Merge pull request #99835 from rkarlin/sentinel-updates-connectors

updated CEF for new breakdown, offboarding update, links to workbooks

Author: ShannonLeavitt

articles/sentinel/TOC.yml

@@ -32,70 +32,78 @@
   - name: Connect data sources
     href: connect-data-sources.md
     items:
-    - name: Connect Microsoft services
+    - name: Connect service-to-service
       items:
-      - name: Connect Azure AD
+      - name: AWS
+        href: connect-aws.md
+      - name: Azure AD
         href: connect-azure-active-directory.md
-      - name: Connect Office 365
+      - name: Office 365
         href: connect-office-365.md
-      - name: Connect Cloud App Security
+      - name: Cloud App Security
         href: connect-cloud-app-security.md
-      - name: Connect Azure Activity Log
+      - name: Azure Activity Log
         href: connect-azure-activity.md
-      - name: Connect Azure AD Identity Protection
+      - name: Azure AD Identity Protection
         href: connect-azure-ad-identity-protection.md
-      - name: Connect Azure Information Protection
+      - name: Azure Information Protection
         href: connect-azure-information-protection.md
-      - name: Connect Microsoft Defender ATP
+      - name: Microsoft Defender ATP
         href: connect-microsoft-defender-advanced-threat-protection.md
-      - name: Connect Azure ATP
+      - name: Azure ATP
         href: connect-azure-atp.md
-      - name: Connect Azure Security Center
+      - name: Azure Security Center
         href: connect-azure-security-center.md
-      - name: Connect domain name server
+      - name: Domain name server
         href: connect-dns.md
-      - name: Connect Microsoft web application firewall
+      - name: Microsoft web application firewall
         href: connect-microsoft-waf.md
-      - name: Connect Windows firewall
+      - name: Windows firewall
         href: connect-windows-firewall.md
-      - name: Connect Windows security events
+      - name: Windows security events
         href: connect-windows-security-events.md  
     - name: Connect external solutions
       items:
-      - name: Connect generic CEF
-        href: connect-common-event-format.md
-      - name: Connect AWS
-        href: connect-aws.md
-      - name: Connect Barracuda
+      - name: Barracuda
         href: connect-barracuda.md
-      - name: Connect Check Point
-        href: connect-checkpoint.md
-      - name: Connect Palo Alto Networks
-        href: connect-paloalto.md
-      - name: Connect Fortinet
-        href: connect-fortinet.md
-      - name: Connect F5 
-        href: connect-f5.md  
-      - name: Connect F5 BIG-IP
+      - name: F5 BIG-IP
         href: connect-f5-big-ip.md
-      - name: Connect Syslog
+      - name: Syslog
         href: connect-syslog.md
-      - name: Connect Symantec ICDX
+      - name: Symantec ICDX
         href: connect-symantec.md
-      - name: Connect Cisco
-        href: connect-cisco.md
-      - name: Connect Barracuda CloudGen Firewall
+      - name: Barracuda CloudGen Firewall
         href: connect-barracuda-cloudgen-firewall.md
-      - name: Connect Citrix Analytics (Security)
+      - name: Citrix Analytics (Security)
         href: connect-citrix-analytics.md
-      - name: Connect ExtraHop Reveal(x)
-        href: connect-extrahop.md
-      - name: One Identity Safeguard
-        href: connect-one-identity.md
-      - name: Trend Micro Deep Security
-        href: connect-trend-micro.md
-      - name: Connect Zscaler
-        href: connect-zscaler.md   
+      - name: CEF-based solutions
+        href: connect-common-event-format.md
+        items:  
+        - name: STEP 1 Deploy the agent
+          href: connect-cef-agent.md
+        - name: STEP 2 Configure your security solution
+          href: connect-cef-solution-config.md
+          items:  
+          - name: Check Point
+            href: connect-checkpoint.md
+          - name: Cisco
+            href: connect-cisco.md
+          - name: ExtraHop Reveal(x)
+            href: connect-extrahop.md
+          - name: F5 
+            href: connect-f5.md  
+          - name: Fortinet
+            href: connect-fortinet.md
+          - name: One Identity Safeguard
+            href: connect-one-identity.md
+          - name: Palo Alto Networks
+            href: connect-paloalto.md
+          - name: Trend Micro Deep Security
+            href: connect-trend-micro.md
+          - name: Zscaler
+            href: connect-zscaler.md   
+        - name: STEP 3 Validate connectivity 
+          href: connect-cef-verify.md
     - name: Connect threat intelligence
       href: connect-threat-intelligence.md  
     - name: Connect Azure Stack VMs

articles/sentinel/connect-aws.md

@@ -12,7 +12,7 @@ ms.devlang: na
 ms.topic: conceptual
 ms.tgt_pltfrm: na
 ms.workload: na
-ms.date: 09/23/2019
+ms.date: 12/30/2019
 ms.author: rkarlin
 
