Merge pull request #292454 from Saisang/sai-dataconnectors-20241224

Data connectors update 2024-12

Author: v-dirichards

.openpublishing.redirection.json

@@ -4471,6 +4471,11 @@
       "source_path_from_root": "/articles/fasttrack/index.yml",
       "redirect_url": "/azure",
       "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/sentinel/data-connectors/threat-intelligence-upload-indicators-api.md",
+      "redirect_url": "/azure/sentinel/data-connectors/threat-intelligence-upload-api",
+      "redirect_document_id": false
     }
   ]
 }

articles/sentinel/TOC.yml

@@ -362,6 +362,8 @@
       href: data-connectors/cortex-xdr-incidents.md
     - name: Cribl
       href: data-connectors/cribl.md
+    - name: CTERA Syslog
+      href: data-connectors/ctera-syslog.md
     - name: CrowdStrike Falcon Adversary Intelligence (using Azure Functions)
       href: data-connectors/crowdstrike-falcon-adversary-intelligence.md
     - name: Crowdstrike Falcon Data Replicator (using Azure Functions)
@@ -444,6 +446,8 @@
       href: data-connectors/hyas-protect.md
     - name: Holm Security Asset Data (using Azure Functions)
       href: data-connectors/holm-security-asset-data.md
+    - name: IIS Logs of Microsoft Exchange Servers
+      href: data-connectors/iis-logs-of-microsoft-exchange-servers.md
     - name: Illumio SaaS (using Azure Functions)
       href: data-connectors/illumio-saas.md
     - name: Imperva Cloud WAF (using Azure Functions)
@@ -518,8 +522,14 @@
       href: data-connectors/microsoft-purview.md
     - name: Microsoft Purview Information Protection
       href: data-connectors/microsoft-purview-information-protection.md
+    - name: Mimecast Audit (using Azure Functions)
+      href: data-connectors/mimecast-audit.md
     - name: Mimecast Audit & Authentication (using Azure Functions)
       href: data-connectors/mimecast-audit-authentication.md
+    - name: Mimecast Awareness Training (using Azure Functions)
+      href: data-connectors/mimecast-awareness-training.md
+    - name: Mimecast Cloud Integrated (using Azure Functions)
+      href: data-connectors/mimecast-cloud-integrated.md
     - name: Mimecast Intelligence for Microsoft - Microsoft Sentinel (using Azure Functions)
       href: data-connectors/mimecast-intelligence-for-microsoft-microsoft-sentinel.md
     - name: Mimecast Secure Email Gateway (using Azure Functions)
@@ -600,6 +610,8 @@
       href: data-connectors/seraphic-web-security.md
     - name: Silverfort Admin Console
       href: data-connectors/silverfort-admin-console.md
+    - name: SINEC Security Guard
+      href: data-connectors/sinec-security-guard.md
     - name: Slack Audit (using Azure Functions)
       href: data-connectors/slack-audit.md
     - name: Snowflake (using Azure Functions)
@@ -633,7 +645,7 @@
     - name: Threat Intelligence Platforms
       href: data-connectors/threat-intelligence-platforms.md
     - name: Threat Intelligence Upload Indicators API (Preview)
-      href: data-connectors/threat-intelligence-upload-indicators-api.md
+      href: data-connectors/threat-intelligence-upload-api.md
     - name: Transmit Security Connector (using Azure Functions)
       href: data-connectors/transmit-security-connector.md
     - name: Trend Vision One (using Azure Functions)

articles/sentinel/data-connectors-reference.md

@@ -186,6 +186,10 @@ For more information about the codeless connector platform, see [Create a codele
 
 - [Cribl](data-connectors/cribl.md)
 
+## CTERA Networks Ltd
+
+- [CTERA Syslog](data-connectors/ctera-syslog.md)
+
 ## Crowdstrike
 
 - [CrowdStrike Falcon Adversary Intelligence (using Azure Functions)](data-connectors/crowdstrike-falcon-adversary-intelligence.md)
@@ -377,7 +381,7 @@ For more information about the codeless connector platform, see [Create a codele
 - [Premium Microsoft Defender Threat Intelligence (Preview)](data-connectors/premium-microsoft-defender-threat-intelligence.md)
 - [Threat intelligence - TAXII](data-connectors/threat-intelligence-taxii.md)
 - [Threat Intelligence Platforms](data-connectors/threat-intelligence-platforms.md)
-- [Threat Intelligence Upload Indicators API (Preview)](data-connectors/threat-intelligence-upload-indicators-api.md)
+- [Threat Intelligence Upload Indicators API (Preview)](data-connectors/threat-intelligence-upload-api.md)
 - [Microsoft Defender for IoT](data-connectors/microsoft-defender-for-iot.md)
 - [Windows Firewall](data-connectors/windows-firewall.md)
 - [Windows Firewall Events via AMA (Preview)](data-connectors/windows-firewall-events-via-ama.md)
@@ -398,6 +402,7 @@ For more information about the codeless connector platform, see [Create a codele
 
