Added links to unified-connector-custom-device

yelevin · yelevin · commit 2f0fea6b25e6 · 2024-12-30T14:49:12.000+02:00
diff --git a/articles/sentinel/unified-connector-custom-device.md b/articles/sentinel/unified-connector-custom-device.md
@@ -259,6 +259,57 @@ Follow these steps to ingest log messages from JuniperIDP:
         ```kusto
         source | parse RawData with tmp_time " " host_s " " ident_s " " tmp_pid " " msgid_s " " extradata | extend dvc_os_s = extract("\\[(junos\\S+)", 1, extradata) | extend event_end_time_s = extract(".*epoch-time=\"(\\S+)\"", 1, extradata) | extend message_type_s = extract(".*message-type=\"(\\S+)\"", 1, extradata) | extend source_address_s = extract(".*source-address=\"(\\S+)\"", 1, extradata) | extend destination_address_s = extract(".*destination-address=\"(\\S+)\"", 1, extradata) | extend destination_port_s = extract(".*destination-port=\"(\\S+)\"", 1, extradata) | extend protocol_name_s = extract(".*protocol-name=\"(\\S+)\"", 1, extradata) | extend service_name_s = extract(".*service-name=\"(\\S+)\"", 1, extradata) | extend application_name_s = extract(".*application-name=\"(\\S+)\"", 1, extradata) | extend rule_name_s = extract(".*rule-name=\"(\\S+)\"", 1, extradata) | extend rulebase_name_s = extract(".*rulebase-name=\"(\\S+)\"", 1, extradata) | extend policy_name_s = extract(".*policy-name=\"(\\S+)\"", 1, extradata) | extend export_id_s = extract(".*export-id=\"(\\S+)\"", 1, extradata) | extend repeat_count_s = extract(".*repeat-count=\"(\\S+)\"", 1, extradata) | extend action_s = extract(".*action=\"(\\S+)\"", 1, extradata) | extend threat_severity_s = extract(".*threat-severity=\"(\\S+)\"", 1, extradata) | extend attack_name_s = extract(".*attack-name=\"(\\S+)\"", 1, extradata) | extend nat_source_address_s = extract(".*nat-source-address=\"(\\S+)\"", 1, extradata) | extend nat_source_port_s = extract(".*nat-source-port=\"(\\S+)\"", 1, extradata) | extend nat_destination_address_s = extract(".*nat-destination-address=\"(\\S+)\"", 1, extradata) | extend nat_destination_port_s = extract(".*nat-destination-port=\"(\\S+)\"", 1, extradata) | extend elapsed_time_s = extract(".*elapsed-time=\"(\\S+)\"", 1, extradata) | extend inbound_bytes_s = extract(".*inbound-bytes=\"(\\S+)\"", 1, extradata) | extend outbound_bytes_s = extract(".*outbound-bytes=\"(\\S+)\"", 1, extradata) | extend inbound_packets_s = extract(".*inbound-packets=\"(\\S+)\"", 1, extradata) | extend outbound_packets_s = extract(".*outbound-packets=\"(\\S+)\"", 1, extradata) | extend source_zone_name_s = extract(".*source-zone-name=\"(\\S+)\"", 1, extradata) | extend source_interface_name_s = extract(".*source-interface-name=\"(\\S+)\"", 1, extradata) | extend destination_zone_name_s = extract(".*destination-zone-name=\"(\\S+)\"", 1, extradata) | extend destination_interface_name_s = extract(".*destination-interface-name=\"(\\S+)\"", 1, extradata) | extend packet_log_id_s = extract(".*packet-log-id=\"(\\S+)\"", 1, extradata) | extend alert_s = extract(".*alert=\"(\\S+)\"", 1, extradata) | extend username_s = extract(".*username=\"(\\S+)\"", 1, extradata) | extend roles_s = extract(".*roles=\"(\\S+)\"", 1, extradata) | extend msg_s = extract(".*message=\"(\\S+)\"", 1, extradata) | project-away RawData
         ```
+        
+        The following screenshot shows the complete query in a more readable format:
+
+        ```kusto
+        source
+        | parse RawData with tmp_time " " host_s " " ident_s " " tmp_pid " " msgid_s " " extradata
+        | extend dvc_os_s = extract("\\[(junos\\S+)", 1, extradata)
+        | extend event_end_time_s = extract(".*epoch-time=\"(\\S+)\"", 1, extradata)
+        | extend message_type_s = extract(".*message-type=\"(\\S+)\"", 1, extradata)
+        | extend source_address_s = extract(".*source-address=\"(\\S+)\"", 1, extradata)
