parameters": { - "title": "Choose where to install the agent:", - "instructionSteps": [ - { - "title": "Install agent on Azure Linux Virtual Machine", - "description": "Select the machine to install the agent on and then click **Connect**.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnLinuxVirtualMachine" - }, - "type": "InstallAgent" - } - ] - }, - { - "title": "Install agent on a non-Azure Linux Machine", - "description": "Download the agent on the relevant machine and follow the instructions.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnLinuxNonAzure" - }, - "type": "InstallAgent" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ], - "title": "1. Install and onboard the agent for Linux" - }, - { - "description": "Configure the facilities you want to collect and their severities.\n 1. Under workspace advanced settings **Configuration**, select **Data** and then **Syslog**.\n 2. Select **Apply below configuration to my machines** and select the facilities and severities.\n 3. Click **Save**.", - "instructions": [ - { - "parameters": { - "linkType": "OpenSyslogSettings" - }, - "type": "InstallAgent" - } - ], - "title": "2. 
Configure the logs to be collected" - }, - { - "description": "[Follow these instructions](https://www.infoblox.com/wp-content/uploads/infoblox-deployment-guide-slog-and-snmp-configuration-for-nios.pdf) to enable syslog forwarding of Infoblox NIOS Logs. Use the IP address or hostname for the Linux device with the Linux agent installed as the Destination IP address.", - "title": "3. Configure and connect the Infoblox NIOS" - }, - { - "description": "Update the watchlist 'Sources_by_Source' with the hostname(s) of your Infoblox device(s). Set SourceType to 'InfobloxNIOS' and Source to the value of 'Computer' seen in the logs seen in Syslog table.", - "title": "4. Configure the Sentinel parser" - } - ], - "id": "[variables('_uiConfigId1')]", - "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution." - } - } - }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", @@ -601,7 +239,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox-Workbook-V2 Workbook with template version 3.0.3", + "description": "Infoblox-Workbook-V2 Workbook with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", @@ -659,6 +297,10 @@ { "contentId": "InfobloxNIOS", "kind": "DataConnector" + }, + { + "contentId": "SyslogAma", + "kind": "DataConnector" } ] } 
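Review bot: Deleting the GenericUI connector also deletes its instruction step 4, `Update the watchlist 'Sources_by_Source' with the hostname(s) of your Infoblox device(s). Set SourceType to 'InfobloxNIOS' and Source to the value of 'Computer'…`, and nothing else in this package appears to tell users to populate the Sources_by_SourceType watchlist that the template still ships (the `_Sources_by_SourceType` variable and the Watchlist content remain). If the parsers filter on that watchlist, as the removed text implies, a fresh install will produce empty parser output with no hint why. Suggest moving that step into the createUiDefinition description or the watchlist's own description, and while doing so fixing the name mismatch: the removed text says `'Sources_by_Source'` while the shipped watchlist is `Sources_by_SourceType`. The parser bodies are outside this diff, so the watchlist dependency is inferred from the removed instruction text and should be confirmed.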
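Review bot: The workbook's dependency list now holds both the pre-existing `{ "contentId": "InfobloxNIOS", "kind": "DataConnector" }` and the newly added SyslogAma entry, yet the InfobloxNIOS connector content template, its metadata and its dataConnectors resource are all removed in this same commit, so the first entry references content the package no longer delivers. Unless it is kept deliberately for upgrade compatibility, it should be replaced rather than supplemented: drop the InfobloxNIOS object and keep only `{ "contentId": "SyslogAma", "kind": "DataConnector" }`. The analytic rule resources' own dependency blocks are outside this hunk and are worth checking for the same stale entry.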
@@ -688,7 +330,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox Data Parser with template version 3.0.3", + "description": "Infoblox Data Parser with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject1').parserVersion1]", @@ -818,7 +460,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox_allotherdhcpdTypes Data Parser with template version 3.0.3", + "description": "Infoblox_allotherdhcpdTypes Data Parser with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject2').parserVersion2]", @@ -948,7 +590,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox_allotherdnsTypes Data Parser with template version 3.0.3", + "description": "Infoblox_allotherdnsTypes Data Parser with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject3').parserVersion3]", 
@@ -1078,7 +720,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox_allotherlogTypes Data Parser with template version 3.0.3", + "description": "Infoblox_allotherlogTypes Data Parser with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject4').parserVersion4]", @@ -1208,7 +850,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox_dhcp_consolidated Data Parser with template version 3.0.3", + "description": "Infoblox_dhcp_consolidated Data Parser with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject5').parserVersion5]", @@ -1338,7 +980,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox_dhcpack Data Parser with template version 3.0.3", + "description": "Infoblox_dhcpack Data Parser with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject6').parserVersion6]", 
@@ -1468,7 +1110,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox_dhcpadded Data Parser with template version 3.0.3", + "description": "Infoblox_dhcpadded Data Parser with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject7').parserVersion7]", @@ -1598,7 +1240,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox_dhcpbindupdate Data Parser with template version 3.0.3", + "description": "Infoblox_dhcpbindupdate Data Parser with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject8').parserVersion8]", @@ -1728,7 +1370,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox_dhcpdiscover Data Parser with template version 3.0.3", + "description": "Infoblox_dhcpdiscover Data Parser with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject9').parserVersion9]", 
@@ -1858,7 +1500,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Infoblox_dhcpexpire Data Parser with template version 3.0.3",
+ "description": "Infoblox_dhcpexpire Data Parser with template version 3.0.4",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('parserObject10').parserVersion10]",
@@ -1988,7 +1630,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Infoblox_dhcpinform Data Parser with template version 3.0.3",
+ "description": "Infoblox_dhcpinform Data Parser with template version 3.0.4",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('parserObject11').parserVersion11]",
@@ -2118,7 +1760,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Infoblox_dhcpoffer Data Parser with template version 3.0.3",
+ "description": "Infoblox_dhcpoffer Data Parser with template version 3.0.4",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('parserObject12').parserVersion12]",
@@ -2248,7 +1890,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Infoblox_dhcpoption Data Parser with template version 3.0.3",
+ "description": "Infoblox_dhcpoption Data Parser with template version 3.0.4",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('parserObject13').parserVersion13]",
@@ -2378,7 +2020,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Infoblox_dhcpother Data Parser with template version 3.0.3",
+ "description": "Infoblox_dhcpother Data Parser with template version 3.0.4",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('parserObject14').parserVersion14]",
@@ -2508,7 +2150,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Infoblox_dhcprelease Data Parser with template version 3.0.3",
+ "description": "Infoblox_dhcprelease Data Parser with template version 3.0.4",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('parserObject15').parserVersion15]",
@@ -2638,7 +2280,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Infoblox_dhcpremoved Data Parser with template version 3.0.3",
+ "description": "Infoblox_dhcpremoved Data Parser with template version 3.0.4",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('parserObject16').parserVersion16]",
@@ -2768,7 +2410,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Infoblox_dhcprequest Data Parser with template version 3.0.3",
+ "description": "Infoblox_dhcprequest Data Parser with template version 3.0.4",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('parserObject17').parserVersion17]",
@@ -2898,7 +2540,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Infoblox_dhcpsession Data Parser with template version 3.0.3",
+ "description": "Infoblox_dhcpsession Data Parser with template version 3.0.4",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('parserObject18').parserVersion18]",
@@ -3028,7 +2670,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Infoblox_dns_consolidated Data Parser with template version 3.0.3",
+ "description": "Infoblox_dns_consolidated Data Parser with template version 3.0.4",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('parserObject19').parserVersion19]",
@@ -3158,7 +2800,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Infoblox_dnsclient Data Parser with template version 3.0.3",
+ "description": "Infoblox_dnsclient Data Parser with template version 3.0.4",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('parserObject20').parserVersion20]",
@@ -3288,7 +2930,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Infoblox_dnsgss Data Parser with template version 3.0.3",
+ "description": "Infoblox_dnsgss Data Parser with template version 3.0.4",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('parserObject21').parserVersion21]",
@@ -3418,7 +3060,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Infoblox_dnszone Data Parser with template version 3.0.3",
+ "description": "Infoblox_dnszone Data Parser with template version 3.0.4",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('parserObject22').parserVersion22]",
@@ -3548,7 +3190,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ExcessiveNXDOMAINDNSQueries_AnalyticalRules Analytics Rule with template version 3.0.3",
+ "description": "ExcessiveNXDOMAINDNSQueries_AnalyticalRules Analytics Rule with template version 3.0.4",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@@ -3576,16 +3218,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "InfobloxNIOS",
- "dataTypes": [
- "Syslog"
- ]
- },
- {
- "connectorId": "SyslogAma",
 "datatypes": [
 "Syslog"
- ]
+ ],
+ "connectorId": "SyslogAma"
 }
 ],
 "tactics": [
@@ -3599,8 +3235,8 @@
 {
 "fieldMappings": [
 {
- "columnName": "SrcIpAddr",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "SrcIpAddr"
 }
 ],
 "entityType": "IP"
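Review bot: In the `@@ -3576,16 +3218,10 @@` hunk the surviving `SyslogAma` entry under `requiredDataConnectors` spells its key `datatypes`, while the `InfobloxNIOS` entry being removed used `dataTypes`; the same applies to the `@@ -3686,16 +3322,10 @@` hunk that follows and to the `@@ -121,16 +112,10 @@` and `@@ -254,16 +239,10 @@` hunks in the Symantec mainTemplate.json. If the analytics-rule template schema is case-sensitive on `dataTypes`, the `Syslog` data-type requirement is silently dropped for these rules once the camelCase entry is gone — worth confirming against the schema before merging. Because mainTemplate.json is generated, the fix belongs in the rule YAML (`datatypes:` → `dataTypes:` under the `SyslogAma` connector), followed by a repackage.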
@@ -3658,7 +3294,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "PotentialDHCPStarvationAttack_AnalyticalRules Analytics Rule with template version 3.0.3",
+ "description": "PotentialDHCPStarvationAttack_AnalyticalRules Analytics Rule with template version 3.0.4",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
@@ -3686,16 +3322,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "InfobloxNIOS",
- "dataTypes": [
- "Syslog"
- ]
- },
- {
- "connectorId": "SyslogAma",
 "datatypes": [
 "Syslog"
- ]
+ ],
+ "connectorId": "SyslogAma"
 }
 ],
 "tactics": [
@@ -3708,8 +3338,8 @@
 {
 "fieldMappings": [
 {
- "columnName": "SrcIpAddr",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "SrcIpAddr"
 }
 ],
 "entityType": "IP"
@@ -3781,12 +3411,12 @@
 "apiVersion": "2023-04-01-preview",
 "location": "[parameters('workspace-location')]",
 "properties": {
- "version": "3.0.3",
+ "version": "3.0.4",
 "kind": "Solution",
 "contentSchemaVersion": "3.0.0",
 "displayName": "Infoblox NIOS",
 "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation",
- "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Infoblox Network Identity Operating System (NIOS) solution for Microsoft Sentinel enables you to easily connect your Infoblox NIOS logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities.

\n

This solution is dependent on the Syslog solution containing the Syslog via AMA connector to collect the logs. The Syslog solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of Syslog via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.

\n

Data Connectors: 1, Parsers: 22, Workbooks: 1, Analytic Rules: 2, Watchlists: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Infoblox Network Identity Operating System (NIOS) solution for Microsoft Sentinel enables you to easily connect your Infoblox NIOS logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities.

\n

This solution is dependent on the Syslog solution containing the Syslog via AMA connector to collect the logs. The Syslog solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of Syslog via AMA Connector. Legacy connector uses the Log Analytics agent which were deprecated on Aug 31, 2024. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.

\n

Parsers: 22, Workbooks: 1, Analytic Rules: 2, Watchlists: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n",
 "contentKind": "Solution",
 "contentProductId": "[variables('_solutioncontentProductId')]",
 "id": "[variables('_solutioncontentProductId')]",
@@ -3809,11 +3439,6 @@
 },
 "dependencies": {
 "criteria": [
- {
- "kind": "DataConnector",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "version": "[variables('dataConnectorVersion1')]"
- },
 {
 "kind": "Workbook",
 "contentId": "[variables('_workbookContentId1')]",
@@ -3942,7 +3567,7 @@
 {
 "kind": "Watchlist",
 "contentId": "[variables('_Sources_by_SourceType')]",
- "version": "3.0.3"
+ "version": "3.0.4"
 },
 {
 "kind": "Solution",
diff --git a/Solutions/Infoblox NIOS/ReleaseNotes.md b/Solutions/Infoblox NIOS/ReleaseNotes.md
index eacdfcfe4d0..62df246e894 100644
--- a/Solutions/Infoblox NIOS/ReleaseNotes.md
+++ b/Solutions/Infoblox NIOS/ReleaseNotes.md
@@ -1,5 +1,6 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|----------------------------------------------------------------------|
+| 3.0.4 | 17-12-2024 |Removed Deprecated **Data connectors** |
 | 3.0.3 | 01-08-2024 |Update **Parser** as part of Syslog migration |
 | | |Deprecating data connectors |
 | 3.0.2 | 16-08-2023 |Updated the solution to include a default value for watchlist1-id |
diff --git a/Solutions/Symantec Endpoint Protection/Analytic Rules/ExcessiveBlockedTrafficGeneratedbyUser.yaml b/Solutions/Symantec Endpoint Protection/Analytic Rules/ExcessiveBlockedTrafficGeneratedbyUser.yaml
index 3956fdfe7d5..d79ce62ccd4 100644
--- a/Solutions/Symantec Endpoint Protection/Analytic Rules/ExcessiveBlockedTrafficGeneratedbyUser.yaml
+++ b/Solutions/Symantec Endpoint Protection/Analytic Rules/ExcessiveBlockedTrafficGeneratedbyUser.yaml
@@ -5,9 +5,6 @@ description: |
 severity: Medium
 status: Available
 requiredDataConnectors:
- - connectorId: SymantecEndpointProtection
- dataTypes:
- - Syslog
 - connectorId: SyslogAma
 datatypes:
 - Syslog
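Review bot: The rewritten NOTE in the new `descriptionHtml` of the `@@ -3781,12 +3411,12 @@` hunk reads "Legacy connector uses the Log Analytics agent which were deprecated on Aug 31, 2024" — subject and verb disagree, and the sentence still steers users away from a legacy connector that this same change deletes from the solution. Suggest `Legacy connector uses the Log Analytics agent, which was deprecated on Aug 31, 2024.` or, better, state that the legacy connector has been removed and that Syslog via AMA is the supported ingestion path. The same wording appears in the `@@ -2,14 +2,11 @@` hunk of Solution_Symantec.json and the `@@ -6,7 +6,7 @@` hunk of createUiDefinition.json, where the full stop also sits inside the bold (`**Aug 31, 2024.**`); since descriptionHtml is generated from the Solution_*.json `Description`, fix it there and repackage.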
@@ -50,5 +47,5 @@ entityMappings:
 fieldMappings:
 - identifier: FullName
 columnName: HostCustomEntity
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Symantec Endpoint Protection/Analytic Rules/MalwareDetected.yaml b/Solutions/Symantec Endpoint Protection/Analytic Rules/MalwareDetected.yaml
index 17ce73c99cf..b888829e594 100644
--- a/Solutions/Symantec Endpoint Protection/Analytic Rules/MalwareDetected.yaml
+++ b/Solutions/Symantec Endpoint Protection/Analytic Rules/MalwareDetected.yaml
@@ -5,9 +5,6 @@ description: |
 severity: Medium
 status: Available
 requiredDataConnectors:
- - connectorId: SymantecEndpointProtection
- dataTypes:
- - Syslog
 - connectorId: SyslogAma
 datatypes:
 - Syslog
@@ -39,5 +36,5 @@ entityMappings:
 fieldMappings:
 - identifier: FullName
 columnName: HostCustomEntity
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Symantec Endpoint Protection/Data/Solution_Symantec.json b/Solutions/Symantec Endpoint Protection/Data/Solution_Symantec.json
index 684b4d84602..f33ba41fc46 100644
--- a/Solutions/Symantec Endpoint Protection/Data/Solution_Symantec.json
+++ b/Solutions/Symantec Endpoint Protection/Data/Solution_Symantec.json
@@ -2,14 +2,11 @@
 "Name": "Symantec Endpoint Protection",
 "Author": "Microsoft - support@microsoft.com",
 "Logo": "",
- "Description": "The [Symantec Endpoint Protection (SEP)](https://www.broadcom.com/products/cyber-security/endpoint/end-user/enterprise) solution allows you to easily connect your SEP logs with Microsoft Sentinel.\n\nThis solution is dependent on the Syslog solution containing the Syslog via AMA connector to collect the logs. The Syslog solution will be installed as part of this solution installation. \n\n **NOTE**: Microsoft recommends installation of Syslog via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024**. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).",
+ "Description": "The [Symantec Endpoint Protection (SEP)](https://www.broadcom.com/products/cyber-security/endpoint/end-user/enterprise) solution allows you to easily connect your SEP logs with Microsoft Sentinel.\n\nThis solution is dependent on the Syslog solution containing the Syslog via AMA connector to collect the logs. The Syslog solution will be installed as part of this solution installation. \n\n **NOTE**: Microsoft recommends installation of Syslog via AMA Connector. Legacy connector uses the Log Analytics agent which were deprecated on **Aug 31, 2024.** Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).",
 "Analytic Rules": [
 "Analytic Rules/ExcessiveBlockedTrafficGeneratedbyUser.yaml",
 "Analytic Rules/MalwareDetected.yaml"
 ],
- "Data Connectors": [
- "Data Connectors/Connector_Syslog_SymantecEndpointProtection.json"
- ],
 "Workbooks": [
 "Workbooks/SymantecEndpointProtection.json"
 ],
@@ -20,7 +17,7 @@
 "azuresentinel.azure-sentinel-solution-syslog"
 ],
 "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Symantec Endpoint Protection",
- "Version": "3.0.3",
+ "Version": "3.0.4",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true
 }
\ No newline at end of file
diff --git a/Solutions/Symantec Endpoint Protection/Package/3.0.4.zip b/Solutions/Symantec Endpoint Protection/Package/3.0.4.zip
new file mode 100644
index 00000000000..a48e5226bd2
Binary files /dev/null and b/Solutions/Symantec Endpoint Protection/Package/3.0.4.zip differ
diff --git a/Solutions/Symantec Endpoint Protection/Package/createUiDefinition.json b/Solutions/Symantec Endpoint Protection/Package/createUiDefinition.json
index 05192775312..df67539a916 100644
--- a/Solutions/Symantec Endpoint Protection/Package/createUiDefinition.json
+++ b/Solutions/Symantec Endpoint Protection/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
 "config": {
 "isWizard": false,
 "basics": {
- "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Symantec%20Endpoint%20Protection/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Symantec Endpoint Protection (SEP)](https://www.broadcom.com/products/cyber-security/endpoint/end-user/enterprise) solution allows you to easily connect your SEP logs with Microsoft Sentinel.\n\nThis solution is dependent on the Syslog solution containing the Syslog via AMA connector to collect the logs. The Syslog solution will be installed as part of this solution installation. \n\n **NOTE**: Microsoft recommends installation of Syslog via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024**. 
Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 2\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Symantec%20Endpoint%20Protection/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Symantec Endpoint Protection (SEP)](https://www.broadcom.com/products/cyber-security/endpoint/end-user/enterprise) solution allows you to easily connect your SEP logs with Microsoft Sentinel.\n\nThis solution is dependent on the Syslog solution containing the Syslog via AMA connector to collect the logs. The Syslog solution will be installed as part of this solution installation. \n\n **NOTE**: Microsoft recommends installation of Syslog via AMA Connector. Legacy connector uses the Log Analytics agent which were deprecated on **Aug 31, 2024.** Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 2\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
 "subscription": {
 "resourceProviders": [
 "Microsoft.OperationsManagement/solutions",
@@ -51,37 +51,6 @@
 }
 ],
 "steps": [
- {
- "name": "dataconnectors",
- "label": "Data Connectors",
- "bladeTitle": "Data Connectors",
- "elements": [
- {
- "name": "dataconnectors1-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "This Solution installs the data connector for Symantec Endpoint Protection. You can get Symantec Endpoint Protection Syslog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
- }
- },
- {
- "name": "dataconnectors-parser-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel."
- }
- },
- {
- "name": "dataconnectors-link2",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "link": {
- "label": "Learn more about connecting data sources",
- "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
- }
- }
- }
- ]
- },
 {
 "name": "workbooks",
 "label": "Workbooks",
diff --git a/Solutions/Symantec Endpoint Protection/Package/mainTemplate.json b/Solutions/Symantec Endpoint Protection/Package/mainTemplate.json
index a7ede6dd5f6..558c0d806f2 100644
--- a/Solutions/Symantec Endpoint Protection/Package/mainTemplate.json
+++ b/Solutions/Symantec Endpoint Protection/Package/mainTemplate.json
@@ -41,7 +41,7 @@
 "email": "support@microsoft.com",
 "_email": "[variables('email')]",
 "_solutionName": "Symantec Endpoint Protection",
- "_solutionVersion": "3.0.3",
+ "_solutionVersion": "3.0.4",
 "solutionId": "azuresentinel.azure-sentinel-solution-symantecendpointprotection",
 "_solutionId": "[variables('solutionId')]",
 "analyticRuleObject1": {
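Review bot: Removing the whole `dataconnectors` step in the `@@ -51,37 +51,6 @@` hunk also drops the `dataconnectors-parser-text` block and the "Learn more about connecting data sources" link, although the package still ships its parser (the basics description in the `@@ -6,7 +6,7 @@` hunk still reports `**Parsers:** 1`) and both rules now depend entirely on the Syslog via AMA connector from the Syslog solution. After this change an installer no longer sees in the wizard that a Kusto-function parser is deployed, nor where the AMA connector has to be configured for the rules to receive data. If the packaging tool permits it, keep that TextBlock and the link in another step (e.g. alongside the workbooks/analytics steps); if the generator emits this layout unconditionally, the parser note belongs in the basics description instead.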
@@ -58,15 +58,6 @@
 "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('072ee087-17e1-474d-b162-bbe38bcab9f9')))]",
 "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','072ee087-17e1-474d-b162-bbe38bcab9f9','-', '1.0.2')))]"
 },
- "uiConfigId1": "SymantecEndpointProtection",
- "_uiConfigId1": "[variables('uiConfigId1')]",
- "dataConnectorContentId1": "SymantecEndpointProtection",
- "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
- "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "_dataConnectorId1": "[variables('dataConnectorId1')]",
- "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
- "dataConnectorVersion1": "1.0.0",
- "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
 "workbookVersion1": "1.0.0",
 "workbookContentId1": "SymantecEndpointProtection",
 "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]",
@@ -93,7 +84,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ExcessiveBlockedTrafficGeneratedbyUser_AnalyticalRules Analytics Rule with template version 3.0.3",
+ "description": "ExcessiveBlockedTrafficGeneratedbyUser_AnalyticalRules Analytics Rule with template version 3.0.4",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@@ -121,16 +112,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "SymantecEndpointProtection",
- "dataTypes": [
- "Syslog"
- ]
- },
- {
- "connectorId": "SyslogAma",
 "datatypes": [
 "Syslog"
- ]
+ ],
+ "connectorId": "SyslogAma"
 }
 ],
 "tactics": [
@@ -146,31 +131,31 @@
 ],
 "entityMappings": [
 {
- "entityType": "Account",
 "fieldMappings": [
 {
- "columnName": "AccountCustomEntity",
- "identifier": "FullName"
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
 }
- ]
+ ],
+ "entityType": "Account"
 },
 {
- "entityType": "IP",
 "fieldMappings": [
 {
- "columnName": "IPCustomEntity",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
 }
- ]
+ ],
+ "entityType": "IP"
 },
 {
- "entityType": "Host",
 "fieldMappings": [
 {
- "columnName": "HostCustomEntity",
- "identifier": "FullName"
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
 }
- ]
+ ],
+ "entityType": "Host"
 }
 ]
 }
@@ -226,7 +211,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "MalwareDetected_AnalyticalRules Analytics Rule with template version 3.0.3",
+ "description": "MalwareDetected_AnalyticalRules Analytics Rule with template version 3.0.4",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
@@ -254,16 +239,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "SymantecEndpointProtection",
- "dataTypes": [
- "Syslog"
- ]
- },
- {
- "connectorId": "SyslogAma",
 "datatypes": [
 "Syslog"
- ]
+ ],
+ "connectorId": "SyslogAma"
 }
 ],
 "tactics": [
@@ -274,31 +253,31 @@
 ],
 "entityMappings": [
 {
- "entityType": "Account",
 "fieldMappings": [
 {
- "columnName": "AccountCustomEntity",
- "identifier": "FullName"
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
 }
- ]
+ ],
+ "entityType": "Account"
 },
 {
- "entityType": "IP",
 "fieldMappings": [
 {
- "columnName": "IPCustomEntity",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
 }
- ]
+ ],
+ "entityType": "IP"
 },
 {
- "entityType": "Host",
 "fieldMappings": [
 {
- "columnName": "HostCustomEntity",
- "identifier": "FullName"
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
 }
- ]
+ ],
+ "entityType": "Host"
 }
 ]
 }
@@ -345,353 +324,6 @@ "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" } }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Symantec Endpoint Protection data connector with template version 3.0.3", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion1')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId1')]", - "title": "[Deprecated] Symantec Endpoint Protection", - "publisher": "Broadcom", - "descriptionMarkdown": "The [Broadcom Symantec Endpoint Protection (SEP)](https://www.broadcom.com/products/cyber-security/endpoint/end-user/enterprise) connector allows you to easily connect your SEP logs with Microsoft Sentinel. 
This gives you more insight into your organization's network and improves your security operation capabilities.", - "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "SymantecEndpointProtection", - "baseQuery": "SymantecEndpointProtection" - } - ], - "sampleQueries": [ - { - "description": "Top 10 Log Types ", - "query": "SymantecEndpointProtection \n | summarize count() by LogType \n| top 10 by count_" - }, - { - "description": "Top 10 Users", - "query": "SymantecEndpointProtection \n | summarize count() by UserName \n| top 10 by count_" - } - ], - "dataTypes": [ - { - "name": "Syslog (SymantecEndpointProtection)", - "lastDataReceivedQuery": "SymantecEndpointProtection \n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "SymantecEndpointProtection \n | where TimeGenerated > ago(3d)\n |take 1\n | project IsConnected = true" - ] - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "write permission is required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "delete": true - } - } - ], - "customs": [ - { - "name": "Symantec Endpoint Protection (SEP)", - "description": "must be configured to export logs via Syslog" - } - ] - }, - "instructionSteps": [ - { - "description": "**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. 
To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias Symantec Endpoint Protection and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Symantec%20Endpoint%20Protection/Parsers/SymantecEndpointProtection.yaml), on the second line of the query, enter the hostname(s) of your SymantecEndpointProtection device(s) and any other unique identifiers for the logstream. The function usually takes 10-15 minutes to activate after solution installation/update." - }, - { - "description": "Typically, you should install the agent on a different computer from the one on which the logs are generated.\n\n> Syslog logs are collected only from **Linux** agents.", - "instructions": [ - { - "parameters": { - "title": "Choose where to install the agent:", - "instructionSteps": [ - { - "title": "Install agent on Azure Linux Virtual Machine", - "description": "Select the machine to install the agent on and then click **Connect**.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnLinuxVirtualMachine" - }, - "type": "InstallAgent" - } - ] - }, - { - "title": "Install agent on a non-Azure Linux Machine", - "description": "Download the agent on the relevant machine and follow the instructions.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnLinuxNonAzure" - }, - "type": "InstallAgent" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ], - "title": "1. Install and onboard the agent for Linux" - }, - { - "description": "Configure the facilities you want to collect and their severities.\n 1. Under workspace advanced settings **Configuration**, select **Data** and then **Syslog**.\n 2. Select **Apply below configuration to my machines** and select the facilities and severities.\n 3. 
Click **Save**.", - "instructions": [ - { - "parameters": { - "linkType": "OpenSyslogSettings" - }, - "type": "InstallAgent" - } - ], - "title": "2. Configure the logs to be collected" - }, - { - "description": "[Follow these instructions](https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/Monitoring-Reporting-and-Enforcing-Compliance/viewing-logs-v7522439-d37e464/exporting-data-to-a-syslog-server-v8442743-d15e1107.html) to configure the Symantec Endpoint Protection to forward syslog. Use the IP address or hostname for the Linux device with the Linux agent installed as the Destination IP address.", - "title": "3. Configure and connect the Symantec Endpoint Protection" - } - ] - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "Symantec Endpoint Protection", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": 
"[variables('_dataConnectorContentId1')]", - "contentKind": "DataConnector", - "displayName": "[Deprecated] Symantec Endpoint Protection", - "contentProductId": "[variables('_dataConnectorcontentProductId1')]", - "id": "[variables('_dataConnectorcontentProductId1')]", - "version": "[variables('dataConnectorVersion1')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId1')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "Symantec Endpoint Protection", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "[Deprecated] Symantec Endpoint Protection", - "publisher": "Broadcom", - "descriptionMarkdown": "The [Broadcom Symantec Endpoint Protection 
(SEP)](https://www.broadcom.com/products/cyber-security/endpoint/end-user/enterprise) connector allows you to easily connect your SEP logs with Microsoft Sentinel. This gives you more insight into your organization's network and improves your security operation capabilities.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "SymantecEndpointProtection", - "baseQuery": "SymantecEndpointProtection" - } - ], - "dataTypes": [ - { - "name": "Syslog (SymantecEndpointProtection)", - "lastDataReceivedQuery": "SymantecEndpointProtection \n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "SymantecEndpointProtection \n | where TimeGenerated > ago(3d)\n |take 1\n | project IsConnected = true" - ] - } - ], - "sampleQueries": [ - { - "description": "Top 10 Log Types ", - "query": "SymantecEndpointProtection \n | summarize count() by LogType \n| top 10 by count_" - }, - { - "description": "Top 10 Users", - "query": "SymantecEndpointProtection \n | summarize count() by UserName \n| top 10 by count_" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "write permission is required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "delete": true - } - } - ], - "customs": [ - { - "name": "Symantec Endpoint Protection (SEP)", - "description": "must be configured to export logs via Syslog" - } - ] - }, - "instructionSteps": [ - { - "description": "**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. 
To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias Symantec Endpoint Protection and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Symantec%20Endpoint%20Protection/Parsers/SymantecEndpointProtection.yaml), on the second line of the query, enter the hostname(s) of your SymantecEndpointProtection device(s) and any other unique identifiers for the logstream. The function usually takes 10-15 minutes to activate after solution installation/update." - }, - { - "description": "Typically, you should install the agent on a different computer from the one on which the logs are generated.\n\n> Syslog logs are collected only from **Linux** agents.", - "instructions": [ - { - "parameters": { - "title": "Choose where to install the agent:", - "instructionSteps": [ - { - "title": "Install agent on Azure Linux Virtual Machine", - "description": "Select the machine to install the agent on and then click **Connect**.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnLinuxVirtualMachine" - }, - "type": "InstallAgent" - } - ] - }, - { - "title": "Install agent on a non-Azure Linux Machine", - "description": "Download the agent on the relevant machine and follow the instructions.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnLinuxNonAzure" - }, - "type": "InstallAgent" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ], - "title": "1. Install and onboard the agent for Linux" - }, - { - "description": "Configure the facilities you want to collect and their severities.\n 1. Under workspace advanced settings **Configuration**, select **Data** and then **Syslog**.\n 2. Select **Apply below configuration to my machines** and select the facilities and severities.\n 3. 
Click **Save**.", - "instructions": [ - { - "parameters": { - "linkType": "OpenSyslogSettings" - }, - "type": "InstallAgent" - } - ], - "title": "2. Configure the logs to be collected" - }, - { - "description": "[Follow these instructions](https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/Monitoring-Reporting-and-Enforcing-Compliance/viewing-logs-v7522439-d37e464/exporting-data-to-a-syslog-server-v8442743-d15e1107.html) to configure the Symantec Endpoint Protection to forward syslog. Use the IP address or hostname for the Linux device with the Linux agent installed as the Destination IP address.", - "title": "3. Configure and connect the Symantec Endpoint Protection" - } - ], - "id": "[variables('_uiConfigId1')]", - "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution." - } - } - }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", @@ -701,7 +333,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SymantecEndpointProtection Workbook with template version 3.0.3", + "description": "SymantecEndpointProtection Workbook with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", @@ -760,6 +392,10 @@ { "contentId": "SymantecEndpointProtection", "kind": "DataConnector" + }, + { + "contentId": "SyslogAma", + "kind": "DataConnector" } ] } 
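Review bot: The `@@ -760,6 +392,10 @@` hunk adds SyslogAma to the workbook's dependency criteria but keeps `{ "contentId": "SymantecEndpointProtection", "kind": "DataConnector" }`, which now refers to content this same commit deletes (the `@@ -345,353 +324,6 @@` hunk removes the connector's contentTemplate and metadata, and the later `@@ -956,11 +592,6 @@` hunk drops it from the solution-level dependencies). A dependency on a content item that is no longer shipped is at best dead and at worst marks the workbook as missing a prerequisite; suggest deleting that entry so the workbook criteria agree with the solution dependencies and with `Workbooks/WorkbooksMetadata.json`, which this commit also strips of `SymantecEndpointProtection`. If the template's `variables` block (outside this view) still defines `dataConnectorTemplateSpecName1`, `_dataConnectorContentId1`, `dataConnectorVersion1` and `_uiConfigId1`, they are presumably unreferenced now and can be removed too.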
@@ -789,7 +425,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SymantecEndpointProtection Data Parser with template version 3.0.3", + "description": "SymantecEndpointProtection Data Parser with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject1').parserVersion1]", @@ -917,12 +553,12 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.3", + "version": "3.0.4", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Symantec Endpoint Protection", "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", - "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Symantec Endpoint Protection (SEP) solution allows you to easily connect your SEP logs with Microsoft Sentinel.

\n

This solution is dependent on the Syslog solution containing the Syslog via AMA connector to collect the logs. The Syslog solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of Syslog via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.

\n

Data Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 2

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Symantec Endpoint Protection (SEP) solution allows you to easily connect your SEP logs with Microsoft Sentinel.

\n

This solution is dependent on the Syslog solution containing the Syslog via AMA connector to collect the logs. The Syslog solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of Syslog via AMA Connector. Legacy connector uses the Log Analytics agent which were deprecated on Aug 31, 2024. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.

\n

Parsers: 1, Workbooks: 1, Analytic Rules: 2

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -956,11 +592,6 @@ "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" }, - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId1')]", - "version": "[variables('dataConnectorVersion1')]" - }, { "kind": "Workbook", "contentId": "[variables('_workbookContentId1')]", diff --git a/Solutions/Symantec Endpoint Protection/ReleaseNotes.md b/Solutions/Symantec Endpoint Protection/ReleaseNotes.md index 518e2d98950..ba998b03dc8 100644 --- a/Solutions/Symantec Endpoint Protection/ReleaseNotes.md +++ b/Solutions/Symantec Endpoint Protection/ReleaseNotes.md @@ -1,5 +1,6 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|---------------------------------------------| +| 3.0.4 | 17-12-2024 | Removed Deprecated **Data connectors** | | 3.0.3 | 01-08-2024 |Update **Parser** as part of Syslog migration | | | |Deprecating data connectors | | 3.0.2 | 26-04-2024 | Repackaged for fix on parser in maintemplate to have old parsername and parentid | diff --git a/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json b/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json index dd62f041d89..c3004e9d2f6 100644 --- a/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json +++ b/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json @@ -1339,7 +1339,7 @@ "Syslog" ], "dataConnectorsDependencies": [ - "InfobloxNIOS" + "SyslogAma" ], "previewImagesFileNames": [ "InfobloxNIOSWhite.png", 
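Review bot: The new `descriptionHtml` reads `Legacy connector uses the Log Analytics agent which were deprecated on Aug 31, 2024`; subject and verb disagree, and now that the legacy connector has been removed from this package the sentence is stale. Suggest `The legacy connector used the Log Analytics agent (MMA), which was deprecated on Aug 31, 2024, and has been removed from this solution; use the Syslog via AMA connector instead.` Because this string is generated from the solution's Description, the edit presumably belongs in the solution's Data JSON (not in this view) before re-packaging, so the `Parsers: 1, Workbooks: 1, Analytic Rules: 2` count line stays consistent with the regenerated text.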
@@ -3706,7 +3706,7 @@
 "SymantecEndpointProtection"
 ],
 "dataConnectorsDependencies": [
- "SymantecEndpointProtection"
+ "SyslogAma"
 ],
 "previewImagesFileNames": [
 "SymantecEndpointProtectionBlack.png",
diff --git a/Workbooks/WorkbooksMetadata.json b/Workbooks/WorkbooksMetadata.json
index 38fce2435ea..71d86597007 100644
--- a/Workbooks/WorkbooksMetadata.json
+++ b/Workbooks/WorkbooksMetadata.json
@@ -1686,7 +1686,6 @@
 "Syslog"
 ],
 "dataConnectorsDependencies": [
- "InfobloxNIOS",
 "SyslogAma"
 ],
 "previewImagesFileNames": [
@@ -4502,7 +4501,6 @@
 "SymantecEndpointProtection"
 ],
 "dataConnectorsDependencies": [
- "SymantecEndpointProtection",
 "SyslogAma"
 ],
 "previewImagesFileNames": [