Sentinel auto-gen data connectors - add 3 new DCs

Author: cwatson-cat

articles/sentinel/TOC.yml

@@ -291,6 +291,8 @@
         href: data-connectors/aruba-clearpass.md
       - name: Atlassian Confluence Audit (using Azure Function)
         href: data-connectors/atlassian-confluence-audit-using-azure-function.md
+      - name: Atlassian Jira Audit (using Azure Function)
+        href: data-connectors/atlassian-jira-audit-using-azure-function.md
       - name: Auth0 Access Management (using Azure Function)
         href: data-connectors/auth0-access-management-using-azure-function.md
       - name: Automated Logic WebCTRL
@@ -351,6 +353,8 @@
         href: data-connectors/cisco-duo-security-using-azure-function.md
       - name: Cisco Firepower eStreamer
         href: data-connectors/cisco-firepower-estreamer.md
+      - name: Cisco Identity Services Engine
+        href: data-connectors/cisco-identity-services-engine.md
       - name: Cisco Meraki
         href: data-connectors/cisco-meraki.md
       - name: Cisco Secure Email Gateway
@@ -481,6 +485,8 @@
         href: data-connectors/imperva-cloud-waf-using-azure-function.md
       - name: Infoblox Cloud Data Connector
         href: data-connectors/infoblox-cloud-data-connector.md
+      - name: Infoblox NIOS
+        href: data-connectors/infoblox-nios.md
       - name: InfoSecGlobal Data Connector
         href: data-connectors/infosecglobal-data-connector.md
       - name: ISC Bind

articles/sentinel/data-connectors-reference.md

@@ -3,7 +3,7 @@ title: Find your Microsoft Sentinel data connector | Microsoft Docs
 description: Learn about specific configuration steps for Microsoft Sentinel data connectors.
 author: cwatson-cat
 ms.topic: reference
-ms.date: 03/25/2023
+ms.date: 04/18/2023
 ms.author: cwatson
 ---
 
@@ -84,6 +84,7 @@ Data connectors are available as part of the following offerings:
 ## Atlassian
 
 - [Atlassian Confluence Audit (using Azure Function)](data-connectors/atlassian-confluence-audit-using-azure-function.md)
+- [Atlassian Jira Audit (using Azure Function)](data-connectors/atlassian-jira-audit-using-azure-function.md)
 
 ## Auth0
 
@@ -119,6 +120,7 @@ Data connectors are available as part of the following offerings:
 - [Cisco ASA](data-connectors/cisco-asa.md)
 - [Cisco ASA/FTD via AMA (Preview)](data-connectors/cisco-asa-ftd-via-ama.md)
 - [Cisco Duo Security (using Azure Function)](data-connectors/cisco-duo-security-using-azure-function.md)
+- [Cisco Identity Services Engine](data-connectors/cisco-identity-services-engine.md)
 - [Cisco Meraki](data-connectors/cisco-meraki.md)
 - [Cisco Secure Email Gateway](data-connectors/cisco-secure-email-gateway.md)
 - [Cisco Secure Endpoint (AMP) (using Azure Function)](data-connectors/cisco-secure-endpoint-amp-using-azure-function.md)
@@ -226,7 +228,7 @@ Data connectors are available as part of the following offerings:
 
 - [ExtraHop Reveal(x)](data-connectors/extrahop-reveal-x.md)
 
-## F5 Networks
+## F5, Inc.
 
 - [F5 BIG-IP](data-connectors/f5-big-ip.md)
 - [F5 Networks](data-connectors/f5-networks.md)
@@ -284,6 +286,10 @@ Data connectors are available as part of the following offerings:
 
 - [Imperva Cloud WAF (using Azure Function)](data-connectors/imperva-cloud-waf-using-azure-function.md)
 
+## Infoblox
+
+- [Infoblox NIOS](data-connectors/infoblox-nios.md)
+
 ## Infoblox Inc.
 
