diff --git a/Solutions/AristaAwakeSecurity/Analytic Rules/HighMatchCountsByDevice.yaml b/Solutions/AristaAwakeSecurity/Analytic Rules/HighMatchCountsByDevice.yaml
index 19ff9a1af6e..bb692638138 100644
--- a/Solutions/AristaAwakeSecurity/Analytic Rules/HighMatchCountsByDevice.yaml
+++ b/Solutions/AristaAwakeSecurity/Analytic Rules/HighMatchCountsByDevice.yaml
@@ -4,9 +4,6 @@ description: This query searches for devices with unexpectedly large number of a
severity: Medium
status: Available
requiredDataConnectors:
- - connectorId: AristaAwakeSecurity
- dataTypes:
- - CommonSecurityLog (AwakeSecurity)
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
@@ -65,5 +62,5 @@ incidentConfiguration:
groupByAlertDetails: []
groupByCustomDetails:
- Device
-version: 1.0.1
+version: 1.0.2
kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/AristaAwakeSecurity/Analytic Rules/HighSeverityMatchesByDevice.yaml b/Solutions/AristaAwakeSecurity/Analytic Rules/HighSeverityMatchesByDevice.yaml
index b5455cca631..810bc2222bf 100644
--- a/Solutions/AristaAwakeSecurity/Analytic Rules/HighSeverityMatchesByDevice.yaml
+++ b/Solutions/AristaAwakeSecurity/Analytic Rules/HighSeverityMatchesByDevice.yaml
@@ -4,9 +4,6 @@ description: This query searches for devices with high severity event(s).
severity: Medium
status: Available
requiredDataConnectors:
- - connectorId: AristaAwakeSecurity
- dataTypes:
- - CommonSecurityLog (AwakeSecurity)
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
@@ -63,5 +60,5 @@ incidentConfiguration:
groupByAlertDetails: []
groupByCustomDetails:
- Device
-version: 1.0.1
+version: 1.0.2
kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/AristaAwakeSecurity/Analytic Rules/ModelMatchesWithMultipleDestinationsByDevice.yaml b/Solutions/AristaAwakeSecurity/Analytic Rules/ModelMatchesWithMultipleDestinationsByDevice.yaml
index 862fa15593d..ca4870ec60e 100644
--- a/Solutions/AristaAwakeSecurity/Analytic Rules/ModelMatchesWithMultipleDestinationsByDevice.yaml
+++ b/Solutions/AristaAwakeSecurity/Analytic Rules/ModelMatchesWithMultipleDestinationsByDevice.yaml
@@ -4,9 +4,6 @@ description: This query searches for devices with multiple possibly malicious de
severity: Medium
status: Available
requiredDataConnectors:
- - connectorId: AristaAwakeSecurity
- dataTypes:
- - CommonSecurityLog (AwakeSecurity)
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
@@ -63,5 +60,5 @@ incidentConfiguration:
groupByAlertDetails: []
groupByCustomDetails:
- Device
-version: 1.0.1
+version: 1.0.2
kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/AristaAwakeSecurity/Data/Solution_AristaAwakeSecurity.json b/Solutions/AristaAwakeSecurity/Data/Solution_AristaAwakeSecurity.json
index 7a9a4846791..452f16d2e36 100644
--- a/Solutions/AristaAwakeSecurity/Data/Solution_AristaAwakeSecurity.json
+++ b/Solutions/AristaAwakeSecurity/Data/Solution_AristaAwakeSecurity.json
@@ -2,10 +2,7 @@
"Name": "AristaAwakeSecurity",
"Author": "Arista Networks - support-security@arista.com",
"Logo": "",
- "Description": "The [Awake Security Arista Networks solution](https://awakesecurity.com/) for Microsoft Sentinel enable users to send detection model matches from the Awake Security Platform to Microsoft Sentinel.\n\n This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024, and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).",
- "Data Connectors": [
- "Data Connectors/Connector_AristaAwakeSecurity_CEF.json"
- ],
+ "Description": "The [Awake Security Arista Networks solution](https://awakesecurity.com/) for Microsoft Sentinel enable users to send detection model matches from the Awake Security Platform to Microsoft Sentinel.\n\n This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. Legacy connector uses the Log Analytics agent which were deprecated on **Aug 31, 2024**. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).",
"Analytic Rules": [
"Analytic Rules/HighMatchCountsByDevice.yaml",
"Analytic Rules/HighSeverityMatchesByDevice.yaml",
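Review bot: The rewritten `Description` on the `+` line has a subject/verb mismatch: `Legacy connector uses the Log Analytics agent which were deprecated on **Aug 31, 2024**` should read `which was deprecated on **Aug 31, 2024**`. The identical sentence is carried into the regenerated `createUiDefinition.json` description (the hunk ending at the `"Microsoft.OperationsManagement/solutions"` line), so the wording needs fixing here at the source and the package regenerated rather than patched by hand. While the line is being rewritten anyway, `solution ... enable users` should be `enables users`, although that wording predates this commit.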
@@ -19,7 +16,7 @@
],
"Metadata": "SolutionMetadata.json",
"BasePath": "C:\\Sentinel-Repos\\19.05.22\\Azure-Sentinel\\Solutions\\AristaAwakeSecurity",
- "Version": "3.0.0",
+ "Version": "3.0.1",
"TemplateSpec": true,
"Is1Pconnector": false
}
\ No newline at end of file
diff --git a/Solutions/AristaAwakeSecurity/Package/3.0.1.zip b/Solutions/AristaAwakeSecurity/Package/3.0.1.zip
new file mode 100644
index 00000000000..796ec0aea11
Binary files /dev/null and b/Solutions/AristaAwakeSecurity/Package/3.0.1.zip differ
diff --git a/Solutions/AristaAwakeSecurity/Package/createUiDefinition.json b/Solutions/AristaAwakeSecurity/Package/createUiDefinition.json
index 8a0e6b99fb5..d8f5c1b6718 100644
--- a/Solutions/AristaAwakeSecurity/Package/createUiDefinition.json
+++ b/Solutions/AristaAwakeSecurity/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
- "description": "
\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/AristaAwakeSecurity/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Awake Security Arista Networks solution](https://awakesecurity.com/) for Microsoft Sentinel enable users to send detection model matches from the Awake Security Platform to Microsoft Sentinel.\n\n This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024, and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "
\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/AristaAwakeSecurity/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Awake Security Arista Networks solution](https://awakesecurity.com/) for Microsoft Sentinel enable users to send detection model matches from the Awake Security Platform to Microsoft Sentinel.\n\n This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. Legacy connector uses the Log Analytics agent which were deprecated on **Aug 31, 2024**. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Workbooks:** 1, **Analytic Rules:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
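Review bot: The `+ "description": "` line and the following `\n\n**Note:** …` line appear to be one JSON string value split by a bare line break, which RFC 8259 does not permit inside a string; the break predates this commit, but the regenerated line keeps it. If the character is really in the file (a stray carriage return would render exactly this way) rather than an artifact of how the diff is displayed, the file should be run through a strict JSON parser before the package is cut, since a lenient portal loader is not something the template should rely on. The deprecation sentence in the same value has the `which were deprecated` error already raised on the `Solution_AristaAwakeSecurity.json` hunk.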
@@ -51,30 +51,6 @@
}
],
"steps": [
- {
- "name": "dataconnectors",
- "label": "Data Connectors",
- "bladeTitle": "Data Connectors",
- "elements": [
- {
- "name": "dataconnectors1-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "This solution installs the Awake Security CEF connector which allows users to send detection model matches from the Awake Security Platform to Microsoft Sentinel. The connector also enables the creation of network security-focused custom alerts, incidents, workbooks, and notebooks that align with your existing security operations workflows. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
- }
- },
- {
- "name": "dataconnectors-link2",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "link": {
- "label": "Learn more about connecting data sources",
- "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
- }
- }
- }
- ]
- },
{
"name": "workbooks",
"label": "Workbooks",
@@ -88,7 +64,7 @@
"name": "workbooks-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "The workbook installed with the Awake Security Arista Networks help’s you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view."
+ "text": "This solution installs workbook(s) to help you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view."
}
},
{
diff --git a/Solutions/AristaAwakeSecurity/Package/mainTemplate.json b/Solutions/AristaAwakeSecurity/Package/mainTemplate.json
index bb47c630b9b..8471695f2e7 100644
--- a/Solutions/AristaAwakeSecurity/Package/mainTemplate.json
+++ b/Solutions/AristaAwakeSecurity/Package/mainTemplate.json
@@ -41,38 +41,29 @@
"email": "support-security@arista.com",
"_email": "[variables('email')]",
"_solutionName": "AristaAwakeSecurity",
- "_solutionVersion": "3.0.0",
+ "_solutionVersion": "3.0.1",
"solutionId": "arista-networks.awake-security",
"_solutionId": "[variables('solutionId')]",
- "uiConfigId1": "AristaAwakeSecurity",
- "_uiConfigId1": "[variables('uiConfigId1')]",
- "dataConnectorContentId1": "AristaAwakeSecurity",
- "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
- "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "_dataConnectorId1": "[variables('dataConnectorId1')]",
- "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
- "dataConnectorVersion1": "1.0.0",
- "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
"analyticRuleObject1": {
- "analyticRuleVersion1": "1.0.1",
+ "analyticRuleVersion1": "1.0.2",
"_analyticRulecontentId1": "90b7ac11-dd6c-4ba1-a99b-737061873859",
"analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '90b7ac11-dd6c-4ba1-a99b-737061873859')]",
"analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('90b7ac11-dd6c-4ba1-a99b-737061873859')))]",
- "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','90b7ac11-dd6c-4ba1-a99b-737061873859','-', '1.0.1')))]"
+ "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','90b7ac11-dd6c-4ba1-a99b-737061873859','-', '1.0.2')))]"
},
"analyticRuleObject2": {
- "analyticRuleVersion2": "1.0.1",
+ "analyticRuleVersion2": "1.0.2",
"_analyticRulecontentId2": "d5e012c2-29ba-4a02-a813-37b928aafe2d",
"analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'd5e012c2-29ba-4a02-a813-37b928aafe2d')]",
"analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('d5e012c2-29ba-4a02-a813-37b928aafe2d')))]",
- "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','d5e012c2-29ba-4a02-a813-37b928aafe2d','-', '1.0.1')))]"
+ "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','d5e012c2-29ba-4a02-a813-37b928aafe2d','-', '1.0.2')))]"
},
"analyticRuleObject3": {
- "analyticRuleVersion3": "1.0.1",
+ "analyticRuleVersion3": "1.0.2",
"_analyticRulecontentId3": "dfa3ec92-bdae-410f-b675-fe1814e4d43e",
"analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'dfa3ec92-bdae-410f-b675-fe1814e4d43e')]",
"analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('dfa3ec92-bdae-410f-b675-fe1814e4d43e')))]",
- "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','dfa3ec92-bdae-410f-b675-fe1814e4d43e','-', '1.0.1')))]"
+ "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','dfa3ec92-bdae-410f-b675-fe1814e4d43e','-', '1.0.2')))]"
},
"workbookVersion1": "1.0.0",
"workbookContentId1": "arista-networks",
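Review bot: The variables `_uiConfigId1`, `_dataConnectorContentId1`, `_dataConnectorId1`, `dataConnectorVersion1` and `_dataConnectorcontentProductId1` are removed here, so any `variables('…')` reference to them that survives elsewhere in the template fails ARM validation before anything is deployed. The connector resources that used them are deleted further down in this diff, but the solution's `contentPackages` resource and its dependency criteria are outside the visible hunks; if that resource still lists the connector's `contentId` or `contentProductId`, it should be pruned in the same commit. A grep of the regenerated `mainTemplate.json` for `dataConnector` after packaging is the quickest check.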
@@ -84,365 +75,6 @@
"_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
},
"resources": [
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
- "apiVersion": "2023-04-01-preview",
- "name": "[variables('dataConnectorTemplateSpecName1')]",
- "location": "[parameters('workspace-location')]",
- "dependsOn": [
- "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
- ],
- "properties": {
- "description": "AristaAwakeSecurity data connector with template version 3.0.0",
- "mainTemplate": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('dataConnectorVersion1')]",
- "parameters": {},
- "variables": {},
- "resources": [
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
- "properties": {
- "connectorUiConfig": {
- "id": "[variables('_uiConfigId1')]",
- "title": "[Deprecated] Awake Security via Legacy Agent",
- "publisher": "Arista Networks",
- "descriptionMarkdown": "The Awake Security CEF connector allows users to send detection model matches from the Awake Security Platform to Microsoft Sentinel. Remediate threats quickly with the power of network detection and response and speed up investigations with deep visibility especially into unmanaged entities including users, devices and applications on your network. The connector also enables the creation of network security-focused custom alerts, incidents, workbooks and notebooks that align with your existing security operations workflows. ",
- "graphQueries": [
- {
- "metricName": "Total data received",
- "legend": "AwakeSecurity",
- "baseQuery": "CommonSecurityLog\n| where DeviceVendor == \"Arista Networks\"\n| where DeviceProduct == \"Awake Security\""
- }
- ],
- "sampleQueries": [
- {
- "description": "Top 5 Adversarial Model Matches by Severity",
- "query": "union CommonSecurityLog\n| where DeviceVendor == \"Arista Networks\" and DeviceProduct == \"Awake Security\"\n| summarize TotalActivities=sum(EventCount) by Activity,LogSeverity\n| top 5 by LogSeverity desc"
- },
- {
- "description": "Top 5 Devices by Device Risk Score",
- "query": "CommonSecurityLog\r\n| where DeviceVendor == \"Arista Networks\" and DeviceProduct == \"Awake Security\"\r\n| extend DeviceCustomNumber1 = coalesce(column_ifexists(\"FieldDeviceCustomNumber1\", long(null)), DeviceCustomNumber1, long(null))\r\n| summarize MaxDeviceRiskScore=max(DeviceCustomNumber1),TimesAlerted=count() by SourceHostName=coalesce(SourceHostName,\"Unknown\")\r\n| top 5 by MaxDeviceRiskScore desc"
- }
- ],
- "dataTypes": [
- {
- "name": "CommonSecurityLog (AwakeSecurity)",
- "lastDataReceivedQuery": "CommonSecurityLog\n| where DeviceVendor == \"Arista Networks\"\n| where DeviceProduct == \"Awake Security\"\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "CommonSecurityLog\n| where DeviceVendor == \"Arista Networks\"\n| where DeviceProduct == \"Awake Security\"\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(30d)"
- ]
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "read": true,
- "write": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ]
- },
- "instructionSteps": [
- {
- "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
- "innerSteps": [
- {
- "title": "1.1 Select or create a Linux machine",
- "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds."
- },
- {
- "title": "1.2 Install the CEF collector on the Linux machine",
- "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId",
- "PrimaryKey"
- ],
- "label": "Run the following command to install and apply the CEF collector:",
- "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}"
- },
- "type": "CopyableLabel"
- }
- ]
- }
- ],
- "title": "1. Linux Syslog agent configuration"
- },
- {
- "description": "Perform the following steps to forward Awake Adversarial Model match results to a CEF collector listening on TCP port **514** at IP **192.168.0.1**:\n- Navigate to the Detection Management Skills page in the Awake UI.\n- Click + Add New Skill.\n- Set the Expression field to,\n>integrations.cef.tcp { destination: \"192.168.0.1\", port: 514, secure: false, severity: Warning }\n- Set the Title field to a descriptive name like,\n>Forward Awake Adversarial Model match result to Microsoft Sentinel.\n- Set the Reference Identifier to something easily discoverable like,\n>integrations.cef.sentinel-forwarder\n- Click Save.\n\nNote: Within a few minutes of saving the definition and other fields the system will begin sending new model match results to the CEF events collector as they are detected.\n\nFor more information, refer to the **Adding a Security Information and Event Management Push Integration** page from the Help Documentation in the Awake UI.",
- "title": "2. Forward Awake Adversarial Model match results to a CEF collector."
- },
- {
- "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId"
- ],
- "label": "Run the following command to validate your connectivity:",
- "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}"
- },
- "type": "CopyableLabel"
- }
- ],
- "title": "3. Validate connection"
- },
- {
- "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
- "title": "4. Secure your machine "
- }
- ],
- "metadata": {
- "id": "69203ebb-3834-43bf-9cdd-2936c4e6ae79",
- "version": "1.0.0",
- "kind": "dataConnector",
- "source": {
- "kind": "solution",
- "name": "Awake Security"
- },
- "author": {
- "name": "Awake Security"
- },
- "support": {
- "tier": "developer",
- "name": "Arista - Awake Security",
- "email": "support-security@arista.com",
- "link": "https://awakesecurity.com/"
- }
- }
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion1')]",
- "source": {
- "kind": "Solution",
- "name": "AristaAwakeSecurity",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Arista Networks",
- "email": "[variables('_email')]"
- },
- "support": {
- "name": "Arista - Awake Security",
- "email": "support-security@arista.com",
- "tier": "Partner",
- "link": "https://awakesecurity.com/"
- }
- }
- }
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "contentKind": "DataConnector",
- "displayName": "[Deprecated] Awake Security via Legacy Agent",
- "contentProductId": "[variables('_dataConnectorcontentProductId1')]",
- "id": "[variables('_dataConnectorcontentProductId1')]",
- "version": "[variables('dataConnectorVersion1')]"
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
- "dependsOn": [
- "[variables('_dataConnectorId1')]"
- ],
- "location": "[parameters('workspace-location')]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion1')]",
- "source": {
- "kind": "Solution",
- "name": "AristaAwakeSecurity",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Arista Networks",
- "email": "[variables('_email')]"
- },
- "support": {
- "name": "Arista - Awake Security",
- "email": "support-security@arista.com",
- "tier": "Partner",
- "link": "https://awakesecurity.com/"
- }
- }
- },
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
- "properties": {
- "connectorUiConfig": {
- "title": "[Deprecated] Awake Security via Legacy Agent",
- "publisher": "Arista Networks",
- "descriptionMarkdown": "The Awake Security CEF connector allows users to send detection model matches from the Awake Security Platform to Microsoft Sentinel. Remediate threats quickly with the power of network detection and response and speed up investigations with deep visibility especially into unmanaged entities including users, devices and applications on your network. The connector also enables the creation of network security-focused custom alerts, incidents, workbooks and notebooks that align with your existing security operations workflows. ",
- "graphQueries": [
- {
- "metricName": "Total data received",
- "legend": "AwakeSecurity",
- "baseQuery": "CommonSecurityLog\n| where DeviceVendor == \"Arista Networks\"\n| where DeviceProduct == \"Awake Security\""
- }
- ],
- "dataTypes": [
- {
- "name": "CommonSecurityLog (AwakeSecurity)",
- "lastDataReceivedQuery": "CommonSecurityLog\n| where DeviceVendor == \"Arista Networks\"\n| where DeviceProduct == \"Awake Security\"\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "CommonSecurityLog\n| where DeviceVendor == \"Arista Networks\"\n| where DeviceProduct == \"Awake Security\"\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(30d)"
- ]
- }
- ],
- "sampleQueries": [
- {
- "description": "Top 5 Adversarial Model Matches by Severity",
- "query": "union CommonSecurityLog\n| where DeviceVendor == \"Arista Networks\" and DeviceProduct == \"Awake Security\"\n| summarize TotalActivities=sum(EventCount) by Activity,LogSeverity\n| top 5 by LogSeverity desc"
- },
- {
- "description": "Top 5 Devices by Device Risk Score",
- "query": "CommonSecurityLog\r\n| where DeviceVendor == \"Arista Networks\" and DeviceProduct == \"Awake Security\"\r\n| extend DeviceCustomNumber1 = coalesce(column_ifexists(\"FieldDeviceCustomNumber1\", long(null)), DeviceCustomNumber1, long(null))\r\n| summarize MaxDeviceRiskScore=max(DeviceCustomNumber1),TimesAlerted=count() by SourceHostName=coalesce(SourceHostName,\"Unknown\")\r\n| top 5 by MaxDeviceRiskScore desc"
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "read": true,
- "write": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ]
- },
- "instructionSteps": [
- {
- "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
- "innerSteps": [
- {
- "title": "1.1 Select or create a Linux machine",
- "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds."
- },
- {
- "title": "1.2 Install the CEF collector on the Linux machine",
- "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId",
- "PrimaryKey"
- ],
- "label": "Run the following command to install and apply the CEF collector:",
- "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}"
- },
- "type": "CopyableLabel"
- }
- ]
- }
- ],
- "title": "1. Linux Syslog agent configuration"
- },
- {
- "description": "Perform the following steps to forward Awake Adversarial Model match results to a CEF collector listening on TCP port **514** at IP **192.168.0.1**:\n- Navigate to the Detection Management Skills page in the Awake UI.\n- Click + Add New Skill.\n- Set the Expression field to,\n>integrations.cef.tcp { destination: \"192.168.0.1\", port: 514, secure: false, severity: Warning }\n- Set the Title field to a descriptive name like,\n>Forward Awake Adversarial Model match result to Microsoft Sentinel.\n- Set the Reference Identifier to something easily discoverable like,\n>integrations.cef.sentinel-forwarder\n- Click Save.\n\nNote: Within a few minutes of saving the definition and other fields the system will begin sending new model match results to the CEF events collector as they are detected.\n\nFor more information, refer to the **Adding a Security Information and Event Management Push Integration** page from the Help Documentation in the Awake UI.",
- "title": "2. Forward Awake Adversarial Model match results to a CEF collector."
- },
- {
- "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId"
- ],
- "label": "Run the following command to validate your connectivity:",
- "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}"
- },
- "type": "CopyableLabel"
- }
- ],
- "title": "3. Validate connection"
- },
- {
- "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
- "title": "4. Secure your machine "
- }
- ],
- "id": "[variables('_uiConfigId1')]"
- }
- }
- },
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
@@ -452,7 +84,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "HighMatchCountsByDevice_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "description": "HighMatchCountsByDevice_AnalyticalRules Analytics Rule with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@@ -479,12 +111,6 @@
"triggerThreshold": 0,
"status": "Available",
"requiredDataConnectors": [
- {
- "connectorId": "AristaAwakeSecurity",
- "dataTypes": [
- "CommonSecurityLog (AwakeSecurity)"
- ]
- },
{
"connectorId": "CefAma",
"dataTypes": [
@@ -496,8 +122,8 @@
{
"fieldMappings": [
{
- "identifier": "HostName",
- "columnName": "SourceHostName"
+ "columnName": "SourceHostName",
+ "identifier": "HostName"
}
],
"entityType": "Host"
@@ -505,8 +131,8 @@
{
"fieldMappings": [
{
- "identifier": "Address",
- "columnName": "SourceIPs"
+ "columnName": "SourceIPs",
+ "identifier": "Address"
}
],
"entityType": "IP"
@@ -516,32 +142,32 @@
"aggregationKind": "AlertPerResult"
},
"customDetails": {
- "Matches_Max_Severity": "MaxSeverity",
- "Device": "SourceHostName",
+ "Matches_ASP_URLs": "ASPMatchURLs",
"Matches_Dest_IPs": "DestinationIPs",
- "Matched_Models": "Models",
"Matches_Count": "ModelMatchCount",
- "Matches_ASP_URLs": "ASPMatchURLs"
+ "Device": "SourceHostName",
+ "Matches_Max_Severity": "MaxSeverity",
+ "Matched_Models": "Models"
},
"alertDetailsOverride": {
- "alertSeverityColumnName": "SeverityName",
"alertDescriptionFormat": "The following Awake model(s):\n\n{{Models}}\n\nmatched {{ModelMatchCount}} activities, an unexpectedly large number. The destination IPs associated with these matches were:\n\n{{DestinationIPs}}",
- "alertDisplayNameFormat": "Awake Security - High Model Match Counts On Device {{SourceHostName}}"
+ "alertDisplayNameFormat": "Awake Security - High Model Match Counts On Device {{SourceHostName}}",
+ "alertSeverityColumnName": "SeverityName"
},
"incidentConfiguration": {
- "createIncident": true,
"groupingConfiguration": {
- "reopenClosedIncident": true,
+ "enabled": true,
"lookbackDuration": "3d",
+ "groupByEntities": [
+ "Host"
+ ],
"matchingMethod": "Selected",
- "enabled": true,
"groupByCustomDetails": [
"Device"
],
- "groupByEntities": [
- "Host"
- ]
- }
+ "reopenClosedIncident": true
+ },
+ "createIncident": true
}
}
},
@@ -596,7 +222,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "HighSeverityMatchesByDevice_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "description": "HighSeverityMatchesByDevice_AnalyticalRules Analytics Rule with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
@@ -623,12 +249,6 @@
"triggerThreshold": 0,
"status": "Available",
"requiredDataConnectors": [
- {
- "connectorId": "AristaAwakeSecurity",
- "dataTypes": [
- "CommonSecurityLog (AwakeSecurity)"
- ]
- },
{
"connectorId": "CefAma",
"dataTypes": [
@@ -640,8 +260,8 @@
{
"fieldMappings": [
{
- "identifier": "HostName",
- "columnName": "SourceHostName"
+ "columnName": "SourceHostName",
+ "identifier": "HostName"
}
],
"entityType": "Host"
@@ -649,8 +269,8 @@
{
"fieldMappings": [
{
- "identifier": "Address",
- "columnName": "SourceIPs"
+ "columnName": "SourceIPs",
+ "identifier": "Address"
}
],
"entityType": "IP"
@@ -660,32 +280,32 @@
"aggregationKind": "AlertPerResult"
},
"customDetails": {
- "Matches_Max_Severity": "MaxSeverity",
- "Device": "SourceHostName",
+ "Matches_ASP_URLs": "ASPMatchURLs",
"Matches_Dest_IPs": "DestinationIPs",
- "Matched_Models": "Models",
"Matches_Count": "ModelMatchCount",
- "Matches_ASP_URLs": "ASPMatchURLs"
+ "Device": "SourceHostName",
+ "Matches_Max_Severity": "MaxSeverity",
+ "Matched_Models": "Models"
},
"alertDetailsOverride": {
- "alertSeverityColumnName": "MaxSeverity",
"alertDescriptionFormat": "Device {{SourceHostName}} matched the following high-severity Awake model(s):\n\n{{Models}}\n\nThe destination IPs associated with these matches were:\n\n{{DestinationIPs}}\n",
- "alertDisplayNameFormat": "Awake Security - High Severity Matches On Device {{SourceHostName}}"
+ "alertDisplayNameFormat": "Awake Security - High Severity Matches On Device {{SourceHostName}}",
+ "alertSeverityColumnName": "MaxSeverity"
},
"incidentConfiguration": {
- "createIncident": true,
"groupingConfiguration": {
- "reopenClosedIncident": true,
+ "enabled": true,
"lookbackDuration": "3d",
+ "groupByEntities": [
+ "Host"
+ ],
"matchingMethod": "Selected",
- "enabled": true,
"groupByCustomDetails": [
"Device"
],
- "groupByEntities": [
- "Host"
- ]
- }
+ "reopenClosedIncident": true
+ },
+ "createIncident": true
}
}
},
@@ -740,7 +360,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ModelMatchesWithMultipleDestinationsByDevice_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "description": "ModelMatchesWithMultipleDestinationsByDevice_AnalyticalRules Analytics Rule with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]",
@@ -767,12 +387,6 @@
"triggerThreshold": 0,
"status": "Available",
"requiredDataConnectors": [
- {
- "connectorId": "AristaAwakeSecurity",
- "dataTypes": [
- "CommonSecurityLog (AwakeSecurity)"
- ]
- },
{
"connectorId": "CefAma",
"dataTypes": [
@@ -784,8 +398,8 @@
{
"fieldMappings": [
{
- "identifier": "HostName",
- "columnName": "SourceHostName"
+ "columnName": "SourceHostName",
+ "identifier": "HostName"
}
],
"entityType": "Host"
@@ -793,8 +407,8 @@
{
"fieldMappings": [
{
- "identifier": "Address",
- "columnName": "SourceIPs"
+ "columnName": "SourceIPs",
+ "identifier": "Address"
}
],
"entityType": "IP"
@@ -804,31 +418,31 @@
"aggregationKind": "AlertPerResult"
},
"customDetails": {
- "Matches_Max_Severity": "MaxSeverity",
- "Device": "SourceHostName",
+ "Matches_ASP_URLs": "ASPMatchURLs",
"Matches_Dest_IPs": "DestinationIPs",
- "Matched_Models": "Models",
"Matches_Count": "ModelMatchCount",
- "Matches_ASP_URLs": "ASPMatchURLs"
+ "Device": "SourceHostName",
+ "Matches_Max_Severity": "MaxSeverity",
+ "Matched_Models": "Models"
},
"alertDetailsOverride": {
"alertDescriptionFormat": "Device {{SourceHostName}} communicated with multiple possibly malicious destinations. The destination IPs were:\n\n{{DestinationIPs}}\n\nThe associated with Awake model(s) were:\n\n{{Models}}\n",
"alertDisplayNameFormat": "Awake Security - Model Matches With Multiple Destinations On Device {{SourceHostName}}"
},
"incidentConfiguration": {
- "createIncident": true,
"groupingConfiguration": {
- "reopenClosedIncident": true,
+ "enabled": true,
"lookbackDuration": "3d",
+ "groupByEntities": [
+ "Host"
+ ],
"matchingMethod": "Selected",
- "enabled": true,
"groupByCustomDetails": [
"Device"
],
- "groupByEntities": [
- "Host"
- ]
- }
+ "reopenClosedIncident": true
+ },
+ "createIncident": true
}
}
},
@@ -883,7 +497,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AristaAwakeSecurityWorkbook Workbook with template version 3.0.0",
+ "description": "AristaAwakeSecurityWorkbook Workbook with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion1')]",
@@ -971,12 +585,12 @@
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
- "version": "3.0.0",
+ "version": "3.0.1",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "AristaAwakeSecurity",
"publisherDisplayName": "Arista - Awake Security",
- "descriptionHtml": "
Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Awake Security Arista Networks solution for Microsoft Sentinel enable users to send detection model matches from the Awake Security Platform to Microsoft Sentinel.
\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.
\nNOTE: Microsoft recommends installation of CEF via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024, and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.
\nData Connectors: 1, Workbooks: 1, Analytic Rules: 3
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
+ "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Awake Security Arista Networks solution for Microsoft Sentinel enable users to send detection model matches from the Awake Security Platform to Microsoft Sentinel.
\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.
\nNOTE: Microsoft recommends installation of CEF via AMA Connector. Legacy connector uses the Log Analytics agent which were deprecated on Aug 31, 2024. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.
\nWorkbooks: 1, Analytic Rules: 3
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
"contentKind": "Solution",
"contentProductId": "[variables('_solutioncontentProductId')]",
"id": "[variables('_solutioncontentProductId')]",
@@ -1000,11 +614,6 @@
},
"dependencies": {
"criteria": [
- {
- "kind": "DataConnector",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "version": "[variables('dataConnectorVersion1')]"
- },
{
"kind": "AnalyticsRule",
"contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
diff --git a/Solutions/AristaAwakeSecurity/ReleaseNotes.md b/Solutions/AristaAwakeSecurity/ReleaseNotes.md
index 0e86091779a..21180f026e0 100644
--- a/Solutions/AristaAwakeSecurity/ReleaseNotes.md
+++ b/Solutions/AristaAwakeSecurity/ReleaseNotes.md
@@ -1,3 +1,4 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|------------------------------------------------|
+| 3.0.1 | 03-01-2025 | Removed Deprecated **Data connector** |
| 3.0.0 | 09-07-2024 | Deprecating data connectors. |
diff --git a/Solutions/Nasuni/Analytic Rules/RansomwareAttackDetected.yaml b/Solutions/Nasuni/Analytic Rules/RansomwareAttackDetected.yaml
index c999b916d40..54bc8395551 100644
--- a/Solutions/Nasuni/Analytic Rules/RansomwareAttackDetected.yaml
+++ b/Solutions/Nasuni/Analytic Rules/RansomwareAttackDetected.yaml
@@ -4,9 +4,6 @@ description: 'Identifies ransomware attacks detected by the Ransomware Protectio
kind: Scheduled
severity: High
requiredDataConnectors:
- - connectorId: NasuniEdgeAppliance
- datatypes:
- - Syslog
- connectorId: SyslogAma
datatypes:
- Syslog
@@ -50,4 +47,4 @@ entityMappings:
columnName: pattern
suppressionDuration: 5h
suppressionEnabled: false
-version: 1.0.2
\ No newline at end of file
+version: 1.0.3
\ No newline at end of file
diff --git a/Solutions/Nasuni/Analytic Rules/RansomwareClientBlocked.yaml b/Solutions/Nasuni/Analytic Rules/RansomwareClientBlocked.yaml
index f8f1b03f330..5829b44d92e 100644
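Review bot: The rewritten `descriptionHtml` on the new side still carries a NOTE paragraph about a legacy connector that this very change removes from the solution, so a fresh install is given guidance for a component it no longer ships, and "which were deprecated on Aug 31, 2024" should read "which was deprecated". A replacement for that sentence that matches what the package now contains: `Legacy connectors based on the Log Analytics agent (MMA) were deprecated on Aug 31, 2024 and are no longer included in this solution; use the CEF via AMA connector.` The same NOTE sentence is repeated in the Nasuni and Trend Micro Deep Security descriptions later in this diff, and the Trend Micro one additionally keeps "and thus should only be installed where AMA is not supported", which directly contradicts the removal of the legacy connector and should be dropped. The solution `version` bump to 3.0.1 here agrees with the 3.0.1 row added to the Arista ReleaseNotes, so only the wording needs attention.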
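Review bot: With the `DataConnector` criterion deleted from `dependencies.criteria`, the only remaining mechanism that can bring the CEF via AMA connector into a workspace is a `"kind": "Solution"` dependency on the Common Event Format solution, and this hunk ends before the rest of the `criteria` array is visible, so I cannot confirm one is declared. The description promises that the CEF solution is installed as part of this installation, and all three analytic rules now list only `CefAma` in `requiredDataConnectors`; if that Solution dependency is missing, the rules deploy against a `CommonSecurityLog` table that nothing feeds and the detections fail silently. The Nasuni template's equivalent hunk shows the expected shape with its `azuresentinel.azure-sentinel-solution-syslog` entry, and the Arista array should carry the analogous entry for the CEF solution.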
--- a/Solutions/Nasuni/Analytic Rules/RansomwareClientBlocked.yaml
+++ b/Solutions/Nasuni/Analytic Rules/RansomwareClientBlocked.yaml
@@ -4,9 +4,6 @@ description: 'Identifies malicious clients blocked by the Ransomware Protection
kind: Scheduled
severity: High
requiredDataConnectors:
- - connectorId: NasuniEdgeAppliance
- datatypes:
- - Syslog
- connectorId: SyslogAma
datatypes:
- Syslog
@@ -47,4 +44,4 @@ entityMappings:
columnName: SrcIpAddr
suppressionDuration: 5h
suppressionEnabled: false
-version: 1.0.2
\ No newline at end of file
+version: 1.0.3
\ No newline at end of file
diff --git a/Solutions/Nasuni/Data/Solution_Nasuni.json b/Solutions/Nasuni/Data/Solution_Nasuni.json
index 60a20dceba6..db0105f1161 100644
--- a/Solutions/Nasuni/Data/Solution_Nasuni.json
+++ b/Solutions/Nasuni/Data/Solution_Nasuni.json
@@ -2,7 +2,7 @@
"Name": "Nasuni",
"Author": "Nasuni - support@nasuni.com",
"Logo": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Nasuni solution for Microsoft Sentinel allows you to analyze Nasuni audit events and Notifications collected via Syslog. It includes analytics rules to automatically generate Incidents when a ransomware attack is detected and perform appropriate entity mapping.
\nThis solution is dependent on the Syslog solution containing the Syslog via AMA connector to collect the logs. The Syslog solution will be installed as part of this solution installation.
\nNOTE: Microsoft recommends installation of Syslog via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.
\nData Connectors: 1, Analytic Rules: 2, Hunting Queries: 1
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
+ "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Nasuni solution for Microsoft Sentinel allows you to analyze Nasuni audit events and Notifications collected via Syslog. It includes analytics rules to automatically generate Incidents when a ransomware attack is detected and perform appropriate entity mapping.
\nThis solution is dependent on the Syslog solution containing the Syslog via AMA connector to collect the logs. The Syslog solution will be installed as part of this solution installation.
\nNOTE: Microsoft recommends installation of Syslog via AMA Connector. Legacy connector uses the Log Analytics agent which were deprecated on Aug 31, 2024. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.
\nAnalytic Rules: 2, Hunting Queries: 1
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
"contentKind": "Solution",
"contentProductId": "[variables('_solutioncontentProductId')]",
"id": "[variables('_solutioncontentProductId')]",
@@ -794,11 +440,6 @@
"contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]",
"version": "[variables('huntingQueryObject1').huntingQueryVersion1]"
},
- {
- "kind": "DataConnector",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "version": "[variables('dataConnectorVersion1')]"
- },
{
"kind": "Solution",
"contentId": "azuresentinel.azure-sentinel-solution-syslog"
diff --git a/Solutions/Nasuni/ReleaseNotes.md b/Solutions/Nasuni/ReleaseNotes.md
index c009cd81672..a5f610794e8 100644
--- a/Solutions/Nasuni/ReleaseNotes.md
+++ b/Solutions/Nasuni/ReleaseNotes.md
@@ -1,5 +1,6 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|---------------------------------------------|
+| 3.0.3 | 03-01-2025 | Removed Deprecated **Data connector** |
| 3.0.2 | 18-07-2024 | Deprecating data connectors |
| 3.0.1 | 02-08-2023 | Solution Id and Tier Updated |
| 3.0.0 | 14-07-2023 | Initial Solution Release |
\ No newline at end of file
diff --git a/Solutions/Trend Micro Deep Security/Data/Solution_TrendMicroDeepSecurityTemplateSpec.json b/Solutions/Trend Micro Deep Security/Data/Solution_TrendMicroDeepSecurityTemplateSpec.json
index 5fab94a8f3d..9fed9bbffbb 100644
--- a/Solutions/Trend Micro Deep Security/Data/Solution_TrendMicroDeepSecurityTemplateSpec.json
+++ b/Solutions/Trend Micro Deep Security/Data/Solution_TrendMicroDeepSecurityTemplateSpec.json
@@ -2,10 +2,7 @@
"Name": "Trend Micro Deep Security",
"Author": "Trend Micro",
"Logo": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Trend Micro Deep Security solution for Microsoft Sentinel enables you to ingest Deep Security logs into Microsoft Sentinel, using the Common Event Format (CEF) for Security Monitoring.
\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.
\nNOTE: Microsoft recommends installation of CEF via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024, and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.
\nData Connectors: 1, Parsers: 1, Workbooks: 2
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
+ "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Trend Micro Deep Security solution for Microsoft Sentinel enables you to ingest Deep Security logs into Microsoft Sentinel, using the Common Event Format (CEF) for Security Monitoring.
\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.
\nNOTE: Microsoft recommends installation of CEF via AMA Connector. Legacy connector uses the Log Analytics agent which were deprecated on Aug 31, 2024. and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.
\nParsers: 1, Workbooks: 2
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
"contentKind": "Solution",
"contentProductId": "[variables('_solutioncontentProductId')]",
"id": "[variables('_solutioncontentProductId')]",
@@ -809,11 +413,6 @@
},
"dependencies": {
"criteria": [
- {
- "kind": "DataConnector",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "version": "[variables('dataConnectorVersion1')]"
- },
{
"kind": "Workbook",
"contentId": "[variables('_workbookContentId1')]",
diff --git a/Solutions/Trend Micro Deep Security/ReleaseNotes.md b/Solutions/Trend Micro Deep Security/ReleaseNotes.md
index 4cc5b799798..ff09f0b1e8d 100644
--- a/Solutions/Trend Micro Deep Security/ReleaseNotes.md
+++ b/Solutions/Trend Micro Deep Security/ReleaseNotes.md
@@ -1,5 +1,6 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|--------------------------------------------------------------------|
+| 3.0.1 | 03-01-2025 | Removed Deprecated **Data connector** |
| 3.0.0 | 27-06-2024 | Deprecating data connectors |
| 2.0.1 | 11-11-2022 | Updated OfferId |
| 2.0.0 | 20-07-2022 | Initial Package |
\ No newline at end of file