diff --git a/Solutions/Syslog/Package/3.0.6.zip b/Solutions/Syslog/Package/3.0.6.zip index 077794c10d..6cd249a849 100644 Binary files a/Solutions/Syslog/Package/3.0.6.zip and b/Solutions/Syslog/Package/3.0.6.zip differ diff --git a/Solutions/Syslog/Package/mainTemplate.json b/Solutions/Syslog/Package/mainTemplate.json index 8d769afba0..e49e0bc701 100644 --- a/Solutions/Syslog/Package/mainTemplate.json +++ b/Solutions/Syslog/Package/mainTemplate.json @@ -730,16 +730,16 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "Syslog", "dataTypes": [ "Syslog" - ] + ], + "connectorId": "Syslog" }, { - "connectorId": "SyslogAma", "dataTypes": [ "Syslog" - ] + ], + "connectorId": "SyslogAma" } ], "tactics": [ @@ -752,8 +752,8 @@ { "fieldMappings": [ { - "columnName": "Computer", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "Computer" } ], "entityType": "Host" @@ -761,8 +761,8 @@ { "fieldMappings": [ { - "columnName": "HostIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "HostIP" } ], "entityType": "IP" @@ -845,16 +845,16 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "Syslog", "dataTypes": [ "Syslog" - ] + ], + "connectorId": "Syslog" }, { - "connectorId": "SyslogAma", "dataTypes": [ "Syslog" - ] + ], + "connectorId": "SyslogAma" } ], "tactics": [ @@ -867,8 +867,8 @@ { "fieldMappings": [ { - "columnName": "User", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "User" } ], "entityType": "Account" @@ -876,8 +876,8 @@ { "fieldMappings": [ { - "columnName": "SourceIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "SourceIP" } ], "entityType": "IP" @@ -885,8 +885,8 @@ { "fieldMappings": [ { - "columnName": "URL", - "identifier": "Url" + "identifier": "Url", + "columnName": "URL" } ], "entityType": "URL" 
@@ -973,16 +973,16 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "Syslog", "dataTypes": [ "Syslog" - ] + ], + "connectorId": "Syslog" }, { - "connectorId": "SyslogAma", "dataTypes": [ "Syslog" - ] + ], + "connectorId": "SyslogAma" } ], "tactics": [ @@ -995,16 +995,16 @@ { "fieldMappings": [ { - "columnName": "User", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "User" }, { - "columnName": "AccountName", - "identifier": "Name" + "identifier": "Name", + "columnName": "AccountName" }, { - "columnName": "AccountUPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "AccountUPNSuffix" } ], "entityType": "Account" @@ -1012,8 +1012,8 @@ { "fieldMappings": [ { - "columnName": "SourceIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "SourceIP" } ], "entityType": "IP" @@ -1021,8 +1021,8 @@ { "fieldMappings": [ { - "columnName": "URL", - "identifier": "Url" + "identifier": "Url", + "columnName": "URL" } ], "entityType": "URL" @@ -1109,16 +1109,16 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "Syslog", "dataTypes": [ "Syslog" - ] + ], + "connectorId": "Syslog" }, { - "connectorId": "SyslogAma", "dataTypes": [ "Syslog" - ] + ], + "connectorId": "SyslogAma" } ], "tactics": [ @@ -1132,16 +1132,16 @@ { "fieldMappings": [ { - "columnName": "User", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "User" }, { - "columnName": "AccountName", - "identifier": "Name" + "identifier": "Name", + "columnName": "AccountName" }, { - "columnName": "AccountUPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "AccountUPNSuffix" } ], "entityType": "Account" @@ -1149,8 +1149,8 @@ { "fieldMappings": [ { - "columnName": "SourceIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "SourceIP" } ], "entityType": "IP" 
@@ -1158,8 +1158,8 @@ { "fieldMappings": [ { - "columnName": "URL", - "identifier": "Url" + "identifier": "Url", + "columnName": "URL" } ], "entityType": "URL" @@ -1246,16 +1246,16 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "Syslog", "dataTypes": [ "Syslog" - ] + ], + "connectorId": "Syslog" }, { - "connectorId": "SyslogAma", "dataTypes": [ "Syslog" - ] + ], + "connectorId": "SyslogAma" } ], "tactics": [ @@ -1268,8 +1268,8 @@ { "fieldMappings": [ { - "columnName": "Account", - "identifier": "Name" + "identifier": "Name", + "columnName": "Account" } ], "entityType": "Account" @@ -1277,8 +1277,8 @@ { "fieldMappings": [ { - "columnName": "IPAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPAddress" } ], "entityType": "IP" @@ -1286,8 +1286,8 @@ { "fieldMappings": [ { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" } ], "entityType": "Host" @@ -1295,8 +1295,8 @@ { "fieldMappings": [ { - "columnName": "ResourceId", - "identifier": "ResourceId" + "identifier": "ResourceId", + "columnName": "ResourceId" } ], "entityType": "AzureResource" @@ -1383,16 +1383,16 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "Syslog", "dataTypes": [ "Syslog" - ] + ], + "connectorId": "Syslog" }, { - "connectorId": "SyslogAma", "dataTypes": [ "Syslog" - ] + ], + "connectorId": "SyslogAma" } ], "tactics": [ @@ -1405,8 +1405,8 @@ { "fieldMappings": [ { - "columnName": "username", - "identifier": "Name" + "identifier": "Name", + "columnName": "username" } ], "entityType": "Account" @@ -1414,8 +1414,8 @@ { "fieldMappings": [ { - "columnName": "src_ip", - "identifier": "Address" + "identifier": "Address", + "columnName": "src_ip" } ], "entityType": "IP" @@ -1423,8 +1423,8 @@ { "fieldMappings": [ { - "columnName": "Computer", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "Computer" } ], "entityType": "Host" 
@@ -1432,8 +1432,8 @@ { "fieldMappings": [ { - "columnName": "FileSample", - "identifier": "Name" + "identifier": "Name", + "columnName": "FileSample" } ], "entityType": "File" @@ -1445,14 +1445,14 @@ }, "incidentConfiguration": { "groupingConfiguration": { + "matchingMethod": "Selected", "lookbackDuration": "5h", - "reopenClosedIncident": false, "groupByEntities": [ "Account", "Host" ], - "matchingMethod": "Selected", - "enabled": true + "enabled": true, + "reopenClosedIncident": false }, "createIncident": true } @@ -1537,16 +1537,16 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "Syslog", "dataTypes": [ "Syslog" - ] + ], + "connectorId": "Syslog" }, { - "connectorId": "SyslogAma", "dataTypes": [ "Syslog" - ] + ], + "connectorId": "SyslogAma" } ], "tactics": [ @@ -1559,8 +1559,8 @@ { "fieldMappings": [ { - "columnName": "username", - "identifier": "Name" + "identifier": "Name", + "columnName": "username" } ], "entityType": "Account" @@ -1568,8 +1568,8 @@ { "fieldMappings": [ { - "columnName": "src_ip", - "identifier": "Address" + "identifier": "Address", + "columnName": "src_ip" } ], "entityType": "IP" @@ -1577,8 +1577,8 @@ { "fieldMappings": [ { - "columnName": "Computer", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "Computer" } ], "entityType": "Host" @@ -1586,8 +1586,8 @@ { "fieldMappings": [ { - "columnName": "DirSample", - "identifier": "Name" + "identifier": "Name", + "columnName": "DirSample" } ], "entityType": "File" @@ -1599,14 +1599,14 @@ }, "incidentConfiguration": { "groupingConfiguration": { + "matchingMethod": "Selected", "lookbackDuration": "5h", - "reopenClosedIncident": false, "groupByEntities": [ "Account", "Host" ], - "matchingMethod": "Selected", - "enabled": true + "enabled": true, + "reopenClosedIncident": false }, "createIncident": true } 
@@ -2446,7 +2446,7 @@ "category": "Microsoft Sentinel Parser", "functionAlias": "SyslogConnectorsOverallStatus", "query": "let startTime = start;\nlet endTime = end;\nlet empty_table_result = datatable (DeviceProduct:string, EventCount:long, ConnectionStatus:string ) [];\nlet empty_table_connector_status = datatable (TimeGenerated:datetime, DeviceProduct:string, EventCount:long ) [];\nlet known_syslog_supported_devices = externaldata(DeviceProduct: string, ConnectorType:string)[@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/SyslogCEFConnectors.csv\"] with (format=\"csv\", ignoreFirstRecord=true) | where ConnectorType == \"Syslog\" | distinct DeviceProduct;\nlet BlackberryCylancePROTECT_Status = union isfuzzy=true empty_table_connector_status, CylancePROTECT | extend DeviceProduct = \"Blackberry CylancePROTECT\" | where TimeGenerated between (startTime .. endTime) | summarize EventCount = count () by DeviceProduct | extend ConnectionStatus = iff(EventCount > 0, \"Connected\", \"Not-Connected\");\nlet CiscoACI_Status = union isfuzzy=true empty_table_connector_status, CiscoACIEvent | extend DeviceProduct = \"Cisco Application Centric Infrastructure\" | where TimeGenerated between (startTime .. endTime) | summarize EventCount = count () by DeviceProduct | extend ConnectionStatus = iff(EventCount > 0, \"Connected\", \"Not-Connected\");\nlet CiscoISE_Status = union isfuzzy=true empty_table_connector_status, CiscoISEEvent | extend DeviceProduct = \"Cisco Identity Services Engine\" | where TimeGenerated between (startTime .. endTime) | summarize EventCount = count () by DeviceProduct | extend ConnectionStatus = iff(EventCount > 0, \"Connected\", \"Not-Connected\");\nlet Stealthwatch_Status = union isfuzzy=true empty_table_connector_status, StealthwatchEvent | extend DeviceProduct = \"Cisco Secure Cloud Analytics\" | where TimeGenerated between (startTime .. 
endTime) | summarize EventCount = count () by DeviceProduct | extend ConnectionStatus = iff(EventCount > 0, \"Connected\", \"Not-Connected\");\nlet CiscoUCS_Status = union isfuzzy=true empty_table_connector_status, CiscoUCS | extend DeviceProduct = \"Cisco UCS\" | where TimeGenerated between (startTime .. endTime) | summarize EventCount = count () by DeviceProduct | extend ConnectionStatus = iff(EventCount > 0, \"Connected\", \"Not-Connected\");\nlet CiscoWSA_Status = union isfuzzy=true empty_table_connector_status, CiscoWSAEvent | extend DeviceProduct = \"Cisco Web Security Appliance\" | where TimeGenerated between (startTime .. endTime) | summarize EventCount = count () by DeviceProduct | extend ConnectionStatus = iff(EventCount > 0, \"Connected\", \"Not-Connected\");\nlet CitrixADC_Status = union isfuzzy=true empty_table_connector_status, CitrixADCEvent | extend DeviceProduct = \"Citrix ADC (former NetScaler)\" | where TimeGenerated between (startTime .. endTime) | summarize EventCount = count () by DeviceProduct | extend ConnectionStatus = iff(EventCount > 0, \"Connected\", \"Not-Connected\");\nlet DigitalGuardianDLP_Status = union isfuzzy=true empty_table_connector_status, DigitalGuardianDLPEvent | extend DeviceProduct = \"Digital Guardian Data Loss Prevention\" | where TimeGenerated between (startTime .. endTime) | summarize EventCount = count () by DeviceProduct | extend ConnectionStatus = iff(EventCount > 0, \"Connected\", \"Not-Connected\");\nlet Exabeam_Status = union isfuzzy=true empty_table_connector_status, ExabeamEvent | extend DeviceProduct = \"Exabeam Advanced Analytics\" | where TimeGenerated between (startTime .. endTime) | summarize EventCount = count () by DeviceProduct | extend ConnectionStatus = iff(EventCount > 0, \"Connected\", \"Not-Connected\");\nlet Forescout_Status = union isfuzzy=true empty_table_connector_status, ForescoutEvent | extend DeviceProduct = \"Forescout\" | where TimeGenerated between (startTime .. 
endTime) | summarize EventCount = count () by DeviceProduct | extend ConnectionStatus = iff(EventCount > 0, \"Connected\", \"Not-Connected\");\nlet GitLab_Status = union isfuzzy=true empty_table_connector_status, GitLabApp, GitLabAudit, GitLabAccess | extend DeviceProduct = \"GitLab\" | where TimeGenerated between (startTime .. endTime) | summarize EventCount = count () by DeviceProduct | extend ConnectionStatus = iff(EventCount > 0, \"Connected\", \"Not-Connected\");\nlet InfobloxNIOS_Status = union isfuzzy=true empty_table_connector_status, Infoblox | extend DeviceProduct = \"Infoblox NIOS\" | where TimeGenerated between (startTime .. endTime) | summarize EventCount = count () by DeviceProduct | extend ConnectionStatus = iff(EventCount > 0, \"Connected\", \"Not-Connected\");\nlet ISCBind_Status = union isfuzzy=true empty_table_connector_status, ISCBind | extend DeviceProduct = \"ISC Bind\" | where TimeGenerated between (startTime .. endTime) | summarize EventCount = count () by DeviceProduct | extend ConnectionStatus = iff(EventCount > 0, \"Connected\", \"Not-Connected\");\nlet IvantiUEM_Status = union isfuzzy=true empty_table_connector_status, IvantiUEMEvent | extend DeviceProduct = \"Ivanti Unified Endpoint Management\" | where TimeGenerated between (startTime .. endTime) | summarize EventCount = count () by DeviceProduct | extend ConnectionStatus = iff(EventCount > 0, \"Connected\", \"Not-Connected\");\nlet JuniperSRX_Status = union isfuzzy=true empty_table_connector_status, JuniperSRX | extend DeviceProduct = \"Juniper SRX\" | where TimeGenerated between (startTime .. endTime) | summarize EventCount = count () by DeviceProduct | extend ConnectionStatus = iff(EventCount > 0, \"Connected\", \"Not-Connected\");\nlet McAfeeePO_Status = union isfuzzy=true empty_table_connector_status, McAfeeEPOEvent | extend DeviceProduct = \"McAfee ePolicy Orchestrator (ePO)\" | where TimeGenerated between (startTime .. 
endTime) | summarize EventCount = count () by DeviceProduct | extend ConnectionStatus = iff(EventCount > 0, \"Connected\", \"Not-Connected\");\nlet McAfeeNSP_Status = union isfuzzy=true empty_table_connector_status, McAfeeNSPEvent | extend DeviceProduct = \"McAfee Network Security Platform\" | where TimeGenerated between (startTime .. endTime) | summarize EventCount = count () by DeviceProduct | extend ConnectionStatus = iff(EventCount > 0, \"Connected\", \"Not-Connected\");\nlet OpenVPN_Status = union isfuzzy=true empty_table_connector_status, OpenVpnEvent | extend DeviceProduct = \"OpenVPN Server\" | where TimeGenerated between (startTime .. endTime) | summarize EventCount = count () by DeviceProduct | extend ConnectionStatus = iff(EventCount > 0, \"Connected\", \"Not-Connected\");\nlet OracleDatabaseAudit_Status = union isfuzzy=true empty_table_connector_status, OracleDatabaseAuditEvent | extend DeviceProduct = \"Oracle Database Audit\" | where TimeGenerated between (startTime .. endTime) | summarize EventCount = count () by DeviceProduct | extend ConnectionStatus = iff(EventCount > 0, \"Connected\", \"Not-Connected\");\nlet PulseConnectSecure_Status = union isfuzzy=true empty_table_connector_status, PulseConnectSecure | extend DeviceProduct = \"Pulse Connect Secure\" | where TimeGenerated between (startTime .. endTime) | summarize EventCount = count () by DeviceProduct | extend ConnectionStatus = iff(EventCount > 0, \"Connected\", \"Not-Connected\");\nlet RSASecurIDAM_Status = union isfuzzy=true empty_table_connector_status, RSASecurIDAMEvent | extend DeviceProduct = \"RSA SecurID (Authentication Manager)\" | where TimeGenerated between (startTime .. 
endTime) | summarize EventCount = count () by DeviceProduct | extend ConnectionStatus = iff(EventCount > 0, \"Connected\", \"Not-Connected\");\nlet SophosXGFirewall_Status = union isfuzzy=true empty_table_connector_status, SophosXGFirewall | extend DeviceProduct = \"Sophos XG Firewall\" | where TimeGenerated between (startTime .. endTime) | summarize EventCount = count () by DeviceProduct | extend ConnectionStatus = iff(EventCount > 0, \"Connected\", \"Not-Connected\");\nlet SymantecEndpointProtection_Status = union isfuzzy=true empty_table_connector_status, SymantecEndpointProtection | extend DeviceProduct = \"Symantec Endpoint Protection\" | where TimeGenerated between (startTime .. endTime) | summarize EventCount = count () by DeviceProduct | extend ConnectionStatus = iff(EventCount > 0, \"Connected\", \"Not-Connected\");\nlet SymantecVIP_Status = union isfuzzy=true empty_table_connector_status, SymantecVIP | extend DeviceProduct = \"Symantec VIP\" | where TimeGenerated between (startTime .. endTime) | summarize EventCount = count () by DeviceProduct | extend ConnectionStatus = iff(EventCount > 0, \"Connected\", \"Not-Connected\");\nlet MicrosoftSysmonForLinux_Status = union isfuzzy=true empty_table_connector_status, Syslog | where ProcessName == 'sysmon' | extend DeviceProduct = \"Microsoft Sysmon For Linux\" | where TimeGenerated between (startTime .. endTime) | summarize EventCount = count () by DeviceProduct | extend ConnectionStatus = iff(EventCount > 0, \"Connected\", \"Not-Connected\");\nlet VMwareESXi_Status = union isfuzzy=true empty_table_connector_status, VMwareESXi | extend DeviceProduct = \"VMware ESXi\" | where TimeGenerated between (startTime .. 
endTime) | summarize EventCount = count () by DeviceProduct | extend ConnectionStatus = iff(EventCount > 0, \"Connected\", \"Not-Connected\");\nlet SymantecProxySG_Status = union isfuzzy=true empty_table_connector_status, SymantecProxySG | extend DeviceProduct = \"Symantec ProxySG\" | where TimeGenerated between (startTime .. endTime) | summarize EventCount = count () by DeviceProduct | extend ConnectionStatus = iff(EventCount > 0, \"Connected\", \"Not-Connected\");\nlet ESETPROTECT_Status = union isfuzzy=true empty_table_connector_status, CylancePROTECT | extend DeviceProduct = \"ESET PROTECT\" | where TimeGenerated between (startTime .. endTime) | summarize EventCount = count () by DeviceProduct | extend ConnectionStatus = iff(EventCount > 0, \"Connected\", \"Not-Connected\");\nlet BarracudaCloudFirewall_Status = union isfuzzy=true empty_table_connector_status, CGFWFirewallActivity | extend DeviceProduct = \"Barracuda CloudGen Firewall\" | where TimeGenerated between (startTime .. endTime) | summarize EventCount = count () by DeviceProduct | extend ConnectionStatus = iff(EventCount > 0, \"Connected\", \"Not-Connected\");\nlet NasuniEdgeAppliance_Status = union isfuzzy=true empty_table_connector_status, Syslog | extend DeviceProduct = \"Nasuni Edge Appliance\" | where TimeGenerated between (startTime .. endTime) | summarize EventCount = count () by DeviceProduct | extend ConnectionStatus = iff(EventCount > 0, \"Connected\", \"Not-Connected\");\nlet WatchguardFirebox_Status = union isfuzzy=true empty_table_connector_status, WatchGuardFirebox | extend DeviceProduct = \"WatchGuard Firebox\" | where TimeGenerated between (startTime .. 
endTime) | summarize EventCount = count () by DeviceProduct | extend ConnectionStatus = iff(EventCount > 0, \"Connected\", \"Not-Connected\");\nunion isfuzzy=true empty_table_result, BlackberryCylancePROTECT_Status, CiscoACI_Status, CiscoISE_Status, Stealthwatch_Status, CiscoUCS_Status, CiscoWSA_Status, CitrixADC_Status, DigitalGuardianDLP_Status, Exabeam_Status, Forescout_Status, GitLab_Status, InfobloxNIOS_Status, ISCBind_Status, IvantiUEM_Status, JuniperSRX_Status, McAfeeePO_Status, OpenVPN_Status, OracleDatabaseAudit_Status, PulseConnectSecure_Status, RSASecurIDAM_Status, SophosXGFirewall_Status, SymantecEndpointProtection_Status, SymantecVIP_Status, MicrosoftSysmonForLinux_Status, VMwareESXi_Status, SymantecProxySG_Status, ESETPROTECT_Status, BarracudaCloudFirewall_Status, NasuniEdgeAppliance_Status, WatchguardFirebox_Status \n| extend EventCount = coalesce(EventCount, 0)\n| extend ConnectionStatus = iff(EventCount > 0, \"Connected\", \"Not-Connected\")\n| join kind=fullouter known_syslog_supported_devices on DeviceProduct\n| extend DeviceProduct = coalesce(DeviceProduct, DeviceProduct1)\n| extend EventCount = coalesce(EventCount, 0)\n| extend ConnectionStatus = coalesce(ConnectionStatus, \"Not-Connected\")\n| extend OutofBoxSupport = iif(DeviceProduct in (known_syslog_supported_devices), \"Available\", \"Unavailable\")\n| project-away DeviceProduct1\n", - "functionParameters": "start:datetime=datetime(null),endTime:datetime=datetime(null)", + "functionParameters": "start:datetime=datetime(null),end:datetime=datetime(null)", "version": 2, "tags": [ { 
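Review bot: `ESETPROTECT_Status` is built from the `CylancePROTECT` table, the same source `BlackberryCylancePROTECT_Status` reads, so "ESET PROTECT" will show "Connected" whenever Cylance data exists and never reflects its own ingestion; this looks like a copy-paste slip that the `endTime`→`end` parameter fix in this hunk leaves in place. `NasuniEdgeAppliance_Status` has the same shape of problem from the other direction: it unions the whole `Syslog` table with no `ProcessName`/facility filter (unlike the Sysmon branch, which filters on `ProcessName == 'sysmon'`), so any syslog traffic at all marks Nasuni as connected. Both produce a false "Connected" on the connector-health workbook, which is exactly the blind spot that hides a broken log pipeline. I cannot tell from this file which table ESET PROTECT should read, so that should be confirmed against the ESET solution's parser rather than guessed; for Nasuni a filter on whatever source identifier its logs carry is needed, e.g. `Syslog | where ProcessName =~ "<nasuni-process>"` once confirmed.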
@@ -2511,7 +2511,7 @@ "category": "Microsoft Sentinel Parser", "functionAlias": "SyslogConnectorsOverallStatus", "query": "let startTime = start;\nlet endTime = end;\nlet empty_table_result = datatable (DeviceProduct:string, EventCount:long, ConnectionStatus:string ) [];\nlet empty_table_connector_status = datatable (TimeGenerated:datetime, DeviceProduct:string, EventCount:long ) [];\nlet known_syslog_supported_devices = externaldata(DeviceProduct: string, ConnectorType:string)[@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/SyslogCEFConnectors.csv\"] with (format=\"csv\", ignoreFirstRecord=true) | where ConnectorType == \"Syslog\" | distinct DeviceProduct;\nlet BlackberryCylancePROTECT_Status = union isfuzzy=true empty_table_connector_status, CylancePROTECT | extend DeviceProduct = \"Blackberry CylancePROTECT\" | where TimeGenerated between (startTime .. endTime) | summarize EventCount = count () by DeviceProduct | extend ConnectionStatus = iff(EventCount > 0, \"Connected\", \"Not-Connected\");\nlet CiscoACI_Status = union isfuzzy=true empty_table_connector_status, CiscoACIEvent | extend DeviceProduct = \"Cisco Application Centric Infrastructure\" | where TimeGenerated between (startTime .. endTime) | summarize EventCount = count () by DeviceProduct | extend ConnectionStatus = iff(EventCount > 0, \"Connected\", \"Not-Connected\");\nlet CiscoISE_Status = union isfuzzy=true empty_table_connector_status, CiscoISEEvent | extend DeviceProduct = \"Cisco Identity Services Engine\" | where TimeGenerated between (startTime .. endTime) | summarize EventCount = count () by DeviceProduct | extend ConnectionStatus = iff(EventCount > 0, \"Connected\", \"Not-Connected\");\nlet Stealthwatch_Status = union isfuzzy=true empty_table_connector_status, StealthwatchEvent | extend DeviceProduct = \"Cisco Secure Cloud Analytics\" | where TimeGenerated between (startTime .. 
endTime) | summarize EventCount = count () by DeviceProduct | extend ConnectionStatus = iff(EventCount > 0, \"Connected\", \"Not-Connected\");\nlet CiscoUCS_Status = union isfuzzy=true empty_table_connector_status, CiscoUCS | extend DeviceProduct = \"Cisco UCS\" | where TimeGenerated between (startTime .. endTime) | summarize EventCount = count () by DeviceProduct | extend ConnectionStatus = iff(EventCount > 0, \"Connected\", \"Not-Connected\");\nlet CiscoWSA_Status = union isfuzzy=true empty_table_connector_status, CiscoWSAEvent | extend DeviceProduct = \"Cisco Web Security Appliance\" | where TimeGenerated between (startTime .. endTime) | summarize EventCount = count () by DeviceProduct | extend ConnectionStatus = iff(EventCount > 0, \"Connected\", \"Not-Connected\");\nlet CitrixADC_Status = union isfuzzy=true empty_table_connector_status, CitrixADCEvent | extend DeviceProduct = \"Citrix ADC (former NetScaler)\" | where TimeGenerated between (startTime .. endTime) | summarize EventCount = count () by DeviceProduct | extend ConnectionStatus = iff(EventCount > 0, \"Connected\", \"Not-Connected\");\nlet DigitalGuardianDLP_Status = union isfuzzy=true empty_table_connector_status, DigitalGuardianDLPEvent | extend DeviceProduct = \"Digital Guardian Data Loss Prevention\" | where TimeGenerated between (startTime .. endTime) | summarize EventCount = count () by DeviceProduct | extend ConnectionStatus = iff(EventCount > 0, \"Connected\", \"Not-Connected\");\nlet Exabeam_Status = union isfuzzy=true empty_table_connector_status, ExabeamEvent | extend DeviceProduct = \"Exabeam Advanced Analytics\" | where TimeGenerated between (startTime .. endTime) | summarize EventCount = count () by DeviceProduct | extend ConnectionStatus = iff(EventCount > 0, \"Connected\", \"Not-Connected\");\nlet Forescout_Status = union isfuzzy=true empty_table_connector_status, ForescoutEvent | extend DeviceProduct = \"Forescout\" | where TimeGenerated between (startTime .. 
endTime) | summarize EventCount = count () by DeviceProduct | extend ConnectionStatus = iff(EventCount > 0, \"Connected\", \"Not-Connected\");\nlet GitLab_Status = union isfuzzy=true empty_table_connector_status, GitLabApp, GitLabAudit, GitLabAccess | extend DeviceProduct = \"GitLab\" | where TimeGenerated between (startTime .. endTime) | summarize EventCount = count () by DeviceProduct | extend ConnectionStatus = iff(EventCount > 0, \"Connected\", \"Not-Connected\");\nlet InfobloxNIOS_Status = union isfuzzy=true empty_table_connector_status, Infoblox | extend DeviceProduct = \"Infoblox NIOS\" | where TimeGenerated between (startTime .. endTime) | summarize EventCount = count () by DeviceProduct | extend ConnectionStatus = iff(EventCount > 0, \"Connected\", \"Not-Connected\");\nlet ISCBind_Status = union isfuzzy=true empty_table_connector_status, ISCBind | extend DeviceProduct = \"ISC Bind\" | where TimeGenerated between (startTime .. endTime) | summarize EventCount = count () by DeviceProduct | extend ConnectionStatus = iff(EventCount > 0, \"Connected\", \"Not-Connected\");\nlet IvantiUEM_Status = union isfuzzy=true empty_table_connector_status, IvantiUEMEvent | extend DeviceProduct = \"Ivanti Unified Endpoint Management\" | where TimeGenerated between (startTime .. endTime) | summarize EventCount = count () by DeviceProduct | extend ConnectionStatus = iff(EventCount > 0, \"Connected\", \"Not-Connected\");\nlet JuniperSRX_Status = union isfuzzy=true empty_table_connector_status, JuniperSRX | extend DeviceProduct = \"Juniper SRX\" | where TimeGenerated between (startTime .. endTime) | summarize EventCount = count () by DeviceProduct | extend ConnectionStatus = iff(EventCount > 0, \"Connected\", \"Not-Connected\");\nlet McAfeeePO_Status = union isfuzzy=true empty_table_connector_status, McAfeeEPOEvent | extend DeviceProduct = \"McAfee ePolicy Orchestrator (ePO)\" | where TimeGenerated between (startTime .. 
endTime) | summarize EventCount = count () by DeviceProduct | extend ConnectionStatus = iff(EventCount > 0, \"Connected\", \"Not-Connected\");\nlet McAfeeNSP_Status = union isfuzzy=true empty_table_connector_status, McAfeeNSPEvent | extend DeviceProduct = \"McAfee Network Security Platform\" | where TimeGenerated between (startTime .. endTime) | summarize EventCount = count () by DeviceProduct | extend ConnectionStatus = iff(EventCount > 0, \"Connected\", \"Not-Connected\");\nlet OpenVPN_Status = union isfuzzy=true empty_table_connector_status, OpenVpnEvent | extend DeviceProduct = \"OpenVPN Server\" | where TimeGenerated between (startTime .. endTime) | summarize EventCount = count () by DeviceProduct | extend ConnectionStatus = iff(EventCount > 0, \"Connected\", \"Not-Connected\");\nlet OracleDatabaseAudit_Status = union isfuzzy=true empty_table_connector_status, OracleDatabaseAuditEvent | extend DeviceProduct = \"Oracle Database Audit\" | where TimeGenerated between (startTime .. endTime) | summarize EventCount = count () by DeviceProduct | extend ConnectionStatus = iff(EventCount > 0, \"Connected\", \"Not-Connected\");\nlet PulseConnectSecure_Status = union isfuzzy=true empty_table_connector_status, PulseConnectSecure | extend DeviceProduct = \"Pulse Connect Secure\" | where TimeGenerated between (startTime .. endTime) | summarize EventCount = count () by DeviceProduct | extend ConnectionStatus = iff(EventCount > 0, \"Connected\", \"Not-Connected\");\nlet RSASecurIDAM_Status = union isfuzzy=true empty_table_connector_status, RSASecurIDAMEvent | extend DeviceProduct = \"RSA SecurID (Authentication Manager)\" | where TimeGenerated between (startTime .. 
endTime) | summarize EventCount = count () by DeviceProduct | extend ConnectionStatus = iff(EventCount > 0, \"Connected\", \"Not-Connected\");\nlet SophosXGFirewall_Status = union isfuzzy=true empty_table_connector_status, SophosXGFirewall | extend DeviceProduct = \"Sophos XG Firewall\" | where TimeGenerated between (startTime .. endTime) | summarize EventCount = count () by DeviceProduct | extend ConnectionStatus = iff(EventCount > 0, \"Connected\", \"Not-Connected\");\nlet SymantecEndpointProtection_Status = union isfuzzy=true empty_table_connector_status, SymantecEndpointProtection | extend DeviceProduct = \"Symantec Endpoint Protection\" | where TimeGenerated between (startTime .. endTime) | summarize EventCount = count () by DeviceProduct | extend ConnectionStatus = iff(EventCount > 0, \"Connected\", \"Not-Connected\");\nlet SymantecVIP_Status = union isfuzzy=true empty_table_connector_status, SymantecVIP | extend DeviceProduct = \"Symantec VIP\" | where TimeGenerated between (startTime .. endTime) | summarize EventCount = count () by DeviceProduct | extend ConnectionStatus = iff(EventCount > 0, \"Connected\", \"Not-Connected\");\nlet MicrosoftSysmonForLinux_Status = union isfuzzy=true empty_table_connector_status, Syslog | where ProcessName == 'sysmon' | extend DeviceProduct = \"Microsoft Sysmon For Linux\" | where TimeGenerated between (startTime .. endTime) | summarize EventCount = count () by DeviceProduct | extend ConnectionStatus = iff(EventCount > 0, \"Connected\", \"Not-Connected\");\nlet VMwareESXi_Status = union isfuzzy=true empty_table_connector_status, VMwareESXi | extend DeviceProduct = \"VMware ESXi\" | where TimeGenerated between (startTime .. 
endTime) | summarize EventCount = count () by DeviceProduct | extend ConnectionStatus = iff(EventCount > 0, \"Connected\", \"Not-Connected\");\nlet SymantecProxySG_Status = union isfuzzy=true empty_table_connector_status, SymantecProxySG | extend DeviceProduct = \"Symantec ProxySG\" | where TimeGenerated between (startTime .. endTime) | summarize EventCount = count () by DeviceProduct | extend ConnectionStatus = iff(EventCount > 0, \"Connected\", \"Not-Connected\");\nlet ESETPROTECT_Status = union isfuzzy=true empty_table_connector_status, CylancePROTECT | extend DeviceProduct = \"ESET PROTECT\" | where TimeGenerated between (startTime .. endTime) | summarize EventCount = count () by DeviceProduct | extend ConnectionStatus = iff(EventCount > 0, \"Connected\", \"Not-Connected\");\nlet BarracudaCloudFirewall_Status = union isfuzzy=true empty_table_connector_status, CGFWFirewallActivity | extend DeviceProduct = \"Barracuda CloudGen Firewall\" | where TimeGenerated between (startTime .. endTime) | summarize EventCount = count () by DeviceProduct | extend ConnectionStatus = iff(EventCount > 0, \"Connected\", \"Not-Connected\");\nlet NasuniEdgeAppliance_Status = union isfuzzy=true empty_table_connector_status, Syslog | extend DeviceProduct = \"Nasuni Edge Appliance\" | where TimeGenerated between (startTime .. endTime) | summarize EventCount = count () by DeviceProduct | extend ConnectionStatus = iff(EventCount > 0, \"Connected\", \"Not-Connected\");\nlet WatchguardFirebox_Status = union isfuzzy=true empty_table_connector_status, WatchGuardFirebox | extend DeviceProduct = \"WatchGuard Firebox\" | where TimeGenerated between (startTime .. 
endTime) | summarize EventCount = count () by DeviceProduct | extend ConnectionStatus = iff(EventCount > 0, \"Connected\", \"Not-Connected\");\nunion isfuzzy=true empty_table_result, BlackberryCylancePROTECT_Status, CiscoACI_Status, CiscoISE_Status, Stealthwatch_Status, CiscoUCS_Status, CiscoWSA_Status, CitrixADC_Status, DigitalGuardianDLP_Status, Exabeam_Status, Forescout_Status, GitLab_Status, InfobloxNIOS_Status, ISCBind_Status, IvantiUEM_Status, JuniperSRX_Status, McAfeeePO_Status, OpenVPN_Status, OracleDatabaseAudit_Status, PulseConnectSecure_Status, RSASecurIDAM_Status, SophosXGFirewall_Status, SymantecEndpointProtection_Status, SymantecVIP_Status, MicrosoftSysmonForLinux_Status, VMwareESXi_Status, SymantecProxySG_Status, ESETPROTECT_Status, BarracudaCloudFirewall_Status, NasuniEdgeAppliance_Status, WatchguardFirebox_Status \n| extend EventCount = coalesce(EventCount, 0)\n| extend ConnectionStatus = iff(EventCount > 0, \"Connected\", \"Not-Connected\")\n| join kind=fullouter known_syslog_supported_devices on DeviceProduct\n| extend DeviceProduct = coalesce(DeviceProduct, DeviceProduct1)\n| extend EventCount = coalesce(EventCount, 0)\n| extend ConnectionStatus = coalesce(ConnectionStatus, \"Not-Connected\")\n| extend OutofBoxSupport = iif(DeviceProduct in (known_syslog_supported_devices), \"Available\", \"Unavailable\")\n| project-away DeviceProduct1\n", - "functionParameters": "start:datetime=datetime(null),endTime:datetime=datetime(null)", + "functionParameters": "start:datetime=datetime(null),end:datetime=datetime(null)", "version": 2, "tags": [ { diff --git a/Solutions/Syslog/ReleaseNotes.md b/Solutions/Syslog/ReleaseNotes.md index 9649d817f0..a070085aed 100644 --- a/Solutions/Syslog/ReleaseNotes.md +++ b/Solutions/Syslog/ReleaseNotes.md 
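Review bot: `known_syslog_supported_devices` is fetched at query time via `externaldata(...)[@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/SyslogCEFConnectors.csv"]`, an unpinned branch, so the `OutofBoxSupport` column and the extra rows the `join kind=fullouter` adds are determined by whatever that file holds when the workbook runs, and an outage or edit there changes or breaks this function without any template change; if live updates are intended, that dependency should at least be documented, otherwise pin to a commit or embed the list. This hunk is the second, byte-identical copy of the function body in the same template, so any fix (including this one) has to be applied twice — worth recording in ReleaseNotes so the copies do not drift. Separately, with both parameters defaulting to `datetime(null)`, `where TimeGenerated between (startTime .. endTime)` appears to match no rows, meaning a call without arguments reports every product as "Not-Connected" instead of failing; a non-null default such as `start:datetime=ago(1d),end:datetime=now()` or a note in the description would make that explicit. I cannot confirm the null-range semantics from this file alone, so that last point should be checked before changing the defaults.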
@@ -1,6 +1,6 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|--------------------------------------------------------------------| -| 3.0.6 | 01-08-2024 | updated **Analytic rules** for entity mappings | +| 3.0.6 | 01-08-2024 | Updated **Analytic rules** for entity mappings and parameter for parser function | | 3.0.5 | 16-07-2024 | Added 2 new Workspace Function **Parsers** and a new **Workbook** | | 3.0.4 | 27-06-2024 | Updated Connectivity criteria query for **Data Connector** | | 3.0.3 | 10-04-2024 | Updated Entity Mappings **Analytic Rule** FailedLogonAttempts_UnknownUser.yaml | diff --git a/Solutions/Syslog/Workspace Functions/SyslogConnectorsOverallStatus.yaml b/Solutions/Syslog/Workspace Functions/SyslogConnectorsOverallStatus.yaml index d7dff0f994..1e3244d958 100644 --- a/Solutions/Syslog/Workspace Functions/SyslogConnectorsOverallStatus.yaml +++ b/Solutions/Syslog/Workspace Functions/SyslogConnectorsOverallStatus.yaml @@ -10,7 +10,7 @@ FunctionParams: - Name: start Type: datetime Default: datetime(null) - - Name: endTime + - Name: end Type: datetime Default: datetime(null) FunctionQuery: |