 - [Infoblox Cloud Data Connector](data-connectors/infoblox-cloud-data-connector.md)

articles/sentinel/data-connectors/atlassian-jira-audit-using-azure-function.md

@@ -0,0 +1,136 @@
+---
+title: "Atlassian Jira Audit (using Azure Function) connector for Microsoft Sentinel"
+description: "Learn how to install the connector Atlassian Jira Audit (using Azure Function) to connect your data source to Microsoft Sentinel."
+author: cwatson-cat
+ms.topic: how-to
+ms.date: 04/18/2023
+ms.service: microsoft-sentinel
+ms.author: cwatson
+---
+
+# Atlassian Jira Audit (using Azure Function) connector for Microsoft Sentinel
+
+The [Atlassian Jira](https://www.atlassian.com/software/jira) Audit data connector provides the capability to ingest [Jira Audit Records](https://support.atlassian.com/jira-cloud-administration/docs/audit-activities-in-jira-applications/) events into Microsoft Sentinel through the REST API. Refer to [API documentation](https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-audit-records/) for more information. The connector provides ability to get events which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more.
+
+## Connector attributes
+
+| Connector attribute | Description |
+| --- | --- |
+| **Application settings** | JiraUsername<br/>JiraAccessToken<br/>JiraHomeSiteName<br/>WorkspaceID<br/>WorkspaceKey<br/>logAnalyticsUri (optional) |
+| **Azure function app code** | https://aka.ms/sentinel-jiraauditapi-functionapp |
+| **Kusto function alias** | JiraAudit |
+| **Kusto function url** | https://aka.ms/sentinel-jiraauditapi-parser |
+| **Log Analytics table(s)** | Jira_Audit_CL<br/> |
+| **Data collection rules support** | Not currently supported |
+| **Supported by** | [Microsoft Corporation](https://support.microsoft.com) |
+
+## Query samples
+
+**Jira Audit Events - All Activities**
+   ```kusto
+JiraAudit
+ 
+   | sort by TimeGenerated desc
+   ```
+
+
+
+## Prerequisites
+
+To integrate with Atlassian Jira Audit (using Azure Function) make sure you have: 
+
+- **Microsoft.Web/sites permissions**: Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://learn.microsoft.com/azure/azure-functions/).
+- **REST API Credentials/permissions**: **JiraAccessToken**, **JiraUsername** is required for REST API. [See the documentation to learn more about API](https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-audit-records/). Check all [requirements and follow  the instructions](https://developer.atlassian.com/cloud/jira/platform/rest/v3/intro/#authentication) for obtaining credentials.
+
+
+## Vendor installation instructions
+
+
+> [!NOTE]
+   >  This connector uses Azure Functions to connect to the Jira REST API to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details.
+
+
+>**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://learn.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App.
+
+
+> [!NOTE]
+   >  This data connector depends on a parser based on a Kusto Function to work as expected. [Follow these steps](https://aka.ms/sentinel-jiraauditapi-parser) to create the Kusto functions alias, **JiraAudit**
+
+
+**STEP 1 - Configuration steps for the Jira API**
+
+ [Follow the instructions](https://developer.atlassian.com/cloud/jira/platform/rest/v3/intro/#authentication) to obtain the credentials. 
+
+
+
+**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**
+
+>**IMPORTANT:** Before deploying the Workspace data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following).
+
+
+
+Option 1 - Azure Resource Manager (ARM) Template
+
+Use this method for automated deployment of the Jira Audit data connector using an ARM Tempate.
+
+1. Click the **Deploy to Azure** button below. 
+
+	[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentineljiraauditazuredeploy)
+2. Select the preferred **Subscription**, **Resource Group** and **Location**. 
+> **NOTE:** Within the same resource group, you can't mix Windows and Linux apps in the same region. Select existing resource group without Windows apps in it or create new resource group.
+3. Enter the **JiraAccessToken**, **JiraUsername**, **JiraHomeSiteName** (short site name part, as example HOMESITENAME from https://HOMESITENAME.atlassian.net) and deploy. 
+4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. 
+5. Click **Purchase** to deploy.
+
+Option 2 - Manual Deployment of Azure Functions
+
+Use the following step-by-step instructions to deploy the Jira Audit data connector manually with Azure Functions (Deployment via Visual Studio Code).
+
+
+**1. Deploy a Function App**
+
+> **NOTE:** You will need to [prepare VS code](https://learn.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.
+
+1. Download the [Azure Function App](https://aka.ms/sentinel-jiraauditapi-functionapp) file. Extract archive to your local development computer.
+2. Start VS Code. Choose File in the main menu and select Open Folder.
+3. Select the top level folder from extracted files.
+4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.
+If you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**
+If you're already signed in, go to the next step.
+5. Provide the following information at the prompts:
+
+	a. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.
+
+	b. **Select Subscription:** Choose the subscription to use.
+
+	c. Select **Create new Function App in Azure** (Don't choose the Advanced option)
+
+	d. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. JiraAuditXXXXX).
+
+	e. **Select a runtime:** Choose Python 3.8.
+
+	f. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.
+
+6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.
+7. Go to Azure Portal for the Function App configuration.
+
+
+**2. Configure the Function App**
+
+1. In the Function App, select the Function App Name and select **Configuration**.
+2. In the **Application settings** tab, select ** New application setting**.
+3. Add each of the following application settings individually, with their respective string values (case-sensitive): 
+		JiraUsername
+		JiraAccessToken
+		JiraHomeSiteName
+		WorkspaceID
+		WorkspaceKey
+		logAnalyticsUri (optional)
+> - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://<CustomerId>.ods.opinsights.azure.us`.
+3. Once all application settings have been entered, click **Save**.
+
+
+
+## Next steps
+
+For more information, go to the [related solution](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/azuresentinel.azure-sentinel-solution-atlassianjiraaudit?tab=Overview) in the Azure Marketplace.