 - [Exchange Security Insights Online Collector (using Azure Functions)](data-connectors/exchange-security-insights-online-collector.md)
 - [Exchange Security Insights On-Premises Collector](data-connectors/exchange-security-insights-on-premises-collector.md)
+- [IIS Logs of Microsoft Exchange Servers](data-connectors/iis-logs-of-microsoft-exchange-servers.md)
 - [Microsoft Active-Directory Domain Controllers Security Event Logs](data-connectors/microsoft-active-directory-domain-controllers-security-event-logs.md)
 - [Microsoft Exchange Admin Audit Logs by Event Logs](data-connectors/microsoft-exchange-admin-audit-logs-by-event-logs.md)
 - [Microsoft Exchange HTTP Proxy Logs](data-connectors/microsoft-exchange-http-proxy-logs.md)
@@ -408,6 +413,9 @@ For more information about the codeless connector platform, see [Create a codele
 
 ## Mimecast North America
 
+- [Mimecast Audit (using Azure Functions)](data-connectors/mimecast-audit.md)
+- [Mimecast Awareness Training (using Azure Functions)](data-connectors/mimecast-awareness-training.md)
+- [Mimecast Cloud Integrated (using Azure Functions)](data-connectors/mimecast-cloud-integrated.md)
 - [Mimecast Audit & Authentication (using Azure Functions)](data-connectors/mimecast-audit-authentication.md)
 - [Mimecast Secure Email Gateway (using Azure Functions)](data-connectors/mimecast-secure-email-gateway.md)
 - [Mimecast Intelligence for Microsoft - Microsoft Sentinel (using Azure Functions)](data-connectors/mimecast-intelligence-for-microsoft-microsoft-sentinel.md)
@@ -510,6 +518,10 @@ For more information about the codeless connector platform, see [Create a codele
 
 - [Seraphic Web Security](data-connectors/seraphic-web-security.md)
 
+## Siemens DI Software
+
+- [SINEC Security Guard](data-connectors/sinec-security-guard.md)
+
 ## Silverfort Ltd.
 
 - [Silverfort Admin Console](data-connectors/silverfort-admin-console.md)

