Merge pull request #104623 from rkarlin/sentinel-rsa-updates

preeti updates new connectors

Author: PMEds28

articles/sentinel/TOC.yml

@@ -54,6 +54,8 @@
         href: connect-azure-atp.md
       - name: Azure Security Center
         href: connect-azure-security-center.md
+      - name: Azure Security Center for IoT
+        href: connect-asc-iot.md
       - name: Domain name server
         href: connect-dns.md
       - name: Microsoft web application firewall
@@ -65,17 +67,23 @@
     - name: Connect external solutions
       items:
       - name: Barracuda
-        href: connect-barracuda.md
-      - name: F5 BIG-IP
-        href: connect-f5-big-ip.md
-      - name: Syslog
-        href: connect-syslog.md
-      - name: Symantec ICDX
-        href: connect-symantec.md
+        href: connect-barracuda.md 
       - name: Barracuda CloudGen Firewall
         href: connect-barracuda-cloudgen-firewall.md
       - name: Citrix Analytics (Security)
         href: connect-citrix-analytics.md
+      - name: F5 BIG-IP
+        href: connect-f5-big-ip.md
+      - name: Forcepoint DLP
+        href: connect-forcepoint-dlp.md 
+      - name: Squadra Technologies secRMM
+        href: connect-squadra-secrmm.md
+      - name: Symantec ICDX
+        href: connect-symantec.md
+      - name: Syslog
+        href: connect-syslog.md
+      - name: Zimperium Mobile Threat Defense
+        href: connect-zimperium-mtd.md
       - name: CEF-based solutions
         href: connect-common-event-format.md
         items:  
@@ -92,6 +100,8 @@
             href: connect-extrahop.md
           - name: F5 
             href: connect-f5.md  
+          - name: Forcepoint products
+            href: connect-forcepoint-casb-ngfw.md
           - name: Fortinet
             href: connect-fortinet.md
           - name: One Identity Safeguard

articles/sentinel/connect-asc-iot.md

@@ -0,0 +1,71 @@
+---
+title: Connect Azure Security Center for IoT to Azure Sentinel | Microsoft Docs
+description: Learn how to connect Azure Security Center for IoT data to Azure Sentinel.
+services: sentinel
+documentationcenter: na
+author: rkarlin
+manager: rkarlin
+editor: ''
+ms.service: azure-sentinel
+ms.subservice: azure-sentinel
+ms.devlang: na
+ms.topic: conceptual
+ms.tgt_pltfrm: na
+ms.workload: na
+ms.date: 02/18/2020
+ms.author: rkarlin
+
+---
+
+
+# Connect your data from Azure Security Center for IoT to Azure Sentinel 
+
+
+> [!IMPORTANT]
+> The Azure Security Center for IoT data connector is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
+
+Use the Azure Security Center for IoT connector to stream all your Azure Security Center for IoT events into Azure Sentinel. 
+
+## Prerequisites
+
+- **Read** and **Write** permissions on the Workspace onto which Azure Sentinel is deployed
+- **Azure Security Center for IoT** must be **enabled** on your relevant IoT Hub(s)
+- **Read** and **Write** permissions on the **Azure IoT Hub** you want to connect
+- **Read** and **Write** permissions on the **Azure IoT Hub resource group**
+
+> [!NOTE]
+> While you must enable the Azure Security Center **Standard** tier license on your subscription to stream IoT resource alerts to Azure Sentinel, you only need to enable the Azure Security Center **Free** tier license on your subscription to view Azure Security Center for IoT alerts in Azure Sentinel. 
+
+## Connect to Azure Security Center for IoT
+
+1. In Azure Sentinel, select **Data connectors** and then click the **Azure Security Center for IoT** tile.
+1. From the bottom right pane, click **Open connector page**. 
+1. Click **Connect**, next to each IoT Hub subscription whose alerts and device alerts you want to stream into Azure Sentinel. 
+    - If Azure Security Center for IoT is not enabled on that Hub, you’ll see an **Enable** warning message. Click the **Enable** link to start the service. 
+1. You can decide whether you want the alerts from Azure Security Center for IoT to automatically generate incidents in Azure Sentinel. Under **Create incidents**,  select **Enable** to enable the default analytic rule to create incidents automatically from alerts generated in the connected security service.This rule can be changed or edited under **Analytics** > **Active** rules.
+
+> [!NOTE]
+> It can take some time for the hub list to refresh after making connection changes. 
+
+## Log Analytics alert display
+
+To use the relevant schema in Log Analytics to display  the Azure Security Center for IoT alerts:
+
+1. Open **Logs** > **SecurityInsights** > **SecurityAlert**, or search for **SecurityAlert**. 
+2. Filter to see only Azure Security Center for IoT generated alerts using the following kql filter:
+
+```kusto
+SecurityAlert | where ProductName == "Azure Security Center for IoT"
+``` 
+
+### Service notes
+
+After connecting an IoT Hub, the hub data is available in Azure Sentinel approximately 15 minutes later.
+
+
+## Next steps
+
+In this document, you learned how to connect Azure Security Center for IoT data to Azure Sentinel. To learn more about Azure Sentinel, see the following articles:
+- Learn how to [get visibility into your data, and potential threats](quickstart-get-visibility.md).
+- Get started [detecting threats with Azure Sentinel](tutorial-detect-threats-built-in.md).
+- [Use workbooks](tutorial-monitor-your-data.md) to monitor your data.