 ---
@@ -80,4 +80,5 @@ You must have write permission on the Azure Sentinel workspace.
 In this document, you learned how to connect AWS CloudTrail to Azure Sentinel. To learn more about Azure Sentinel, see the following articles:
 - Learn how to [get visibility into your data, and potential threats](quickstart-get-visibility.md).
 - Get started [detecting threats with Azure Sentinel](tutorial-detect-threats-built-in.md).
+- [Use workbooks](tutorial-monitor-your-data.md) to monitor your data.
 

articles/sentinel/connect-azure-atp.md

@@ -13,7 +13,7 @@ ms.devlang: na
 ms.topic: conceptual
 ms.tgt_pltfrm: na
 ms.workload: na
-ms.date: 11/17/2019
+ms.date: 12/30/2019
 ms.author: rkarlin
 
 ---

articles/sentinel/connect-barracuda-cloudgen-firewall.md

@@ -13,7 +13,7 @@ ms.devlang: na
 ms.topic: conceptual
 ms.tgt_pltfrm: na
 ms.workload: na
-ms.date: 11/04/2019
+ms.date: 12/30/2019
 ms.author: cabailey
 
 ---
@@ -43,4 +43,6 @@ The Barracuda CloudGen Firewall (CGFW) connector lets you easily connect your Ba
 In this document, you learned how to connect Barracuda CloudGen Firewall to Azure Sentinel. To learn more about Azure Sentinel, see the following articles:
 - Learn how to [get visibility into your data, and potential threats](quickstart-get-visibility.md).
 - Get started [detecting threats with Azure Sentinel](tutorial-detect-threats-built-in.md).
+- [Use workbooks](tutorial-monitor-your-data.md) to monitor your data.
+
 

articles/sentinel/connect-barracuda.md

@@ -14,7 +14,7 @@ ms.devlang: na
 ms.topic: conceptual
 ms.tgt_pltfrm: na
 ms.workload: na
-ms.date: 10/13/2019
+ms.date: 12/30/2019
 ms.author: rkarlin
 
 ---
@@ -46,4 +46,6 @@ It may take upwards of 20 minutes until your logs start to appear in Log Analyti
 In this document, you learned how to connect Barracuda appliances to Azure Sentinel. To learn more about Azure Sentinel, see the following articles:
 - Learn how to [get visibility into your data, and potential threats](quickstart-get-visibility.md).
 - Get started [detecting threats with Azure Sentinel](tutorial-detect-threats-built-in.md).
+- [Use workbooks](tutorial-monitor-your-data.md) to monitor your data.
+
 

articles/sentinel/connect-cef-agent.md

@@ -0,0 +1,48 @@
+---
+title: Deploy the agent to connect CEF data to Azure Sentinel Preview| Microsoft Docs
+description: Learn how to deploy the agent to connect CEF data to Azure Sentinel.
+services: sentinel
+documentationcenter: na
+author: rkarlin
+manager: rkarlin
+editor: ''
+
+ms.service: azure-sentinel
+ms.subservice: azure-sentinel
+ms.devlang: na
+ms.topic: conceptual
+ms.tgt_pltfrm: na
+ms.workload: na
+ms.date: 11/26/2019
+ms.author: rkarlin
+
+---
+# Step 1: Deploy the agent
+
+
+In this step, you need to select the Linux machine that will act as a proxy between Azure Sentinel and your security solution. You will have to run a script on the proxy machine that:
+- Installs the Log Analytics agent and configures it as needed to listen for Syslog messages.
+- Configures the Syslog daemon to listen to Syslog messages using TCP port 514 and then forwards only the CEF messages to the Log Analytics agent using TCP port 25226.
+- Sets the Syslog agent to collect the data and send it securely to Azure Sentinel, where it is parsed and enriched.
+ 
+## Deploy the agent
+ 
+1. In the Azure Sentinel portal, click **Data connectors** and select **Common Event Format (CEF)** and then **Open connector page**. 
+
+1. Under **Install and configure the Syslog agent**, select your machine type, either Azure, other cloud, or on-premises. 
+   > [!NOTE]
+   > Because the script in the next step installs the Log Analytics agent and connects the machine to your Azure Sentinel workspace, make sure this machine is not connected to any other workspace.
+1. You must have elevated permissions (sudo) on your machine. Make sure that you have Python on your machine using the following command: `python –version`
+
+1. Run the following script on your proxy machine.
+   `sudo wget https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py [WorkspaceID] [Workspace Primary Key]`
+1. While the script is running, check to make sure you don't get any error or warning messages.
+
+Continue to [STEP 2: Configure your security solution to forward CEF messages](connect-cef-solution-config.md) .
+
+
+## Next steps
+In this document, you learned how to connect CEF appliances to Azure Sentinel. To learn more about Azure Sentinel, see the following articles:
+- Learn how to [get visibility into your data, and potential threats](quickstart-get-visibility.md).
+- Get started [detecting threats with Azure Sentinel](tutorial-detect-threats.md).
+