articles/sentinel/data-connectors/ctera-syslog.md

@@ -0,0 +1,135 @@
+---
+title: "CTERA Syslog connector for Microsoft Sentinel"
+description: "Learn how to install the connector CTERA Syslog to connect your data source to Microsoft Sentinel."
+author: cwatson-cat
+ms.topic: how-to
+ms.date: 12/24/2024
+ms.service: microsoft-sentinel
+ms.author: cwatson
+ms.collection: sentinel-data-connector
+---
+
+# CTERA Syslog connector for Microsoft Sentinel
+
+The CTERA Data Connector for Microsoft Sentinel offers monitoring and threat detection capabilities for your CTERA solution.
+ It includes a workbook visualizing the sum of all operations per type, deletions, and denied access operations.
+ It also provides analytic rules which detects ransomware incidents and alert you when a user is blocked due to suspicious ransomware activity.
+ Additionally, it helps you identify critical patterns such as mass access denied events, mass deletions, and mass permission changes, enabling proactive threat management and response.
+
+This is autogenerated content. For changes, contact the solution provider.
+
+## Connector attributes
+
+| Connector attribute | Description |
+| --- | --- |
+| **Log Analytics table(s)** | Syslog<br/> |
+| **Data collection rules support** | [Workspace transform DCR](/azure/azure-monitor/logs/tutorial-workspace-transformations-portal) |
+| **Supported by** | [CTERA](https://www.ctera.com/) |
+
+## Query samples
+
+**Query to find all denied operations.**
+
+   ```kusto
+Syslog
+
+   | where ProcessName == 'gw-audit'
+
+   | extend TenantName = extract("(\"vportal\":\"[^\"]*\")", 1, SyslogMessage), UserName = extract("(user=[^
+   |]*)", 1, SyslogMessage)
+
+   | extend Permission = extract("(op=[^
+   |]*)", 1, SyslogMessage)
+
+   | where Permission matches regex @"(?i).*denied.*"
+
+   | summarize Count = count() by Permission
+   ```
+
+**Query to find all delete operations.**
+
+   ```kusto
+Syslog
+
+   | where ProcessName == 'gw-audit'
+
+   | extend TenantName = extract("(\"vportal\":\"[^\"]*\")", 1, SyslogMessage), UserName = extract("(user=[^
+   |]*)", 1, SyslogMessage)
+
+   | extend Permission = extract("(op=[^
+   |]*)", 1, SyslogMessage)
+
+   | where Permission == "op=delete"
+
+   | summarize Count = count() by Permission
+   ```
+
+**Query to summarize operations by user.**
+
+   ```kusto
+Syslog
+
+   | where ProcessName == 'gw-audit'
+
+   | extend TenantName = extract("(\"vportal\":\"[^\"]*\")", 1, SyslogMessage), UserName = extract("(user=[^
+   |]*)", 1, SyslogMessage)
+
+   | extend Permission = extract("(op=[^
+   |]*)", 1, SyslogMessage)
+
+   | summarize Count = count() by UserName, Permission
+   ```
+
+**Query to summarize operations by a portal tenant.**
+
+   ```kusto
+Syslog
+
+   | where ProcessName == 'gw-audit'
+
+   | extend TenantName = extract("(\"vportal\":\"[^\"]*\")", 1, SyslogMessage), UserName = extract("(user=[^
+   |]*)", 1, SyslogMessage)
+
+   | extend Permission = extract("(op=[^
+   |]*)", 1, SyslogMessage)
+
+   | summarize Count = count() by TenantName, Permission
+   ```
+
+**Query to find operations performed by a specific user.**
+
+   ```kusto
+Syslog
+
+   | where ProcessName == 'gw-audit'
+
+   | extend TenantName = extract("(\"vportal\":\"[^\"]*\")", 1, SyslogMessage), UserName = extract("(user=[^
+   |]*)", 1, SyslogMessage)
+
+   | extend Permission = extract("(op=[^
+   |]*)", 1, SyslogMessage)
+
+   | where UserName == 'user=specific_user'
+
+   | summarize Count = count() by Permission
+   ```
+
+
+
+## Vendor installation instructions
+
+Step 1: Connect CTERA Platform to Syslog
+
+Set up your CTERA portal syslog connection and Edge-Filer Syslog connector
+
+
+Step 2: Install Azure Monitor Agent (AMA) on Syslog Server
+
+Install the Azure Monitor Agent (AMA) on your syslog server to enable data collection.
+
+
+
+
+## Next steps
+
+For more information, go to the [related solution](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/cteranetworksltd1651947437632.microsoft-sentinel-solution-ctera?tab=Overview) in the Azure Marketplace.

articles/sentinel/data-connectors/iis-logs-of-microsoft-exchange-servers.md

@@ -0,0 +1,67 @@
+---
+title: "IIS Logs of Microsoft Exchange Servers connector for Microsoft Sentinel"
+description: "Learn how to install the connector IIS Logs of Microsoft Exchange Servers to connect your data source to Microsoft Sentinel."
+author: cwatson-cat
+ms.topic: how-to
+ms.date: 12/24/2024
+ms.service: microsoft-sentinel
+ms.author: cwatson
+ms.collection: sentinel-data-connector
+---
+
+# IIS Logs of Microsoft Exchange Servers connector for Microsoft Sentinel
+
+[Option 5] - Using Azure Monitor Agent - You can stream all IIS Logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to create custom alerts, and improve investigation.
+
+This is autogenerated content. For changes, contact the solution provider.
+
+## Connector attributes
+
+| Connector attribute | Description |
+| --- | --- |
+| **Log Analytics table(s)** | W3CIISLog<br/> |
+| **Data collection rules support** | Not currently supported |
+| **Supported by** | [Community](https://github.com/Azure/Azure-Sentinel/issues) |
+
+## Query samples
+
+**All Audit logs**
+
+   ```kusto
+W3CIISLog 
+   | sort by TimeGenerated
+   ```
+
+
+
+## Prerequisites
+
+To integrate with IIS Logs of Microsoft Exchange Servers make sure you have: 
+
+- ****: Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. [Learn more](/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)
+- **Detailled documentation**: >**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)
+
+
+## Vendor installation instructions
+
+
+> [!NOTE]
+   >  This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)
+
+>This Data Connector is the **option 5** of the wiki.
+
+1.  Download and install the agents needed to collect logs for Microsoft Sentinel
+
+Type of servers (Exchange Servers, Domain Controllers linked to Exchange Servers or all Domain Controllers) depends on the option you want to deploy.
+
+
+[Option 5] IIS logs of Exchange Servers
+
+Select how to stream IIS logs of Exchange Servers
+
+
+
+
+## Next steps
+
+For more information, go to the [related solution](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/microsoftsentinelcommunity.azure-sentinel-solution-exchangesecurityinsights?tab=Overview) in the Azure Marketplace.