articles/sentinel/connect-data-sources.md

@@ -41,35 +41,46 @@ The following data connection methods are supported by Azure Sentinel:
 
 - **Service to service integration**:<br> Some services are connected natively, such as AWS and Microsoft services, these services leverage the Azure foundation for out-of-the box integration, the following solutions can be connected in a few clicks:
     - [Amazon Web Services - CloudTrail](connect-aws.md)
-    - [Office 365](connect-office-365.md)
-    - [Azure AD audit logs and sign-ins](connect-azure-active-directory.md)
     - [Azure Activity](connect-azure-activity.md)
+    - [Azure AD audit logs and sign-ins](connect-azure-active-directory.md)
     - [Azure AD Identity Protection](connect-azure-ad-Identity-protection.md)
-    - [Azure Security Center](connect-azure-security-center.md)
-    - [Azure Information Protection](connect-azure-information-protection.md)
     - [Azure Advanced Threat Protection](connect-azure-atp.md)
+    - [Azure Information Protection](connect-azure-information-protection.md)
+    - [Azure Security Center](connect-azure-security-center.md)
     - [Cloud App Security](connect-cloud-app-security.md)
+    - [Domain name server](connect-dns.md)
+    - [Office 365](connect-office-365.md)
+    - [Microsoft Defender ATP](connect-microsoft-defender-advanced-threat-protection.md)
+    - [Microsoft web application firewall](connect-microsoft-waf.md)
     - [Windows security events](connect-windows-security-events.md) 
     - [Windows firewall](connect-windows-firewall.md)
+    - [Windows security events](connect-windows-security-events.md)
 
 - **External solutions via API**: Some data sources are connected using APIs that are provided by the connected data source. Typically, most security technologies provide a set of APIs through which event logs can be retrieved.The APIs connect to Azure Sentinel and gather specific data types and send them to Azure Log Analytics. Appliances connected via API include:
     - [Barracuda](connect-barracuda.md)
-    - [Symantec](connect-symantec.md)
+    - [Barracuda CloudGen Firewall](connect-barracuda-cloudgen-firewall.md)
     - [Citrix Analytics (Security)](connect-citrix-analytics.md)
+    - [F5 BIG-IP](connect-f5-big-ip.md)
+    - [Forcepoint DLP](connect-forcepoint-dlp.md)
+    - [Squadra Technologies secRMM](connect-squadra-secrmm.md)
+    - [Symantec ICDX](connect-symantec.md)
+    - [Zimperium](connect-zimperium-mtd.md)
+
 
