diff --git a/Solutions/SecurityBridge App/Analytical Rules/CriticalEventTriggered.yaml b/Solutions/SecurityBridge App/Analytical Rules/CriticalEventTriggered.yaml
index ed24a1013cb..b9ced228a4a 100644
--- a/Solutions/SecurityBridge App/Analytical Rules/CriticalEventTriggered.yaml
+++ b/Solutions/SecurityBridge App/Analytical Rules/CriticalEventTriggered.yaml
@@ -4,9 +4,6 @@ description: |
'This rule alerts if there is any critical event occured in the SAP system'
severity: Medium
requiredDataConnectors:
- - connectorId: SecurityBridgeSAP
- dataTypes:
- - SecurityBridgeLogs_CL
- connectorId: CustomLogsAma
datatypes:
- SecurityBridgeLogs_CL
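Review bot: The entry that survives this hunk spells the key `datatypes` (line 13), while the entry being removed — and the analytic-rule schema convention used across this repo — spells it `dataTypes`. If the validator or the Sentinel portal matches the key case-sensitively, the rule's dependency on `SecurityBridgeLogs_CL` is silently dropped and the "required data connectors" check no longer guards the rule; I would write `dataTypes:` here and regenerate the package so the `"datatypes"` in Package/mainTemplate.json follows. While touching the file, the context description above still reads `occured` (should be `occurred`). I can't see the rest of the rule body from this hunk, so whether anything else references the removed `SecurityBridgeSAP` connector id is unverified.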
@@ -35,5 +32,5 @@ entityMappings:
fieldMappings:
- identifier: HostName
columnName: Computer
-version: 1.0.3
+version: 1.0.4
kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/SecurityBridge App/Data/Solution_SecurityBridgeSAP.json b/Solutions/SecurityBridge App/Data/Solution_SecurityBridgeSAP.json
index abaa373bab0..559a97bf9ab 100644
--- a/Solutions/SecurityBridge App/Data/Solution_SecurityBridgeSAP.json
+++ b/Solutions/SecurityBridge App/Data/Solution_SecurityBridgeSAP.json
@@ -2,7 +2,7 @@
"Name": "SecurityBridge App",
"Author": "Christoph Nagy - christoph.nagy@securitybridge.com",
"Logo": "",
- "Description": "The [SecurityBridge App](https://securitybridge.com/) solution provides the capability to ingest SecurityBridge Threat Detection events from all on-premise and cloud based SAP instances into Microsoft Sentinel.\n\nThis solution is dependent on the Custom logs via AMA connector to collect the logs. The Custom logs solution will be installed as part of this solution installation. \n\n **NOTE**: Microsoft recommends installation of Custom logs via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024**. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/azure/sentinel/ama-migrate?WT.mc_id=Portal-fx).",
+ "Description": "The [SecurityBridge App](https://securitybridge.com/) solution provides the capability to ingest SecurityBridge Threat Detection events from all on-premise and cloud based SAP instances into Microsoft Sentinel.\n\nThis solution is dependent on the Custom logs via AMA connector to collect the logs. The Custom logs solution will be installed as part of this solution installation. \n\n **NOTE**: Microsoft recommends installation of Custom logs via AMA Connector. Legacy connector uses the Log Analytics agent which were deprecated on **Aug 31, 2024.** Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/azure/sentinel/ama-migrate?WT.mc_id=Portal-fx).",
"Workbooks": [
"Workbooks/SecurityBridgeThreatDetectionforSAP.json"
],
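Review bot: The reworded note on the added line has a subject/verb mismatch and misplaced punctuation: `the Log Analytics agent which were deprecated on **Aug 31, 2024.**` should read `the Log Analytics agent, which was deprecated on **Aug 31, 2024**.` Since this Description appears to be the source the packaging tool copies into Package/createUiDefinition.json and the contentPackages `descriptionHtml`, fixing it here and regenerating keeps the three copies consistent rather than editing the generated files by hand.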
@@ -12,14 +12,11 @@
"Parsers": [
"Parsers/SecurityBridgeLogs.yaml"
],
- "Data Connectors": [
- "Data Connectors/Connector_SecurityBridge.json"
- ],
"dependentDomainSolutionIds": [
"azuresentinel.azure-sentinel-solution-customlogsviaama"
],
"BasePath": "https://raw.githubusercontent.com/frozenstrawberries/Azure-Sentinel/master/Solutions/SecurityBridge/",
- "Version": "3.0.0",
+ "Version": "3.0.1",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true
}
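Review bot: The `BasePath` two lines above the bumped version still points at a personal fork (`raw.githubusercontent.com/frozenstrawberries/Azure-Sentinel/...`) and at `Solutions/SecurityBridge/`, which does not match this solution's directory `Solutions/SecurityBridge App/`. If the V3 packaging tool resolves the `Workbooks/`, `Parsers/` and `Analytical Rules/` entries relative to that URL, the 3.0.1 zip added in this commit may have been assembled from content outside the reviewed repository; this predates the commit but the repackaging is the point at which it matters. I would set it to the canonical `https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/SecurityBridge%20App/` (or a local checkout path, per the repo's tooling) and rebuild. With the `Data Connectors` array gone, a sanity check that the rule's `requiredDataConnectors` only references `CustomLogsAma` would also be worthwhile.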
\ No newline at end of file
diff --git a/Solutions/SecurityBridge App/Package/3.0.1.zip b/Solutions/SecurityBridge App/Package/3.0.1.zip
new file mode 100644
index 00000000000..fd341bb3f9f
Binary files /dev/null and b/Solutions/SecurityBridge App/Package/3.0.1.zip differ
diff --git a/Solutions/SecurityBridge App/Package/createUiDefinition.json b/Solutions/SecurityBridge App/Package/createUiDefinition.json
index 077529849b8..ab9c9a25105 100644
--- a/Solutions/SecurityBridge App/Package/createUiDefinition.json
+++ b/Solutions/SecurityBridge App/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
- "description": "
\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/SecurityBridge%20App/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [SecurityBridge App](https://securitybridge.com/) solution provides the capability to ingest SecurityBridge Threat Detection events from all on-premise and cloud based SAP instances into Microsoft Sentinel.\n\nThis solution is dependent on the Custom logs via AMA connector to collect the logs. The Custom logs solution will be installed as part of this solution installation. \n\n **NOTE**: Microsoft recommends installation of Custom logs via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024**. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/azure/sentinel/ama-migrate?WT.mc_id=Portal-fx).\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "
\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/SecurityBridge%20App/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [SecurityBridge App](https://securitybridge.com/) solution provides the capability to ingest SecurityBridge Threat Detection events from all on-premise and cloud based SAP instances into Microsoft Sentinel.\n\nThis solution is dependent on the Custom logs via AMA connector to collect the logs. The Custom logs solution will be installed as part of this solution installation. \n\n **NOTE**: Microsoft recommends installation of Custom logs via AMA Connector. Legacy connector uses the Log Analytics agent which were deprecated on **Aug 31, 2024.** Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/azure/sentinel/ama-migrate?WT.mc_id=Portal-fx).\n\n**Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
@@ -51,37 +51,6 @@
}
],
"steps": [
- {
- "name": "dataconnectors",
- "label": "Data Connectors",
- "bladeTitle": "Data Connectors",
- "elements": [
- {
- "name": "dataconnectors1-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "The SecurityBridge App data connector allows you to easily connect your SecurityBridge App logs with Microsoft Sentinel. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
- }
- },
- {
- "name": "dataconnectors-parser-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "The solution installs a parser that transforms ingested data. The transformed logs can be accessed using the SecurityBridgeLogs Kusto Function alias."
- }
- },
- {
- "name": "dataconnectors-link2",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "link": {
- "label": "Learn more about connecting data sources",
- "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
- }
- }
- }
- ]
- },
{
"name": "workbooks",
"label": "Workbooks",
diff --git a/Solutions/SecurityBridge App/Package/mainTemplate.json b/Solutions/SecurityBridge App/Package/mainTemplate.json
index 35830beabec..97477f24849 100644
--- a/Solutions/SecurityBridge App/Package/mainTemplate.json
+++ b/Solutions/SecurityBridge App/Package/mainTemplate.json
@@ -41,7 +41,7 @@
"email": "christoph.nagy@securitybridge.com",
"_email": "[variables('email')]",
"_solutionName": "SecurityBridge App",
- "_solutionVersion": "3.0.0",
+ "_solutionVersion": "3.0.1",
"solutionId": "securitybridge1647511278080.securitybridge-sentinel-app-1",
"_solutionId": "[variables('solutionId')]",
"workbookVersion1": "1.0.0",
@@ -52,28 +52,19 @@
"workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
"_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]",
"analyticRuleObject1": {
- "analyticRuleVersion1": "1.0.3",
+ "analyticRuleVersion1": "1.0.4",
"_analyticRulecontentId1": "8c5c766a-ce9b-4112-b6ed-1b8fe33733b7",
"analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '8c5c766a-ce9b-4112-b6ed-1b8fe33733b7')]",
"analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('8c5c766a-ce9b-4112-b6ed-1b8fe33733b7')))]",
- "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','8c5c766a-ce9b-4112-b6ed-1b8fe33733b7','-', '1.0.3')))]"
+ "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','8c5c766a-ce9b-4112-b6ed-1b8fe33733b7','-', '1.0.4')))]"
},
"parserObject1": {
- "_parserName1": "[concat(parameters('workspace'),'/','SecurityBridge Threat Detection for SAP Data Parser')]",
- "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'SecurityBridge Threat Detection for SAP Data Parser')]",
+ "_parserName1": "[concat(parameters('workspace'),'/','SecurityBridgeLogs')]",
+ "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'SecurityBridgeLogs')]",
"parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('SecurityBridgeLogs-Parser')))]",
"parserVersion1": "1.0.0",
"parserContentId1": "SecurityBridgeLogs-Parser"
},
- "uiConfigId1": "SecurityBridgeSAP",
- "_uiConfigId1": "[variables('uiConfigId1')]",
- "dataConnectorContentId1": "SecurityBridgeSAP",
- "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
- "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "_dataConnectorId1": "[variables('dataConnectorId1')]",
- "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
- "dataConnectorVersion1": "1.0.0",
- "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
"_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
},
"resources": [
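Review bot: Renaming the parser's savedSearches resource from `SecurityBridge Threat Detection for SAP Data Parser` to `SecurityBridgeLogs` means an in-place upgrade from 3.0.0 deploys a second `savedSearches` resource and leaves the old one in the workspace, since an incremental ARM deployment does not delete resources it no longer declares. If both saved searches carry the same `functionAlias` (the alias is set in the parser resource outside this hunk, so I can't confirm), the upgrade may fail or resolve the `SecurityBridgeLogs` function ambiguously. The `parserContentId1`/`parserTemplateSpecName1` stay the same, so the content hub will treat it as the same item; a ReleaseNotes entry telling upgraders to remove the old saved search, or a version bump on `parserVersion1` beyond `1.0.0` to signal the change, would make this explicit.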
@@ -86,7 +77,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "SecurityBridgeThreatDetectionforSAP Workbook with template version 3.0.0",
+ "description": "SecurityBridgeThreatDetectionforSAP Workbook with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion1')]",
@@ -174,7 +165,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "CriticalEventTriggered_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "description": "CriticalEventTriggered_AnalyticalRules Analytics Rule with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@@ -201,12 +192,6 @@
"triggerThreshold": 0,
"status": "Available",
"requiredDataConnectors": [
- {
- "dataTypes": [
- "SecurityBridgeLogs_CL"
- ],
- "connectorId": "SecurityBridgeSAP"
- },
{
"datatypes": [
"SecurityBridgeLogs_CL"
@@ -302,7 +287,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "SecurityBridgeLogs Data Parser with template version 3.0.0",
+ "description": "SecurityBridgeLogs Data Parser with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserObject1').parserVersion1]",
@@ -338,7 +323,7 @@
"[variables('parserObject1')._parserId1]"
],
"properties": {
- "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'SecurityBridge Threat Detection for SAP Data Parser')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'SecurityBridgeLogs')]",
"contentId": "[variables('parserObject1').parserContentId1]",
"kind": "Parser",
"version": "[variables('parserObject1').parserVersion1]",
@@ -404,7 +389,7 @@
"[variables('parserObject1')._parserId1]"
],
"properties": {
- "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'SecurityBridge Threat Detection for SAP Data Parser')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'SecurityBridgeLogs')]",
"contentId": "[variables('parserObject1').parserContentId1]",
"kind": "Parser",
"version": "[variables('parserObject1').parserVersion1]",
@@ -425,448 +410,17 @@
}
}
},
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
- "apiVersion": "2023-04-01-preview",
- "name": "[variables('dataConnectorTemplateSpecName1')]",
- "location": "[parameters('workspace-location')]",
- "dependsOn": [
- "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
- ],
- "properties": {
- "description": "SecurityBridge App data connector with template version 3.0.0",
- "mainTemplate": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('dataConnectorVersion1')]",
- "parameters": {},
- "variables": {},
- "resources": [
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
- "properties": {
- "connectorUiConfig": {
- "id": "[variables('_uiConfigId1')]",
- "title": "[Deprecated] SecurityBridge Threat Detection for SAP",
- "publisher": "SecurityBridge",
- "descriptionMarkdown": "SecurityBridge is the first and only holistic, natively integrated security platform, addressing all aspects needed to protect organizations running SAP from internal and external threats against their core business applications. The SecurityBridge platform is an SAP-certified add-on, used by organizations around the globe, and addresses the clients’ need for advanced cybersecurity, real-time monitoring, compliance, code security, and patching to protect against internal and external threats.This Microsoft Sentinel Solution allows you to integrate SecurityBridge Threat Detection events from all your on-premise and cloud based SAP instances into your security monitoring.Use this Microsoft Sentinel Solution to receive normalized and speaking security events, pre-built dashboards and out-of-the-box templates for your SAP security monitoring.",
- "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution.",
- "graphQueries": [
- {
- "metricName": "Total data received",
- "legend": "SecurityBridgeLogs",
- "baseQuery": "SecurityBridgeLogs_CL"
- }
- ],
- "sampleQueries": [
- {
- "description": "Top 10 Event Names",
- "query": "SecurityBridgeLogs_CL \n| extend Name = tostring(split(RawData, '|')[5]) \n| summarize count() by Name | top 10 by count_"
- }
- ],
- "dataTypes": [
- {
- "name": "SecurityBridgeLogs_CL",
- "lastDataReceivedQuery": "SecurityBridgeLogs_CL\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "SecurityBridgeLogs_CL\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(2d)"
- ]
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "read": true,
- "write": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ]
- },
- "instructionSteps": [
- {
- "description": "*NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias SecurityBridgeLogs and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SecurityBridge%20App/Parsers/SecurityBridgeLogs.txt).The function usually takes 10-15 minutes to activate after solution installation/update."
- },
- {
- "description": ">**NOTE:** This data connector has been developed using SecurityBridge Application Platform 7.4.0."
- },
- {
- "description": "This solution requires logs collection via an Microsoft Sentinel agent installation\n\n> The Microsoft Sentinel agent is supported on the following Operating Systems: \n1. Windows Servers \n2. SUSE Linux Enterprise Server\n3. Redhat Linux Enterprise Server\n4. Oracle Linux Enterprise Server\n5. If you have the SAP solution installed on HPUX / AIX then you will need to deploy a log collector on one of the Linux options listed above and forward your logs to that collector\n\n",
- "instructions": [
- {
- "parameters": {
- "title": "Choose where to install the Linux agent:",
- "instructionSteps": [
- {
- "title": "Install agent on Azure Linux Virtual Machine",
- "description": "Select the machine to install the agent on and then click **Connect**.",
- "instructions": [
- {
- "parameters": {
- "linkType": "InstallAgentOnLinuxVirtualMachine"
- },
- "type": "InstallAgent"
- }
- ]
- },
- {
- "title": "Install agent on a non-Azure Linux Machine",
- "description": "Download the agent on the relevant machine and follow the instructions.",
- "instructions": [
- {
- "parameters": {
- "linkType": "InstallAgentOnLinuxNonAzure"
- },
- "type": "InstallAgent"
- }
- ]
- }
- ]
- },
- "type": "InstructionStepsGroup"
- }
- ],
- "title": "1. Install and onboard the agent for Linux or Windows"
- },
- {
- "instructions": [
- {
- "parameters": {
- "title": "Choose where to install the Windows agent:",
- "instructionSteps": [
- {
- "title": "Install agent on Azure Windows Virtual Machine",
- "description": "Select the machine to install the agent on and then click **Connect**.",
- "instructions": [
- {
- "parameters": {
- "linkType": "InstallAgentOnVirtualMachine"
- },
- "type": "InstallAgent"
- }
- ]
- },
- {
- "title": "Install agent on a non-Azure Windows Machine",
- "description": "Download the agent on the relevant machine and follow the instructions.",
- "instructions": [
- {
- "parameters": {
- "linkType": "InstallAgentOnNonAzure"
- },
- "type": "InstallAgent"
- }
- ]
- }
- ]
- },
- "type": "InstructionStepsGroup"
- }
- ]
- },
- {
- "description": "Configure the custom log directory to be collected",
- "instructions": [
- {
- "parameters": {
- "linkType": "OpenCustomLogsSettings"
- },
- "type": "InstallAgent"
- }
- ],
- "title": "2. Configure the logs to be collected"
- },
- {
- "description": "1. Select the link above to open your workspace advanced settings \n2. Click **+Add custom**\n3. Click **Browse** to upload a sample of a SecurityBridge SAP log file (e.g. AED_20211129164544.cef). Then, click **Next >**\n4. Select **New Line** as the record delimiter then click **Next >**\n5. Select **Windows** or **Linux** and enter the path to SecurityBridge logs based on your configuration. Example:\n - '/usr/sap/tmp/sb_events/*.cef' \n\n>**NOTE:** You can add as many paths as you want in the configuration.\n\n6. After entering the path, click the '+' symbol to apply, then click **Next >** \n7. Add **SecurityBridgeLogs** as the custom log Name and click **Done**"
- },
- {
- "description": "Open Log Analytics to check if the logs are received using the SecurityBridgeLogs_CL Custom log table.\n\n>**NOTE:** It may take up to 30 minutes before new logs will appear in SecurityBridgeLogs_CL table.",
- "title": "3. Check logs in Microsoft Sentinel"
- }
- ]
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion1')]",
- "source": {
- "kind": "Solution",
- "name": "SecurityBridge App",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Christoph Nagy",
- "email": "[variables('_email')]"
- },
- "support": {
- "name": "Christoph Nagy",
- "email": "christoph.nagy@securitybridge.com",
- "tier": "Partner",
- "link": "https://securitybridge.com/contact/"
- }
- }
- }
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "contentKind": "DataConnector",
- "displayName": "[Deprecated] SecurityBridge Threat Detection for SAP",
- "contentProductId": "[variables('_dataConnectorcontentProductId1')]",
- "id": "[variables('_dataConnectorcontentProductId1')]",
- "version": "[variables('dataConnectorVersion1')]"
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
- "dependsOn": [
- "[variables('_dataConnectorId1')]"
- ],
- "location": "[parameters('workspace-location')]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion1')]",
- "source": {
- "kind": "Solution",
- "name": "SecurityBridge App",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Christoph Nagy",
- "email": "[variables('_email')]"
- },
- "support": {
- "name": "Christoph Nagy",
- "email": "christoph.nagy@securitybridge.com",
- "tier": "Partner",
- "link": "https://securitybridge.com/contact/"
- }
- }
- },
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
- "properties": {
- "connectorUiConfig": {
- "title": "[Deprecated] SecurityBridge Threat Detection for SAP",
- "publisher": "SecurityBridge",
- "descriptionMarkdown": "SecurityBridge is the first and only holistic, natively integrated security platform, addressing all aspects needed to protect organizations running SAP from internal and external threats against their core business applications. The SecurityBridge platform is an SAP-certified add-on, used by organizations around the globe, and addresses the clients’ need for advanced cybersecurity, real-time monitoring, compliance, code security, and patching to protect against internal and external threats.This Microsoft Sentinel Solution allows you to integrate SecurityBridge Threat Detection events from all your on-premise and cloud based SAP instances into your security monitoring.Use this Microsoft Sentinel Solution to receive normalized and speaking security events, pre-built dashboards and out-of-the-box templates for your SAP security monitoring.",
- "graphQueries": [
- {
- "metricName": "Total data received",
- "legend": "SecurityBridgeLogs",
- "baseQuery": "SecurityBridgeLogs_CL"
- }
- ],
- "dataTypes": [
- {
- "name": "SecurityBridgeLogs_CL",
- "lastDataReceivedQuery": "SecurityBridgeLogs_CL\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "SecurityBridgeLogs_CL\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(2d)"
- ]
- }
- ],
- "sampleQueries": [
- {
- "description": "Top 10 Event Names",
- "query": "SecurityBridgeLogs_CL \n| extend Name = tostring(split(RawData, '|')[5]) \n| summarize count() by Name | top 10 by count_"
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "read": true,
- "write": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ]
- },
- "instructionSteps": [
- {
- "description": "*NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias SecurityBridgeLogs and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SecurityBridge%20App/Parsers/SecurityBridgeLogs.txt).The function usually takes 10-15 minutes to activate after solution installation/update."
- },
- {
- "description": ">**NOTE:** This data connector has been developed using SecurityBridge Application Platform 7.4.0."
- },
- {
- "description": "This solution requires logs collection via an Microsoft Sentinel agent installation\n\n> The Microsoft Sentinel agent is supported on the following Operating Systems: \n1. Windows Servers \n2. SUSE Linux Enterprise Server\n3. Redhat Linux Enterprise Server\n4. Oracle Linux Enterprise Server\n5. If you have the SAP solution installed on HPUX / AIX then you will need to deploy a log collector on one of the Linux options listed above and forward your logs to that collector\n\n",
- "instructions": [
- {
- "parameters": {
- "title": "Choose where to install the Linux agent:",
- "instructionSteps": [
- {
- "title": "Install agent on Azure Linux Virtual Machine",
- "description": "Select the machine to install the agent on and then click **Connect**.",
- "instructions": [
- {
- "parameters": {
- "linkType": "InstallAgentOnLinuxVirtualMachine"
- },
- "type": "InstallAgent"
- }
- ]
- },
- {
- "title": "Install agent on a non-Azure Linux Machine",
- "description": "Download the agent on the relevant machine and follow the instructions.",
- "instructions": [
- {
- "parameters": {
- "linkType": "InstallAgentOnLinuxNonAzure"
- },
- "type": "InstallAgent"
- }
- ]
- }
- ]
- },
- "type": "InstructionStepsGroup"
- }
- ],
- "title": "1. Install and onboard the agent for Linux or Windows"
- },
- {
- "instructions": [
- {
- "parameters": {
- "title": "Choose where to install the Windows agent:",
- "instructionSteps": [
- {
- "title": "Install agent on Azure Windows Virtual Machine",
- "description": "Select the machine to install the agent on and then click **Connect**.",
- "instructions": [
- {
- "parameters": {
- "linkType": "InstallAgentOnVirtualMachine"
- },
- "type": "InstallAgent"
- }
- ]
- },
- {
- "title": "Install agent on a non-Azure Windows Machine",
- "description": "Download the agent on the relevant machine and follow the instructions.",
- "instructions": [
- {
- "parameters": {
- "linkType": "InstallAgentOnNonAzure"
- },
- "type": "InstallAgent"
- }
- ]
- }
- ]
- },
- "type": "InstructionStepsGroup"
- }
- ]
- },
- {
- "description": "Configure the custom log directory to be collected",
- "instructions": [
- {
- "parameters": {
- "linkType": "OpenCustomLogsSettings"
- },
- "type": "InstallAgent"
- }
- ],
- "title": "2. Configure the logs to be collected"
- },
- {
- "description": "1. Select the link above to open your workspace advanced settings \n2. Click **+Add custom**\n3. Click **Browse** to upload a sample of a SecurityBridge SAP log file (e.g. AED_20211129164544.cef). Then, click **Next >**\n4. Select **New Line** as the record delimiter then click **Next >**\n5. Select **Windows** or **Linux** and enter the path to SecurityBridge logs based on your configuration. Example:\n - '/usr/sap/tmp/sb_events/*.cef' \n\n>**NOTE:** You can add as many paths as you want in the configuration.\n\n6. After entering the path, click the '+' symbol to apply, then click **Next >** \n7. Add **SecurityBridgeLogs** as the custom log Name and click **Done**"
- },
- {
- "description": "Open Log Analytics to check if the logs are received using the SecurityBridgeLogs_CL Custom log table.\n\n>**NOTE:** It may take up to 30 minutes before new logs will appear in SecurityBridgeLogs_CL table.",
- "title": "3. Check logs in Microsoft Sentinel"
- }
- ],
- "id": "[variables('_uiConfigId1')]",
- "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution."
- }
- }
- },
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages",
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
- "version": "3.0.0",
+ "version": "3.0.1",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "SecurityBridge App",
"publisherDisplayName": "Christoph Nagy",
- "descriptionHtml": "
Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe SecurityBridge App solution provides the capability to ingest SecurityBridge Threat Detection events from all on-premise and cloud based SAP instances into Microsoft Sentinel.
\nThis solution is dependent on the Custom logs via AMA connector to collect the logs. The Custom logs solution will be installed as part of this solution installation.
\nNOTE: Microsoft recommends installation of Custom logs via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.
\nData Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 1
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
+ "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe SecurityBridge App solution provides the capability to ingest SecurityBridge Threat Detection events from all on-premise and cloud based SAP instances into Microsoft Sentinel.
\nThis solution is dependent on the Custom logs via AMA connector to collect the logs. The Custom logs solution will be installed as part of this solution installation.
\nNOTE: Microsoft recommends installation of Custom logs via AMA Connector. Legacy connector uses the Log Analytics agent which were deprecated on Aug 31, 2024. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.
\nParsers: 1, Workbooks: 1, Analytic Rules: 1
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
 "contentKind": "Solution",
 "contentProductId": "[variables('_solutioncontentProductId')]",
 "id": "[variables('_solutioncontentProductId')]",
@@ -905,11 +459,6 @@
 "contentId": "[variables('parserObject1').parserContentId1]",
 "version": "[variables('parserObject1').parserVersion1]"
 },
- {
- "kind": "DataConnector",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "version": "[variables('dataConnectorVersion1')]"
- },
 {
 "kind": "Solution",
 "contentId": "azuresentinel.azure-sentinel-solution-customlogsviaama"
diff --git a/Solutions/SecurityBridge App/ReleaseNotes.md b/Solutions/SecurityBridge App/ReleaseNotes.md
index 9565a491746..1c8f09758e7 100644
--- a/Solutions/SecurityBridge App/ReleaseNotes.md
+++ b/Solutions/SecurityBridge App/ReleaseNotes.md
@@ -1,3 +1,4 @@
-| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
-|-------------|--------------------------------|--------------------------------|
-| 3.0.0 | 08-08-2024 | Deprecating data connectors |
\ No newline at end of file
+| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
+|-------------|--------------------------------|-----------------------------------------|
+| 3.0.1 | 07-01-2025 | Removed Deprecated **Data connector** |
+| 3.0.0 | 08-08-2024 | Deprecating data connectors |
\ No newline at end of file
diff --git a/Solutions/iboss/Data/Solution_iboss.json b/Solutions/iboss/Data/Solution_iboss.json
index 397789ba72e..1fb7b4b2ee5 100644
--- a/Solutions/iboss/Data/Solution_iboss.json
+++ b/Solutions/iboss/Data/Solution_iboss.json
@@ -2,9 +2,8 @@
 "Name": "iboss",
 "Author": "iboss",
 "Logo": "Note: Please refer to the following before installing the solution:
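Review bot: The `dependencies` entry for `_dataConnectorContentId1` / `dataConnectorVersion1` is removed here, but the `variables` block that defines those two names lies outside this hunk; if nothing else references them once the connector resource removed above is gone, they should be deleted as well so the template does not keep definitions for a contentId that is never deployed. Ingestion into `SecurityBridgeLogs_CL` now depends solely on the `azuresentinel.azure-sentinel-solution-customlogsviaama` dependency, so confirm that entry carries a minimum `version` (its `version` line falls just outside the hunk) — an install on a workspace that lacks the AMA custom-logs connector should fail visibly rather than leave the analytic rule with no data source. I cannot tell from this hunk whether the variables were cleaned up, so treat this as a request to check rather than a confirmed defect.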
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe iboss Solution provides means to connect your Threat Console to Microsoft Sentinel and enrich your instance with iboss URL event logs. Our logs are forwarded in Common Event Format (CEF) over Syslog and the configuration required can be completed on the iboss platform without the use of a proxy. Take advantage of our connector to garner critical data points and gain insight into security threats.
\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.
\nNOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.
\nData Connectors: 2, Parsers: 1, Workbooks: 2
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
+ "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe iboss Solution provides means to connect your Threat Console to Microsoft Sentinel and enrich your instance with iboss URL event logs. Our logs are forwarded in Common Event Format (CEF) over Syslog and the configuration required can be completed on the iboss platform without the use of a proxy. Take advantage of our connector to garner critical data points and gain insight into security threats.
\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.
\nNOTE: Microsoft recommends installation of CEF via AMA Connector. Legacy connector uses the Log Analytics agent which were deprecated on Aug 31, 2024.
\nData Connectors: 1, Parsers: 1, Workbooks: 2
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
 "contentKind": "Solution",
 "contentProductId": "[variables('_solutioncontentProductId')]",
 "id": "[variables('_solutioncontentProductId')]",
@@ -1055,11 +718,6 @@
 "contentId": "[variables('_dataConnectorContentId1')]",
 "version": "[variables('dataConnectorVersion1')]"
 },
- {
- "kind": "DataConnector",
- "contentId": "[variables('_dataConnectorContentId2')]",
- "version": "[variables('dataConnectorVersion2')]"
- },
 {
 "kind": "Parser",
 "contentId": "[variables('parserObject1').parserContentId1]",
diff --git a/Solutions/iboss/ReleaseNotes.md b/Solutions/iboss/ReleaseNotes.md
index 58d573f3bbc..be36fcc0774 100644
--- a/Solutions/iboss/ReleaseNotes.md
+++ b/Solutions/iboss/ReleaseNotes.md
@@ -1,4 +1,7 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|--------------------------------------------------------------------|
+| 3.1.2 | 07-01-2025 | Removed Deprecated **Data connector** |
+| 3.1.1 | 18-09-2024 | Updated AMA and legacy OMS connector to use new iboss field |
+| 3.1.0 | 05-09-2024 | Updated AMA connector with iboss specific instructions |
 | 3.0.1 | 12-07-2024 | Deprecating data connectors |
 | 3.0.0 | 20-09-2023 | Addition of new Iboss AMA **Data Connector** |
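Review bot: This hunk keeps the `_dataConnectorContentId1` dependency and drops `_dataConnectorContentId2`, yet the release notes in the same commit record the AMA connector as the one added in 3.0.0 on top of an already existing connector, which would ordinarily make it the second-numbered one; if the packaging tool numbers connectors by their order in Solution_iboss.json (also edited in this diff), confirm that `_dataConnectorContentId1` now resolves to the CEF-via-AMA connector and not to the deprecated agent-based one, otherwise the package would advertise "Data Connectors: 1" while shipping exactly the connector its own description calls deprecated. The `variables` definitions for `_dataConnectorContentId2` and `dataConnectorVersion2` are not visible here; if they are no longer referenced after this removal they should be dropped too. A short line in the release note saying that the CEF table is unchanged and only the collection path moves to AMA would help operators verify that existing detections keep receiving iboss events after the upgrade.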