Merge pull request #266615 from yelevin/yelevin/cef-ama-ga

CEF via AMA to GA

Author: Stacyrch140

.openpublishing.redirection.sentinel.json

@@ -1055,6 +1055,21 @@
             "redirect_url": "/azure/sentinel/normalization-schema-process-event",
             "redirect_document_id": true
         },
+        {
+            "source_path_from_root": "/articles/sentinel/connect-cef-ama.md",
+            "redirect_url": "/azure/sentinel/connect-cef-syslog-ama",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/sentinel/connect-cef-syslog.md",
+            "redirect_url": "/azure/sentinel/connect-cef-syslog-ama",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/sentinel/connect-cef-syslog-options.md",
+            "redirect_url": "/azure/sentinel/connect-cef-syslog-ama",
+            "redirect_document_id": false
+        },
         {
             "source_path_from_root": "/articles/sentinel/notebooks-with-synapse.md",
             "redirect_url": "/azure/sentinel/notebooks-hunt",

articles/sentinel/TOC.yml

@@ -816,12 +816,8 @@
       href: connect-azure-functions-template.md    
     - name: CEF/Syslog        
       items:
-      - name: CEF/Syslog options
-        href: connect-cef-syslog-options.md
-      - name: CEF via AMA
-        href: connect-cef-ama.md        
-      - name: CEF and Syslog
-        href: connect-cef-syslog.md
+      - name: CEF and Syslog via AMA
+        href: connect-cef-syslog-ama.md        
       - name: CEF over Syslog sources (legacy)
         href: connect-common-event-format.md
       - name: Deploy a log forwarder (legacy)
@@ -1236,6 +1232,8 @@
       href: windows-security-event-id-reference.md
     - name: DNS over AMA reference
       href: dns-ama-fields.md
+    - name: Sample API requests for creating Data Collection Rules (DCRs)
+      href: api-dcr-reference.md
     - name: Microsoft Purview Information Protection reference
       href: microsoft-purview-record-types-activities.md
     - name: Microsoft 365 Defender connector data type support