 - **External solutions via agent**: Azure Sentinel can be connected to all other data sources that can perform real-time log streaming using the Syslog protocol, via an agent. <br>Most appliances use the Syslog protocol to send event messages that include the log itself and data about the log. The format of the logs varies, but most appliances support the Common Event Format (CEF) based formatting for logs data. <br>The Azure Sentinel agent, which is based on the Log Analytics agent, converts CEF formatted logs into a format that can be ingested by Log Analytics. Depending on the appliance type, the agent is installed either directly on the appliance, or on a dedicated Linux server. The agent for Linux receives events from the Syslog daemon over UDP, but if a Linux machine is expected to collect a high volume of Syslog events, they are sent over TCP from the Syslog daemon to the agent and from there to Log Analytics.
     - Firewalls, proxies, and endpoints:
-        - [F5](connect-f5.md)
         - [Check Point](connect-checkpoint.md)
         - [Cisco ASA](connect-cisco.md)
+        - [ExtraHop Reveal(x)](connect-extrahop.md)
+        - [F5](connect-f5.md)
+        - [Forcepoint products](connect-forcepoint-casb-ngfw.md)
         - [Fortinet](connect-fortinet.md)
-        - [Palo Alto](connect-paloalto.md)
+        - [Palo Alto Networks](connect-paloalto.md)
+        - [One Identity Safeguard](connect-one-identity.md)
         - [Other CEF appliances](connect-common-event-format.md)
         - [Other Syslog appliances](connect-syslog.md)
-        - [Barracuda CloudGen Firewall](connect-barracuda-cloudgen-firewall.md)
-        - [ExtraHop Reveal(x)](connect-extrahop.md)
-        - [One Identity Safeguard](connect-one-identity.md)
         - [Trend Micro Deep Security](connect-trend-micro.md)
+        - [Zscaler](connect-zscaler.md)
     - DLP solutions
     - [Threat intelligence providers](connect-threat-intelligence.md)
     - [DNS machines](connect-dns.md) - agent installed directly on the DNS machine

articles/sentinel/connect-forcepoint-casb-ngfw.md

@@ -0,0 +1,57 @@
+---
+title: Connect Forcepoint products to Azure Sentinel| Microsoft Docs
+description: Learn how to connect Forcepoint products to Azure Sentinel.
+services: sentinel
+author: rkarlin
+editor: ''
+
+ms.service: azure-sentinel
+ms.subservice: azure-sentinel
+ms.devlang: na
+ms.topic: conceptual
+ms.tgt_pltfrm: na
+ms.workload: na
+ms.date: 02/20/2020
+ms.author: rkarlin
+
+---
+
+
+# Connect your Forcepoint products to Azure Sentinel
+
+> [!IMPORTANT]
+> The Forcepoint products data connector in Azure Sentinel is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
+
+
+This article explains how to connect your Forcepoint products to Azure Sentinel. 
+
+The Forcepoint data connectors allow you to connect Forcepoint Cloud Access Security Broker and Forcepoint Next Generation Firewall logs with Azure Sentinel. In this way you can automatically export user-defined logs into Azure Sentinel in real time. The connector gives you enriched visibility into user activities recorded by Forcepoint products. It also enables further correlation with data from Azure workloads and other feeds, and improves monitoring capability with Workbooks inside Azure Sentinel.
+
+> [!NOTE]
+> Data will be stored in the geographic location of the workspace on which you are running Azure Sentinel.
+
+​
+
+## Forward Forcepoint product logs to the Syslog agent 
+
+​Configure the Forcepoint product to forward Syslog messages in CEF format to your Azure workspace via the Syslog agent.
+
+1. Set up the Forcepoint product to Azure Sentinel integration as described in the following installation guides:
+ - [Forcepoint CASB Integration Guide](https://frcpnt.com/casb-sentinel)
+ - [Forcepoint NGFW Integration Guide](https://frcpnt.com/ngfw-sentinel)
+
+2. Search for CommonSecurityLog to use the relevant schema in Log Analytics with DeviceVendor name contains 'Forcepoint'. 
+
+3. Continue to [STEP 3: Validate connectivity](connect-cef-verify.md).
+
+
+
+## Next steps
+
+In this document, you learned how to connect Forcepoint products to Azure Sentinel. To learn more about Azure Sentinel, see the following articles:
+
+- Learn how to [get visibility into your data, and potential threats](quickstart-get-visibility.md).
+
+- Get started [detecting threats with Azure Sentinel](tutorial-detect-threats-built-in.md).
+
+- [Use workbooks](tutorial-monitor-your-data.md) to monitor your data.

