diff --git a/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-DataExfiltrationAttack.yaml b/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-DataExfiltrationAttack.yaml
index e26856e33a5..a4ef5c712fe 100644
--- a/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-DataExfiltrationAttack.yaml
+++ b/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-DataExfiltrationAttack.yaml
@@ -5,12 +5,6 @@ description: |
severity: Medium
status: Available
requiredDataConnectors:
- - connectorId: InfobloxCloudDataConnector
- dataTypes:
- - CommonSecurityLog (InfobloxCDC)
- - connectorId: InfobloxCloudDataConnectorAma
- dataTypes:
- - CommonSecurityLog (InfobloxCDC)
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
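Review bot: After the two Infoblox-specific entries are dropped, the only requirement left at the end of the hunk (`connectorId: CefAma` / `CommonSecurityLog`) no longer distinguishes Infoblox-sourced CEF from any other CEF feed, so the template's data-source readiness check will report this rule as connected in any workspace receiving CEF via AMA, while the query (outside the hunk) presumably still depends on the solution's `Parsers/InfobloxCDC.yaml` parser and on parser-derived columns such as `InfobloxB1FeedName` and `InfobloxB1PolicyName` that the generated mainTemplate maps into entities and customDetails. Keeping `CefAma` as the declared connector is correct now that the dedicated connectors are deprecated, but the dependency should be stated where operators will read it: the rule `description` block (which the hunk header shows starts above this hunk) could carry a sentence such as `Requires Infoblox BloxOne logs forwarded through the CEF via AMA connector and parsed by the InfobloxCDC parser; data from other CEF sources will not match.` The same deletion, with the same missing note, appears in the other seven analytic-rule files in this diff (HighThreatLevelQueryNotBlockedDetected, ManyHighThreatLevelQueriesFromSingleHostDetected, ManyHighThreatLevelSingleQueryDetected, ManyNXDOMAINDNSResponsesDetected, TI-CommonSecurityLogMatchFound-MalwareC2, TI-InfobloxCDCMatchFound-LookalikeDomains, TI-SyslogMatchFound-URL).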
@@ -68,5 +62,5 @@ incidentConfiguration:
reopenClosedIncident: true
lookbackDuration: 7d
matchingMethod: AllEntities
-version: 1.0.2
+version: 1.0.3
kind: Scheduled
diff --git a/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-HighThreatLevelQueryNotBlockedDetected.yaml b/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-HighThreatLevelQueryNotBlockedDetected.yaml
index 34e9ac07504..80256f3abd1 100644
--- a/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-HighThreatLevelQueryNotBlockedDetected.yaml
+++ b/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-HighThreatLevelQueryNotBlockedDetected.yaml
@@ -5,12 +5,6 @@ description: |
severity: Medium
status: Available
requiredDataConnectors:
- - connectorId: InfobloxCloudDataConnector
- dataTypes:
- - CommonSecurityLog (InfobloxCDC)
- - connectorId: InfobloxCloudDataConnectorAma
- dataTypes:
- - CommonSecurityLog (InfobloxCDC)
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
@@ -69,5 +63,5 @@ eventGroupingSettings:
aggregationKind: SingleAlert
incidentConfiguration:
createIncident: true
-version: 1.0.3
+version: 1.0.4
kind: Scheduled
diff --git a/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-ManyHighThreatLevelQueriesFromSingleHostDetected.yaml b/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-ManyHighThreatLevelQueriesFromSingleHostDetected.yaml
index 212d106f8ad..09db9141206 100644
--- a/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-ManyHighThreatLevelQueriesFromSingleHostDetected.yaml
+++ b/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-ManyHighThreatLevelQueriesFromSingleHostDetected.yaml
@@ -5,12 +5,6 @@ description: |
severity: Medium
status: Available
requiredDataConnectors:
- - connectorId: InfobloxCloudDataConnector
- dataTypes:
- - CommonSecurityLog (InfobloxCDC)
- - connectorId: InfobloxCloudDataConnectorAma
- dataTypes:
- - CommonSecurityLog (InfobloxCDC)
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
@@ -53,5 +47,5 @@ eventGroupingSettings:
aggregationKind: SingleAlert
incidentConfiguration:
createIncident: true
-version: 1.0.2
+version: 1.0.3
kind: Scheduled
diff --git a/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-ManyHighThreatLevelSingleQueryDetected.yaml b/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-ManyHighThreatLevelSingleQueryDetected.yaml
index 03ddbbdcf27..0beb3049eaa 100644
--- a/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-ManyHighThreatLevelSingleQueryDetected.yaml
+++ b/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-ManyHighThreatLevelSingleQueryDetected.yaml
@@ -5,12 +5,6 @@ description: |
severity: Medium
status: Available
requiredDataConnectors:
- - connectorId: InfobloxCloudDataConnector
- dataTypes:
- - CommonSecurityLog (InfobloxCDC)
- - connectorId: InfobloxCloudDataConnectorAma
- dataTypes:
- - CommonSecurityLog (InfobloxCDC)
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
@@ -53,5 +47,5 @@ eventGroupingSettings:
aggregationKind: SingleAlert
incidentConfiguration:
createIncident: true
-version: 1.0.3
+version: 1.0.4
kind: Scheduled
diff --git a/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-ManyNXDOMAINDNSResponsesDetected.yaml b/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-ManyNXDOMAINDNSResponsesDetected.yaml
index b1647947f98..e0db34a65e3 100644
--- a/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-ManyNXDOMAINDNSResponsesDetected.yaml
+++ b/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-ManyNXDOMAINDNSResponsesDetected.yaml
@@ -5,12 +5,6 @@ description: |
severity: Medium
status: Available
requiredDataConnectors:
- - connectorId: InfobloxCloudDataConnector
- dataTypes:
- - CommonSecurityLog (InfobloxCDC)
- - connectorId: InfobloxCloudDataConnectorAma
- dataTypes:
- - CommonSecurityLog (InfobloxCDC)
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
@@ -53,5 +47,5 @@ eventGroupingSettings:
aggregationKind: SingleAlert
incidentConfiguration:
createIncident: true
-version: 1.0.2
+version: 1.0.3
kind: Scheduled
diff --git a/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-TI-CommonSecurityLogMatchFound-MalwareC2.yaml b/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-TI-CommonSecurityLogMatchFound-MalwareC2.yaml
index 56331673e78..74e416f99f3 100644
--- a/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-TI-CommonSecurityLogMatchFound-MalwareC2.yaml
+++ b/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-TI-CommonSecurityLogMatchFound-MalwareC2.yaml
@@ -5,18 +5,9 @@ description: |
severity: Medium
status: Available
requiredDataConnectors:
- - connectorId: CEF
- dataTypes:
- - CommonSecurityLog
- connectorId: ThreatIntelligence
dataTypes:
- ThreatIntelligenceIndicator
- - connectorId: InfobloxCloudDataConnectorAma
- dataTypes:
- - CommonSecurityLog (InfobloxCDC)
- - connectorId: InfobloxCloudDataConnector
- dataTypes:
- - CommonSecurityLog (InfobloxCDC)
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
@@ -72,5 +63,5 @@ eventGroupingSettings:
aggregationKind: SingleAlert
incidentConfiguration:
createIncident: true
-version: 1.0.2
+version: 1.0.3
kind: Scheduled
diff --git a/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-TI-InfobloxCDCMatchFound-LookalikeDomains.yaml b/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-TI-InfobloxCDCMatchFound-LookalikeDomains.yaml
index 86dd8f05727..72006ec5636 100644
--- a/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-TI-InfobloxCDCMatchFound-LookalikeDomains.yaml
+++ b/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-TI-InfobloxCDCMatchFound-LookalikeDomains.yaml
@@ -5,15 +5,9 @@ description: |
severity: Medium
status: Available
requiredDataConnectors:
- - connectorId: InfobloxCloudDataConnector
- dataTypes:
- - CommonSecurityLog (InfobloxCDC)
- connectorId: ThreatIntelligence
dataTypes:
- ThreatIntelligenceIndicator
- - connectorId: InfobloxCloudDataConnectorAma
- dataTypes:
- - CommonSecurityLog (InfobloxCDC)
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
@@ -81,5 +75,5 @@ eventGroupingSettings:
aggregationKind: SingleAlert
incidentConfiguration:
createIncident: true
-version: 1.0.3
+version: 1.0.4
kind: Scheduled
diff --git a/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-TI-SyslogMatchFound-URL.yaml b/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-TI-SyslogMatchFound-URL.yaml
index b643d7c7875..23e41fc7224 100644
--- a/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-TI-SyslogMatchFound-URL.yaml
+++ b/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-TI-SyslogMatchFound-URL.yaml
@@ -11,12 +11,6 @@ requiredDataConnectors:
- connectorId: ThreatIntelligence
dataTypes:
- ThreatIntelligenceIndicator
- - connectorId: InfobloxCloudDataConnectorAma
- dataTypes:
- - CommonSecurityLog (InfobloxCDC)
- - connectorId: InfobloxCloudDataConnector
- dataTypes:
- - CommonSecurityLog (InfobloxCDC)
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
@@ -71,5 +65,5 @@ eventGroupingSettings:
aggregationKind: SingleAlert
incidentConfiguration:
createIncident: true
-version: 1.0.2
+version: 1.0.3
kind: Scheduled
diff --git a/Solutions/Infoblox Cloud Data Connector/Data/Solution_Infoblox.json b/Solutions/Infoblox Cloud Data Connector/Data/Solution_Infoblox.json
index 35363b5c6c6..5bba43a2e98 100644
--- a/Solutions/Infoblox Cloud Data Connector/Data/Solution_Infoblox.json
+++ b/Solutions/Infoblox Cloud Data Connector/Data/Solution_Infoblox.json
@@ -2,7 +2,7 @@
"Name": "Infoblox Cloud Data Connector",
"Author": "Microsoft - support@microsoft.com",
"Logo": "",
- "Description": "The [Infoblox](https://www.infoblox.com/) Cloud solution allows you to easily connect your Infoblox BloxOne data with Microsoft Sentinel. By connecting your logs to Microsoft Sentinel, you can take advantage of search & correlation, alerting, and threat intelligence enrichment for each log.\n\n This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024.**",
+ "Description": "The [Infoblox](https://www.infoblox.com/) Cloud solution allows you to easily connect your Infoblox BloxOne data with Microsoft Sentinel. By connecting your logs to Microsoft Sentinel, you can take advantage of search & correlation, alerting, and threat intelligence enrichment for each log.\n\n This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors were deprecated on **Aug 31, 2024.**",
"Workbooks": [
"Workbooks/InfobloxCDCB1TDWorkbook.json"
],
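Review bot: The rewritten NOTE in the new `Description` string still says "The existing connectors were deprecated" even though this commit removes the only connectors that sentence could refer to (the `Data Connectors` list dropped in the next hunk), so a marketplace reader can no longer tell which connectors are meant or what replaced them; naming them keeps the sentence meaningful, e.g. `**NOTE:** The Infoblox Cloud Data Connector and its AMA variant were deprecated on **Aug 31, 2024**; ingest logs through the CEF via AMA connector instead.` The removed list pointed at `Data Connectors/InfobloxCloudDataConnector.json` and `Data Connectors/template_InfobloxCloudDataConnectorAMA.json`; this diff shows no deletion of those two files, so if they are still in the tree after this change they become orphaned definitions that the packager no longer validates and should be removed or explicitly retained with a reason. If the 3.0.5 entry in `ReleaseNotes.md` (linked from the solution description) is not part of this change, the connector removal belongs there too, since existing installs lose two connector definitions on upgrade.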
@@ -16,10 +16,6 @@
"Analytic Rules/Infoblox-TI-InfobloxCDCMatchFound-LookalikeDomains.yaml",
"Analytic Rules/Infoblox-TI-SyslogMatchFound-URL.yaml"
],
- "Data Connectors": [
- "Data Connectors/InfobloxCloudDataConnector.json",
- "Data Connectors/template_InfobloxCloudDataConnectorAMA.json"
- ],
"Parsers": [
"Parsers/InfobloxCDC.yaml"
],
diff --git a/Solutions/Infoblox Cloud Data Connector/Package/3.0.5.zip b/Solutions/Infoblox Cloud Data Connector/Package/3.0.5.zip
new file mode 100644
index 00000000000..e6a5b09e64a
Binary files /dev/null and b/Solutions/Infoblox Cloud Data Connector/Package/3.0.5.zip differ
diff --git a/Solutions/Infoblox Cloud Data Connector/Package/createUiDefinition.json b/Solutions/Infoblox Cloud Data Connector/Package/createUiDefinition.json
index 056630bce48..6636b67d52e 100644
--- a/Solutions/Infoblox Cloud Data Connector/Package/createUiDefinition.json
+++ b/Solutions/Infoblox Cloud Data Connector/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
- "description": "
\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Infoblox%20Cloud%20Data%20Connector/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Infoblox](https://www.infoblox.com/) Cloud solution allows you to easily connect your Infoblox BloxOne data with Microsoft Sentinel. By connecting your logs to Microsoft Sentinel, you can take advantage of search & correlation, alerting, and threat intelligence enrichment for each log.\n\n This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024.**\n\n**Data Connectors:** 2, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 8, **Playbooks:** 11\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "
\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Infoblox%20Cloud%20Data%20Connector/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Infoblox](https://www.infoblox.com/) Cloud solution allows you to easily connect your Infoblox BloxOne data with Microsoft Sentinel. By connecting your logs to Microsoft Sentinel, you can take advantage of search & correlation, alerting, and threat intelligence enrichment for each log.\n\n This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors were deprecated on **Aug 31, 2024.**\n\n**Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 8, **Playbooks:** 11\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
@@ -51,37 +51,6 @@
}
],
"steps": [
- {
- "name": "dataconnectors",
- "label": "Data Connectors",
- "bladeTitle": "Data Connectors",
- "elements": [
- {
- "name": "dataconnectors1-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "This Solution installs the data connector for Infoblox Cloud Data Connector. You can get Infoblox Cloud Data Connector CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
- }
- },
- {
- "name": "dataconnectors-parser-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel."
- }
- },
- {
- "name": "dataconnectors-link2",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "link": {
- "label": "Learn more about connecting data sources",
- "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
- }
- }
- }
- ]
- },
{
"name": "workbooks",
"label": "Workbooks",
diff --git a/Solutions/Infoblox Cloud Data Connector/Package/mainTemplate.json b/Solutions/Infoblox Cloud Data Connector/Package/mainTemplate.json
index 0ab555a6b90..b37939cf262 100644
--- a/Solutions/Infoblox Cloud Data Connector/Package/mainTemplate.json
+++ b/Solutions/Infoblox Cloud Data Connector/Package/mainTemplate.json
@@ -41,7 +41,7 @@
"email": "support@microsoft.com",
"_email": "[variables('email')]",
"_solutionName": "Infoblox Cloud Data Connector",
- "_solutionVersion": "3.0.4",
+ "_solutionVersion": "3.0.5",
"solutionId": "infoblox.infoblox-cdc-solution",
"_solutionId": "[variables('solutionId')]",
"workbookVersion1": "2.0.0",
@@ -52,79 +52,61 @@
"workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
"_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]",
"analyticRuleObject1": {
- "analyticRuleVersion1": "1.0.2",
+ "analyticRuleVersion1": "1.0.3",
"_analyticRulecontentId1": "8db2b374-0337-49bd-94c9-cfbf8e5d83ad",
"analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '8db2b374-0337-49bd-94c9-cfbf8e5d83ad')]",
"analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('8db2b374-0337-49bd-94c9-cfbf8e5d83ad')))]",
- "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','8db2b374-0337-49bd-94c9-cfbf8e5d83ad','-', '1.0.2')))]"
+ "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','8db2b374-0337-49bd-94c9-cfbf8e5d83ad','-', '1.0.3')))]"
},
"analyticRuleObject2": {
- "analyticRuleVersion2": "1.0.3",
+ "analyticRuleVersion2": "1.0.4",
"_analyticRulecontentId2": "dc7af829-d716-4774-9d6f-03d9aa7c27a4",
"analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'dc7af829-d716-4774-9d6f-03d9aa7c27a4')]",
"analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('dc7af829-d716-4774-9d6f-03d9aa7c27a4')))]",
- "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','dc7af829-d716-4774-9d6f-03d9aa7c27a4','-', '1.0.3')))]"
+ "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','dc7af829-d716-4774-9d6f-03d9aa7c27a4','-', '1.0.4')))]"
},
"analyticRuleObject3": {
- "analyticRuleVersion3": "1.0.2",
+ "analyticRuleVersion3": "1.0.3",
"_analyticRulecontentId3": "3822b794-fa89-4420-aad6-0e1a2307f419",
"analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '3822b794-fa89-4420-aad6-0e1a2307f419')]",
"analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('3822b794-fa89-4420-aad6-0e1a2307f419')))]",
- "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','3822b794-fa89-4420-aad6-0e1a2307f419','-', '1.0.2')))]"
+ "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','3822b794-fa89-4420-aad6-0e1a2307f419','-', '1.0.3')))]"
},
"analyticRuleObject4": {
- "analyticRuleVersion4": "1.0.3",
+ "analyticRuleVersion4": "1.0.4",
"_analyticRulecontentId4": "99278700-79ca-4b0f-b416-bf57ec699e1a",
"analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '99278700-79ca-4b0f-b416-bf57ec699e1a')]",
"analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('99278700-79ca-4b0f-b416-bf57ec699e1a')))]",
- "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','99278700-79ca-4b0f-b416-bf57ec699e1a','-', '1.0.3')))]"
+ "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','99278700-79ca-4b0f-b416-bf57ec699e1a','-', '1.0.4')))]"
},
"analyticRuleObject5": {
- "analyticRuleVersion5": "1.0.2",
+ "analyticRuleVersion5": "1.0.3",
"_analyticRulecontentId5": "b2f34315-9065-488e-88d0-a171d2b0da8e",
"analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'b2f34315-9065-488e-88d0-a171d2b0da8e')]",
"analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('b2f34315-9065-488e-88d0-a171d2b0da8e')))]",
- "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','b2f34315-9065-488e-88d0-a171d2b0da8e','-', '1.0.2')))]"
+ "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','b2f34315-9065-488e-88d0-a171d2b0da8e','-', '1.0.3')))]"
},
"analyticRuleObject6": {
- "analyticRuleVersion6": "1.0.2",
+ "analyticRuleVersion6": "1.0.3",
"_analyticRulecontentId6": "5b0864a9-4577-4087-b9fa-de3e14a8a999",
"analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '5b0864a9-4577-4087-b9fa-de3e14a8a999')]",
"analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('5b0864a9-4577-4087-b9fa-de3e14a8a999')))]",
- "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','5b0864a9-4577-4087-b9fa-de3e14a8a999','-', '1.0.2')))]"
+ "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','5b0864a9-4577-4087-b9fa-de3e14a8a999','-', '1.0.3')))]"
},
"analyticRuleObject7": {
- "analyticRuleVersion7": "1.0.3",
+ "analyticRuleVersion7": "1.0.4",
"_analyticRulecontentId7": "568730be-b39d-45e3-a392-941e00837d52",
"analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '568730be-b39d-45e3-a392-941e00837d52')]",
"analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('568730be-b39d-45e3-a392-941e00837d52')))]",
- "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','568730be-b39d-45e3-a392-941e00837d52','-', '1.0.3')))]"
+ "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','568730be-b39d-45e3-a392-941e00837d52','-', '1.0.4')))]"
},
"analyticRuleObject8": {
- "analyticRuleVersion8": "1.0.2",
+ "analyticRuleVersion8": "1.0.3",
"_analyticRulecontentId8": "28ee3c2b-eb4b-44de-a71e-e462843fea72",
"analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '28ee3c2b-eb4b-44de-a71e-e462843fea72')]",
"analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('28ee3c2b-eb4b-44de-a71e-e462843fea72')))]",
- "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','28ee3c2b-eb4b-44de-a71e-e462843fea72','-', '1.0.2')))]"
+ "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','28ee3c2b-eb4b-44de-a71e-e462843fea72','-', '1.0.3')))]"
},
- "uiConfigId1": "InfobloxCloudDataConnector",
- "_uiConfigId1": "[variables('uiConfigId1')]",
- "dataConnectorContentId1": "InfobloxCloudDataConnector",
- "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
- "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "_dataConnectorId1": "[variables('dataConnectorId1')]",
- "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
- "dataConnectorVersion1": "1.0.0",
- "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
- "uiConfigId2": "InfobloxCloudDataConnectorAma",
- "_uiConfigId2": "[variables('uiConfigId2')]",
- "dataConnectorContentId2": "InfobloxCloudDataConnectorAma",
- "_dataConnectorContentId2": "[variables('dataConnectorContentId2')]",
- "dataConnectorId2": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
- "_dataConnectorId2": "[variables('dataConnectorId2')]",
- "dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]",
- "dataConnectorVersion2": "1.0.0",
- "_dataConnectorcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]",
"parserObject1": {
"_parserName1": "[concat(parameters('workspace'),'/','Infoblox Cloud Data Connector Data Parser')]",
"_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Infoblox Cloud Data Connector Data Parser')]",
@@ -234,7 +216,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "InfobloxCDCB1TDWorkbook Workbook with template version 3.0.4",
+ "description": "InfobloxCDCB1TDWorkbook Workbook with template version 3.0.5",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion1')]",
@@ -290,11 +272,7 @@
"kind": "DataType"
},
{
- "contentId": "InfobloxCloudDataConnector",
- "kind": "DataConnector"
- },
- {
- "contentId": "InfobloxCloudDataConnectorAma",
+ "contentId": "CefAma",
"kind": "DataConnector"
}
]
@@ -325,7 +303,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Infoblox-DataExfiltrationAttack_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "Infoblox-DataExfiltrationAttack_AnalyticalRules Analytics Rule with template version 3.0.5",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@@ -353,22 +331,10 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "InfobloxCloudDataConnector",
- "dataTypes": [
- "CommonSecurityLog (InfobloxCDC)"
- ]
- },
- {
- "connectorId": "InfobloxCloudDataConnectorAma",
- "dataTypes": [
- "CommonSecurityLog (InfobloxCDC)"
- ]
- },
- {
- "connectorId": "CefAma",
"dataTypes": [
"CommonSecurityLog"
- ]
+ ],
+ "connectorId": "CefAma"
}
],
"tactics": [
@@ -380,16 +346,15 @@
],
"entityMappings": [
{
- "entityType": "IP",
"fieldMappings": [
{
"identifier": "Address",
"columnName": "SourceIP"
}
- ]
+ ],
+ "entityType": "IP"
},
{
- "entityType": "Host",
"fieldMappings": [
{
"identifier": "HostName",
@@ -403,10 +368,10 @@
"identifier": "FullName",
"columnName": "SourceUserName"
}
- ]
+ ],
+ "entityType": "Host"
},
{
- "entityType": "Malware",
"fieldMappings": [
{
"identifier": "Name",
@@ -416,27 +381,28 @@
"identifier": "Category",
"columnName": "InfobloxB1FeedName"
}
- ]
+ ],
+ "entityType": "Malware"
}
],
"eventGroupingSettings": {
"aggregationKind": "SingleAlert"
},
"customDetails": {
- "SourceMACAddress": "SourceMACAddress",
+ "InfobloxB1Network": "InfobloxB1Network",
"InfobloxB1Action": "InfobloxB1PolicyAction",
- "InfobloxB1FeedName": "InfobloxB1FeedName",
"InfobloxB1PolicyName": "InfobloxB1PolicyName",
- "InfobloxB1Network": "InfobloxB1Network"
+ "InfobloxB1FeedName": "InfobloxB1FeedName",
+ "SourceMACAddress": "SourceMACAddress"
},
"incidentConfiguration": {
- "createIncident": true,
"groupingConfiguration": {
- "reopenClosedIncident": true,
- "matchingMethod": "AllEntities",
"enabled": true,
- "lookbackDuration": "7d"
- }
+ "reopenClosedIncident": true,
+ "lookbackDuration": "7d",
+ "matchingMethod": "AllEntities"
+ },
+ "createIncident": true
}
}
},
@@ -490,7 +456,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Infoblox-HighThreatLevelQueryNotBlockedDetected_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "Infoblox-HighThreatLevelQueryNotBlockedDetected_AnalyticalRules Analytics Rule with template version 3.0.5",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
@@ -518,22 +484,10 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "InfobloxCloudDataConnector",
- "dataTypes": [
- "CommonSecurityLog (InfobloxCDC)"
- ]
- },
- {
- "connectorId": "InfobloxCloudDataConnectorAma",
- "dataTypes": [
- "CommonSecurityLog (InfobloxCDC)"
- ]
- },
- {
- "connectorId": "CefAma",
"dataTypes": [
"CommonSecurityLog"
- ]
+ ],
+ "connectorId": "CefAma"
}
],
"tactics": [
@@ -545,16 +499,15 @@
],
"entityMappings": [
{
- "entityType": "IP",
"fieldMappings": [
{
"identifier": "Address",
"columnName": "SourceIP"
}
- ]
+ ],
+ "entityType": "IP"
},
{
- "entityType": "Host",
"fieldMappings": [
{
"identifier": "HostName",
@@ -568,19 +521,19 @@
"identifier": "FullName",
"columnName": "SourceUserName"
}
- ]
+ ],
+ "entityType": "Host"
},
{
- "entityType": "DNS",
"fieldMappings": [
{
"identifier": "DomainName",
"columnName": "DestinationDnsDomain"
}
- ]
+ ],
+ "entityType": "DNS"
},
{
- "entityType": "Malware",
"fieldMappings": [
{
"identifier": "Name",
@@ -590,18 +543,19 @@
"identifier": "Category",
"columnName": "ThreatClass"
}
- ]
+ ],
+ "entityType": "Malware"
}
],
"eventGroupingSettings": {
"aggregationKind": "SingleAlert"
},
"customDetails": {
- "SourceMACAddress": "SourceMACAddress",
+ "InfobloxB1Network": "InfobloxB1Network",
"InfobloxB1Action": "InfobloxB1PolicyAction",
- "InfobloxB1FeedName": "InfobloxB1FeedName",
"InfobloxB1PolicyName": "InfobloxB1PolicyName",
- "InfobloxB1Network": "InfobloxB1Network"
+ "InfobloxB1FeedName": "InfobloxB1FeedName",
+ "SourceMACAddress": "SourceMACAddress"
},
"incidentConfiguration": {
"createIncident": true
@@ -658,7 +612,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Infoblox-ManyHighThreatLevelQueriesFromSingleHostDetected_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "Infoblox-ManyHighThreatLevelQueriesFromSingleHostDetected_AnalyticalRules Analytics Rule with template version 3.0.5",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]",
@@ -686,22 +640,10 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "InfobloxCloudDataConnector",
- "dataTypes": [
- "CommonSecurityLog (InfobloxCDC)"
- ]
- },
- {
- "connectorId": "InfobloxCloudDataConnectorAma",
- "dataTypes": [
- "CommonSecurityLog (InfobloxCDC)"
- ]
- },
- {
- "connectorId": "CefAma",
"dataTypes": [
"CommonSecurityLog"
- ]
+ ],
+ "connectorId": "CefAma"
}
],
"tactics": [
@@ -713,16 +655,15 @@
],
"entityMappings": [
{
- "entityType": "IP",
"fieldMappings": [
{
"identifier": "Address",
"columnName": "SourceIP"
}
- ]
+ ],
+ "entityType": "IP"
},
{
- "entityType": "Host",
"fieldMappings": [
{
"identifier": "HostName",
@@ -736,7 +677,8 @@
"identifier": "FullName",
"columnName": "SourceUserName"
}
- ]
+ ],
+ "entityType": "Host"
}
],
"eventGroupingSettings": {
@@ -800,7 +742,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Infoblox-ManyHighThreatLevelSingleQueryDetected_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "Infoblox-ManyHighThreatLevelSingleQueryDetected_AnalyticalRules Analytics Rule with template version 3.0.5",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]",
@@ -828,22 +770,10 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "InfobloxCloudDataConnector",
- "dataTypes": [
- "CommonSecurityLog (InfobloxCDC)"
- ]
- },
- {
- "connectorId": "InfobloxCloudDataConnectorAma",
- "dataTypes": [
- "CommonSecurityLog (InfobloxCDC)"
- ]
- },
- {
- "connectorId": "CefAma",
"dataTypes": [
"CommonSecurityLog"
- ]
+ ],
+ "connectorId": "CefAma"
}
],
"tactics": [
@@ -855,16 +785,15 @@
],
"entityMappings": [
{
- "entityType": "DNS",
"fieldMappings": [
{
"identifier": "DomainName",
"columnName": "DestinationDnsDomain"
}
- ]
+ ],
+ "entityType": "DNS"
},
{
- "entityType": "Malware",
"fieldMappings": [
{
"identifier": "Name",
@@ -874,16 +803,17 @@
"identifier": "Category",
"columnName": "ThreatClass"
}
- ]
+ ],
+ "entityType": "Malware"
}
],
"eventGroupingSettings": {
"aggregationKind": "SingleAlert"
},
"customDetails": {
- "InfobloxB1Network": "InfobloxB1Network",
+ "InfobloxB1PolicyName": "InfobloxB1PolicyName",
"InfobloxB1FeedName": "InfobloxB1FeedName",
- "InfobloxB1PolicyName": "InfobloxB1PolicyName"
+ "InfobloxB1Network": "InfobloxB1Network"
},
"incidentConfiguration": {
"createIncident": true
@@ -940,7 +870,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Infoblox-ManyNXDOMAINDNSResponsesDetected_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "Infoblox-ManyNXDOMAINDNSResponsesDetected_AnalyticalRules Analytics Rule with template version 3.0.5",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]",
@@ -968,22 +898,10 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "InfobloxCloudDataConnector",
- "dataTypes": [
- "CommonSecurityLog (InfobloxCDC)"
- ]
- },
- {
- "connectorId": "InfobloxCloudDataConnectorAma",
- "dataTypes": [
- "CommonSecurityLog (InfobloxCDC)"
- ]
- },
- {
- "connectorId": "CefAma",
"dataTypes": [
"CommonSecurityLog"
- ]
+ ],
+ "connectorId": "CefAma"
}
],
"tactics": [
@@ -995,16 +913,15 @@
],
"entityMappings": [
{
- "entityType": "IP",
"fieldMappings": [
{
"identifier": "Address",
"columnName": "SourceIP"
}
- ]
+ ],
+ "entityType": "IP"
},
{
- "entityType": "Host",
"fieldMappings": [
{
"identifier": "HostName",
@@ -1018,7 +935,8 @@
"identifier": "FullName",
"columnName": "SourceUserName"
}
- ]
+ ],
+ "entityType": "Host"
}
],
"eventGroupingSettings": {
@@ -1082,7 +1000,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Infoblox-TI-CommonSecurityLogMatchFound-MalwareC2_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "Infoblox-TI-CommonSecurityLogMatchFound-MalwareC2_AnalyticalRules Analytics Rule with template version 3.0.5",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]",
@@ -1110,34 +1028,16 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "CEF",
- "dataTypes": [
- "CommonSecurityLog"
- ]
- },
- {
- "connectorId": "ThreatIntelligence",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
- },
- {
- "connectorId": "InfobloxCloudDataConnectorAma",
- "dataTypes": [
- "CommonSecurityLog (InfobloxCDC)"
- ]
- },
- {
- "connectorId": "InfobloxCloudDataConnector",
- "dataTypes": [
- "CommonSecurityLog (InfobloxCDC)"
- ]
+ ],
+ "connectorId": "ThreatIntelligence"
},
{
- "connectorId": "CefAma",
"dataTypes": [
"CommonSecurityLog"
- ]
+ ],
+ "connectorId": "CefAma"
}
],
"tactics": [
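Review bot: The trimmed list keeps `ThreatIntelligence` pinned to the `ThreatIntelligenceIndicator` data type; Microsoft has introduced the newer `ThreatIntelIndicators` table and announced retirement of the legacy one, so a TI-match rule tied only to the old table will eventually stop matching while its connector still reports as satisfied. If the rule's KQL joins on `ThreatIntelligenceIndicator` (not visible in this hunk), plan that migration alongside pruning the legacy CEF connectors rather than leaving it for a later version. This is inferred from the data-type name only; the query itself is outside the hunk.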
@@ -1149,16 +1049,15 @@
],
"entityMappings": [
{
- "entityType": "IP",
"fieldMappings": [
{
"identifier": "Address",
"columnName": "SourceIP"
}
- ]
+ ],
+ "entityType": "IP"
},
{
- "entityType": "Host",
"fieldMappings": [
{
"identifier": "HostName",
@@ -1168,16 +1067,17 @@
"identifier": "FullName",
"columnName": "SourceUserName"
}
- ]
+ ],
+ "entityType": "Host"
},
{
- "entityType": "DNS",
"fieldMappings": [
{
"identifier": "DomainName",
"columnName": "DestinationDnsDomain"
}
- ]
+ ],
+ "entityType": "DNS"
}
],
"eventGroupingSettings": {
@@ -1241,7 +1141,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Infoblox-TI-InfobloxCDCMatchFound-LookalikeDomains_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "Infoblox-TI-InfobloxCDCMatchFound-LookalikeDomains_AnalyticalRules Analytics Rule with template version 3.0.5",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]",
@@ -1269,28 +1169,16 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "InfobloxCloudDataConnector",
- "dataTypes": [
- "CommonSecurityLog (InfobloxCDC)"
- ]
- },
- {
- "connectorId": "ThreatIntelligence",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
- },
- {
- "connectorId": "InfobloxCloudDataConnectorAma",
- "dataTypes": [
- "CommonSecurityLog (InfobloxCDC)"
- ]
+ ],
+ "connectorId": "ThreatIntelligence"
},
{
- "connectorId": "CefAma",
"dataTypes": [
"CommonSecurityLog"
- ]
+ ],
+ "connectorId": "CefAma"
}
],
"tactics": [
@@ -1302,16 +1190,15 @@
],
"entityMappings": [
{
- "entityType": "IP",
"fieldMappings": [
{
"identifier": "Address",
"columnName": "SourceIP"
}
- ]
+ ],
+ "entityType": "IP"
},
{
- "entityType": "Host",
"fieldMappings": [
{
"identifier": "HostName",
@@ -1325,19 +1212,19 @@
"identifier": "FullName",
"columnName": "SourceUserName"
}
- ]
+ ],
+ "entityType": "Host"
},
{
- "entityType": "DNS",
"fieldMappings": [
{
"identifier": "DomainName",
"columnName": "DestinationDnsDomain"
}
- ]
+ ],
+ "entityType": "DNS"
},
{
- "entityType": "Malware",
"fieldMappings": [
{
"identifier": "Name",
@@ -1347,18 +1234,19 @@
"identifier": "Category",
"columnName": "ThreatClass"
}
- ]
+ ],
+ "entityType": "Malware"
}
],
"eventGroupingSettings": {
"aggregationKind": "SingleAlert"
},
"customDetails": {
- "SourceMACAddress": "SourceMACAddress",
+ "InfobloxB1Network": "InfobloxB1Network",
"InfobloxB1Action": "InfobloxB1PolicyAction",
- "InfobloxB1FeedName": "InfobloxB1FeedName",
"InfobloxB1PolicyName": "InfobloxB1PolicyName",
- "InfobloxB1Network": "InfobloxB1Network"
+ "InfobloxB1FeedName": "InfobloxB1FeedName",
+ "SourceMACAddress": "SourceMACAddress"
},
"incidentConfiguration": {
"createIncident": true
@@ -1415,7 +1303,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Infoblox-TI-SyslogMatchFound-URL_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "Infoblox-TI-SyslogMatchFound-URL_AnalyticalRules Analytics Rule with template version 3.0.5",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]",
@@ -1443,34 +1331,22 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "Syslog",
"dataTypes": [
"Syslog"
- ]
+ ],
+ "connectorId": "Syslog"
},
{
- "connectorId": "ThreatIntelligence",
"dataTypes": [
"ThreatIntelligenceIndicator"
- ]
- },
- {
- "connectorId": "InfobloxCloudDataConnectorAma",
- "dataTypes": [
- "CommonSecurityLog (InfobloxCDC)"
- ]
- },
- {
- "connectorId": "InfobloxCloudDataConnector",
- "dataTypes": [
- "CommonSecurityLog (InfobloxCDC)"
- ]
+ ],
+ "connectorId": "ThreatIntelligence"
},
{
- "connectorId": "CefAma",
"dataTypes": [
"CommonSecurityLog"
- ]
+ ],
+ "connectorId": "CefAma"
}
],
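Review bot: The legacy Infoblox connectors are removed here, but the MMA-based `Syslog` connector is kept as the first requirement, which is inconsistent with the rest of this change where only the AMA-based `CefAma` survives; with the Log Analytics agent retired, a new deployment cannot satisfy a `Syslog` requirement. Consider replacing or complementing it with the AMA equivalent, e.g. `{ "dataTypes": [ "Syslog" ], "connectorId": "SyslogAma" }`. Whether the query reads from the `Syslog` table rather than `CommonSecurityLog` is not visible in this hunk.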
"tactics": [
@@ -1482,40 +1358,40 @@
],
"entityMappings": [
{
- "entityType": "IP",
"fieldMappings": [
{
"identifier": "Address",
"columnName": "HostIP"
}
- ]
+ ],
+ "entityType": "IP"
},
{
- "entityType": "Host",
"fieldMappings": [
{
"identifier": "HostName",
"columnName": "Computer"
}
- ]
+ ],
+ "entityType": "Host"
},
{
- "entityType": "DNS",
"fieldMappings": [
{
"identifier": "DomainName",
"columnName": "Url"
}
- ]
+ ],
+ "entityType": "DNS"
},
{
- "entityType": "URL",
"fieldMappings": [
{
"identifier": "Url",
"columnName": "Url"
}
- ]
+ ],
+ "entityType": "URL"
}
],
"eventGroupingSettings": {
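Review bot: The DNS entity maps `DomainName` to the `Url` column, the same column the URL entity maps, so whenever `Url` holds a full URL (scheme, path, query string) the DNS entity carries a value that is not a domain name and will never correlate with the DNS entities the sibling Infoblox rules build from `DestinationDnsDomain`. If the query does not already reduce `Url` to a hostname, project one and map that instead, e.g. `| extend UrlHost = tostring(parse_url(Url).Host)` with `"columnName": "UrlHost"` on the DNS mapping — or drop the DNS mapping and keep only the URL entity. The query is outside this hunk, so this is based only on the column names in the mappings.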
@@ -1567,776 +1443,6 @@
"version": "[variables('analyticRuleObject8').analyticRuleVersion8]"
}
},
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
- "apiVersion": "2023-04-01-preview",
- "name": "[variables('dataConnectorTemplateSpecName1')]",
- "location": "[parameters('workspace-location')]",
- "dependsOn": [
- "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
- ],
- "properties": {
- "description": "Infoblox Cloud Data Connector data connector with template version 3.0.4",
- "mainTemplate": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('dataConnectorVersion1')]",
- "parameters": {},
- "variables": {},
- "resources": [
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
- "properties": {
- "connectorUiConfig": {
- "id": "[variables('_uiConfigId1')]",
- "title": "[Deprecated] Infoblox Cloud Data Connector via Legacy Agent",
- "publisher": "Infoblox",
- "descriptionMarkdown": "The Infoblox Cloud Data Connector allows you to easily connect your Infoblox BloxOne data with Microsoft Sentinel. By connecting your logs to Microsoft Sentinel, you can take advantage of search & correlation, alerting, and threat intelligence enrichment for each log.",
- "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://aka.ms/sentinel-InfobloxCloudDataConnector-parser) which is deployed with the Microsoft Sentinel Solution.",
- "graphQueries": [
- {
- "metricName": "Total data received",
- "legend": "InfobloxCDC",
- "baseQuery": "CommonSecurityLog\n| where DeviceVendor == \"Infoblox\" and DeviceProduct == \"Data Connector\""
- }
- ],
- "sampleQueries": [
- {
- "description": "Return all BloxOne Threat Defense (TD) security events logs",
- "query": "InfobloxCDC\n| where DeviceEventClassID has_cs \"RPZ\""
- },
- {
- "description": "Return all BloxOne Query/Response logs",
- "query": "InfobloxCDC\n| where DeviceEventClassID has_cs \"DNS\""
- },
- {
- "description": "Return all Category Filters security events logs",
- "query": "InfobloxCDC\n| where DeviceEventClassID has_cs \"RPZ\"\n | where AdditionalExtensions has_cs \"InfobloxRPZ=CAT_\""
- },
- {
- "description": "Return all Application Filters security events logs",
- "query": "InfobloxCDC\n| where DeviceEventClassID has_cs \"RPZ\"\n | where AdditionalExtensions has_cs \"InfobloxRPZ=APP_\""
- },
- {
- "description": "Return Top 10 TD Domains Hit Count",
- "query": "InfobloxCDC\n| where DeviceEventClassID has_cs \"RPZ\" \n| summarize count() by DestinationDnsDomain \n| top 10 by count_ desc"
- },
- {
- "description": "Return Top 10 TD Source IPs Hit Count",
- "query": "InfobloxCDC\n| where DeviceEventClassID has_cs \"RPZ\" \n| summarize count() by SourceIP \n| top 10 by count_ desc"
- },
- {
- "description": "Return Recently Created DHCP Leases",
- "query": "InfobloxCDC\n| where DeviceEventClassID == \"DHCP-LEASE-CREATE\""
- }
- ],
- "dataTypes": [
- {
- "name": "CommonSecurityLog (InfobloxCDC)",
- "lastDataReceivedQuery": "InfobloxCDC\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "InfobloxCDC\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(3d)"
- ]
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "read": true,
- "write": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ]
- },
- "instructionSteps": [
- {
- "description": ">**IMPORTANT:** This data connector depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://aka.ms/sentinel-InfobloxCloudDataConnector-parser) which is deployed with the Microsoft Sentinel Solution."
- },
- {
- "description": ">**IMPORTANT:** This Microsoft Sentinel data connector assumes an Infoblox Data Connector host has already been created and configured in the Infoblox Cloud Services Portal (CSP). As the [**Infoblox Data Connector**](https://docs.infoblox.com/display/BloxOneThreatDefense/Deploying+the+Data+Connector+Solution) is a feature of BloxOne Threat Defense, access to an appropriate BloxOne Threat Defense subscription is required. See this [**quick-start guide**](https://www.infoblox.com/wp-content/uploads/infoblox-deployment-guide-data-connector.pdf) for more information and licensing requirements."
- },
- {
- "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
- "innerSteps": [
- {
- "title": "1.1 Select or create a Linux machine",
- "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds."
- },
- {
- "title": "1.2 Install the CEF collector on the Linux machine",
- "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId",
- "PrimaryKey"
- ],
- "label": "Run the following command to install and apply the CEF collector:",
- "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}"
- },
- "type": "CopyableLabel"
- }
- ]
- }
- ],
- "title": "1. Linux Syslog agent configuration"
- },
- {
- "description": "Follow the steps below to configure the Infoblox CDC to send BloxOne data to Microsoft Sentinel via the Linux Syslog agent.\n1. Navigate to **Manage > Data Connector**.\n2. Click the **Destination Configuration** tab at the top.\n3. Click **Create > Syslog**. \n - **Name**: Give the new Destination a meaningful **name**, such as **Microsoft-Sentinel-Destination**.\n - **Description**: Optionally give it a meaningful **description**.\n - **State**: Set the state to **Enabled**.\n - **Format**: Set the format to **CEF**.\n - **FQDN/IP**: Enter the IP address of the Linux device on which the Linux agent is installed.\n - **Port**: Leave the port number at **514**.\n - **Protocol**: Select desired protocol and CA certificate if applicable.\n - Click **Save & Close**.\n4. Click the **Traffic Flow Configuration** tab at the top.\n5. Click **Create**.\n - **Name**: Give the new Traffic Flow a meaningful **name**, such as **Microsoft-Sentinel-Flow**.\n - **Description**: Optionally give it a meaningful **description**. \n - **State**: Set the state to **Enabled**. \n - Expand the **Service Instance** section. \n - **Service Instance**: Select your desired Service Instance for which the Data Connector service is enabled. \n - Expand the **Source Configuration** section. \n - **Source**: Select **BloxOne Cloud Source**. \n - Select all desired **log types** you wish to collect. Currently supported log types are:\n - Threat Defense Query/Response Log\n - Threat Defense Threat Feeds Hits Log\n - DDI Query/Response Log\n - DDI DHCP Lease Log\n - Expand the **Destination Configuration** section. \n - Select the **Destination** you just created. \n - Click **Save & Close**. \n6. Allow the configuration some time to activate.",
- "title": "2. Configure Infoblox BloxOne to send Syslog data to the Infoblox Cloud Data Connector to forward to the Syslog agent"
- },
- {
- "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId"
- ],
- "label": "Run the following command to validate your connectivity:",
- "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}"
- },
- "type": "CopyableLabel"
- }
- ],
- "title": "3. Validate connection"
- },
- {
- "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
- "title": "4. Secure your machine "
- }
- ]
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion1')]",
- "source": {
- "kind": "Solution",
- "name": "Infoblox Cloud Data Connector",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft",
- "email": "[variables('_email')]"
- },
- "support": {
- "name": "Infoblox",
- "tier": "Partner",
- "link": "https://support.infoblox.com/"
- }
- }
- }
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "contentKind": "DataConnector",
- "displayName": "[Deprecated] Infoblox Cloud Data Connector via Legacy Agent",
- "contentProductId": "[variables('_dataConnectorcontentProductId1')]",
- "id": "[variables('_dataConnectorcontentProductId1')]",
- "version": "[variables('dataConnectorVersion1')]"
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
- "dependsOn": [
- "[variables('_dataConnectorId1')]"
- ],
- "location": "[parameters('workspace-location')]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion1')]",
- "source": {
- "kind": "Solution",
- "name": "Infoblox Cloud Data Connector",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft",
- "email": "[variables('_email')]"
- },
- "support": {
- "name": "Infoblox",
- "tier": "Partner",
- "link": "https://support.infoblox.com/"
- }
- }
- },
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
- "properties": {
- "connectorUiConfig": {
- "title": "[Deprecated] Infoblox Cloud Data Connector via Legacy Agent",
- "publisher": "Infoblox",
- "descriptionMarkdown": "The Infoblox Cloud Data Connector allows you to easily connect your Infoblox BloxOne data with Microsoft Sentinel. By connecting your logs to Microsoft Sentinel, you can take advantage of search & correlation, alerting, and threat intelligence enrichment for each log.",
- "graphQueries": [
- {
- "metricName": "Total data received",
- "legend": "InfobloxCDC",
- "baseQuery": "CommonSecurityLog\n| where DeviceVendor == \"Infoblox\" and DeviceProduct == \"Data Connector\""
- }
- ],
- "dataTypes": [
- {
- "name": "CommonSecurityLog (InfobloxCDC)",
- "lastDataReceivedQuery": "InfobloxCDC\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "InfobloxCDC\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(3d)"
- ]
- }
- ],
- "sampleQueries": [
- {
- "description": "Return all BloxOne Threat Defense (TD) security events logs",
- "query": "InfobloxCDC\n| where DeviceEventClassID has_cs \"RPZ\""
- },
- {
- "description": "Return all BloxOne Query/Response logs",
- "query": "InfobloxCDC\n| where DeviceEventClassID has_cs \"DNS\""
- },
- {
- "description": "Return all Category Filters security events logs",
- "query": "InfobloxCDC\n| where DeviceEventClassID has_cs \"RPZ\"\n | where AdditionalExtensions has_cs \"InfobloxRPZ=CAT_\""
- },
- {
- "description": "Return all Application Filters security events logs",
- "query": "InfobloxCDC\n| where DeviceEventClassID has_cs \"RPZ\"\n | where AdditionalExtensions has_cs \"InfobloxRPZ=APP_\""
- },
- {
- "description": "Return Top 10 TD Domains Hit Count",
- "query": "InfobloxCDC\n| where DeviceEventClassID has_cs \"RPZ\" \n| summarize count() by DestinationDnsDomain \n| top 10 by count_ desc"
- },
- {
- "description": "Return Top 10 TD Source IPs Hit Count",
- "query": "InfobloxCDC\n| where DeviceEventClassID has_cs \"RPZ\" \n| summarize count() by SourceIP \n| top 10 by count_ desc"
- },
- {
- "description": "Return Recently Created DHCP Leases",
- "query": "InfobloxCDC\n| where DeviceEventClassID == \"DHCP-LEASE-CREATE\""
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "read": true,
- "write": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ]
- },
- "instructionSteps": [
- {
- "description": ">**IMPORTANT:** This data connector depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://aka.ms/sentinel-InfobloxCloudDataConnector-parser) which is deployed with the Microsoft Sentinel Solution."
- },
- {
- "description": ">**IMPORTANT:** This Microsoft Sentinel data connector assumes an Infoblox Data Connector host has already been created and configured in the Infoblox Cloud Services Portal (CSP). As the [**Infoblox Data Connector**](https://docs.infoblox.com/display/BloxOneThreatDefense/Deploying+the+Data+Connector+Solution) is a feature of BloxOne Threat Defense, access to an appropriate BloxOne Threat Defense subscription is required. See this [**quick-start guide**](https://www.infoblox.com/wp-content/uploads/infoblox-deployment-guide-data-connector.pdf) for more information and licensing requirements."
- },
- {
- "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
- "innerSteps": [
- {
- "title": "1.1 Select or create a Linux machine",
- "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds."
- },
- {
- "title": "1.2 Install the CEF collector on the Linux machine",
- "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId",
- "PrimaryKey"
- ],
- "label": "Run the following command to install and apply the CEF collector:",
- "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}"
- },
- "type": "CopyableLabel"
- }
- ]
- }
- ],
- "title": "1. Linux Syslog agent configuration"
- },
- {
- "description": "Follow the steps below to configure the Infoblox CDC to send BloxOne data to Microsoft Sentinel via the Linux Syslog agent.\n1. Navigate to **Manage > Data Connector**.\n2. Click the **Destination Configuration** tab at the top.\n3. Click **Create > Syslog**. \n - **Name**: Give the new Destination a meaningful **name**, such as **Microsoft-Sentinel-Destination**.\n - **Description**: Optionally give it a meaningful **description**.\n - **State**: Set the state to **Enabled**.\n - **Format**: Set the format to **CEF**.\n - **FQDN/IP**: Enter the IP address of the Linux device on which the Linux agent is installed.\n - **Port**: Leave the port number at **514**.\n - **Protocol**: Select desired protocol and CA certificate if applicable.\n - Click **Save & Close**.\n4. Click the **Traffic Flow Configuration** tab at the top.\n5. Click **Create**.\n - **Name**: Give the new Traffic Flow a meaningful **name**, such as **Microsoft-Sentinel-Flow**.\n - **Description**: Optionally give it a meaningful **description**. \n - **State**: Set the state to **Enabled**. \n - Expand the **Service Instance** section. \n - **Service Instance**: Select your desired Service Instance for which the Data Connector service is enabled. \n - Expand the **Source Configuration** section. \n - **Source**: Select **BloxOne Cloud Source**. \n - Select all desired **log types** you wish to collect. Currently supported log types are:\n - Threat Defense Query/Response Log\n - Threat Defense Threat Feeds Hits Log\n - DDI Query/Response Log\n - DDI DHCP Lease Log\n - Expand the **Destination Configuration** section. \n - Select the **Destination** you just created. \n - Click **Save & Close**. \n6. Allow the configuration some time to activate.",
- "title": "2. Configure Infoblox BloxOne to send Syslog data to the Infoblox Cloud Data Connector to forward to the Syslog agent"
- },
- {
- "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId"
- ],
- "label": "Run the following command to validate your connectivity:",
- "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}"
- },
- "type": "CopyableLabel"
- }
- ],
- "title": "3. Validate connection"
- },
- {
- "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
- "title": "4. Secure your machine "
- }
- ],
- "id": "[variables('_uiConfigId1')]",
- "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://aka.ms/sentinel-InfobloxCloudDataConnector-parser) which is deployed with the Microsoft Sentinel Solution."
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
- "apiVersion": "2023-04-01-preview",
- "name": "[variables('dataConnectorTemplateSpecName2')]",
- "location": "[parameters('workspace-location')]",
- "dependsOn": [
- "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
- ],
- "properties": {
- "description": "Infoblox Cloud Data Connector data connector with template version 3.0.4",
- "mainTemplate": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('dataConnectorVersion2')]",
- "parameters": {},
- "variables": {},
- "resources": [
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
- "properties": {
- "connectorUiConfig": {
- "id": "[variables('_uiConfigId2')]",
- "title": "[Deprecated] Infoblox Cloud Data Connector via AMA",
- "publisher": "Infoblox",
- "descriptionMarkdown": "The Infoblox Cloud Data Connector allows you to easily connect your Infoblox BloxOne data with Microsoft Sentinel. By connecting your logs to Microsoft Sentinel, you can take advantage of search & correlation, alerting, and threat intelligence enrichment for each log.",
- "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://aka.ms/sentinel-InfobloxCloudDataConnector-parser) which is deployed with the Microsoft Sentinel Solution.",
- "graphQueries": [
- {
- "metricName": "Total data received",
- "legend": "InfobloxCDC",
- "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Infoblox'\n |where DeviceProduct =~ 'Data Connector'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)"
- }
- ],
- "sampleQueries": [
- {
- "description": "Return all BloxOne Threat Defense (TD) security events logs",
- "query": "InfobloxCDC\n| where DeviceEventClassID has_cs \"RPZ\""
- },
- {
- "description": "Return all BloxOne Query/Response logs",
- "query": "InfobloxCDC\n| where DeviceEventClassID has_cs \"DNS\""
- },
- {
- "description": "Return all Category Filters security events logs",
- "query": "InfobloxCDC\n| where DeviceEventClassID has_cs \"RPZ\"\n | where AdditionalExtensions has_cs \"InfobloxRPZ=CAT_\""
- },
- {
- "description": "Return all Application Filters security events logs",
- "query": "InfobloxCDC\n| where DeviceEventClassID has_cs \"RPZ\"\n | where AdditionalExtensions has_cs \"InfobloxRPZ=APP_\""
- },
- {
- "description": "Return Top 10 TD Domains Hit Count",
- "query": "InfobloxCDC\n| where DeviceEventClassID has_cs \"RPZ\" \n| summarize count() by DestinationDnsDomain \n| top 10 by count_ desc"
- },
- {
- "description": "Return Top 10 TD Source IPs Hit Count",
- "query": "InfobloxCDC\n| where DeviceEventClassID has_cs \"RPZ\" \n| summarize count() by SourceIP \n| top 10 by count_ desc"
- },
- {
- "description": "Return Recently Created DHCP Leases",
- "query": "InfobloxCDC\n| where DeviceEventClassID == \"DHCP-LEASE-CREATE\""
- }
- ],
- "dataTypes": [
- {
- "name": "CommonSecurityLog (InfobloxCDC)",
- "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Infoblox'\n |where DeviceProduct =~ 'Data Connector'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "CommonSecurityLog\n |where DeviceVendor =~ 'Infoblox'\n |where DeviceProduct =~ 'Data Connector'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
- ]
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "read": true,
- "write": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ],
- "customs": [
- {
- "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
- },
- {
- "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)"
- }
- ]
- },
- "instructionSteps": [
- {
- "description": ">**IMPORTANT:** This data connector depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://aka.ms/sentinel-InfobloxCloudDataConnector-parser) which is deployed with the Microsoft Sentinel Solution."
- },
- {
- "description": ">**IMPORTANT:** This Microsoft Sentinel data connector assumes an Infoblox Data Connector host has already been created and configured in the Infoblox Cloud Services Portal (CSP). As the [**Infoblox Data Connector**](https://docs.infoblox.com/display/BloxOneThreatDefense/Deploying+the+Data+Connector+Solution) is a feature of BloxOne Threat Defense, access to an appropriate BloxOne Threat Defense subscription is required. See this [**quick-start guide**](https://www.infoblox.com/wp-content/uploads/infoblox-deployment-guide-data-connector.pdf) for more information and licensing requirements.",
- "instructions": [
- {
- "parameters": {
- "title": "1. Follow the steps to configure the data connector",
- "instructionSteps": [
- {
- "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector",
- "description": "_Note: CEF logs are collected only from Linux Agents_\n\n1. Navigate to your **Microsoft Sentinel workspace > Data connectors** blade.\n\n2. Search for the **Common Event Format (CEF) via AMA** data connector and open it.\n\n3. Ensure there is no existing DCR configured to collect required facility of logs as it may cause log duplication. Create a new **DCR (Data Collection Rule)**.\n\n\t_Note: It is recommended to install the AMA agent v1.27 at minimum. [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplication._\n\n4. Run the command provided in the **CEF via AMA data connector** page to configure the CEF collector on the machine."
- },
- {
- "title": "Step B. Configure Infoblox BloxOne to send Syslog data to the Infoblox Cloud Data Connector to forward to the Syslog agent",
- "description": "Follow the steps below to configure the Infoblox CDC to send BloxOne data to Microsoft Sentinel via the Linux Syslog agent.\n1. Navigate to **Manage > Data Connector**.\n2. Click the **Destination Configuration** tab at the top.\n3. Click **Create > Syslog**. \n - **Name**: Give the new Destination a meaningful **name**, such as **Microsoft-Sentinel-Destination**.\n - **Description**: Optionally give it a meaningful **description**.\n - **State**: Set the state to **Enabled**.\n - **Format**: Set the format to **CEF**.\n - **FQDN/IP**: Enter the IP address of the Linux device on which the Linux agent is installed.\n - **Port**: Leave the port number at **514**.\n - **Protocol**: Select desired protocol and CA certificate if applicable.\n - Click **Save & Close**.\n4. Click the **Traffic Flow Configuration** tab at the top.\n5. Click **Create**.\n - **Name**: Give the new Traffic Flow a meaningful **name**, such as **Microsoft-Sentinel-Flow**.\n - **Description**: Optionally give it a meaningful **description**. \n - **State**: Set the state to **Enabled**. \n - Expand the **Service Instance** section. \n - **Service Instance**: Select your desired Service Instance for which the Data Connector service is enabled. \n - Expand the **Source Configuration** section. \n - **Source**: Select **BloxOne Cloud Source**. \n - Select all desired **log types** you wish to collect. Currently supported log types are:\n - Threat Defense Query/Response Log\n - Threat Defense Threat Feeds Hits Log\n - DDI Query/Response Log\n - DDI DHCP Lease Log\n - Expand the **Destination Configuration** section. \n - Select the **Destination** you just created. \n - Click **Save & Close**. \n6. Allow the configuration some time to activate."
- },
- {
- "title": "Step C. Validate connection",
- "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine",
- "instructions": [
- {
- "parameters": {
- "label": "Run the following command to validate your connectivity:",
- "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef"
- },
- "type": "CopyableLabel"
- }
- ]
- }
- ]
- },
- "type": "InstructionStepsGroup"
- }
- ]
- },
- {
- "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
- "title": "2. Secure your machine "
- }
- ]
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
- "contentId": "[variables('_dataConnectorContentId2')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion2')]",
- "source": {
- "kind": "Solution",
- "name": "Infoblox Cloud Data Connector",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft",
- "email": "[variables('_email')]"
- },
- "support": {
- "name": "Infoblox",
- "tier": "Partner",
- "link": "https://support.infoblox.com/"
- }
- }
- }
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_dataConnectorContentId2')]",
- "contentKind": "DataConnector",
- "displayName": "[Deprecated] Infoblox Cloud Data Connector via AMA",
- "contentProductId": "[variables('_dataConnectorcontentProductId2')]",
- "id": "[variables('_dataConnectorcontentProductId2')]",
- "version": "[variables('dataConnectorVersion2')]"
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]",
- "dependsOn": [
- "[variables('_dataConnectorId2')]"
- ],
- "location": "[parameters('workspace-location')]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
- "contentId": "[variables('_dataConnectorContentId2')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion2')]",
- "source": {
- "kind": "Solution",
- "name": "Infoblox Cloud Data Connector",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft",
- "email": "[variables('_email')]"
- },
- "support": {
- "name": "Infoblox",
- "tier": "Partner",
- "link": "https://support.infoblox.com/"
- }
- }
- },
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
- "properties": {
- "connectorUiConfig": {
- "title": "[Deprecated] Infoblox Cloud Data Connector via AMA",
- "publisher": "Infoblox",
- "descriptionMarkdown": "The Infoblox Cloud Data Connector allows you to easily connect your Infoblox BloxOne data with Microsoft Sentinel. By connecting your logs to Microsoft Sentinel, you can take advantage of search & correlation, alerting, and threat intelligence enrichment for each log.",
- "graphQueries": [
- {
- "metricName": "Total data received",
- "legend": "InfobloxCDC",
- "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Infoblox'\n |where DeviceProduct =~ 'Data Connector'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)"
- }
- ],
- "dataTypes": [
- {
- "name": "CommonSecurityLog (InfobloxCDC)",
- "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Infoblox'\n |where DeviceProduct =~ 'Data Connector'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "CommonSecurityLog\n |where DeviceVendor =~ 'Infoblox'\n |where DeviceProduct =~ 'Data Connector'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
- ]
- }
- ],
- "sampleQueries": [
- {
- "description": "Return all BloxOne Threat Defense (TD) security events logs",
- "query": "InfobloxCDC\n| where DeviceEventClassID has_cs \"RPZ\""
- },
- {
- "description": "Return all BloxOne Query/Response logs",
- "query": "InfobloxCDC\n| where DeviceEventClassID has_cs \"DNS\""
- },
- {
- "description": "Return all Category Filters security events logs",
- "query": "InfobloxCDC\n| where DeviceEventClassID has_cs \"RPZ\"\n | where AdditionalExtensions has_cs \"InfobloxRPZ=CAT_\""
- },
- {
- "description": "Return all Application Filters security events logs",
- "query": "InfobloxCDC\n| where DeviceEventClassID has_cs \"RPZ\"\n | where AdditionalExtensions has_cs \"InfobloxRPZ=APP_\""
- },
- {
- "description": "Return Top 10 TD Domains Hit Count",
- "query": "InfobloxCDC\n| where DeviceEventClassID has_cs \"RPZ\" \n| summarize count() by DestinationDnsDomain \n| top 10 by count_ desc"
- },
- {
- "description": "Return Top 10 TD Source IPs Hit Count",
- "query": "InfobloxCDC\n| where DeviceEventClassID has_cs \"RPZ\" \n| summarize count() by SourceIP \n| top 10 by count_ desc"
- },
- {
- "description": "Return Recently Created DHCP Leases",
- "query": "InfobloxCDC\n| where DeviceEventClassID == \"DHCP-LEASE-CREATE\""
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "read": true,
- "write": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ],
- "customs": [
- {
- "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
- },
- {
- "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)"
- }
- ]
- },
- "instructionSteps": [
- {
- "description": ">**IMPORTANT:** This data connector depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://aka.ms/sentinel-InfobloxCloudDataConnector-parser) which is deployed with the Microsoft Sentinel Solution."
- },
- {
- "description": ">**IMPORTANT:** This Microsoft Sentinel data connector assumes an Infoblox Data Connector host has already been created and configured in the Infoblox Cloud Services Portal (CSP). As the [**Infoblox Data Connector**](https://docs.infoblox.com/display/BloxOneThreatDefense/Deploying+the+Data+Connector+Solution) is a feature of BloxOne Threat Defense, access to an appropriate BloxOne Threat Defense subscription is required. See this [**quick-start guide**](https://www.infoblox.com/wp-content/uploads/infoblox-deployment-guide-data-connector.pdf) for more information and licensing requirements.",
- "instructions": [
- {
- "parameters": {
- "title": "1. Follow the steps to configure the data connector",
- "instructionSteps": [
- {
- "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector",
- "description": "_Note: CEF logs are collected only from Linux Agents_\n\n1. Navigate to your **Microsoft Sentinel workspace > Data connectors** blade.\n\n2. Search for the **Common Event Format (CEF) via AMA** data connector and open it.\n\n3. Ensure there is no existing DCR configured to collect required facility of logs as it may cause log duplication. Create a new **DCR (Data Collection Rule)**.\n\n\t_Note: It is recommended to install the AMA agent v1.27 at minimum. [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplication._\n\n4. Run the command provided in the **CEF via AMA data connector** page to configure the CEF collector on the machine."
- },
- {
- "title": "Step B. Configure Infoblox BloxOne to send Syslog data to the Infoblox Cloud Data Connector to forward to the Syslog agent",
- "description": "Follow the steps below to configure the Infoblox CDC to send BloxOne data to Microsoft Sentinel via the Linux Syslog agent.\n1. Navigate to **Manage > Data Connector**.\n2. Click the **Destination Configuration** tab at the top.\n3. Click **Create > Syslog**. \n - **Name**: Give the new Destination a meaningful **name**, such as **Microsoft-Sentinel-Destination**.\n - **Description**: Optionally give it a meaningful **description**.\n - **State**: Set the state to **Enabled**.\n - **Format**: Set the format to **CEF**.\n - **FQDN/IP**: Enter the IP address of the Linux device on which the Linux agent is installed.\n - **Port**: Leave the port number at **514**.\n - **Protocol**: Select desired protocol and CA certificate if applicable.\n - Click **Save & Close**.\n4. Click the **Traffic Flow Configuration** tab at the top.\n5. Click **Create**.\n - **Name**: Give the new Traffic Flow a meaningful **name**, such as **Microsoft-Sentinel-Flow**.\n - **Description**: Optionally give it a meaningful **description**. \n - **State**: Set the state to **Enabled**. \n - Expand the **Service Instance** section. \n - **Service Instance**: Select your desired Service Instance for which the Data Connector service is enabled. \n - Expand the **Source Configuration** section. \n - **Source**: Select **BloxOne Cloud Source**. \n - Select all desired **log types** you wish to collect. Currently supported log types are:\n - Threat Defense Query/Response Log\n - Threat Defense Threat Feeds Hits Log\n - DDI Query/Response Log\n - DDI DHCP Lease Log\n - Expand the **Destination Configuration** section. \n - Select the **Destination** you just created. \n - Click **Save & Close**. \n6. Allow the configuration some time to activate."
- },
- {
- "title": "Step C. Validate connection",
- "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine",
- "instructions": [
- {
- "parameters": {
- "label": "Run the following command to validate your connectivity:",
- "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef"
- },
- "type": "CopyableLabel"
- }
- ]
- }
- ]
- },
- "type": "InstructionStepsGroup"
- }
- ]
- },
- {
- "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
- "title": "2. Secure your machine "
- }
- ],
- "id": "[variables('_uiConfigId2')]",
- "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://aka.ms/sentinel-InfobloxCloudDataConnector-parser) which is deployed with the Microsoft Sentinel Solution."
- }
- }
- },
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
@@ -2346,7 +1452,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "InfobloxCDC Data Parser with template version 3.0.4",
+ "description": "InfobloxCDC Data Parser with template version 3.0.5",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserObject1').parserVersion1]",
@@ -2476,7 +1582,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Infoblox-Import-AISCOMM-Weekly Playbook with template version 3.0.4",
+ "description": "Infoblox-Import-AISCOMM-Weekly Playbook with template version 3.0.5",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion1')]",
@@ -2486,7 +1592,7 @@
"type": "string"
},
"AD Application Secret": {
- "type": "string",
+ "type": "securestring",
"metadata": {
"description": "Enter value for AD Application Secret"
}
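Review bot: Switching `AD Application Secret` to `securestring` here hides the value in the outer template's deployment inputs, and the next hunk (the inner parameters block carrying the `[[parameters('AD Application Secret')]` defaultValue) does the same, but if the workflow's own `definition.parameters` entry lives outside these hunks it must also be `securestring`, otherwise the value is still readable in the Logic App designer and run history. The same pair of hunks is repeated for the Emails, Hashes, Hosts-Daily-LookalikeDomains, Hosts-Daily-MalwareC2DGA, Hosts-Daily-Phishing, Hosts-Hourly, IPs-Hourly and URLs-Hourly playbooks, so whatever is confirmed here applies to each of them. The `metadata.description` is the only place this parameter is documented; it could state what the value is and how it is handled, e.g. `"description": "Client secret of the AD application used by this playbook; handled as a securestring and not echoed in deployment history"`. Because the parameter type is part of the playbook's deployment contract, confirm that the `playbookVersionN` variables referenced by `contentVersion` (defined outside these hunks) were bumped along with the 3.0.5 description strings.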
@@ -2526,7 +1632,7 @@
"parameters": {
"AD Application Secret": {
"defaultValue": "[[parameters('AD Application Secret')]",
- "type": "string"
+ "type": "securestring"
},
"Client ID": {
"defaultValue": "[[parameters('Client ID')]",
@@ -3014,7 +2120,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Infoblox-Import-Emails-Weekly Playbook with template version 3.0.4",
+ "description": "Infoblox-Import-Emails-Weekly Playbook with template version 3.0.5",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion2')]",
@@ -3024,7 +2130,7 @@
"type": "string"
},
"AD Application Secret": {
- "type": "string",
+ "type": "securestring",
"metadata": {
"description": "Enter value for AD Application Secret"
}
@@ -3064,7 +2170,7 @@
"parameters": {
"AD Application Secret": {
"defaultValue": "[[parameters('AD Application Secret')]",
- "type": "string"
+ "type": "securestring"
},
"Client ID": {
"defaultValue": "[[parameters('Client ID')]",
@@ -3551,7 +2657,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Infoblox-Import-Hashes-Weekly Playbook with template version 3.0.4",
+ "description": "Infoblox-Import-Hashes-Weekly Playbook with template version 3.0.5",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion3')]",
@@ -3561,7 +2667,7 @@
"type": "string"
},
"AD Application Secret": {
- "type": "string",
+ "type": "securestring",
"metadata": {
"description": "Enter value for AD Application Secret"
}
@@ -3601,7 +2707,7 @@
"parameters": {
"AD Application Secret": {
"defaultValue": "[[parameters('AD Application Secret')]",
- "type": "string"
+ "type": "securestring"
},
"Client ID": {
"defaultValue": "[[parameters('Client ID')]",
@@ -4088,7 +3194,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Infoblox-Import-Hosts-Daily-LookalikeDomains Playbook with template version 3.0.4",
+ "description": "Infoblox-Import-Hosts-Daily-LookalikeDomains Playbook with template version 3.0.5",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion4')]",
@@ -4098,7 +3204,7 @@
"type": "string"
},
"AD Application Secret": {
- "type": "string",
+ "type": "securestring",
"metadata": {
"description": "Enter value for AD Application Secret"
}
@@ -4138,7 +3244,7 @@
"parameters": {
"AD Application Secret": {
"defaultValue": "[[parameters('AD Application Secret')]",
- "type": "string"
+ "type": "securestring"
},
"Client ID": {
"defaultValue": "[[parameters('Client ID')]",
@@ -4626,7 +3732,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Infoblox-Import-Hosts-Daily-MalwareC2DGA Playbook with template version 3.0.4",
+ "description": "Infoblox-Import-Hosts-Daily-MalwareC2DGA Playbook with template version 3.0.5",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion5')]",
@@ -4636,7 +3742,7 @@
"type": "string"
},
"AD Application Secret": {
- "type": "string",
+ "type": "securestring",
"metadata": {
"description": "Enter value for AD Application Secret"
}
@@ -4676,7 +3782,7 @@
"parameters": {
"AD Application Secret": {
"defaultValue": "[[parameters('AD Application Secret')]",
- "type": "string"
+ "type": "securestring"
},
"Client ID": {
"defaultValue": "[[parameters('Client ID')]",
@@ -5164,7 +4270,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Infoblox-Import-Hosts-Daily-Phishing Playbook with template version 3.0.4",
+ "description": "Infoblox-Import-Hosts-Daily-Phishing Playbook with template version 3.0.5",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion6')]",
@@ -5174,7 +4280,7 @@
"type": "string"
},
"AD Application Secret": {
- "type": "string",
+ "type": "securestring",
"metadata": {
"description": "Enter value for AD Application Secret"
}
@@ -5214,7 +4320,7 @@
"parameters": {
"AD Application Secret": {
"defaultValue": "[[parameters('AD Application Secret')]",
- "type": "string"
+ "type": "securestring"
},
"Client ID": {
"defaultValue": "[[parameters('Client ID')]",
@@ -5702,7 +4808,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Infoblox-Import-Hosts-Hourly Playbook with template version 3.0.4",
+ "description": "Infoblox-Import-Hosts-Hourly Playbook with template version 3.0.5",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion7')]",
@@ -5712,7 +4818,7 @@
"type": "string"
},
"AD Application Secret": {
- "type": "string",
+ "type": "securestring",
"metadata": {
"description": "Enter value for AD Application Secret"
}
@@ -5752,7 +4858,7 @@
"parameters": {
"AD Application Secret": {
"defaultValue": "[[parameters('AD Application Secret')]",
- "type": "string"
+ "type": "securestring"
},
"Client ID": {
"defaultValue": "[[parameters('Client ID')]",
@@ -6239,7 +5345,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Infoblox-Import-IPs-Hourly Playbook with template version 3.0.4",
+ "description": "Infoblox-Import-IPs-Hourly Playbook with template version 3.0.5",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion8')]",
@@ -6249,7 +5355,7 @@
"type": "string"
},
"AD Application Secret": {
- "type": "string",
+ "type": "securestring",
"metadata": {
"description": "Enter value for AD Application Secret"
}
@@ -6289,7 +5395,7 @@
"parameters": {
"AD Application Secret": {
"defaultValue": "[[parameters('AD Application Secret')]",
- "type": "string"
+ "type": "securestring"
},
"Client ID": {
"defaultValue": "[[parameters('Client ID')]",
@@ -6776,7 +5882,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Infoblox-Import-URLs-Hourly Playbook with template version 3.0.4",
+ "description": "Infoblox-Import-URLs-Hourly Playbook with template version 3.0.5",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion9')]",
@@ -6786,7 +5892,7 @@
"type": "string"
},
"AD Application Secret": {
- "type": "string",
+ "type": "securestring",
"metadata": {
"description": "Enter value for AD Application Secret"
}
@@ -6826,7 +5932,7 @@
"parameters": {
"AD Application Secret": {
"defaultValue": "[[parameters('AD Application Secret')]",
- "type": "string"
+ "type": "securestring"
},
"Client ID": {
"defaultValue": "[[parameters('Client ID')]",
@@ -7313,7 +6419,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Infoblox-Incident-Enrichment-Domains Playbook with template version 3.0.4",
+ "description": "Infoblox-Incident-Enrichment-Domains Playbook with template version 3.0.5",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion10')]",
@@ -7783,7 +6889,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Infoblox-Incident-Send-Email Playbook with template version 3.0.4",
+ "description": "Infoblox-Incident-Send-Email Playbook with template version 3.0.5",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion11')]",
@@ -8345,12 +7451,12 @@
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
- "version": "3.0.4",
+ "version": "3.0.5",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "Infoblox Cloud Data Connector",
"publisherDisplayName": "Infoblox",
- "descriptionHtml": "
Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Infoblox Cloud solution allows you to easily connect your Infoblox BloxOne data with Microsoft Sentinel. By connecting your logs to Microsoft Sentinel, you can take advantage of search & correlation, alerting, and threat intelligence enrichment for each log.
\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.
\nNOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.
\nData Connectors: 2, Parsers: 1, Workbooks: 1, Analytic Rules: 8, Playbooks: 11
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
+ "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Infoblox Cloud solution allows you to easily connect your Infoblox BloxOne data with Microsoft Sentinel. By connecting your logs to Microsoft Sentinel, you can take advantage of search & correlation, alerting, and threat intelligence enrichment for each log.
\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.
\nNOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors were deprecated on Aug 31, 2024.
\nParsers: 1, Workbooks: 1, Analytic Rules: 8, Playbooks: 11
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
"contentKind": "Solution",
"contentProductId": "[variables('_solutioncontentProductId')]",
"id": "[variables('_solutioncontentProductId')]",
@@ -8418,16 +7524,6 @@
"contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]",
"version": "[variables('analyticRuleObject8').analyticRuleVersion8]"
},
- {
- "kind": "DataConnector",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "version": "[variables('dataConnectorVersion1')]"
- },
- {
- "kind": "DataConnector",
- "contentId": "[variables('_dataConnectorContentId2')]",
- "version": "[variables('dataConnectorVersion2')]"
- },
{
"kind": "Parser",
"contentId": "[variables('parserObject1').parserContentId1]",
diff --git a/Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Import-AISCOMM-Weekly/azuredeploy.json b/Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Import-AISCOMM-Weekly/azuredeploy.json
index 6638e0488ab..e68e272721f 100644
--- a/Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Import-AISCOMM-Weekly/azuredeploy.json
+++ b/Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Import-AISCOMM-Weekly/azuredeploy.json
@@ -30,7 +30,7 @@
"type": "string"
},
"AD Application Secret": {
- "type": "string",
+ "type": "securestring",
"metadata": {
"description": "Enter value for AD Application Secret"
}
@@ -67,7 +67,7 @@
"parameters": {
"AD Application Secret": {
"defaultValue": "[parameters('AD Application Secret')]",
- "type": "string"
+ "type": "securestring"
},
"Client ID": {
"defaultValue": "[parameters('Client ID')]",
diff --git a/Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Import-Emails-Weekly/azuredeploy.json b/Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Import-Emails-Weekly/azuredeploy.json
index e18cad3d847..03c8eaa4602 100644
--- a/Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Import-Emails-Weekly/azuredeploy.json
+++ b/Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Import-Emails-Weekly/azuredeploy.json
@@ -30,7 +30,7 @@
"type": "string"
},
"AD Application Secret": {
- "type": "string",
+ "type": "securestring",
"metadata": {
"description": "Enter value for AD Application Secret"
}
@@ -67,7 +67,7 @@
"parameters": {
"AD Application Secret": {
"defaultValue": "[parameters('AD Application Secret')]",
- "type": "string"
+ "type": "securestring"
},
"Client ID": {
"defaultValue": "[parameters('Client ID')]",
diff --git a/Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Import-Hashes-Weekly/azuredeploy.json b/Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Import-Hashes-Weekly/azuredeploy.json
index 709395cec33..6bf797205d9 100644
--- a/Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Import-Hashes-Weekly/azuredeploy.json
+++ b/Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Import-Hashes-Weekly/azuredeploy.json
@@ -30,7 +30,7 @@
"type": "string"
},
"AD Application Secret": {
- "type": "string",
+ "type": "securestring",
"metadata": {
"description": "Enter value for AD Application Secret"
}
@@ -67,7 +67,7 @@
"parameters": {
"AD Application Secret": {
"defaultValue": "[parameters('AD Application Secret')]",
- "type": "string"
+ "type": "securestring"
},
"Client ID": {
"defaultValue": "[parameters('Client ID')]",
diff --git a/Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Import-Hosts-Daily-LookalikeDomains/azuredeploy.json b/Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Import-Hosts-Daily-LookalikeDomains/azuredeploy.json
index 04f8a6a35bb..f2df00782e3 100644
--- a/Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Import-Hosts-Daily-LookalikeDomains/azuredeploy.json
+++ b/Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Import-Hosts-Daily-LookalikeDomains/azuredeploy.json
@@ -30,7 +30,7 @@
"type": "string"
},
"AD Application Secret": {
- "type": "string",
+ "type": "securestring",
"metadata": {
"description": "Enter value for AD Application Secret"
}
@@ -67,7 +67,7 @@
"parameters": {
"AD Application Secret": {
"defaultValue": "[parameters('AD Application Secret')]",
- "type": "string"
+ "type": "securestring"
},
"Client ID": {
"defaultValue": "[parameters('Client ID')]",
diff --git a/Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Import-Hosts-Daily-MalwareC2DGA/azuredeploy.json b/Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Import-Hosts-Daily-MalwareC2DGA/azuredeploy.json
index 8d291e97d7a..bdbf02e4f5e 100644
--- a/Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Import-Hosts-Daily-MalwareC2DGA/azuredeploy.json
+++ b/Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Import-Hosts-Daily-MalwareC2DGA/azuredeploy.json
@@ -30,7 +30,7 @@
"type": "string"
},
"AD Application Secret": {
- "type": "string",
+ "type": "securestring",
"metadata": {
"description": "Enter value for AD Application Secret"
}
@@ -67,7 +67,7 @@
"parameters": {
"AD Application Secret": {
"defaultValue": "[parameters('AD Application Secret')]",
- "type": "string"
+ "type": "securestring"
},
"Client ID": {
"defaultValue": "[parameters('Client ID')]",
diff --git a/Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Import-Hosts-Daily-Phishing/azuredeploy.json b/Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Import-Hosts-Daily-Phishing/azuredeploy.json
index 9967fff694c..7dfa0e76deb 100644
--- a/Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Import-Hosts-Daily-Phishing/azuredeploy.json
+++ b/Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Import-Hosts-Daily-Phishing/azuredeploy.json
@@ -30,7 +30,7 @@
"type": "string"
},
"AD Application Secret": {
- "type": "string",
+ "type": "securestring",
"metadata": {
"description": "Enter value for AD Application Secret"
}
@@ -67,7 +67,7 @@
"parameters": {
"AD Application Secret": {
"defaultValue": "[parameters('AD Application Secret')]",
- "type": "string"
+ "type": "securestring"
},
"Client ID": {
"defaultValue": "[parameters('Client ID')]",
diff --git a/Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Import-Hosts-Hourly/azuredeploy.json b/Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Import-Hosts-Hourly/azuredeploy.json
index 2f1152a29bc..effa15f8579 100644
--- a/Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Import-Hosts-Hourly/azuredeploy.json
+++ b/Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Import-Hosts-Hourly/azuredeploy.json
@@ -30,7 +30,7 @@
"type": "string"
},
"AD Application Secret": {
- "type": "string",
+ "type": "securestring",
"metadata": {
"description": "Enter value for AD Application Secret"
}
@@ -67,7 +67,7 @@
"parameters": {
"AD Application Secret": {
"defaultValue": "[parameters('AD Application Secret')]",
- "type": "string"
+ "type": "securestring"
},
"Client ID": {
"defaultValue": "[parameters('Client ID')]",
diff --git a/Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Import-IPs-Hourly/azuredeploy.json b/Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Import-IPs-Hourly/azuredeploy.json
index e163c5bb1f2..dc7bfa5b08c 100644
--- a/Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Import-IPs-Hourly/azuredeploy.json
+++ b/Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Import-IPs-Hourly/azuredeploy.json
@@ -30,7 +30,7 @@
"type": "string"
},
"AD Application Secret": {
- "type": "string",
+ "type": "securestring",
"metadata": {
"description": "Enter value for AD Application Secret"
}
@@ -67,7 +67,7 @@
"parameters": {
"AD Application Secret": {
"defaultValue": "[parameters('AD Application Secret')]",
- "type": "string"
+ "type": "securestring"
},
"Client ID": {
"defaultValue": "[parameters('Client ID')]",
diff --git a/Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Import-URLs-Hourly/azuredeploy.json b/Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Import-URLs-Hourly/azuredeploy.json
index 641c0b62cb0..31cb2d34024 100644
--- a/Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Import-URLs-Hourly/azuredeploy.json
+++ b/Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Import-URLs-Hourly/azuredeploy.json
@@ -30,7 +30,7 @@
"type": "string"
},
"AD Application Secret": {
- "type": "string",
+ "type": "securestring",
"metadata": {
"description": "Enter value for AD Application Secret"
}
@@ -67,7 +67,7 @@
"parameters": {
"AD Application Secret": {
"defaultValue": "[parameters('AD Application Secret')]",
- "type": "string"
+ "type": "securestring"
},
"Client ID": {
"defaultValue": "[parameters('Client ID')]",
diff --git a/Solutions/Infoblox Cloud Data Connector/ReleaseNotes.md b/Solutions/Infoblox Cloud Data Connector/ReleaseNotes.md
index d4caba03fca..aa0a83b85bb 100644
--- a/Solutions/Infoblox Cloud Data Connector/ReleaseNotes.md
+++ b/Solutions/Infoblox Cloud Data Connector/ReleaseNotes.md
@@ -1,5 +1,6 @@
| **Version** | **Date Modified** | **Change History** |
|---------------|--------------------------------|------------------------------------------------------------------------|
+| 3.0.5 | 06-01-2025 | Removed Deprecated **Data Connector** |
| 3.0.4 | 12-07-2024 | Deprecating data connectors |
| 3.0.3 | 30-04-2024 | Updated package for parser issue fix while reinstall |
| 3.0.2 | 05-03-2024 | Updated InfobloxCDC parser to manually parse with extract() rather than dynamically due to slowness |
diff --git a/Solutions/Trend Micro TippingPoint/Data/Solution_Trend Micro TippingPoint.json b/Solutions/Trend Micro TippingPoint/Data/Solution_Trend Micro TippingPoint.json
index d57cbb60285..396ae1b0f28 100644
--- a/Solutions/Trend Micro TippingPoint/Data/Solution_Trend Micro TippingPoint.json
+++ b/Solutions/Trend Micro TippingPoint/Data/Solution_Trend Micro TippingPoint.json
@@ -2,10 +2,7 @@
"Name": "Trend Micro TippingPoint",
"Author": "Trend Micro",
"Logo": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Trend Micro TippingPoint Microsoft Sentinel Solution allows you to easily connect your TippingPoint SMS IPS events with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation.
\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.
\nNOTE: Microsoft recommends installation of CEF via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024, and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.
\nData Connectors: 1, Parsers: 1
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
+ "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Trend Micro TippingPoint Microsoft Sentinel Solution allows you to easily connect your TippingPoint SMS IPS events with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation.
\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.
\nNOTE: Microsoft recommends installation of CEF via AMA Connector. Legacy connector uses the Log Analytics agent which were deprecated on Aug 31, 2024. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.
\nParsers: 1
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
"contentKind": "Solution",
"contentProductId": "[variables('_solutioncontentProductId')]",
"id": "[variables('_solutioncontentProductId')]",
@@ -590,11 +204,6 @@
},
"dependencies": {
"criteria": [
- {
- "kind": "DataConnector",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "version": "[variables('dataConnectorVersion1')]"
- },
{
"kind": "Parser",
"contentId": "[variables('parserObject1').parserContentId1]",
diff --git a/Solutions/Trend Micro TippingPoint/ReleaseNotes.md b/Solutions/Trend Micro TippingPoint/ReleaseNotes.md
index b1a8426daa8..b2e8f34878f 100644
--- a/Solutions/Trend Micro TippingPoint/ReleaseNotes.md
+++ b/Solutions/Trend Micro TippingPoint/ReleaseNotes.md
@@ -1,5 +1,6 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|--------------------------------------------------------------------|
-| 3.0.0 | 27-06-2024 | Deprecating data connectors |
+| 3.0.1 | 06-01-2025 | Removed Deprecated **Data connector** |
+| 3.0.0 | 27-06-2024 | Deprecating data connectors |
| 2.0.2 | 30-05-2023 | Updated Package |
| 2.0.1 | 11-11-2022 | Initial Release |
\ No newline at end of file