diff --git a/Solutions/JBoss/Data/Solution_Jboss.json b/Solutions/JBoss/Data/Solution_Jboss.json
index 24d833d1248..9b5b1ee4fe7 100644
--- a/Solutions/JBoss/Data/Solution_Jboss.json
+++ b/Solutions/JBoss/Data/Solution_Jboss.json
@@ -2,10 +2,7 @@ "Name": "JBoss", "Author": "Microsoft - support@microsoft.com", "Logo": "", - "Description": "The JBoss Enterprise Application Platform data connector provides the capability to ingest [JBoss](https://www.redhat.com/en/technologies/jboss-middleware/application-platform) events into Microsoft Sentinel. Refer to [Red Hat documentation](https://access.redhat.com/documentation/red_hat_jboss_enterprise_application_platform/7.0/html/configuration_guide/logging_with_jboss_eap) for more information.\n\n This solution is dependent on the Custom logs via AMA connector to collect the logs. The Custom logs solution will be installed as part of this solution installation.\n\n **NOTE**: Microsoft recommends installation of Custom logs via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).", - "Data Connectors": [ - "JBoss/Data Connectors/Connector_JBoss.json" - ], + "Description": "The JBoss Enterprise Application Platform data connector provides the capability to ingest [JBoss](https://www.redhat.com/en/technologies/jboss-middleware/application-platform) events into Microsoft Sentinel. Refer to [Red Hat documentation](https://access.redhat.com/documentation/red_hat_jboss_enterprise_application_platform/7.0/html/configuration_guide/logging_with_jboss_eap) for more information.\n\n This solution is dependent on the Custom logs via AMA connector to collect the logs. 
The Custom logs solution will be installed as part of this solution installation.\n\n **NOTE**: Microsoft recommends installation of Custom logs via AMA Connector.Legacy connector uses the Log Analytics agent which were deprecated on **Aug 31, 2024.** Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).", "Parsers": [ "JBoss/Parsers/JBossEvent.yaml" ], @@ -14,7 +11,7 @@ ], "Metadata": "SolutionMetadata.json", "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions", - "Version": "3.0.0", + "Version": "3.0.1", "TemplateSpec": true, "Is1Pconnector": false } \ No newline at end of file diff --git a/Solutions/JBoss/Package/3.0.1.zip b/Solutions/JBoss/Package/3.0.1.zip new file mode 100644 index 00000000000..b458fec003b Binary files /dev/null and b/Solutions/JBoss/Package/3.0.1.zip differ diff --git a/Solutions/JBoss/Package/createUiDefinition.json b/Solutions/JBoss/Package/createUiDefinition.json index 6b3c08b6a58..75bf6fdf1db 100644 --- a/Solutions/JBoss/Package/createUiDefinition.json +++ b/Solutions/JBoss/Package/createUiDefinition.json 
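Review bot: The rewritten NOTE sentence in `Description` drops the space after `AMA Connector.` and reads `agent which were deprecated`, so the text shown to installers regresses while the date wording is being updated. I would write it as `Microsoft recommends installation of Custom logs via AMA Connector. Legacy connector uses the Log Analytics agent, which was deprecated on **Aug 31, 2024.**`. The same sentence is repeated in the `description` of createUiDefinition.json and in `descriptionHtml` of mainTemplate.json, and the JuniperIDP `Description` keeps the space but has the same `which were`.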
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/JBoss/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe JBoss Enterprise Application Platform data connector provides the capability to ingest [JBoss](https://www.redhat.com/en/technologies/jboss-middleware/application-platform) events into Microsoft Sentinel. Refer to [Red Hat documentation](https://access.redhat.com/documentation/red_hat_jboss_enterprise_application_platform/7.0/html/configuration_guide/logging_with_jboss_eap) for more information.\n\n This solution is dependent on the Custom logs via AMA connector to collect the logs. The Custom logs solution will be installed as part of this solution installation.\n\n **NOTE**: Microsoft recommends installation of Custom logs via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024. 
Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Data Connectors:** 1, **Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/JBoss/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe JBoss Enterprise Application Platform data connector provides the capability to ingest [JBoss](https://www.redhat.com/en/technologies/jboss-middleware/application-platform) events into Microsoft Sentinel. Refer to [Red Hat documentation](https://access.redhat.com/documentation/red_hat_jboss_enterprise_application_platform/7.0/html/configuration_guide/logging_with_jboss_eap) for more information.\n\n This solution is dependent on the Custom logs via AMA connector to collect the logs. The Custom logs solution will be installed as part of this solution installation.\n\n **NOTE**: Microsoft recommends installation of Custom logs via AMA Connector.Legacy connector uses the Log Analytics agent which were deprecated on **Aug 31, 2024.** Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", 
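Review bot: The install `description` now says only that the solution depends on the Custom logs via AMA connector, and nothing left in this package tells the operator which table to collect into. The connector steps removed elsewhere in this commit named the custom log `JBossLogs`, and the JBossEvent parser query still begins with `JBossLogs_CL`, so a data collection rule that targets a different table would leave JBossEvent, and anything built on it, without data. I would add a sentence such as `Configure Custom logs via AMA to write JBoss logs to the JBossLogs_CL table, which the JBossEvent parser reads.` If this file is generated from Solution_Jboss.json, the sentence presumably belongs in its `Description` as well.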
@@ -50,39 +50,7 @@
 "visible": true
 }
 ],
- "steps": [
- {
- "name": "dataconnectors",
- "label": "Data Connectors",
- "bladeTitle": "Data Connectors",
- "elements": [
- {
- "name": "dataconnectors1-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "This Solution installs the data connector for JBoss. You can get JBoss custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
- }
- },
- {
- "name": "dataconnectors-parser-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel."
- }
- },
- {
- "name": "dataconnectors-link2",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "link": {
- "label": "Learn more about connecting data sources",
- "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
- }
- }
- }
- ]
- }
- ],
+ "steps": [{}],
 "outputs": {
 "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
 "location": "[location()]",
diff --git a/Solutions/JBoss/Package/mainTemplate.json b/Solutions/JBoss/Package/mainTemplate.json
index 9fa660e1c53..fc139dcc0b3 100644
--- a/Solutions/JBoss/Package/mainTemplate.json
+++ b/Solutions/JBoss/Package/mainTemplate.json
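Review bot: `"steps": [{}],` leaves one empty object in the array rather than an empty array, so the UI definition now carries a step with no `name`, `label` or `elements`. If this is what the packaging tool emits for a solution without connector content, it is worth confirming that the create blade renders without a blank tab. Otherwise `"steps": [],` states the intent without the placeholder element.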
@@ -33,18 +33,9 @@
 "email": "support@microsoft.com",
 "_email": "[variables('email')]",
 "_solutionName": "JBoss",
- "_solutionVersion": "3.0.0",
+ "_solutionVersion": "3.0.1",
 "solutionId": "azuresentinel.azure-sentinel-solution-jboss",
 "_solutionId": "[variables('solutionId')]",
- "uiConfigId1": "JBossEAP",
- "_uiConfigId1": "[variables('uiConfigId1')]",
- "dataConnectorContentId1": "JBossEAP",
- "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
- "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "_dataConnectorId1": "[variables('dataConnectorId1')]",
- "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
- "dataConnectorVersion1": "1.0.0",
- "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
 "parserObject1": {
 "_parserName1": "[concat(parameters('workspace'),'/','JBossEvent')]",
 "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'JBossEvent')]",
@@ -55,437 +46,6 @@ "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, "resources": [ - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "JBoss data connector with template version 3.0.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion1')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId1')]", - "title": "[Deprecated] JBoss Enterprise Application Platform", - "publisher": "Red Hat", - "descriptionMarkdown": "The JBoss Enterprise Application Platform data connector provides the capability to ingest [JBoss](https://www.redhat.com/en/technologies/jboss-middleware/application-platform) events into Microsoft Sentinel. 
Refer to [Red Hat documentation](https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.0/html/configuration_guide/logging_with_jboss_eap) for more information.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "JBossLogs_CL", - "baseQuery": "JBossEvent" - } - ], - "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**JBossEvent**](https://aka.ms/sentinel-jbosseap-parser) which is deployed with the Microsoft Sentinel Solution.", - "sampleQueries": [ - { - "description": "Top 10 Processes", - "query": "JBossEvent\n | summarize count() by ActingProcessName \n | top 10 by count_" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "JBossEvent\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "dataTypes": [ - { - "name": "JBossLogs_CL", - "lastDataReceivedQuery": "JBossEvent\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "availability": { - "status": 2, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**JBossEvent**](https://aka.ms/sentinel-jbosseap-parser) which is deployed with the Microsoft Sentinel Solution." - }, - { - "description": ">**NOTE:** This data connector has been developed using JBoss Enterprise Application Platform 7.4.0." - }, - { - "description": "Install the agent on the JBoss server where the logs are generated.\n\n> Logs from JBoss Server deployed on Linux or Windows servers are collected by **Linux** or **Windows** agents.\n ", - "instructions": [ - { - "parameters": { - "title": "Choose where to install the Linux agent:", - "instructionSteps": [ - { - "title": "Install agent on Azure Linux Virtual Machine", - "description": "Select the machine to install the agent on and then click **Connect**.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnLinuxVirtualMachine" - }, - "type": "InstallAgent" - } - ] - }, - { - "title": "Install agent on a non-Azure Linux Machine", - "description": "Download the agent on the relevant machine and follow the instructions.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnLinuxNonAzure" - }, - "type": "InstallAgent" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ], - "title": "1. 
Install and onboard the agent for Linux or Windows" - }, - { - "instructions": [ - { - "parameters": { - "title": "Choose where to install the Windows agent:", - "instructionSteps": [ - { - "title": "Install agent on Azure Windows Virtual Machine", - "description": "Select the machine to install the agent on and then click **Connect**.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnVirtualMachine" - }, - "type": "InstallAgent" - } - ] - }, - { - "title": "Install agent on a non-Azure Windows Machine", - "description": "Download the agent on the relevant machine and follow the instructions.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnNonAzure" - }, - "type": "InstallAgent" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ] - }, - { - "description": "Configure the custom log directory to be collected", - "instructions": [ - { - "parameters": { - "linkType": "OpenCustomLogsSettings" - }, - "type": "InstallAgent" - } - ], - "title": "2. Configure the logs to be collected" - }, - { - "description": "1. Select the link above to open your workspace advanced settings \n2. Click **+Add custom**\n3. Click **Browse** to upload a sample of a JBoss log file (e.g. server.log). Then, click **Next >**\n4. Select **Timestamp** as the record delimiter and select Timestamp format **YYYY-MM-DD HH:MM:SS** from the dropdown list then click **Next >**\n5. Select **Windows** or **Linux** and enter the path to JBoss logs based on your configuration. Example:\n - **Linux** Directory:\n\n>Standalone server: EAP_HOME/standalone/log/server.log\n\n>Managed domain: EAP_HOME/domain/servers/SERVER_NAME/log/server.log\n\n6. After entering the path, click the '+' symbol to apply, then click **Next >** \n7. 
Add **JBossLogs** as the custom log Name and click **Done**" - }, - { - "description": "Open Log Analytics to check if the logs are received using the JBossLogs_CL Custom log table.\n\n>**NOTE:** It may take up to 30 minutes before new logs will appear in JBossLogs_CL table.", - "title": "3. Check logs in Microsoft Sentinel" - } - ] - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "JBoss", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId1')]", - "contentKind": "DataConnector", - "displayName": "[Deprecated] JBoss Enterprise Application Platform", - "contentProductId": "[variables('_dataConnectorcontentProductId1')]", - "id": "[variables('_dataConnectorcontentProductId1')]", - "version": "[variables('dataConnectorVersion1')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": 
"2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId1')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "JBoss", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "[Deprecated] JBoss Enterprise Application Platform", - "publisher": "Red Hat", - "descriptionMarkdown": "The JBoss Enterprise Application Platform data connector provides the capability to ingest [JBoss](https://www.redhat.com/en/technologies/jboss-middleware/application-platform) events into Microsoft Sentinel. 
Refer to [Red Hat documentation](https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.0/html/configuration_guide/logging_with_jboss_eap) for more information.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "JBossLogs_CL", - "baseQuery": "JBossEvent" - } - ], - "dataTypes": [ - { - "name": "JBossLogs_CL", - "lastDataReceivedQuery": "JBossEvent\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "JBossEvent\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "sampleQueries": [ - { - "description": "Top 10 Processes", - "query": "JBossEvent\n | summarize count() by ActingProcessName \n | top 10 by count_" - } - ], - "availability": { - "status": 2, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**JBossEvent**](https://aka.ms/sentinel-jbosseap-parser) which is deployed with the Microsoft Sentinel Solution." 
- }, - { - "description": ">**NOTE:** This data connector has been developed using JBoss Enterprise Application Platform 7.4.0." - }, - { - "description": "Install the agent on the JBoss server where the logs are generated.\n\n> Logs from JBoss Server deployed on Linux or Windows servers are collected by **Linux** or **Windows** agents.\n ", - "instructions": [ - { - "parameters": { - "title": "Choose where to install the Linux agent:", - "instructionSteps": [ - { - "title": "Install agent on Azure Linux Virtual Machine", - "description": "Select the machine to install the agent on and then click **Connect**.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnLinuxVirtualMachine" - }, - "type": "InstallAgent" - } - ] - }, - { - "title": "Install agent on a non-Azure Linux Machine", - "description": "Download the agent on the relevant machine and follow the instructions.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnLinuxNonAzure" - }, - "type": "InstallAgent" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ], - "title": "1. 
Install and onboard the agent for Linux or Windows" - }, - { - "instructions": [ - { - "parameters": { - "title": "Choose where to install the Windows agent:", - "instructionSteps": [ - { - "title": "Install agent on Azure Windows Virtual Machine", - "description": "Select the machine to install the agent on and then click **Connect**.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnVirtualMachine" - }, - "type": "InstallAgent" - } - ] - }, - { - "title": "Install agent on a non-Azure Windows Machine", - "description": "Download the agent on the relevant machine and follow the instructions.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnNonAzure" - }, - "type": "InstallAgent" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ] - }, - { - "description": "Configure the custom log directory to be collected", - "instructions": [ - { - "parameters": { - "linkType": "OpenCustomLogsSettings" - }, - "type": "InstallAgent" - } - ], - "title": "2. Configure the logs to be collected" - }, - { - "description": "1. Select the link above to open your workspace advanced settings \n2. Click **+Add custom**\n3. Click **Browse** to upload a sample of a JBoss log file (e.g. server.log). Then, click **Next >**\n4. Select **Timestamp** as the record delimiter and select Timestamp format **YYYY-MM-DD HH:MM:SS** from the dropdown list then click **Next >**\n5. Select **Windows** or **Linux** and enter the path to JBoss logs based on your configuration. Example:\n - **Linux** Directory:\n\n>Standalone server: EAP_HOME/standalone/log/server.log\n\n>Managed domain: EAP_HOME/domain/servers/SERVER_NAME/log/server.log\n\n6. After entering the path, click the '+' symbol to apply, then click **Next >** \n7. 
Add **JBossLogs** as the custom log Name and click **Done**" - }, - { - "description": "Open Log Analytics to check if the logs are received using the JBossLogs_CL Custom log table.\n\n>**NOTE:** It may take up to 30 minutes before new logs will appear in JBossLogs_CL table.", - "title": "3. Check logs in Microsoft Sentinel" - } - ], - "id": "[variables('_uiConfigId1')]", - "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**JBossEvent**](https://aka.ms/sentinel-jbosseap-parser) which is deployed with the Microsoft Sentinel Solution." - } - } - }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", @@ -495,7 +55,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "JBossEvent Data Parser with template version 3.0.0", + "description": "JBossEvent Data Parser with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject1').parserVersion1]", 
@@ -509,7 +69,7 @@ "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", - "displayName": "JBossEvent", + "displayName": "Parser for JBossEvent", "category": "Microsoft Sentinel Parser", "functionAlias": "JBossEvent", "query": "JBossLogs_CL\n| extend EventVendor = 'Red Hat'\n| extend EventProduct = 'JBoss Enterprise Application Platform'\n| extend EventCount = 1\n| extend EventSchemaVersion = 0.2\n| extend EventSeverity = extract(@'\\d{2},\\d{3}\\s(\\w+)\\s+\\[', 1, RawData)\n| extend ActingProcessName = extract(@'\\[([A-Za-z0-9.-]+)\\]', 1, RawData)\n| extend ActingProcessThread = extract(@'\\]\\s+\\((.*?)\\)', 1, RawData)\n| extend EventOriginalType = extract(@\"([A-Z]+[0-9]+)(:)\",1, RawData)\n| extend EventMessage = extract(@'\\)\\s([A-Z0-9]+:\\s)?(.*)', 2, RawData)\n| project-away RawData\n", @@ -561,7 +121,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('parserObject1').parserContentId1]", "contentKind": "Parser", - "displayName": "JBossEvent", + "displayName": "Parser for JBossEvent", "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]", "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]", "version": "[variables('parserObject1').parserVersion1]" 
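Review bot: The parser's `displayName` changes from `JBossEvent` to `Parser for JBossEvent` here and again in the -561 and -574 hunks, but the 3.0.1 row added to ReleaseNotes.md records only the connector removal. `functionAlias` stays `JBossEvent`, so queries that call the function keep resolving, while anything that finds the saved search by its display name will not; I would record that in the change history, e.g. `Removed Deprecated **Data connector**; parser display name changed to "Parser for JBossEvent"`. The `contentProductId` expression in the -561 hunk still hashes the literal `'1.0.0'` and `parserVersion1` is defined outside these hunks, so it is worth confirming whether the parser content version should move with the rename.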
@@ -574,7 +134,7 @@ "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", - "displayName": "JBossEvent", + "displayName": "Parser for JBossEvent", "category": "Microsoft Sentinel Parser", "functionAlias": "JBossEvent", "query": "JBossLogs_CL\n| extend EventVendor = 'Red Hat'\n| extend EventProduct = 'JBoss Enterprise Application Platform'\n| extend EventCount = 1\n| extend EventSchemaVersion = 0.2\n| extend EventSeverity = extract(@'\\d{2},\\d{3}\\s(\\w+)\\s+\\[', 1, RawData)\n| extend ActingProcessName = extract(@'\\[([A-Za-z0-9.-]+)\\]', 1, RawData)\n| extend ActingProcessThread = extract(@'\\]\\s+\\((.*?)\\)', 1, RawData)\n| extend EventOriginalType = extract(@\"([A-Z]+[0-9]+)(:)\",1, RawData)\n| extend EventMessage = extract(@'\\)\\s([A-Z0-9]+:\\s)?(.*)', 2, RawData)\n| project-away RawData\n", @@ -623,12 +183,12 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.0", + "version": "3.0.1", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "JBoss", "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", - "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The JBoss Enterprise Application Platform data connector provides the capability to ingest JBoss events into Microsoft Sentinel. Refer to Red Hat documentation for more information.

\n

This solution is dependent on the Custom logs via AMA connector to collect the logs. The Custom logs solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of Custom logs via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.

\n

Data Connectors: 1, Parsers: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The JBoss Enterprise Application Platform data connector provides the capability to ingest JBoss events into Microsoft Sentinel. Refer to Red Hat documentation for more information.

\n

This solution is dependent on the Custom logs via AMA connector to collect the logs. The Custom logs solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of Custom logs via AMA Connector.Legacy connector uses the Log Analytics agent which were deprecated on Aug 31, 2024. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.

\n

Parsers: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -652,11 +212,6 @@ }, "dependencies": { "criteria": [ - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId1')]", - "version": "[variables('dataConnectorVersion1')]" - }, { "kind": "Parser", "contentId": "[variables('parserObject1').parserContentId1]", diff --git a/Solutions/JBoss/ReleaseNotes.md b/Solutions/JBoss/ReleaseNotes.md index 43454ac8358..6dfbaf3c98c 100644 --- a/Solutions/JBoss/ReleaseNotes.md +++ b/Solutions/JBoss/ReleaseNotes.md @@ -1,4 +1,5 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|-------------------------------------------------------------| +| 3.0.1 | 31-12-2024 | Removed Deprecated **Data connector** | | 3.0.0 | 13-08-2024 | Deprecating data connector | diff --git a/Solutions/JuniperIDP/Data/Solution_JuniperIDP.json b/Solutions/JuniperIDP/Data/Solution_JuniperIDP.json index eb1f86df1de..bc1414b97f5 100644 --- a/Solutions/JuniperIDP/Data/Solution_JuniperIDP.json +++ b/Solutions/JuniperIDP/Data/Solution_JuniperIDP.json 
@@ -2,19 +2,16 @@
 "Name": "JuniperIDP",
 "Author": "Microsoft - support@microsoft.com",
 "Logo": "",
- "Description": "The [Juniper](https://www.juniper.net/) IDP solution provides the capability to ingest [Juniper IDP](https://www.juniper.net/documentation/us/en/software/junos/idp-policy/topics/topic-map/security-idp-overview.html) events into Microsoft Sentinel.\n\n This solution is dependent on the Custom logs via AMA connector to collect the logs. The Custom logs solution will be installed as part of this solution installation.\n\n **NOTE**: Microsoft recommends installation of Custom logs via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).",
+ "Description": "The [Juniper](https://www.juniper.net/) IDP solution provides the capability to ingest [Juniper IDP](https://www.juniper.net/documentation/us/en/software/junos/idp-policy/topics/topic-map/security-idp-overview.html) events into Microsoft Sentinel.\n\n This solution is dependent on the Custom logs via AMA connector to collect the logs. The Custom logs solution will be installed as part of this solution installation.\n\n **NOTE**: Microsoft recommends installation of Custom logs via AMA Connector. 
Legacy connector uses the Log Analytics agent which were deprecated on **Aug 31, 2024.** Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).",
 "Parsers": [
 "Parsers/JuniperIDP.yaml"
 ],
- "Data Connectors": [
- "Data Connectors/Connector_LogAnalytics_agent_JuniperIDP.json"
-],
 "dependentDomainSolutionIds": [
 "azuresentinel.azure-sentinel-solution-customlogsviaama"
 ],
 "Metadata": "SolutionMetadata.json",
 "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\JuniperIDP",
- "Version": "3.0.0",
+ "Version": "3.0.1",
 "TemplateSpec": true,
 "Is1PConnector": false
 }
diff --git a/Solutions/JuniperIDP/Package/3.0.1.zip b/Solutions/JuniperIDP/Package/3.0.1.zip
new file mode 100644
index 00000000000..3f5fc6514aa
Binary files /dev/null and b/Solutions/JuniperIDP/Package/3.0.1.zip differ
diff --git a/Solutions/JuniperIDP/Package/createUiDefinition.json b/Solutions/JuniperIDP/Package/createUiDefinition.json
index 61ebfb78a64..5556d57fa53 100644
--- a/Solutions/JuniperIDP/Package/createUiDefinition.json
+++ b/Solutions/JuniperIDP/Package/createUiDefinition.json 
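Review bot: The new `Description` in Solution_JuniperIDP.json still says "Legacy connector uses the Log Analytics agent" in the present tense, although this same hunk drops the `Data Connectors` entry, so the NOTE describes a connector the package no longer ships. "which were deprecated" also disagrees in number with "agent", and the closing period sits inside the bold span. I would reword the sentence to `Legacy connector used the Log Analytics agent, which was deprecated on **Aug 31, 2024**.` The same sentence recurs in the createUiDefinition.json and mainTemplate.json hunks below, which look regenerated from this file, so correcting it here and re-packaging should cover them. Workspaces that deployed the legacy connector presumably still have the agent and its log listener configured on the collector host, so the description could also say that removing the connector from the package does not decommission that agent.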
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/JuniperIDP/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Juniper](https://www.juniper.net/) IDP solution provides the capability to ingest [Juniper IDP](https://www.juniper.net/documentation/us/en/software/junos/idp-policy/topics/topic-map/security-idp-overview.html) events into Microsoft Sentinel.\n\n This solution is dependent on the Custom logs via AMA connector to collect the logs. The Custom logs solution will be installed as part of this solution installation.\n\n **NOTE**: Microsoft recommends installation of Custom logs via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024. 
Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Data Connectors:** 1, **Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/JuniperIDP/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Juniper](https://www.juniper.net/) IDP solution provides the capability to ingest [Juniper IDP](https://www.juniper.net/documentation/us/en/software/junos/idp-policy/topics/topic-map/security-idp-overview.html) events into Microsoft Sentinel.\n\n This solution is dependent on the Custom logs via AMA connector to collect the logs. The Custom logs solution will be installed as part of this solution installation.\n\n **NOTE**: Microsoft recommends installation of Custom logs via AMA Connector. Legacy connector uses the Log Analytics agent which were deprecated on **Aug 31, 2024.** Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", 
@@ -50,39 +50,7 @@ "visible": true } ], - "steps": [ - { - "name": "dataconnectors", - "label": "Data Connectors", - "bladeTitle": "Data Connectors", - "elements": [ - { - "name": "dataconnectors1-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This Solution installs the data connector for JuniperIDP. You can get JuniperIDP custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." - } - }, - { - "name": "dataconnectors-parser-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel." - } - }, - { - "name": "dataconnectors-link2", - "type": "Microsoft.Common.TextBlock", - "options": { - "link": { - "label": "Learn more about connecting data sources", - "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources" - } - } - } - ] - } - ], + "steps": [{}], "outputs": { "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]", "location": "[location()]", diff --git a/Solutions/JuniperIDP/Package/mainTemplate.json b/Solutions/JuniperIDP/Package/mainTemplate.json index 958465178c0..bf95f648c93 100644 --- a/Solutions/JuniperIDP/Package/mainTemplate.json +++ b/Solutions/JuniperIDP/Package/mainTemplate.json 
@@ -33,7 +33,7 @@ "email": "support@microsoft.com", "_email": "[variables('email')]", "_solutionName": "JuniperIDP", - "_solutionVersion": "3.0.0", + "_solutionVersion": "3.0.1", "solutionId": "azuresentinel.azure-sentinel-solution-juniperidp", "_solutionId": "[variables('solutionId')]", "parserObject1": { @@ -43,15 +43,6 @@ "parserVersion1": "1.0.0", "parserContentId1": "JuniperIDP-Parser" }, - "uiConfigId1": "JuniperIDP", - "_uiConfigId1": "[variables('uiConfigId1')]", - "dataConnectorContentId1": "JuniperIDP", - "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", - "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "_dataConnectorId1": "[variables('dataConnectorId1')]", - "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", - "dataConnectorVersion1": "1.0.0", - "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, "resources": [ 
@@ -64,7 +55,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "JuniperIDP Data Parser with template version 3.0.0", + "description": "JuniperIDP Data Parser with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject1').parserVersion1]", 
@@ -187,440 +178,17 @@ } } }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "JuniperIDP data connector with template version 3.0.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion1')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId1')]", - "title": "[Deprecated] Juniper IDP", - "publisher": "Juniper", - "descriptionMarkdown": "The [Juniper](https://www.juniper.net/) IDP data connector provides the capability to ingest [Juniper IDP](https://www.juniper.net/documentation/us/en/software/junos/idp-policy/topics/topic-map/security-idp-overview.html) events into Microsoft Sentinel.", - "additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected [**JuniperIDP**](https://aka.ms/sentinel-JuniperIDP-parser) which is deployed with the Microsoft Sentinel Solution.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "JuniperIDP_CL", - "baseQuery": "JuniperIDP" - } - ], - "sampleQueries": [ - { - "description": "Top 10 Clients (Source IP)", - "query": "JuniperIDP\n | 
summarize count() by SrcIpAddr\n | top 10 by count_" - } - ], - "dataTypes": [ - { - "name": "JuniperIDP_CL", - "lastDataReceivedQuery": "JuniperIDP\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "JuniperIDP\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on a parser based on Kusto Function to work as expected [**JuniperIDP**](https://aka.ms/sentinel-JuniperIDP-parser) which is deployed with the Microsoft Sentinel Solution." - }, - { - "description": ">**NOTE:** IDP OS 5.1 and above is supported by this data connector." 
- }, - { - "description": "Install the agent on the Server.", - "instructions": [ - { - "parameters": { - "title": "Choose where to install the Linux agent:", - "instructionSteps": [ - { - "title": "Install agent on Azure Linux Virtual Machine", - "description": "Select the machine to install the agent on and then click **Connect**.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnLinuxVirtualMachine" - }, - "type": "InstallAgent" - } - ] - }, - { - "title": "Install agent on a non-Azure Linux Machine", - "description": "Download the agent on the relevant machine and follow the instructions.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnLinuxNonAzure" - }, - "type": "InstallAgent" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ], - "title": "1. Install and onboard the agent for Linux or Windows" - }, - { - "instructions": [ - { - "parameters": { - "title": "Choose where to install the Windows agent:", - "instructionSteps": [ - { - "title": "Install agent on Azure Windows Virtual Machine", - "description": "Select the machine to install the agent on and then click **Connect**.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnVirtualMachine" - }, - "type": "InstallAgent" - } - ] - }, - { - "title": "Install agent on a non-Azure Windows Machine", - "description": "Download the agent on the relevant machine and follow the instructions.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnNonAzure" - }, - "type": "InstallAgent" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ] - }, - { - "description": "Follow the configuration steps below to get Juniper IDP logs into Microsoft Sentinel. This configuration enriches events generated by Juniper IDP module to provide visibility on log source information for Juniper IDP logs. 
Refer to the [Azure Monitor Documentation](https://docs.microsoft.com/azure/azure-monitor/agents/data-sources-json) for more details on these steps.\n1. Download config file [juniper_idp.conf](https://aka.ms/sentinel-JuniperIDP-conf).\n2. Login to the server where you have installed Azure Log Analytics agent.\n3. Copy juniper_idp.conf to the /etc/opt/microsoft/omsagent/**workspace_id**/conf/omsagent.d/ folder.\n4. Edit juniper_idp.conf as follows:\n\n\t i. change the listen port for receiving logs based on your configuration (line 3)\n\n\t ii. replace **workspace_id** with real value of your Workspace ID (lines 58,59,60,63)\n5. Save changes and restart the Azure Log Analytics agent for Linux service with the following command:\n\t\tsudo /opt/microsoft/omsagent/bin/service_control restart\n6. To configure a remote syslog destination, please reference the [SRX Getting Started - Configure System Logging](https://kb.juniper.net/InfoCenter/index?page=content&id=kb16502).", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Workspace ID" - }, - "type": "CopyableLabel" - } - ], - "title": "2. 
Configure the logs to be collected" - } - ] - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "JuniperIDP", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId1')]", - "contentKind": "DataConnector", - "displayName": "[Deprecated] Juniper IDP", - "contentProductId": "[variables('_dataConnectorcontentProductId1')]", - "id": "[variables('_dataConnectorcontentProductId1')]", - "version": "[variables('dataConnectorVersion1')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId1')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - "parentId": 
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "JuniperIDP", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "[Deprecated] Juniper IDP", - "publisher": "Juniper", - "descriptionMarkdown": "The [Juniper](https://www.juniper.net/) IDP data connector provides the capability to ingest [Juniper IDP](https://www.juniper.net/documentation/us/en/software/junos/idp-policy/topics/topic-map/security-idp-overview.html) events into Microsoft Sentinel.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "JuniperIDP_CL", - "baseQuery": "JuniperIDP" - } - ], - "dataTypes": [ - { - "name": "JuniperIDP_CL", - "lastDataReceivedQuery": "JuniperIDP\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "JuniperIDP\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "sampleQueries": [ - { - "description": "Top 10 Clients (Source IP)", - "query": "JuniperIDP\n | summarize count() by 
SrcIpAddr\n | top 10 by count_" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on a parser based on Kusto Function to work as expected [**JuniperIDP**](https://aka.ms/sentinel-JuniperIDP-parser) which is deployed with the Microsoft Sentinel Solution." - }, - { - "description": ">**NOTE:** IDP OS 5.1 and above is supported by this data connector." 
- }, - { - "description": "Install the agent on the Server.", - "instructions": [ - { - "parameters": { - "title": "Choose where to install the Linux agent:", - "instructionSteps": [ - { - "title": "Install agent on Azure Linux Virtual Machine", - "description": "Select the machine to install the agent on and then click **Connect**.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnLinuxVirtualMachine" - }, - "type": "InstallAgent" - } - ] - }, - { - "title": "Install agent on a non-Azure Linux Machine", - "description": "Download the agent on the relevant machine and follow the instructions.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnLinuxNonAzure" - }, - "type": "InstallAgent" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ], - "title": "1. Install and onboard the agent for Linux or Windows" - }, - { - "instructions": [ - { - "parameters": { - "title": "Choose where to install the Windows agent:", - "instructionSteps": [ - { - "title": "Install agent on Azure Windows Virtual Machine", - "description": "Select the machine to install the agent on and then click **Connect**.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnVirtualMachine" - }, - "type": "InstallAgent" - } - ] - }, - { - "title": "Install agent on a non-Azure Windows Machine", - "description": "Download the agent on the relevant machine and follow the instructions.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnNonAzure" - }, - "type": "InstallAgent" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ] - }, - { - "description": "Follow the configuration steps below to get Juniper IDP logs into Microsoft Sentinel. This configuration enriches events generated by Juniper IDP module to provide visibility on log source information for Juniper IDP logs. 
Refer to the [Azure Monitor Documentation](https://docs.microsoft.com/azure/azure-monitor/agents/data-sources-json) for more details on these steps.\n1. Download config file [juniper_idp.conf](https://aka.ms/sentinel-JuniperIDP-conf).\n2. Login to the server where you have installed Azure Log Analytics agent.\n3. Copy juniper_idp.conf to the /etc/opt/microsoft/omsagent/**workspace_id**/conf/omsagent.d/ folder.\n4. Edit juniper_idp.conf as follows:\n\n\t i. change the listen port for receiving logs based on your configuration (line 3)\n\n\t ii. replace **workspace_id** with real value of your Workspace ID (lines 58,59,60,63)\n5. Save changes and restart the Azure Log Analytics agent for Linux service with the following command:\n\t\tsudo /opt/microsoft/omsagent/bin/service_control restart\n6. To configure a remote syslog destination, please reference the [SRX Getting Started - Configure System Logging](https://kb.juniper.net/InfoCenter/index?page=content&id=kb16502).", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Workspace ID" - }, - "type": "CopyableLabel" - } - ], - "title": "2. Configure the logs to be collected" - } - ], - "id": "[variables('_uiConfigId1')]", - "additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected [**JuniperIDP**](https://aka.ms/sentinel-JuniperIDP-parser) which is deployed with the Microsoft Sentinel Solution." - } - } - }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.0", + "version": "3.0.1", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "JuniperIDP", "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", - "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Juniper IDP solution provides the capability to ingest Juniper IDP events into Microsoft Sentinel.

\n

This solution is dependent on the Custom logs via AMA connector to collect the logs. The Custom logs solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of Custom logs via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.

\n

Data Connectors: 1, Parsers: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Juniper IDP solution provides the capability to ingest Juniper IDP events into Microsoft Sentinel.

\n

This solution is dependent on the Custom logs via AMA connector to collect the logs. The Custom logs solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of Custom logs via AMA Connector. Legacy connector uses the Log Analytics agent which were deprecated on Aug 31, 2024. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.

\n

Parsers: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -649,11 +217,6 @@ "contentId": "[variables('parserObject1').parserContentId1]", "version": "[variables('parserObject1').parserVersion1]" }, - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId1')]", - "version": "[variables('dataConnectorVersion1')]" - }, { "kind": "Solution", "contentId": "azuresentinel.azure-sentinel-solution-customlogsviaama" diff --git a/Solutions/JuniperIDP/ReleaseNotes.md b/Solutions/JuniperIDP/ReleaseNotes.md index 43454ac8358..6dfbaf3c98c 100644 --- a/Solutions/JuniperIDP/ReleaseNotes.md +++ b/Solutions/JuniperIDP/ReleaseNotes.md @@ -1,4 +1,5 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|-------------------------------------------------------------| +| 3.0.1 | 31-12-2024 | Removed Deprecated **Data connector** | | 3.0.0 | 13-08-2024 | Deprecating data connector |