articles/sentinel/api-dcr-reference.md

@@ -0,0 +1,218 @@
+---
+title: Microsoft Sentinel API request examples for creating Data Collection Rules (DCRs)
+description: See samples of API requests for creating Data Collection Rules and their associations, for use with the Azure Monitor Agent.
+author: yelevin
+ms.author: yelevin
+ms.topic: reference
+ms.date: 03/01/2024
+ms.service: microsoft-sentinel
+---
+# API request examples for creating Data Collection Rules (DCRs)
+
+This article presents some examples of API requests and responses for creating Data Collection Rules (DCRs) and DCR Associations (DCRAs) for use with the Azure Monitor Agent (AMA).
+
+## Syslog/CEF
+
+The following examples are for DCRs using the AMA to collect Syslog and CEF messages.
+
+### Syslog/CEF DCR
+
+These examples are of the API request and response for creating a DCR.
+
+#### Syslog/CEF DCR creation request URL and header
+
+Example:
+
+```http
+PUT https://management.azure.com/subscriptions/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/resourceGroups/ContosoRG/providers/Microsoft.Insights/dataCollectionRules/Contoso-DCR-01?api-version=2022-06-01
+```
+
+#### Syslog/CEF DCR creation request body
+
+The following is an example of a DCR creation request. For each stream—you can have several in one DCR—change the value of the `"Streams"` field according to the source of the messages you want to ingest:
+
+| Log source | `"Streams"` field value |
+| --- | --- |
+| **Syslog** | `"Microsoft-Syslog"` |
+| **CEF** | `"Microsoft-CommonSecurityLog"` |
+| **Cisco ASA** | `"Microsoft-CiscoAsa"` |
+
+```json
+{
+  "location": "centralus",
+  "kind": "Linux",
+  "properties": {
+    "dataSources": {
+      "syslog": [
+        {
+          "name": "localsSyslog",
+          "streams": [
+            "Microsoft-Syslog"
+          ],
+          "facilityNames": [
+            "auth",
+            "local0",
+            "local1",
+            "local2",
+            "local3",
+            "syslog"
+          ],
+          "logLevels": [
+            "Critical",
+            "Alert",
+            "Emergency"
+          ]
+        },
+        {
+          "name": "authprivSyslog",
+          "streams": [
+            "Microsoft-Syslog"
+          ],
+          "facilityNames": [
+            "authpriv"
+          ],
+          "logLevels": [
+            "Error",
+            "Alert",
+            "Critical",
+            "Emergency"
+          ]
+        }
+      ]
+    },
+    "destinations": {
+      "logAnalytics": [
+        {
+          "workspaceResourceId": "/subscriptions/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/resourceGroups/ContosoRG/providers/Microsoft.OperationalInsights/workspaces/Contoso",
+          "workspaceId": "11111111-2222-3333-4444-555555555555",
+          "name": "DataCollectionEvent"
+        }
+      ]
+    },
+    "dataFlows": [
+      {
+        "streams": [
+          "Microsoft-Syslog"
+        ],
+        "destinations": [
+          "DataCollectionEvent"
+        ]
+      }
+    ]
+  }
+}
+```
+
+#### Syslog/CEF DCR creation response
+
+Here's the response you should receive according to the sample request above:
+
+```json
+  {
+    "properties": {
+      "immutableId": "dcr-0123456789abcdef0123456789abcdef",
+      "dataSources": {
+        "syslog": [
+          {
+            "streams": [
+              "Microsoft-Syslog"
+            ],
+            "facilityNames": [
+              "auth",
+              "local0",
+              "local1",
+              "local2",
+              "local3",
+              "syslog"
+            ],
+            "logLevels": [
+              "Critical",
+              "Alert",
+              "Emergency"
+            ],
+            "name": "localsSyslog"
+          },
+          {
+            "streams": [
+              "Microsoft-Syslog"
+            ],
+            "facilityNames": [
+              "authpriv"
+            ],
+            "logLevels": [
+              "Error",
+              "Alert",
+              "Critical",
+              "Emergency"
+            ],
+            "name": "authprivSyslog"
+          }
+        ]
+      },
+      "destinations": {
+        "logAnalytics": [
+          {
+            "workspaceResourceId": "/subscriptions/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/resourceGroups/ContosoRG/providers/Microsoft.OperationalInsights/workspaces/Contoso",
+            "workspaceId": "11111111-2222-3333-4444-555555555555",
+            "name": "DataCollectionEvent"
+          }
+        ]
+      },
+      "dataFlows": [
+        {
+          "streams": [
+            "Microsoft-Syslog"
+          ],
+          "destinations": [
+            "DataCollectionEvent"
+          ]
+        }
+      ],
+      "provisioningState": "Succeeded"
+    },
+    "location": "centralus",
+    "kind": "Linux",
+    "id": "/subscriptions/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/resourceGroups/ContosoRG/providers/Microsoft.Insights/dataCollectionRules/Contoso-DCR-01",
+    "name": "Contoso-DCR-01",
+    "type": "Microsoft.Insights/dataCollectionRules",
+    "etag": "\"00000000-0000-0000-0000-000000000000\"",
+    "systemData": {
+    }
+  }
+```
+
+### Syslog/CEF DCRA
+
+#### Syslog/CEF DCRA creation request URL and header
+
+```http
+PUT 
+https://management.azure.com/subscriptions/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/resourceGroups/ContosoRG/providers/Microsoft.Compute/virtualMachines/LogForwarder-VM-1/providers/Microsoft.Insights/dataCollectionRuleAssociations/contoso-dcr-assoc?api-version=2022-06-01
+```
+
+#### Syslog/CEF DCRA creation request body
+
+```json
+{
+  "properties": {
+    "dataCollectionRuleId": "/subscriptions/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/resourceGroups/ContosoRG/providers/Microsoft.Insights/dataCollectionRules/Contoso-DCR-01"
+  }
+}
+```
+
+#### Syslog/CEF DCRA creation response
+
+```json
+{
+    "properties": {
+      "dataCollectionRuleId": "/subscriptions/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/resourceGroups/ContosoRG/providers/Microsoft.Insights/dataCollectionRules/Contoso-DCR-01"
+    },
+    "id": "/subscriptions/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/resourceGroups/ContosoRG/providers/Microsoft.Compute/virtualMachines/LogForwarder-VM-1/providers/Microsoft.Insights/dataCollectionRuleAssociations/contoso-dcr-assoc",
+    "name": "contoso-dcr-assoc",
+    "type": "Microsoft.Insights/dataCollectionRuleAssociations",
+    "etag": "\"00000000-0000-0000-0000-000000000000\"",
+    "systemData": {
+    }
+  }
+```
+