From f4a4e4baef836123b7201b503bcda00bbe709c3c Mon Sep 17 00:00:00 2001 From: Sergiy Prystaiko Date: Fri, 12 Mar 2021 16:17:49 +0200 Subject: [PATCH 1/9] exabeam - added connector json --- .../Exabeam/Connector_Exabeam_Syslog.json | 166 ++++++++++++++++++ 1 file changed, 166 insertions(+) create mode 100644 DataConnectors/Exabeam/Connector_Exabeam_Syslog.json diff --git a/DataConnectors/Exabeam/Connector_Exabeam_Syslog.json b/DataConnectors/Exabeam/Connector_Exabeam_Syslog.json new file mode 100644 index 0000000000..bbfba7841a --- /dev/null +++ b/DataConnectors/Exabeam/Connector_Exabeam_Syslog.json 
@@ -0,0 +1,166 @@ +{ + "id": "Exabeam", + "title": "Exabeam Advanced Analytics", + "publisher": "Exabeam", + "descriptionMarkdown": "The [Exabeam Advanced Analytics](https://www.exabeam.com/ueba/advanced-analytics-and-mitre-detect-and-stop-threats/) data connector provides the capability to ingest Exabeam Advanced Analytics events into Azure Sentinel. Refer to [Exabeam Advanced Analytics documentation](https://docs.exabeam.com/) for more information.", + "additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected. Follow the steps to use this Kusto Function alias **ExabeamEvent** in queries and workbooks. [Follow steps to get this Kusto Function>](https://aka.ms/sentinel-Exabeam-parser)", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "Syslog(Exabeam)", + "baseQuery": "ExabeamEvent" + } + ], + "sampleQueries": [ + { + "description" : "Top 10 Clients (Source IP)", + "query": "ExabeamEvent\n | summarize count() by SrcIpAddr\n | top 10 by count_" + } + ], + "dataTypes": [ + { + "name": "Syslog(Exabeam)", + "lastDataReceivedQuery": "ExabeamEvent\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "ExabeamEvent\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": true + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "write permission is required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ] + }, + "instructionSteps": [ + { + "title": "", + "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. [Follow these steps](https://aka.ms/sentinel-Exabeam-parser) to create the Kusto Functions alias, **ExabeamEvent**", + "instructions": [ + ] + }, + { + "title": "", + "description": ">**NOTE:** This data connector has been developed using Exabeam Advanced Analytics i54 (Syslog)", + "instructions": [ + ] + }, + { + "title": "1. Install and onboard the agent for Linux or Windows", + "description": "Install the agent on the server where the Exabeam Advanced Analytic logs are generated or forwarded.\n\n> Logs from Exabeam Advanced Analytic deployed on Linux or Windows servers are collected by **Linux** or **Windows** agents.", + "instructions": [ + { + "parameters": { + "title": "Choose where to install the Linux agent:", + "instructionSteps": [ + { + "title": "Install agent on Azure Linux Virtual Machine", + "description": "Select the machine to install the agent on and then click **Connect**.", + "instructions": [ + { + "parameters": { + "linkType": "InstallAgentOnLinuxVirtualMachine" + }, + "type": "InstallAgent" + } + ] + }, + { + "title": "Install agent on a non-Azure Linux Machine", + "description": "Download the agent on the relevant machine and follow the instructions.", + "instructions": [ + { + "parameters": { + "linkType": "InstallAgentOnLinuxNonAzure" + }, + "type": "InstallAgent" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "instructions": [ + { + "parameters": { + "title": "Choose where to install the Windows agent:", + "instructionSteps": [ + { + "title": "Install agent on Azure Windows Virtual 
Machine", + "description": "Select the machine to install the agent on and then click **Connect**.", + "instructions": [ + { + "parameters": { + "linkType": "InstallAgentOnVirtualMachine" + }, + "type": "InstallAgent" + } + ] + }, + { + "title": "Install agent on a non-Azure Windows Machine", + "description": "Download the agent on the relevant machine and follow the instructions.", + "instructions": [ + { + "parameters": { + "linkType": "InstallAgentOnNonAzure" + }, + "type": "InstallAgent" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "2. Configure the logs to be collected", + "description": "Configure the custom log directory to be collected" , + "instructions": [ + { + "parameters": { + "linkType": "OpenAdvancedWorkspaceSettings" + }, + "type": "InstallAgent" + } + ] + }, + { + "title": "3. Configure Exabeam event forwarding to Syslog", + "description": "[Follow these instructions](https://docs.exabeam.com/en/advanced-analytics/i54/advanced-analytics-administration-guide/113254-configure-advanced-analytics.html#UUID-7ce5ff9d-56aa-93f0-65de-c5255b682a08) to send Exabeam Advanced Analytics activity log data via syslog." + } +] +} \ No newline at end of file From 9b3de2584d650cea08286e24343582f3f79486dd Mon Sep 17 00:00:00 2001 From: Sergiy Prystaiko Date: Fri, 12 Mar 2021 16:18:08 +0200 Subject: [PATCH 2/9] exabeam - added logo --- Logos/exabeam.svg | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 Logos/exabeam.svg diff --git a/Logos/exabeam.svg b/Logos/exabeam.svg new file mode 100644 index 0000000000..934da973c5 --- /dev/null +++ b/Logos/exabeam.svg @@ -0,0 +1,3 @@ + + + From 2a7acad437426058790d6dbfca733824ad7d3ada Mon Sep 17 00:00:00 2001 From: Sergiy Prystaiko Date: Fri, 12 Mar 2021 16:33:48 +0200 Subject: [PATCH 3/9] exabeam - added parser --- Parsers/Exabeam/ExabeamEvent.txt | 98 ++++++++++++++++++++++++++++++++ 1 file changed, 98 insertions(+) create mode 100644 Parsers/Exabeam/ExabeamEvent.txt 
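Review bot: Step `2. Configure the logs to be collected` carries `"description": "Configure the custom log directory to be collected"` and `"linkType": "OpenAdvancedWorkspaceSettings"`, which is the custom-log-directory template wording, while the connector title, the `Syslog(Exabeam)` dataType and step 3 all describe syslog collection, so the portal sends the user to the wrong settings blade with an instruction that does not apply. For a syslog-based connector the step should name what has to be enabled, e.g. `"description": "Configure the facilities you want to collect and their severities."`, and use the syslog settings link type (`OpenSyslogSettings`) if this repository's other syslog connectors use it. Minor style: `"description" : "Top 10 Clients (Source IP)"` in sampleQueries has a space before the colon, unlike every other key in the file.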
diff --git a/Parsers/Exabeam/ExabeamEvent.txt b/Parsers/Exabeam/ExabeamEvent.txt new file mode 100644 index 0000000000..2c8ef5cf92 --- /dev/null +++ b/Parsers/Exabeam/ExabeamEvent.txt 
@@ -0,0 +1,98 @@ +// Usage Instruction : +// Paste below query in log analytics, click on Save button and select as Function from drop down by specifying function name and alias as ExabeamEvent. +// Function usually takes 10-15 minutes to activate. You can then use function alias from any other queries (e.g. ExabeamEvent | take 10). +// Reference : Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions +Syslog +| where ProcessName contains "Exabeam" +| extend EventVendor = 'Exabeam' +| extend Service = extract(@'service=\"(.*?)\"', 1, SyslogMessage) +| extend Status = extract(@'status=\"(.*?)\"', 1, SyslogMessage) +| extend Id = extract(@'id=\"(.*?)\"', 1, SyslogMessage) +| extend UrlOriginal = extract(@'url=\"(.*?)\"', 1, SyslogMessage) +| extend EntityValue = extract(@'entity_value=\"(.*?)\"', 1, SyslogMessage) +| extend Score = extract(@'score=\"(.*?)\"', 1, SyslogMessage) +| extend SequenceType = extract(@'sequence_type=\"(.*?)\"', 1, SyslogMessage) +| extend EventStartTime = todatetime(extract(@'start_time=\"(.*?)\"', 1, SyslogMessage)) +| extend EventEndTime = todatetime(extract(@'end_time=\"(.*?)\"', 1, SyslogMessage)) +| extend SrcUserName = extract(@'user=\"(.*?)\"', 1, SyslogMessage) +| extend SrcDvcHostname = extract(@'src_host=\"(.*?)\"', 1, SyslogMessage) +| extend SrcIpAddr = extract(@'src_ip=\"(.*?)\"', 1, SyslogMessage) +| extend Labels = extract(@'labels=\"(.*?)\"', 1, SyslogMessage) +| extend Accounts = extract(@'accounts=\"(.*?)\"', 1, SyslogMessage) +| extend AssetsCount = extract(@'assets_count=\"(.*?)\"', 1, SyslogMessage) +| extend Assets = extract(@'assets=\"(.*?)\"', 1, SyslogMessage) +| extend Zones = extract(@'zones=\"(.*?)\"', 1, SyslogMessage) +| extend TopReasons = extract(@'top_reasons=\"(.*?)\"', 1, SyslogMessage) +| extend ReasonsCount = extract(@'reasons_count=\"(.*?)\"', 1, SyslogMessage) +| extend EventsCount = extract(@'events_count=\"(.*?)\"', 1, SyslogMessage) +| 
extend AlertsCount = extract(@'alerts_count=\"(.*?)\"', 1, SyslogMessage) +| extend AssetLabels = extract(@'asset_labels=\"(.*?)\"', 1, SyslogMessage) +| extend AssetLocations = extract(@'asset_locations=\"(.*?)\"', 1, SyslogMessage) +| extend TopUsers = extract(@'top_users=\"(.*?)\"', 1, SyslogMessage) +| extend AssetHostname = extract(@'host_name=\"(.*?)\"', 1, SyslogMessage) +| extend AssetIpAddress = extract(@'ip_address=\"(.*?)\"', 1, SyslogMessage) +| extend DstDvcHostname = extract(@'dest_host=\"(.*?)\"', 1, SyslogMessage) +| extend DstIpAddr = extract(@'dest_ip=\"(.*?)\"', 1, SyslogMessage) +| extend EventTime = todatetime(extract(@'event_time=\"(.*?)\"', 1, SyslogMessage)) +| extend EventType = extract(@'event_type=\"(.*?)\"', 1, SyslogMessage) +| extend DvcHostname = extract(@'host=\"(.*?)\"', 1, SyslogMessage) +| extend Domain = extract(@'domain=\"(.*?)\"', 1, SyslogMessage) +| extend Raw = extract(@'raw=\"(.*?)\"', 1, SyslogMessage) +| extend RuleId = extract(@'rule_id=\"(.*?)\"', 1, SyslogMessage) +| extend RuleName = extract(@'rule_name=\"(.*?)\"', 1, SyslogMessage) +| extend RuleDescription = extract(@'rule_description=\"(.*?)\"', 1, SyslogMessage) +| extend App = extract(@'app=\"(.*?)\"', 1, SyslogMessage) +| extend EventSubType = extract(@'event_subtype=\"(.*?)\"', 1, SyslogMessage) +| extend Activity = extract(@'activity=\"(.*?)\"', 1, SyslogMessage) +| extend AdditionalInfo = extract(@'additional_info=\"(.*?)\"', 1, SyslogMessage) +| extend JobStatus = extract(@'job_status=\"(.*?)\"', 1, SyslogMessage) +| extend JobDetails = extract(@'job_details=\"(.*?)\"', 1, SyslogMessage) +| extend JobId = extract(@'job_id=\"(.*?)\"', 1, SyslogMessage) +| extend CreatedBy = extract(@'created_by=\"(.*?)\"', 1, SyslogMessage) +| extend Timestamp = todatetime(extract(@'timestamp=\"(.*?)\"', 1, SyslogMessage)) +| project EventVendor + , Service + , Status + , Id + , UrlOriginal + , EntityValue + , Score + , SequenceType + , EventStartTime + , EventEndTime + , 
SrcUserName + , SrcDvcHostname + , SrcIpAddr + , Labels + , Accounts + , AssetsCount + , Assets + , Zones + , TopReasons + , ReasonsCount + , EventsCount + , AlertsCount + , AssetLabels + , AssetLocations + , TopUsers + , AssetHostname + , AssetIpAddress + , DstDvcHostname + , DstIpAddr + , EventTime + , EventType + , DvcHostname + , Domain + , Raw + , RuleId + , RuleName + , RuleDescription + , App + , EventSubType + , Activity + , AdditionalInfo + , JobStatus + , JobDetails + , JobId + , CreatedBy + , Timestamp \ No newline at end of file From 32e780f2b67e3a7d1e324957fe335ee8dac8727a Mon Sep 17 00:00:00 2001 From: Sergiy Prystaiko Date: Fri, 12 Mar 2021 16:34:05 +0200 Subject: [PATCH 4/9] exabeam - added mapping --- .../CustomTables/Exabeam.json | 189 ++++++++++++++++++ 1 file changed, 189 insertions(+) create mode 100644 .script/tests/KqlvalidationsTests/CustomTables/Exabeam.json diff --git a/.script/tests/KqlvalidationsTests/CustomTables/Exabeam.json b/.script/tests/KqlvalidationsTests/CustomTables/Exabeam.json new file mode 100644 index 0000000000..7d1a5c4044 --- /dev/null +++ b/.script/tests/KqlvalidationsTests/CustomTables/Exabeam.json 
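Review bot: Several of the `extract()` patterns are unanchored key names that are suffixes of other keys in the same message, so they capture the wrong field: `id=\"` also matches `rule_id=\"` and `job_id=\"`, `host=\"` matches `src_host=\"`/`dest_host=\"`, `status=\"` matches `job_status=\"`, `labels=\"` matches `asset_labels=\"`, and `assets=\"` can hit inside a labels value; the sample data added later in this series shows exactly that (`Id` equal to `JobId`, `Labels` and `Assets` holding the literal text `assets=`). Because `extract()` returns the first match, whichever key appears earlier in the syslog line wins, which mis-attributes the entity a detection would key on. Anchoring each key on a word boundary fixes it since `_` is a word character in RE2, e.g. `| extend Id = extract(@'\bid=\"(.*?)\"', 1, SyslogMessage)`, applied to every extract line in the same way. Separately, `| where ProcessName contains "Exabeam"` is a case-insensitive substring scan; `has` or `==` is both cheaper and less likely to admit unrelated process names into a parser that every downstream query trusts.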
@@ -0,0 +1,189 @@ +{ + "Name": "ExabeamEvent", + "Properties": [ + { + "Name": "EventVendor", + "Type": "String" + }, + { + "Name": "Service", + "Type": "String" + }, + { + "Name": "Status", + "Type": "String" + }, + { + "Name": "Id", + "Type": "String" + }, + { + "Name": "UrlOriginal", + "Type": "String" + }, + { + "Name": "EntityValue", + "Type": "String" + }, + { + "Name": "Score", + "Type": "String" + }, + { + "Name": "SequenceType", + "Type": "String" + }, + { + "Name": "EventStartTime", + "Type": "DateTime" + }, + { + "Name": "EventEndTime", + "Type": "DateTime" + }, + { + "Name": "SrcUserName", + "Type": "String" + }, + { + "Name": "SrcDvcHostname", + "Type": "String" + }, + { + "Name": "SrcIpAddr", + "Type": "String" + }, + { + "Name": "Labels", + "Type": "String" + }, + { + "Name": "Accounts", + "Type": "String" + }, + { + "Name": "AssetsCount", + "Type": "String" + }, + { + "Name": "Assets", + "Type": "String" + }, + { + "Name": "Zones", + "Type": "String" + }, + { + "Name": "TopReasons", + "Type": "String" + }, + { + "Name": "ReasonsCount", + "Type": "String" + }, + { + "Name": "EventsCount", + "Type": "String" + }, + { + "Name": "AlertsCount", + "Type": "String" + }, + { + "Name": "AssetLabels", + "Type": "String" + }, + { + "Name": "AssetLocations", + "Type": "String" + }, + { + "Name": "TopUsers", + "Type": "String" + }, + { + "Name": "AssetHostname", + "Type": "String" + }, + { + "Name": "AssetIpAddress", + "Type": "String" + }, + { + "Name": "DstDvcHostname", + "Type": "String" + }, + { + "Name": "DstIpAddr", + "Type": "String" + }, + { + "Name": "EventTime", + "Type": "DateTime" + }, + { + "Name": "EventType", + "Type": "String" + }, + { + "Name": "DvcHostname", + "Type": "String" + }, + { + "Name": "Domain", + "Type": "String" + }, + { + "Name": "Raw", + "Type": "String" + }, + { + "Name": "RuleId", + "Type": "String" + }, + { + "Name": "RuleName", + "Type": "String" + }, + { + "Name": "RuleDescription", + "Type": "String" + }, + { + "Name": 
"App", + "Type": "String" + }, + { + "Name": "EventSubType", + "Type": "String" + }, + { + "Name": "Activity", + "Type": "String" + }, + { + "Name": "AdditionalInfo", + "Type": "String" + }, + { + "Name": "JobStatus", + "Type": "String" + }, + { + "Name": "JobDetails", + "Type": "String" + }, + { + "Name": "JobId", + "Type": "String" + }, + { + "Name": "CreatedBy", + "Type": "String" + }, + { + "Name": "Timestamp", + "Type": "DateTime" + } + ] +} \ No newline at end of file From 2a53f5d09fe316a3a65e63f3b816bf0212ab415e Mon Sep 17 00:00:00 2001 From: Sergiy Prystaiko Date: Fri, 12 Mar 2021 16:43:13 +0200 Subject: [PATCH 5/9] exabeam - added sample data --- Sample Data/Syslog/ExabeamEvent.json | 590 +++++++++++++++++++++++++++ 1 file changed, 590 insertions(+) create mode 100644 Sample Data/Syslog/ExabeamEvent.json diff --git a/Sample Data/Syslog/ExabeamEvent.json b/Sample Data/Syslog/ExabeamEvent.json new file mode 100644 index 0000000000..03ca6eef9b --- /dev/null +++ b/Sample Data/Syslog/ExabeamEvent.json 
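Review bot: The `ExabeamEvent` schema lists no `TimeGenerated` column, yet the connector's `lastDataReceivedQuery` and `IsConnectedQuery` call `max(TimeGenerated)` on `ExabeamEvent`, and PATCH 8/9 later adds `TimeGenerated` to the parser's `project` list; if the KQL validation resolves columns from this file, those queries will fail to validate. Adding `{ "Name": "TimeGenerated", "Type": "DateTime" }` to `Properties` keeps the test schema in step with the parser. The `String` type on `Score`, `ReasonsCount`, `EventsCount` and `AlertsCount` does match what the parser emits (plain `extract()` results), so that part is consistent, though a numeric type in both places would make the connector's `top 10 by count_`-style queries easier to extend.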
@@ -0,0 +1,590 @@ +[ + { + "TimeGenerated": "3/12/2021, 2:12:23.743 PM", + "EventVendor": "Exabeam", + "Service": "", + "Status": "open", + "Id": "testUser-20140402150331", + "UrlOriginal": "http://localhost:8484/#sessions/userx-20140402150331", + "EntityValue": "", + "Score": "", + "SequenceType": "", + "EventStartTime": "4/2/2014, 7:03:31.000 AM", + "EventEndTime": "1/1/1970, 12:00:00.000 AM", + "SrcUserName": " userx ", + "SrcDvcHostname": "test-host01-userx", + "SrcIpAddr": "19.10.150.7", + "Labels": "", + "Accounts": "testUser", + "AssetsCount": "", + "Assets": "test-host01-userx", + "Zones": "test.zone.test", + "TopReasons": "First logon to workstation for user,First logon to network zone,Abnormal logon to network zone for group", + "ReasonsCount": "17", + "EventsCount": "4", + "AlertsCount": "2", + "AssetLabels": "", + "AssetLocations": "", + "TopUsers": "", + "AssetHostname": "", + "AssetIpAddress": "", + "DstDvcHostname": "", + "DstIpAddr": "", + "EventTime": "", + "EventType": "", + "DvcHostname": "test-host01-userx", + "Domain": "", + "Raw": "", + "RuleId": "", + "RuleName": "", + "RuleDescription": "", + "App": "", + "EventSubType": "", + "Activity": "", + "AdditionalInfo": "", + "JobStatus": "", + "JobDetails": "", + "JobId": "", + "CreatedBy": "", + "Timestamp": "4/21/2015, 7:55:21.503 AM" + }, + { + "TimeGenerated": "3/12/2021, 2:12:03.653 PM", + "EventVendor": "Exabeam", + "Service": "", + "Status": "open", + "Id": "testUser-20140402150331", + "UrlOriginal": "http://localhost:8484/#sessions/userx-20140402150331", + "EntityValue": "", + "Score": "", + "SequenceType": "", + "EventStartTime": "4/2/2014, 7:03:31.000 AM", + "EventEndTime": "1/1/1970, 12:00:00.000 AM", + "SrcUserName": " userx ", + "SrcDvcHostname": "test-host01-userx", + "SrcIpAddr": "19.10.150.7", + "Labels": "", + "Accounts": "testUser", + "AssetsCount": "", + "Assets": "test-host01-userx", + "Zones": "test.zone.test", + "TopReasons": "First logon to workstation for user,First logon to 
network zone,Abnormal logon to network zone for group", + "ReasonsCount": "10", + "EventsCount": "1", + "AlertsCount": "0", + "AssetLabels": "", + "AssetLocations": "", + "TopUsers": "", + "AssetHostname": "", + "AssetIpAddress": "", + "DstDvcHostname": "", + "DstIpAddr": "", + "EventTime": "", + "EventType": "", + "DvcHostname": "test-host01-userx", + "Domain": "", + "Raw": "", + "RuleId": "", + "RuleName": "", + "RuleDescription": "", + "App": "", + "EventSubType": "", + "Activity": "", + "AdditionalInfo": "", + "JobStatus": "", + "JobDetails": "", + "JobId": "", + "CreatedBy": "", + "Timestamp": "4/21/2015, 7:55:21.503 AM" + }, + { + "TimeGenerated": "3/12/2021, 2:12:18.123 PM", + "EventVendor": "Exabeam", + "Service": "", + "Status": "open", + "Id": "testUser-20140402150331", + "UrlOriginal": "http://localhost:8484/#sessions/userx-20140402150331", + "EntityValue": "", + "Score": "", + "SequenceType": "", + "EventStartTime": "4/2/2014, 7:03:31.000 AM", + "EventEndTime": "1/1/1970, 12:00:00.000 AM", + "SrcUserName": " userx ", + "SrcDvcHostname": "test-host01-userx", + "SrcIpAddr": "19.10.150.7", + "Labels": "", + "Accounts": "testUser", + "AssetsCount": "", + "Assets": "test-host01-userx", + "Zones": "test.zone.test", + "TopReasons": "First logon to workstation for user,First logon to network zone,Abnormal logon to network zone for group", + "ReasonsCount": "17", + "EventsCount": "4", + "AlertsCount": "0", + "AssetLabels": "", + "AssetLocations": "", + "TopUsers": "", + "AssetHostname": "", + "AssetIpAddress": "", + "DstDvcHostname": "", + "DstIpAddr": "", + "EventTime": "", + "EventType": "", + "DvcHostname": "test-host01-userx", + "Domain": "", + "Raw": "", + "RuleId": "", + "RuleName": "", + "RuleDescription": "", + "App": "", + "EventSubType": "", + "Activity": "", + "AdditionalInfo": "", + "JobStatus": "", + "JobDetails": "", + "JobId": "", + "CreatedBy": "", + "Timestamp": "4/21/2015, 7:55:21.503 AM" + }, + { + "TimeGenerated": "3/12/2021, 2:09:56.550 PM", 
+ "EventVendor": "Exabeam", + "Service": "", + "Status": "open", + "Id": "testUser-20140402150331", + "UrlOriginal": "http://localhost:8484/#sessions/userx-20140402150331", + "EntityValue": "", + "Score": "", + "SequenceType": "", + "EventStartTime": "4/2/2014, 7:03:31.000 AM", + "EventEndTime": "1/1/1970, 12:00:00.000 AM", + "SrcUserName": " userx ", + "SrcDvcHostname": "test-host01-userx", + "SrcIpAddr": " 192.0.150.7 ", + "Labels": "", + "Accounts": "testUser", + "AssetsCount": "", + "Assets": "test-host01-userx", + "Zones": "test.zone.test", + "TopReasons": "First logon to workstation for user,First logon to network zone,Abnormal logon to network zone for group", + "ReasonsCount": "10", + "EventsCount": "1", + "AlertsCount": "0", + "AssetLabels": "", + "AssetLocations": "", + "TopUsers": "", + "AssetHostname": "", + "AssetIpAddress": "", + "DstDvcHostname": "", + "DstIpAddr": "", + "EventTime": "", + "EventType": "", + "DvcHostname": "test-host01-userx", + "Domain": "", + "Raw": "", + "RuleId": "", + "RuleName": "", + "RuleDescription": "", + "App": "", + "EventSubType": "", + "Activity": "", + "AdditionalInfo": "", + "JobStatus": "", + "JobDetails": "", + "JobId": "", + "CreatedBy": "", + "Timestamp": "4/21/2015, 7:55:21.503 AM" + }, + { + "TimeGenerated": "2/26/2021, 9:24:14.377 AM", + "EventVendor": "Exabeam", + "Service": "", + "Status": "open", + "Id": "testUser-20140402150331", + "UrlOriginal": "http://localhost:8484/#sessions/userx-20140402150331", + "EntityValue": "", + "Score": "", + "SequenceType": "", + "EventStartTime": "4/2/2014, 7:03:31.000 AM", + "EventEndTime": "1/1/1970, 12:00:00.000 AM", + "SrcUserName": " userx ", + "SrcDvcHostname": "test-host01-userx", + "SrcIpAddr": " 192.0.150.7 ", + "Labels": "", + "Accounts": "testUser", + "AssetsCount": "", + "Assets": "test-host01-userx", + "Zones": "test.zone.test", + "TopReasons": "First logon to workstation for user,First logon to network zone,Abnormal logon to network zone for group", + 
"ReasonsCount": "10", + "EventsCount": "1", + "AlertsCount": "0", + "AssetLabels": "", + "AssetLocations": "", + "TopUsers": "", + "AssetHostname": "", + "AssetIpAddress": "", + "DstDvcHostname": "", + "DstIpAddr": "", + "EventTime": "", + "EventType": "", + "DvcHostname": "test-host01-userx", + "Domain": "", + "Raw": "", + "RuleId": "", + "RuleName": "", + "RuleDescription": "", + "App": "", + "EventSubType": "", + "Activity": "", + "AdditionalInfo": "", + "JobStatus": "", + "JobDetails": "", + "JobId": "", + "CreatedBy": "", + "Timestamp": "4/21/2015, 7:55:21.503 AM" + }, + { + "TimeGenerated": "2/26/2021, 9:58:32.500 AM", + "EventVendor": "Exabeam", + "Service": "Analytics Log Ingestion", + "Status": "stopped", + "Id": "sstrickland-20210204143816", + "UrlOriginal": "http://g-aa.exabeamdemo.com/#sessions/sstrickland-20210204143816", + "EntityValue": "", + "Score": "20", + "SequenceType": "", + "EventStartTime": "2/4/2021, 2:38:16.000 PM", + "EventEndTime": "2/4/2021, 2:38:16.000 PM", + "SrcUserName": "sstrickland", + "SrcDvcHostname": "wks_5cc_kt", + "SrcIpAddr": "192.168.25.136", + "Labels": " assets=", + "Accounts": "sstrickland", + "AssetsCount": "", + "Assets": "tks_en_360_kt", + "Zones": "None", + "TopReasons": "", + "ReasonsCount": "", + "EventsCount": "", + "AlertsCount": "1", + "AssetLabels": "", + "AssetLocations": "", + "TopUsers": "", + "AssetHostname": "", + "AssetIpAddress": "", + "DstDvcHostname": "", + "DstIpAddr": "", + "EventTime": "", + "EventType": "", + "DvcHostname": "wks_5cc_kt", + "Domain": "", + "Raw": "", + "RuleId": "", + "RuleName": "", + "RuleDescription": "", + "App": "", + "EventSubType": "", + "Activity": "", + "AdditionalInfo": "", + "JobStatus": "", + "JobDetails": "", + "JobId": "", + "CreatedBy": "", + "Timestamp": "2/7/2021, 2:38:16.000 PM" + }, + { + "TimeGenerated": "2/26/2021, 9:59:56.770 AM", + "EventVendor": "Exabeam", + "Service": "", + "Status": "open", + "Id": "20140402150331", + "UrlOriginal": 
"http://localhost:8484/#sessions/userx-20140402150331", + "EntityValue": "", + "Score": "", + "SequenceType": "", + "EventStartTime": "4/2/2014, 7:03:31.000 AM", + "EventEndTime": "1/1/1970, 12:00:00.000 AM", + "SrcUserName": "sstrickland", + "SrcDvcHostname": "test-host01-userx", + "SrcIpAddr": " 192.0.150.7 ", + "Labels": "", + "Accounts": "testUser", + "AssetsCount": "", + "Assets": "assets=", + "Zones": "test.zone.test", + "TopReasons": "First logon to workstation for user,First logon to network zone,Abnormal logon to network zone for group", + "ReasonsCount": "10", + "EventsCount": "1", + "AlertsCount": "0", + "AssetLabels": "", + "AssetLocations": "", + "TopUsers": "", + "AssetHostname": "", + "AssetIpAddress": "", + "DstDvcHostname": "", + "DstIpAddr": "", + "EventTime": "", + "EventType": "", + "DvcHostname": "test-host01-userx", + "Domain": "", + "Raw": "", + "RuleId": "", + "RuleName": "", + "RuleDescription": "", + "App": "", + "EventSubType": "", + "Activity": "", + "AdditionalInfo": "", + "JobStatus": "", + "JobDetails": "", + "JobId": "", + "CreatedBy": "", + "Timestamp": "4/21/2015, 7:55:21.503 AM" + }, + { + "TimeGenerated": "2/26/2021, 10:01:53.203 AM", + "EventVendor": "Exabeam", + "Service": "", + "Status": "open", + "Id": "20140402150331", + "UrlOriginal": "http://localhost:8484/#sessions/userx-20140402150331", + "EntityValue": "", + "Score": "", + "SequenceType": "", + "EventStartTime": "4/2/2014, 7:03:31.000 AM", + "EventEndTime": "1/1/1970, 12:00:00.000 AM", + "SrcUserName": "sstrickland", + "SrcDvcHostname": "test-host01-userx", + "SrcIpAddr": " 192.0.150.7 ", + "Labels": "", + "Accounts": "testUser", + "AssetsCount": "", + "Assets": "srv_123_dev, 10.23.123.56, tks_en_0b_jt", + "Zones": "test.zone.test", + "TopReasons": "First logon to workstation for user,First logon to network zone,Abnormal logon to network zone for group", + "ReasonsCount": "10", + "EventsCount": "1", + "AlertsCount": "0", + "AssetLabels": "", + "AssetLocations": "", + 
"TopUsers": "", + "AssetHostname": "", + "AssetIpAddress": "", + "DstDvcHostname": "", + "DstIpAddr": "", + "EventTime": "", + "EventType": "", + "DvcHostname": "test-host01-userx", + "Domain": "", + "Raw": "", + "RuleId": "", + "RuleName": "", + "RuleDescription": "", + "App": "", + "EventSubType": "", + "Activity": "", + "AdditionalInfo": "", + "JobStatus": "", + "JobDetails": "", + "JobId": "", + "CreatedBy": "", + "Timestamp": "4/21/2015, 7:55:21.503 AM" + }, + { + "TimeGenerated": "2/26/2021, 10:03:39.857 AM", + "EventVendor": "Exabeam", + "Service": "", + "Status": "Started", + "Id": "10204143816", + "UrlOriginal": "", + "EntityValue": "", + "Score": "80", + "SequenceType": "", + "EventStartTime": "", + "EventEndTime": "", + "SrcUserName": "", + "SrcDvcHostname": "", + "SrcIpAddr": "", + "Labels": "", + "Accounts": "", + "AssetsCount": "", + "Assets": "", + "Zones": "", + "TopReasons": "", + "ReasonsCount": "", + "EventsCount": "", + "AlertsCount": "", + "AssetLabels": "", + "AssetLocations": "", + "TopUsers": "", + "AssetHostname": "", + "AssetIpAddress": "", + "DstDvcHostname": "", + "DstIpAddr": "", + "EventTime": "", + "EventType": "", + "DvcHostname": "", + "Domain": "", + "Raw": "", + "RuleId": "", + "RuleName": "", + "RuleDescription": "", + "App": "", + "EventSubType": "", + "Activity": "", + "AdditionalInfo": "", + "JobStatus": "Started", + "JobDetails": "Modified rules: rule AM-OG-A has new score 40.0 ,rule AM-GOU-A has new score 40.0 ,rule AM-GA-AC-A has new score 40.0. 
Reprocess starts from May 5 2014, 7:00AM (UTC), ends on May 7 2018, 6:59AM (UTC).", + "JobId": "5c1ace5c123 b3801207481f", + "CreatedBy": "admin", + "Timestamp": "2/7/2021, 2:38:16.000 PM" + }, + { + "TimeGenerated": "2/26/2021, 10:04:22.973 AM", + "EventVendor": "Exabeam", + "Service": "", + "Status": "Started", + "Id": "5c1ace5c123 b3801207481f", + "UrlOriginal": "", + "EntityValue": "", + "Score": "", + "SequenceType": "", + "EventStartTime": "", + "EventEndTime": "", + "SrcUserName": "", + "SrcDvcHostname": "", + "SrcIpAddr": "", + "Labels": "", + "Accounts": "", + "AssetsCount": "", + "Assets": "", + "Zones": "", + "TopReasons": "", + "ReasonsCount": "", + "EventsCount": "", + "AlertsCount": "", + "AssetLabels": "", + "AssetLocations": "", + "TopUsers": "", + "AssetHostname": "", + "AssetIpAddress": "", + "DstDvcHostname": "", + "DstIpAddr": "", + "EventTime": "", + "EventType": "", + "DvcHostname": "", + "Domain": "", + "Raw": "", + "RuleId": "", + "RuleName": "", + "RuleDescription": "", + "App": "", + "EventSubType": "", + "Activity": "", + "AdditionalInfo": "", + "JobStatus": "Started", + "JobDetails": "Modified rules: rule AM-OG-A has new score 40.0 ,rule AM-GOU-A has new score 40.0 ,rule AM-GA-AC-A has new score 40.0. 
Reprocess starts from May 5 2014, 7:00AM (UTC), ends on May 7 2018, 6:59AM (UTC).", + "JobId": "5c1ace5c123 b3801207481f", + "CreatedBy": "admin", + "Timestamp": "" + }, + { + "TimeGenerated": "2/26/2021, 10:04:49.923 AM", + "EventVendor": "Exabeam", + "Service": "Analytics Log Ingestion", + "Status": "stopped", + "Id": "sstrickland-20210204143816", + "UrlOriginal": "http://g-aa.exabeamdemo.com/#sessions/sstrickland-20210204143816", + "EntityValue": "", + "Score": "85", + "SequenceType": "", + "EventStartTime": "2/4/2021, 2:38:16.000 PM", + "EventEndTime": "2/4/2021, 2:38:16.000 PM", + "SrcUserName": "sstrickland", + "SrcDvcHostname": "wks_5cc_kt", + "SrcIpAddr": "192.168.25.136", + "Labels": " assets=", + "Accounts": "sstrickland", + "AssetsCount": "", + "Assets": "tks_en_360_kt", + "Zones": "None", + "TopReasons": "", + "ReasonsCount": "", + "EventsCount": "", + "AlertsCount": "1", + "AssetLabels": "", + "AssetLocations": "", + "TopUsers": "", + "AssetHostname": "", + "AssetIpAddress": "", + "DstDvcHostname": "", + "DstIpAddr": "", + "EventTime": "", + "EventType": "", + "DvcHostname": "wks_5cc_kt", + "Domain": "", + "Raw": "", + "RuleId": "", + "RuleName": "", + "RuleDescription": "", + "App": "", + "EventSubType": "", + "Activity": "", + "AdditionalInfo": "", + "JobStatus": "", + "JobDetails": "", + "JobId": "", + "CreatedBy": "", + "Timestamp": "2/7/2021, 2:38:16.000 PM" + }, + { + "TimeGenerated": "2/26/2021, 9:57:02.510 AM", + "EventVendor": "Exabeam", + "Service": "", + "Status": "open", + "Id": "sstrickland-20210204143816", + "UrlOriginal": "http://g-aa.exabeamdemo.com/#sessions/sstrickland-20210204143816", + "EntityValue": "", + "Score": "20", + "SequenceType": "", + "EventStartTime": "2/4/2021, 2:38:16.000 PM", + "EventEndTime": "2/4/2021, 2:38:16.000 PM", + "SrcUserName": "sstrickland", + "SrcDvcHostname": "wks_5cc_kt", + "SrcIpAddr": "192.168.25.136", + "Labels": " assets=", + "Accounts": "sstrickland", + "AssetsCount": "", + "Assets": "tks_en_360_kt", 
+ "Zones": "None", + "TopReasons": "It is abnormal for account management activity (a user created and added to a group) to come from this zone. Account management events are notable because they can provide a path for an attacker to move laterally through a system.", + "ReasonsCount": "1", + "EventsCount": "248", + "AlertsCount": "1", + "AssetLabels": "", + "AssetLocations": "", + "TopUsers": "", + "AssetHostname": "", + "AssetIpAddress": "", + "DstDvcHostname": "", + "DstIpAddr": "", + "EventTime": "", + "EventType": "", + "DvcHostname": "wks_5cc_kt", + "Domain": "", + "Raw": "", + "RuleId": "", + "RuleName": "", + "RuleDescription": "", + "App": "", + "EventSubType": "", + "Activity": "", + "AdditionalInfo": "", + "JobStatus": "", + "JobDetails": "", + "JobId": "", + "CreatedBy": "", + "Timestamp": "2/4/2021, 2:38:16.000 PM" + } +] \ No newline at end of file From 3f1e80e954c6f91438b4e92d9c5dd151239c8a5a Mon Sep 17 00:00:00 2001 From: Vitalii Uslystyi Date: Fri, 12 Mar 2021 17:28:10 +0200 Subject: [PATCH 6/9] exabeam - fixed permissions in connector json --- DataConnectors/Exabeam/Connector_Exabeam_Syslog.json | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/DataConnectors/Exabeam/Connector_Exabeam_Syslog.json b/DataConnectors/Exabeam/Connector_Exabeam_Syslog.json index bbfba7841a..0eeacd5050 100644 --- a/DataConnectors/Exabeam/Connector_Exabeam_Syslog.json +++ b/DataConnectors/Exabeam/Connector_Exabeam_Syslog.json 
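Review bot: The fixture contains routable addresses and a real-looking host (`19.10.150.7`, `192.0.150.7`, `g-aa.exabeamdemo.com`); sample data committed to a public repository should use the RFC 5737 documentation ranges (`192.0.2.0/24`, `198.51.100.0/24`, `203.0.113.0/24`) and an `example.com` name so nobody's infrastructure is named in test data. Several records also show the parser's key-collision defect baked in: `"Id": "5c1ace5c123 b3801207481f"` is the same value as `JobId`, `"Labels": " assets="` and `"Assets": "assets="` hold a key name rather than a value, and `"SrcUserName": " userx "` keeps surrounding spaces, so this file documents the current output rather than the intended one and should be regenerated once the parser is corrected. The `TimeGenerated`/`Timestamp` values are locale-formatted (`3/12/2021, 2:12:23.743 PM`) instead of ISO 8601; fine if this is the portal's export format the repository uses elsewhere, otherwise worth normalising.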
@@ -43,19 +43,9 @@ "providerDisplayName": "Workspace", "scope": "Workspace", "requiredPermissions": { - "read": true, "write": true, "delete": true } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } } ] }, From 62c32c7cf3172ca8232a4a326ff0f0054e407f4a Mon Sep 17 00:00:00 2001 From: Vitalii Uslystyi Date: Tue, 16 Mar 2021 18:43:23 +0200 Subject: [PATCH 7/9] exabeam - updated connector json --- DataConnectors/Exabeam/Connector_Exabeam_Syslog.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/DataConnectors/Exabeam/Connector_Exabeam_Syslog.json b/DataConnectors/Exabeam/Connector_Exabeam_Syslog.json index 0eeacd5050..13354e6b0a 100644 --- a/DataConnectors/Exabeam/Connector_Exabeam_Syslog.json +++ b/DataConnectors/Exabeam/Connector_Exabeam_Syslog.json @@ -7,7 +7,7 @@ "graphQueries": [ { "metricName": "Total data received", - "legend": "Syslog(Exabeam)", + "legend": "Syslog (Exabeam)", "baseQuery": "ExabeamEvent" } ], @@ -19,7 +19,7 @@ ], "dataTypes": [ { - "name": "Syslog(Exabeam)", + "name": "Syslog (Exabeam)", "lastDataReceivedQuery": "ExabeamEvent\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" } ], From f561fa36b128c22751fe3af181dcb2d2cf89a9c8 Mon Sep 17 00:00:00 2001 From: Vitalii Uslystyi Date: Thu, 18 Mar 2021 15:56:42 +0200 Subject: [PATCH 8/9] exabeam - update parser --- Parsers/Exabeam/ExabeamEvent.txt | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Parsers/Exabeam/ExabeamEvent.txt b/Parsers/Exabeam/ExabeamEvent.txt index 2c8ef5cf92..af7ffb885c 100644 --- a/Parsers/Exabeam/ExabeamEvent.txt 
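Review bot: Dropping `"read": true` while keeping `"write": true` and `"delete": true` leaves a permission set no real role has (write and delete on a workspace without read), and `permissionsDisplayText` still reads `"write permission is required."`, so the declared requirement, the display text and the actual need of an agent-based syslog connector now all disagree. Either restore `"read": true` so the block matches the other agent-based connectors, or reduce it to `"write": true` to match the text; in both cases `"delete": true` is the permission to question first, since nothing in the instruction steps deletes workspace resources. Removing the `sharedKeys` block is reasonable, as the agent-install flow handles the key exchange, but the remaining block should be checked against the repository's connector template rather than left in this half-trimmed state.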
+++ b/Parsers/Exabeam/ExabeamEvent.txt @@ -50,7 +50,8 @@ Syslog | extend JobId = extract(@'job_id=\"(.*?)\"', 1, SyslogMessage) | extend CreatedBy = extract(@'created_by=\"(.*?)\"', 1, SyslogMessage) | extend Timestamp = todatetime(extract(@'timestamp=\"(.*?)\"', 1, SyslogMessage)) -| project EventVendor +| project TimeGenerated + , EventVendor , Service , Status , Id From 4fe8064727bf31a7b74dc5e1b8e35e5ef18d7623 Mon Sep 17 00:00:00 2001 From: Vitalii Uslystyi Date: Thu, 18 Mar 2021 15:59:08 +0200 Subject: [PATCH 9/9] exabeam - updated connector json --- DataConnectors/Exabeam/Connector_Exabeam_Syslog.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/DataConnectors/Exabeam/Connector_Exabeam_Syslog.json b/DataConnectors/Exabeam/Connector_Exabeam_Syslog.json index 13354e6b0a..d213c7df25 100644 --- a/DataConnectors/Exabeam/Connector_Exabeam_Syslog.json +++ b/DataConnectors/Exabeam/Connector_Exabeam_Syslog.json @@ -7,7 +7,7 @@ "graphQueries": [ { "metricName": "Total data received", - "legend": "Syslog (Exabeam)", + "legend": "Exabeam", "baseQuery": "ExabeamEvent" } ], @@ -32,7 +32,7 @@ } ], "availability": { - "status": 1, + "status": 2, "isPreview": true }, "permissions": {