
Commit ac4f80f

Merge pull request #88425 from cabailey/cabailey-azuredocs-syslog
Add new procedure to Syslog connector for anomalous SSH login detection
2 parents 5423527 + a869ff8 commit ac4f80f

2 files changed

+53
-19
lines changed

articles/sentinel/connect-syslog.md

Lines changed: 53 additions & 19 deletions
@@ -1,5 +1,5 @@
11
---
2-
title: Connect Syslog data to Azure Sentinel| Microsoft Docs
2+
title: Connect Syslog data to Azure Sentinel | Microsoft Docs
33
description: Learn how to connect Syslog data to Azure Sentinel.
44
services: sentinel
55
documentationcenter: na
@@ -19,8 +19,6 @@ ms.author: rkarlin
1919
---
2020
# Connect your external solution using Syslog
2121

22-
23-
2422
You can connect any on-premises appliance that supports Syslog to Azure Sentinel. This is done by using an agent based on a Linux machine between the appliance and Azure Sentinel. If your Linux machine is in Azure, you can stream the logs from your appliance or application to a dedicated workspace you create in Azure and connect it. If your Linux machine is not in Azure, you can stream the logs from your appliance to a dedicated on premises VM or machine onto which you install the Agent for Linux.
2523

2624
> [!NOTE]
@@ -37,28 +35,64 @@ For more information, see [Syslog data sources in Azure Monitor](../azure-monito
3735
3836
## Connect your Syslog appliance
3937

40-
1. In the Azure Sentinel portal, select **Data connectors** and select the **Syslog** line in the table and in the Syslog pane to the right, click **Open connector page**.
41-
2. If your Linux machine is within Azure, select **Download and install agent on Azure Linux virtual machine**. In the Virtual machines window, select the machines on which you want to install the agent and click **Connect** at the top.
42-
1. If your Linux machine not within Azure, select **Download and install agent on Linux non-Azure machine**. In the **Direct agent** window, copy the command under **Download and onboard agent for Linux** and run it on your machine.
38+
1. In Azure Sentinel, select **Data connectors** and then select the **Syslog** connector.
39+
40+
2. On the **Syslog** blade, select **Open connector page**.
41+
42+
3. Install the Linux agent:
43+
44+
- If your Linux virtual machine is in Azure, select **Download and install agent on Azure Linux virtual machine**. In the **Virtual machines** blade, select the virtual machines to install the agent on, and then click **Connect**.
45+
- If your Linux machine isn't in Azure, select **Download and install agent on Linux non-Azure machine**. In the **Direct agent** blade, copy the command for **DOWNLOAD AND ONBOARD AGENT FOR LINUX** and run it on your computer.
46+
4347
> [!NOTE]
44-
> Make sure to configure the machine's security according to your organization's security policy. For example, you can configure your network to align with your corporate network security policy and change the ports and protocols in the daemon to align with your requirements.
48+
> Make sure you configure security settings for these computers according to your organization's security policy. For example, you can configure the network settings to align with your organization's network security policy, and change the ports and protocols in the daemon to align with the security requirements.
49+
50+
4. Select **Open your workspace advanced settings configuration**.
51+
52+
5. On the **Advanced settings** blade, select **Data** > **Syslog**. Then add the facilities for the connector to collect.
53+
54+
Add the facilities that your syslog appliance includes in its log headers. You can see this configuration in your Syslog appliance in **Syslog-d** in the `/etc/rsyslog.d/security-config-omsagent.conf` folder, and in **r-Syslog** from `/etc/syslog-ng/security-config-omsagent.conf`.
55+
56+
If you want to use anomalous SSH login detection with the data that you collect, add **auth** and **authpriv**. See the [following section](#configure-the-syslog-connector-for-anomalous-ssh-login-detection) for additional details.
57+
58+
6. When you have added all the facilities that you want to monitor, and adjusted any severity options for each one, select the checkbox **Apply below configuration to my machines**.
59+
60+
7. Select **Save**.
61+
62+
8. On your syslog appliance, make sure you're sending the facilities that you specified.
63+
64+
9. To use the relevant schema in Azure Monitor for the syslog logs, search for **Syslog**.
65+
66+
10. You can use the Kusto function described in [Using functions in Azure Monitor log queries](../azure-monitor/log-query/functions.md) to parse your Syslog messages. You can then save them as a new Log Analytics function to use as a new data type.
67+
68+
### Configure the Syslog connector for anomalous SSH login detection
4569

46-
1. Under **Configure the logs to be connected** in the Syslog connector setup window, follow the instructions:
47-
1. Click the link to **Open your workspace advanced settings configuration**.
48-
1. Select **Data**, followed by **Syslog**.
49-
1. Then, in the table set which facilities you want Syslog to collect. You should either add or select the facilities that your Syslog appliance includes in its log headers. You can see this configuration in your Syslog appliance in Syslog-d in the folder: /etc/rsyslog.d/security-config-omsagent.conf, and in r-Syslog under /etc/syslog-ng/security-config-omsagent.conf.
50-
> [!NOTE]
51-
> If you select the checkbox to **Apply below configuration to my machines**, then this configuration will apply to all the Linux machines connected to this workspace. You can see this configuration in your Syslog machine under
52-
1. Click **Press here to open the configuration blade**.
53-
1. Select **Data** and then **Syslog**.
54-
- Make sure each facility that you're sending by Syslog is in the table. For each facility, you are going to monitor, set a severity. Click **Apply**.
55-
1. In your Syslog machine, make sure you're sending those facilities.
70+
> [!IMPORTANT]
71+
> Anomalous SSH login detection is currently in public preview.
72+
> This feature is provided without a service level agreement, and it's not recommended for production workloads.
73+
> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
5674
57-
1. To use the relevant schema in Log Analytics for the Syslog logs, search for **Syslog**.
58-
1. You can use the Kusto function described in [Using functions in Azure Monitor log queries](../azure-monitor/log-query/functions.md) to parse your Syslog messages and then save them as a new Log Analytics function and then use the function as a new data type.
75+
The syslog data that you collect can be used with machine learning (ML) to identify anomalous Secure Shell (SSH) login activity. Scenarios include:
5976

77+
- Impossible travel – when two successful login events occur from two locations that are impossible to reach within the timeframe of the two login events.
78+
- Unexpected location – the location from where a successful login event occurred is suspicious. For example, the location has not been seen recently.
79+
80+
This detection requires a specific configuration of the Syslog data connector:
6081

82+
1. For step 5 in the previous procedure, make sure that both **auth** and **authpriv** are selected as facilities to monitor. Keep the default settings for the severity options, so that they are all selected. For example:
83+
84+
> [!div class="mx-imgBorder"]
85+
> ![Facilities required for anomalous SSH login detection](./media/connect-syslog/facilities-ssh-detection.png)
6186
87+
2. Allow sufficient time for syslog information to be collected. Then, navigate to **Azure Sentinel - Logs**, and copy and paste the following query:
88+
89+
Syslog |  where Facility in ("authpriv","auth")| extend c = extract( "Accepted\\s(publickey|password|keyboard-interactive/pam)\\sfor ([^\\s]+)",1,SyslogMessage)| where isnotempty(c) | count
90+
91+
Change the **Time range** if required, and select **Run**.
92+
93+
If the resulting count is zero, confirm the configuration of the connector and that the monitored computers do have successful login activity for the time period you specified for your query.
94+
95+
If the resulting count is greater than zero, your syslog data is suitable for anomalous SSH login detection. You enable this detection from **Analytics** > **Rule templates** > **(Preview) Anomalous SSH Login Detection**.
6296

6397
## Next steps
6498
In this document, you learned how to connect Syslog on-premises appliances to Azure Sentinel. To learn more about Azure Sentinel, see the following articles:
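Review bot: the rewritten step 6 ("select the checkbox **Apply below configuration to my machines**") loses the scope caveat that the removed NOTE carried, namely that ticking that box applies the facility and severity configuration to every Linux machine connected to the workspace, not only to the machines just onboarded; restore that sentence, because a reader enabling **auth** and **authpriv** for the SSH detection may not expect collection to change on unrelated hosts. Two smaller points in the same hunk: the sentence "You can see this configuration in your Syslog appliance in **Syslog-d** in the `/etc/rsyslog.d/security-config-omsagent.conf` folder, and in **r-Syslog** from `/etc/syslog-ng/security-config-omsagent.conf`" attaches the daemon names to the wrong paths and calls a `.conf` file a folder (`/etc/rsyslog.d/` belongs to rsyslog, `/etc/syslog-ng/` to syslog-ng); and the KQL query under step 2 of the detection procedure is a bare paragraph rather than a fenced code block, so Markdown rendering will collapse the `\\s` escapes in the `extract` regex to `\s` and a copy-pasted query will not behave as written. Wrap it in a ```kusto fence (or switch the pattern to a verbatim `@"..."` string) so readers get the exact text.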