articles/sentinel/data-connectors/cisco-identity-services-engine.md

@@ -0,0 +1,68 @@
+---
+title: "Cisco Identity Services Engine connector for Microsoft Sentinel"
+description: "Learn how to install the connector Cisco Identity Services Engine to connect your data source to Microsoft Sentinel."
+author: cwatson-cat
+ms.topic: how-to
+ms.date: 04/18/2023
+ms.service: microsoft-sentinel
+ms.author: cwatson
+---
+
+# Cisco Identity Services Engine connector for Microsoft Sentinel
+
+The Cisco Identity Services Engine (ISE) data connector provides the capability to ingest [Cisco ISE](https://www.cisco.com/c/en/us/products/security/identity-services-engine/index.html) events with Microsoft Sentinel. It helps you gain visibility into what is happening in your network, such as who is connected, which applications are installed and running, and much more. Refer to [Cisco ISE logging mechanism documentation](https://www.cisco.com/c/en/us/td/docs/security/ise/2-7/admin_guide/b_ise_27_admin_guide/b_ISE_admin_27_maintain_monitor.html#reference_BAFBA5FA046A45938810A5DF04C00591) for more information.
+
+## Connector attributes
+
+| Connector attribute | Description |
+| --- | --- |
+| **Kusto function alias** | CiscoISEEvent |
+| **Kusto function url** | https://aka.ms/sentinel-ciscoise-parser |
+| **Log Analytics table(s)** | Syslog(CiscoISE)<br/> |
+| **Data collection rules support** | [Workspace transform DCR](/azure/azure-monitor/logs/tutorial-workspace-transformations-portal) |
+| **Supported by** | [Microsoft Corporation](https://support.microsoft.com) |
+
+## Query samples
+
+**Top 10 Reporting Devices**
+   ```kusto
+CiscoISEEvent
+ 
+   | summarize count() by DvcHostname
+ 
+   | top 10 by count_
+   ```
+
+
+
+## Vendor installation instructions
+
+
+> [!NOTE]
+   >  This data connector depends on a parser based on a Kusto Function to work as expected. [Follow these steps](https://aka.ms/sentinel-ciscoise-parser) to create the Kusto Functions alias, **CiscoISEEvent**
+
+1. Install and onboard the agent for Linux
+
+Typically, you should install the agent on a different computer from the one on which the logs are generated.
+
+>  Syslog logs are collected only from **Linux** agents.
+
+
+2. Configure the logs to be collected
+
+Configure the facilities you want to collect and their severities.
+
+1.  Under workspace advanced settings **Configuration**, select **Data** and then **Syslog**.
+2.  Select **Apply below configuration to my machines** and select the facilities and severities.
+3.  Click **Save**.
+
+
+3. Configure Cisco ISE Remote Syslog Collection Locations
+
+[Follow these instructions](https://www.cisco.com/c/en/us/td/docs/security/ise/2-7/admin_guide/b_ise_27_admin_guide/b_ISE_admin_27_maintain_monitor.html#ID58) to configure remote syslog collection locations in your Cisco ISE deployment.
+
+
+
+## Next steps
+
+For more information, go to the [related solution](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/azuresentinel.azure-sentinel-solution-ciscoise?tab=Overview) in the Azure Marketplace.