articles/sentinel/connect-cef-solution-config.md

@@ -0,0 +1,59 @@
+---
+title: Configure your security solution to connect CEF data to Azure Sentinel Preview| Microsoft Docs
+description: Learn how to configure your security solution to connect CEF data to Azure Sentinel.
+services: sentinel
+documentationcenter: na
+author: rkarlin
+manager: rkarlin
+editor: ''
+
+ms.service: azure-sentinel
+ms.subservice: azure-sentinel
+ms.devlang: na
+ms.topic: conceptual
+ms.tgt_pltfrm: na
+ms.workload: na
+ms.date: 12/30/2019
+ms.author: rkarlin
+
+---
+# STEP 2: Configure your security solution to send CEF messages
+
+In this step you will perform the necessary configuration changes on your security solution itself to send logs to the CEF agent.
+
+## Configure a solution with a connector
+
+If your security solution already has an existing connector, use the connector-specific instructions as follows:
+
+- [Check Point](connect-checkpoint.md)
+- [Cisco](connect-cisco.md)
+- [ExtraHop Reveal(x)](connect-extrahop.md)
+- [F5 ](connect-f5.md)  
+- [Fortinet](connect-fortinet.md)
+- [One Identity Safeguard](connect-one-identity.md)
+- [Palo Alto Networks](connect-paloalto.md)
+- [Trend Micro Deep Security](connect-trend-micro.md)
+- [Zscaler](connect-zscaler.md)   
+
+## Configure any other solution
+If a connector does not exist for your specific security solution, use the following generic instructions for forwarding logs to the CEF agent.
+
+1. Go to the specific configuration article for steps on how to configure your solution to send CEF messages. If your solution is not listed, on the appliance you need to set these values so that the appliance sends the necessary logs in the necessary format to the Azure Sentinel Syslog agent, based on the Log Analytics agent. You can modify these parameters in your appliance, as long as you also modify them in the Syslog daemon on the Azure Sentinel agent.
+    - Protocol = TCP
+    - Port = 514
+    - Format = CEF
+    - IP address - make sure to send the CEF messages to the IP address of the virtual machine you dedicated for this purpose.
+
+   > [!NOTE]
+   > This solution supports Syslog RFC 3164 or RFC 5424.
+
+
+1. To use the relevant schema in Log Analytics for the CEF events, search for `CommonSecurityLog`.
+
+1. Continue to STEP 3: [validate connectivity](connect-cef-verify.md).
+
+## Next steps
+In this document, you learned how to connect CEF appliances to Azure Sentinel. To learn more about Azure Sentinel, see the following articles:
+- Learn how to [get visibility into your data, and potential threats](quickstart-get-visibility.md).
+- Get started [detecting threats with Azure Sentinel](tutorial-detect-threats.md).
+

articles/sentinel/connect-cef-verify.md

@@ -0,0 +1,41 @@
+---
+title: Validate connectivity to Azure Sentinel| Microsoft Docs
+description: Validate connectivity of your security solution to make sure CEF messages are being forwarded to Azure Sentinel.
+services: sentinel
+documentationcenter: na
+author: rkarlin
+manager: rkarlin
+editor: ''
+
+ms.service: azure-sentinel
+ms.subservice: azure-sentinel
+ms.devlang: na
+ms.topic: conceptual
+ms.tgt_pltfrm: na
+ms.workload: na
+ms.date: 12/30/2019
+ms.author: rkarlin
+
+---
+# STEP 3: Validate connectivity
+
+
+
+After you deployed the agent and configured your security solution to forward CEF messages, use this article to understand how to verify connectivity between Azure Sentinel and your security solution. 
+
+## How to validate connectivity
+
+1. Open Log Analytics to make sure that logs are received using the CommonSecurityLog schema.<br> It may take upwards of 20 minutes until your logs start to appear in Log Analytics. 
+
+1. Before you run the script, we recommend that you send messages from your security solution to make sure they are being forwarded to the Syslog proxy machine you configured. 
+1. You must have elevated permissions (sudo) on your machine. Make sure that you have Python on your machine using the following command: `python –version`
+1. Run the following script to check connectivity between the agent, Azure Sentinel, and your security solution. It checks that the daemon forwarding is properly configured, listens on the correct ports, and that nothing is blocking communication between the daemon and the Log Analytics agent. The script also sends mock messages 'TestCommonEventFormat' to check end-to-end connectivity. <br>
+ `sudo wget https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py [WorkspaceID]`
+
+
+## Next steps
+In this document, you learned how to connect CEF appliances to Azure Sentinel. To learn more about Azure Sentinel, see the following articles:
+- Learn how to [get visibility into your data, and potential threats](quickstart-get-visibility.md).
+- Get started [detecting threats with Azure Sentinel](tutorial-detect-threats.md).
+- [Use workbooks](tutorial-monitor-your-data.md) to monitor your data.
+