+        | extend destination_address_s = extract(".*destination-address=\"(\\S+)\"", 1, extradata)
+        | extend destination_port_s = extract(".*destination-port=\"(\\S+)\"", 1, extradata)
+        | extend protocol_name_s = extract(".*protocol-name=\"(\\S+)\"", 1, extradata)
+        | extend service_name_s = extract(".*service-name=\"(\\S+)\"", 1, extradata)
+        | extend application_name_s = extract(".*application-name=\"(\\S+)\"", 1, extradata)
+        | extend rule_name_s = extract(".*rule-name=\"(\\S+)\"", 1, extradata)
+        | extend rulebase_name_s = extract(".*rulebase-name=\"(\\S+)\"", 1, extradata)
+        | extend policy_name_s = extract(".*policy-name=\"(\\S+)\"", 1, extradata)
+        | extend export_id_s = extract(".*export-id=\"(\\S+)\"", 1, extradata)
+        | extend repeat_count_s = extract(".*repeat-count=\"(\\S+)\"", 1, extradata)
+        | extend action_s = extract(".*action=\"(\\S+)\"", 1, extradata)
+        | extend threat_severity_s = extract(".*threat-severity=\"(\\S+)\"", 1, extradata)
+        | extend attack_name_s = extract(".*attack-name=\"(\\S+)\"", 1, extradata)
+        | extend nat_source_address_s = extract(".*nat-source-address=\"(\\S+)\"", 1, extradata)
+        | extend nat_source_port_s = extract(".*nat-source-port=\"(\\S+)\"", 1, extradata)
+        | extend nat_destination_address_s = extract(".*nat-destination-address=\"(\\S+)\"", 1, extradata)
+        | extend nat_destination_port_s = extract(".*nat-destination-port=\"(\\S+)\"", 1, extradata)
+        | extend elapsed_time_s = extract(".*elapsed-time=\"(\\S+)\"", 1, extradata)
+        | extend inbound_bytes_s = extract(".*inbound-bytes=\"(\\S+)\"", 1, extradata)
+        | extend outbound_bytes_s = extract(".*outbound-bytes=\"(\\S+)\"", 1, extradata)
+        | extend inbound_packets_s = extract(".*inbound-packets=\"(\\S+)\"", 1, extradata)
+        | extend outbound_packets_s = extract(".*outbound-packets=\"(\\S+)\"", 1, extradata)
+        | extend source_zone_name_s = extract(".*source-zone-name=\"(\\S+)\"", 1, extradata)
+        | extend source_interface_name_s = extract(".*source-interface-name=\"(\\S+)\"", 1, extradata)
+        | extend destination_zone_name_s = extract(".*destination-zone-name=\"(\\S+)\"", 1, extradata)
+        | extend destination_interface_name_s = extract(".*destination-interface-name=\"(\\S+)\"", 1, extradata)
+        | extend packet_log_id_s = extract(".*packet-log-id=\"(\\S+)\"", 1, extradata)
+        | extend alert_s = extract(".*alert=\"(\\S+)\"", 1, extradata)
+        | extend username_s = extract(".*username=\"(\\S+)\"", 1, extradata)
+        | extend roles_s = extract(".*roles=\"(\\S+)\"", 1, extradata)
+        | extend msg_s = extract(".*message=\"(\\S+)\"", 1, extradata)
+        | project-away RawData
+        ```
+
+        See more information on the following items used in the preceding examples, in the Kusto documentation:
+        - [***parse*** operator](/kusto/query/parse-operator?view=microsoft-sentinel&preserve-view=true)
+        - [***extend*** operator](/kusto/query/extend-operator?view=microsoft-sentinel&preserve-view=true)
+        - [***extract*** function](/kusto/query/extract-function?view=microsoft-sentinel&preserve-view=true)
+        - [***project-away*** operator](/kusto/query/project-away-operator?view=microsoft-sentinel&preserve-view=true)
+
+        [!INCLUDE [kusto-reference-general-no-alert](includes/kusto-reference-general-no-alert.md)]
 
 1. Configure the machine where the Azure Monitor Agent is installed to open the syslog ports, and configure the syslog daemon there to accept messages from external sources. For detailed instructions and a script to automate this configuration, see [Configure the log forwarder to accept logs](connect-custom-logs-ama.md#configure-the-log-forwarder-to-accept-logs).
 