articles/sentinel/data-connectors/infoblox-nios.md

@@ -0,0 +1,79 @@
+---
+title: "Infoblox NIOS connector for Microsoft Sentinel"
+description: "Learn how to install the connector Infoblox NIOS to connect your data source to Microsoft Sentinel."
+author: cwatson-cat
+ms.topic: how-to
+ms.date: 04/18/2023
+ms.service: microsoft-sentinel
+ms.author: cwatson
+---
+
+# Infoblox NIOS connector for Microsoft Sentinel
+
+The [Infoblox Network Identity Operating System (NIOS)](https://www.infoblox.com/glossary/network-identity-operating-system-nios/) connector allows you to easily connect your Infoblox NIOS logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities.
+
+## Connector attributes
+
+| Connector attribute | Description |
+| --- | --- |
+| **Log Analytics table(s)** | Syslog (InfobloxNIOS)<br/> |
+| **Data collection rules support** | [Workspace transform DCR](/azure/azure-monitor/logs/tutorial-workspace-transformations-portal) |
+| **Supported by** | [Infoblox](https://www.infoblox.com/support/) |
+
+## Query samples
+
+**Total Count by DHCP Request Message Types**
+   ```kusto
+union isfuzzy=true 
+ Infoblox_dhcpdiscover,Infoblox_dhcprequest,Infoblox_dhcpinform 
+
+   | summarize count() by Log_Type
+   ```
+
+**Top 5 Source IP address**
+   ```kusto
+Infoblox_dnsclient 
+ 
+   | summarize count() by SrcIpAddr 
+ 
+   | top 10 by count_ desc
+   ```
+
+
+
+## Prerequisites
+
+To integrate with Infoblox NIOS make sure you have: 
+
+- **Infoblox NIOS**: must be configured to export logs via Syslog
+
+
+## Vendor installation instructions
+
+
+**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias Infoblox and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox%20NIOS/Parser/Infoblox.txt), on the second line of the query, enter the hostname(s) of your Infoblox device(s) and any other unique identifiers for the logstream. The function usually takes 10-15 minutes to activate after solution installation/update.
+
+1. Install and onboard the agent for Linux
+
+Typically, you should install the agent on a different computer from the one on which the logs are generated.
+
+>  Syslog logs are collected only from **Linux** agents.
+
+
+2. Configure the logs to be collected
+
+Configure the facilities you want to collect and their severities.
+ 1. Under workspace advanced settings **Configuration**, select **Data** and then **Syslog**.
+ 2. Select **Apply below configuration to my machines** and select the facilities and severities.
+ 3.  Click **Save**.
+
+
+3. Configure and connect the Infoblox NIOS
+
+[Follow these instructions](https://www.infoblox.com/wp-content/uploads/infoblox-deployment-guide-slog-and-snmp-configuration-for-nios.pdf) to enable syslog forwarding of Infoblox NIOS Logs. Use the IP address or hostname for the Linux device with the Linux agent installed as the Destination IP address.
+
+
+
+## Next steps
+
+For more information, go to the [related solution](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/azuresentinel.azure-sentinel-solution-infobloxnios?tab=Overview) in the Azure Marketplace.