articles/sentinel/connect-forcepoint-dlp.md

@@ -0,0 +1,55 @@
+---
+title: Connect Forcepoint DLP to Azure Sentinel| Microsoft Docs
+description: Learn how to connect Forcepoint DLP to Azure Sentinel.
+services: sentinel
+author: rkarlin
+editor: ''
+
+ms.service: azure-sentinel
+ms.subservice: azure-sentinel
+ms.devlang: na
+ms.topic: conceptual
+ms.tgt_pltfrm: na
+ms.workload: na
+ms.date: 02/20/2020
+ms.author: rkarlin
+
+---
+
+
+# Connect your Forcepoint DLP to Azure Sentinel
+
+> [!IMPORTANT]
+> The Forcepoint Data Loss Prevention (DLP) data connector in Azure Sentinel is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
+
+
+
+The Forcepoint DLP connector lets you automatically export DLP incident-data into Azure Sentinel. You can use it to get visibility into user activities and data loss incidents. It also enables correlations with data from Azure workloads and other feeds, and improves monitoring capability with Workbooks inside Azure Sentinel.
+​
+> [!NOTE]
+> Data will be stored in the geographic location of the workspace on which you are running Azure Sentinel.
+
+## Configure and connect Forcepoint DLP
+
+​Configure Forcepoint DLP to forward incident data in JSON format to your Azure workspace via REST API as explained in the [Forcepoint DLP Integration Guide](https://frcpnt.com/dlp-sentinel).
+
+​
+## Find your data
+
+After the Forcepoint DLP connector is set up, the data appears in Log Analytics under CustomLogs **ForcepointDLPEvents_CL**.
+
+
+To use the relevant schema in Log Analytics for Forcepoint DLP, search for **ForcepointDLPEvents_CL**.
+
+​
+## Validate connectivity
+​
+It may take upwards of 20 minutes until your logs start to appear in Log Analytics.
+
+## Next steps
+
+In this document, you learned how to connect Forcepoint DLP to Azure Sentinel. To learn more about Azure Sentinel, see the following articles:
+
+- Learn how to [get visibility into your data, and potential threats](quickstart-get-visibility.md).
+- Get started [detecting threats with Azure Sentinel](tutorial-detect-threats-built-in.md).
+- [Use workbooks](tutorial-monitor-your-data.md) to monitor your data.

articles/sentinel/connect-squadra-secrmm.md

@@ -0,0 +1,55 @@
+---
+title: Connect Squadra Technologies secRMM data to Azure Sentinel| Microsoft Docs
+description: Learn how to connect Squadra Technologies secRMM data to Azure Sentinel.
+services: sentinel
+author: rkarlin
+editor: ''
+
+ms.service: azure-sentinel
+ms.subservice: azure-sentinel
+ms.devlang: na
+ms.topic: conceptual
+ms.tgt_pltfrm: na
+ms.workload: na
+ms.date: 02/20/2020
+ms.author: rkarlin
+
+---
+
+# Connect your Squadra Technologies secRMM data to Azure Sentinel 
+
+> [!IMPORTANT]
+> The Squadra Technologies Security Removable Media Manager (secRMM) data connector in Azure Sentinel is currently in public preview.
+> This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. 
+> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
+
+
+The Squadra Technologies secRMM connector allows you to easily connect your Squadra Technologies secRMM security solution logs with Azure Sentinel. It lets you view dashboards, create custom alerts, and improve investigation. This connector gives you  insights into USB removable storage events. Integration between Squadra Technologies secRMM and Azure Sentinel makes use of REST API.
+
+
+> [!NOTE]
+> Data will be stored in the geographic location of the workspace on which you are running Azure Sentinel.
+
+## Configure and connect Squadra Technologies secRMM 
+
+Squadra Technologies secRMM can integrate and export logs directly to Azure Sentinel.
+1. In the Azure Sentinel portal, click Data connectors and select Squadra Technologies secRMM and then Open connector page.
+
+2. Follow the steps outlined in the [Squadra Technologies onboarding guide for Azure Sentinel](http://www.squadratechnologies.com/StaticContent/ProductDownload/secRMM/9.9.0.0/secRMMAzureSentinelAdministratorGuide.pdf) to get Squadra secRMM data in Azure Sentinel.   
+
+
+## Find your data
+
+After a successful connection is established, the data appears in Log Analytics under CustomLogs secRMM_CL.
+To use the relevant schema in Log Analytics for the Squadra Technologies secRMM, search for secRMM_CL.
+
+## Validate connectivity
+It may take upwards of 20 minutes until your logs start to appear in Log Analytics. 
+
+
+## Next steps
+In this document, you learned how to connect Squadra Technologies secRMM to Azure Sentinel. To learn more about Azure Sentinel, see the following articles:
+- Learn how to [get visibility into your data, and potential threats](quickstart-get-visibility.md).
+- Get started [detecting threats with Azure Sentinel](tutorial-detect-threats-built-in.md).
+- [Use workbooks](tutorial-monitor-your-data.md) to monitor your data.
+