diff --git a/DataConnectors/NXLogBSMmacOS.json b/DataConnectors/NXLogBSMmacOS.json
new file mode 100644
index 0000000000..60b3b20e73
--- /dev/null
+++ b/DataConnectors/NXLogBSMmacOS.json
@@ -0,0 +1,95 @@
+{
+ "id": "NXLogBSMmacOS",
+ "title": "NXLog BSM macOS",
+ "publisher": "NXLog",
+ "descriptionMarkdown": "The NXLog [BSM](https://nxlog.co/documentation/nxlog-user-guide/im_bsm.html) macOS data connector uses Sun’s Basic Security Module (BSM) Auditing API to read events directly from the kernel for capturing audit events on the macOS platform. This REST API connector can efficiently export macOS audit events to Azure Sentinel in real-time.",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "BSMmacOS_CL",
+ "baseQuery": "BSMmacOS_CL"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description" : "Most frequent event types",
+ "query": "BSMmacOS_CL\n| summarize EventCount = count() by EventType_s\n| where strlen(EventType_s) > 1\n| project Eventype = EventType_s, EventCount\n| order by EventCount desc\n| render barchart"
+ },
+ {
+ "description" : "Most frequent event names",
+ "query": "BSMmacOS_CL\n| summarize EventCount = count() by EventName_s\n| project EventCount, EventName = EventName_s\n| where strlen(EventName) > 1\n| order by EventCount desc\n| render barchart"
+ },
+ {
+ "description" : "Distribution of (notification) texts",
+ "query": "BSMmacOS_CL\n| summarize EventCount = count() by Text_s\n| where strlen(Text_s) > 1\n| order by EventCount\n| render piechart"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "BSMmacOS_CL",
+ "lastDataReceivedQuery": "BSMmacOS_CL | summarize Time = max(TimeGenerated) | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriterias": [
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "BSMmacOS_CL | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(30d)"
+ ]
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": true
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "title": "",
+ "description": "Follow the step-by-step instructions in the *NXLog User Guide* Integration Topic [Microsoft Azure Sentinel](https://nxlog.co/documentation/nxlog-user-guide/sentinel.html) to configure this connector.",
+ "instructions": [
+ {
+ "parameters": {
+ "fillWith": [
+ "WorkspaceId"
+ ],
+ "label": "Workspace ID"
+ },
+ "type": "CopyableLabel"
+ },
+ {
+ "parameters": {
+ "fillWith": [
+ "PrimaryKey"
+ ],
+ "label": "Primary Key"
+ },
+ "type": "CopyableLabel"
+ }
+ ]
+ }
+ ]
+}
diff --git a/Sample Data/Custom/BSMmacOS_CL.json b/Sample Data/Custom/BSMmacOS_CL.json
new file mode 100644
index 0000000000..9d991beb27
--- /dev/null
+++ b/Sample Data/Custom/BSMmacOS_CL.json
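Review bot: The workspace permission block at the top of this hunk requires `"delete": true` while the `permissionsDisplayText` beside it tells the operator only that "read and write permissions are required", so the manifest demands more than it states; unless the portal's permission check genuinely needs delete on the workspace, drop the `"delete": true` line (or, failing that, correct the text so the declared and requested privilege match). The first sample query has a misspelled column alias, `| project Eventype = EventType_s, EventCount`, which will show up verbatim as the chart axis name and should read `| project EventType = EventType_s, EventCount`. The third sample query sorts ascending (`| order by EventCount`) while the other two sort `desc`, which looks unintended for a "distribution" chart. The `IsConnectedQuery` treats the connector as healthy if anything arrived in the last `30d`, so an agent that stopped forwarding audit events will keep reporting as connected for a month; a much shorter window would give a more useful health signal, if the rest of the repository allows it.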
@@ -0,0 +1,529 @@ +[ + { + "TokenVersion": "11", + "EventType": "AUE_auth_user", + "EventName": "user authentication", + "EventModifier": "", + "EventTime": "2021-01-06 21:20:50", + "SubjectAuditID": "ruser", + "SubjectUID": "ruser", + "SubjectGID": "staff", + "SubjectRealUID": "root", + "SubjectRealGID": "staff", + "SubjectPID": "159", + "SubjectSID": "100006", + "SubjectTerminal": "", + "SubjectTerminal.Port": "0:316", + "SubjectTerminal.Host": "0.0.0.0", + "Text": "Verify password for record type Users 'ruser' node '/Local/Default'", + "ReturnErrno": "success", + "ReturnRetval": "0", + "Identity": "", + "Identity.SignerType": "1", + "Identity.SignerId": "com.apple.opendirectoryd", + "Identity.SignerIdTruncated": "0", + "Identity.TeamId": "", + "Identity.TeamIdTruncated": "0", + "Identity.CDHash": "0x4ab4c898fd4a994fd267ed1edeb21b9c9b5cb70f", + "TrailerCount": "198", + "EventReceivedTime": "2021-01-06T21:20:50.761144-08:00", + "SourceModuleName": "BSMmacOS", + "SourceModuleType": "im_bsm" + }, + { + "TokenVersion": "11", + "EventType": "AUE_ssauthorize", + "EventName": "SecSrvr AuthEngine", + "EventModifier": "", + "EventTime": "2021-01-06 21:23:33", + "SubjectAuditID": "4294967295", + "SubjectUID": "root", + "SubjectGID": "wheel", + "SubjectRealUID": "root", + "SubjectRealGID": "wheel", + "SubjectPID": "159", + "SubjectSID": "100006", + "SubjectTerminal": "", + "SubjectTerminal.Port": "0:316", + "SubjectTerminal.Host": "0.0.0.0", + "Text": "begin evaluation", + "ReturnErrno": "success", + "ReturnRetval": "0", + "Identity": "", + "Identity.SignerType": "1", + "Identity.SignerId": "com.apple.authd", + "Identity.SignerIdTruncated": "0", + "Identity.TeamId": "", + "Identity.TeamIdTruncated": "0", + "Identity.CDHash": "0x9120b9dcb969ee1e8fbdb63bd428e263111e9e9c", + "TrailerCount": "138", + "EventReceivedTime": "2021-01-06T21:23:33.308356-08:00", + "SourceModuleName": "BSMmacOS", + "SourceModuleType": "im_bsm" + }, + { + "TokenVersion": "11", + "EventType": 
"AUE_ssauthorize", + "EventName": "SecSrvr AuthEngine", + "EventModifier": "", + "EventTime": "2021-01-06 21:23:33", + "SubjectAuditID": "4294967295", + "SubjectUID": "root", + "SubjectGID": "wheel", + "SubjectRealUID": "root", + "SubjectRealGID": "wheel", + "SubjectPID": "159", + "SubjectSID": "100006", + "SubjectTerminal": "", + "SubjectTerminal.Port": "0:316", + "SubjectTerminal.Host": "0.0.0.0", + "Text": "system.login.fus", + "ReturnErrno": "success", + "ReturnRetval": "0", + "Identity": "", + "Identity.SignerType": "1", + "Identity.SignerId": "com.apple.authd", + "Identity.SignerIdTruncated": "0", + "Identity.TeamId": "", + "Identity.TeamIdTruncated": "0", + "Identity.CDHash": "0x9120b9dcb969ee1e8fbdb63bd428e263111e9e9c", + "TrailerCount": "158", + "EventReceivedTime": "2021-01-06T21:23:33.309622-08:00", + "SourceModuleName": "BSMmacOS", + "SourceModuleType": "im_bsm" + }, + { + "TokenVersion": "11", + "EventType": "AUE_ssauthmech", + "EventName": "SecSrvr AuthMechanism", + "EventModifier": "", + "EventTime": "2021-01-06 21:23:33", + "SubjectAuditID": "4294967295", + "SubjectUID": "root", + "SubjectGID": "wheel", + "SubjectRealUID": "root", + "SubjectRealGID": "wheel", + "SubjectPID": "159", + "SubjectSID": "100006", + "SubjectTerminal": "", + "SubjectTerminal.Port": "0:316", + "SubjectTerminal.Host": "0.0.0.0", + "Text": "mechanism builtin:smartcard-sniffer,privileged", + "ReturnErrno": "success", + "ReturnRetval": "0", + "Identity": "", + "Identity.SignerType": "1", + "Identity.SignerId": "com.apple.authd", + "Identity.SignerIdTruncated": "0", + "Identity.TeamId": "", + "Identity.TeamIdTruncated": "0", + "Identity.CDHash": "0x9120b9dcb969ee1e8fbdb63bd428e263111e9e9c", + "TrailerCount": "188", + "EventReceivedTime": "2021-01-06T21:23:33.337214-08:00", + "SourceModuleName": "BSMmacOS", + "SourceModuleType": "im_bsm" + }, + { + "TokenVersion": "11", + "EventType": "AUE_ssauthmech", + "EventName": "SecSrvr AuthMechanism", + "EventModifier": "", + "EventTime": 
"2021-01-06 21:23:38", + "SubjectAuditID": "4294967295", + "SubjectUID": "root", + "SubjectGID": "wheel", + "SubjectRealUID": "root", + "SubjectRealGID": "wheel", + "SubjectPID": "159", + "SubjectSID": "100006", + "SubjectTerminal": "", + "SubjectTerminal.Port": "0:316", + "SubjectTerminal.Host": "0.0.0.0", + "Text": "mechanism loginwindow:login", + "ReturnErrno": "success", + "ReturnRetval": "0", + "Identity": "", + "Identity.SignerType": "1", + "Identity.SignerId": "com.apple.authd", + "Identity.SignerIdTruncated": "0", + "Identity.TeamId": "", + "Identity.TeamIdTruncated": "0", + "Identity.CDHash": "0x9120b9dcb969ee1e8fbdb63bd428e263111e9e9c", + "TrailerCount": "169", + "EventReceivedTime": "2021-01-06T21:23:38.641095-08:00", + "SourceModuleName": "BSMmacOS", + "SourceModuleType": "im_bsm" + }, + { + "TokenVersion": "11", + "EventType": "AUE_ssauthmech", + "EventName": "SecSrvr AuthMechanism", + "EventModifier": "", + "EventTime": "2021-01-06 21:23:38", + "SubjectAuditID": "4294967295", + "SubjectUID": "root", + "SubjectGID": "wheel", + "SubjectRealUID": "root", + "SubjectRealGID": "wheel", + "SubjectPID": "159", + "SubjectSID": "100006", + "SubjectTerminal": "", + "SubjectTerminal.Port": "0:316", + "SubjectTerminal.Host": "0.0.0.0", + "Text": "mechanism builtin:reset-password,privileged", + "ReturnErrno": "success", + "ReturnRetval": "0", + "Identity": "", + "Identity.SignerType": "1", + "Identity.SignerId": "com.apple.authd", + "Identity.SignerIdTruncated": "0", + "Identity.TeamId": "", + "Identity.TeamIdTruncated": "0", + "Identity.CDHash": "0x9120b9dcb969ee1e8fbdb63bd428e263111e9e9c", + "TrailerCount": "185", + "EventReceivedTime": "2021-01-06T21:23:38.646485-08:00", + "SourceModuleName": "BSMmacOS", + "SourceModuleType": "im_bsm" + }, + { + "TokenVersion": "11", + "EventType": "AUE_ssauthmech", + "EventName": "SecSrvr AuthMechanism", + "EventModifier": "", + "EventTime": "2021-01-06 21:23:38", + "SubjectAuditID": "4294967295", + "SubjectUID": "root", + 
"SubjectGID": "wheel", + "SubjectRealUID": "root", + "SubjectRealGID": "wheel", + "SubjectPID": "159", + "SubjectSID": "100006", + "SubjectTerminal": "", + "SubjectTerminal.Port": "0:316", + "SubjectTerminal.Host": "0.0.0.0", + "Text": "mechanism builtin:authenticate-nocred,privileged", + "ReturnErrno": "success", + "ReturnRetval": "0", + "Identity": "", + "Identity.SignerType": "1", + "Identity.SignerId": "com.apple.authd", + "Identity.SignerIdTruncated": "0", + "Identity.TeamId": "", + "Identity.TeamIdTruncated": "0", + "Identity.CDHash": "0x9120b9dcb969ee1e8fbdb63bd428e263111e9e9c", + "TrailerCount": "190", + "EventReceivedTime": "2021-01-06T21:23:38.892300-08:00", + "SourceModuleName": "BSMmacOS", + "SourceModuleType": "im_bsm" + }, + { + "TokenVersion": "11", + "EventType": "AUE_ssauthmech", + "EventName": "SecSrvr AuthMechanism", + "EventModifier": "", + "EventTime": "2021-01-06 21:23:39", + "SubjectAuditID": "4294967295", + "SubjectUID": "root", + "SubjectGID": "wheel", + "SubjectRealUID": "root", + "SubjectRealGID": "wheel", + "SubjectPID": "159", + "SubjectSID": "100006", + "SubjectTerminal": "", + "SubjectTerminal.Port": "0:316", + "SubjectTerminal.Host": "0.0.0.0", + "Text": "mechanism loginwindow:success", + "ReturnErrno": "success", + "ReturnRetval": "0", + "Identity": "", + "Identity.SignerType": "1", + "Identity.SignerId": "com.apple.authd", + "Identity.SignerIdTruncated": "0", + "Identity.TeamId": "", + "Identity.TeamIdTruncated": "0", + "Identity.CDHash": "0x9120b9dcb969ee1e8fbdb63bd428e263111e9e9c", + "TrailerCount": "171", + "EventReceivedTime": "2021-01-06T21:23:39.093626-08:00", + "SourceModuleName": "BSMmacOS", + "SourceModuleType": "im_bsm" + }, + { + "TokenVersion": "11", + "EventType": "AUE_ssauthorize", + "EventName": "SecSrvr AuthEngine", + "EventModifier": "", + "EventTime": "2021-01-06 21:23:39", + "SubjectAuditID": "4294967295", + "SubjectUID": "root", + "SubjectGID": "wheel", + "SubjectRealUID": "root", + "SubjectRealGID": "wheel", + 
"SubjectPID": "159", + "SubjectSID": "100006", + "SubjectTerminal": "", + "SubjectTerminal.Port": "0:316", + "SubjectTerminal.Host": "0.0.0.0", + "Text": "creator /System/Library/CoreServices/loginwindow.app", + "ReturnErrno": "success", + "ReturnRetval": "0", + "Identity": "", + "Identity.SignerType": "1", + "Identity.SignerId": "com.apple.authd", + "Identity.SignerIdTruncated": "0", + "Identity.TeamId": "", + "Identity.TeamIdTruncated": "0", + "Identity.CDHash": "0x9120b9dcb969ee1e8fbdb63bd428e263111e9e9c", + "TrailerCount": "249", + "EventReceivedTime": "2021-01-06T21:23:39.287141-08:00", + "SourceModuleName": "BSMmacOS", + "SourceModuleType": "im_bsm" + }, + { + "TokenVersion": "11", + "EventType": "AUE_ssauthorize", + "EventName": "SecSrvr AuthEngine", + "EventModifier": "", + "EventTime": "2021-01-06 21:23:39", + "SubjectAuditID": "4294967295", + "SubjectUID": "root", + "SubjectGID": "wheel", + "SubjectRealUID": "root", + "SubjectRealGID": "wheel", + "SubjectPID": "159", + "SubjectSID": "100006", + "SubjectTerminal": "", + "SubjectTerminal.Port": "0:316", + "SubjectTerminal.Host": "0.0.0.0", + "Text": "end evaluation", + "ReturnErrno": "success", + "ReturnRetval": "0", + "Identity": "", + "Identity.SignerType": "1", + "Identity.SignerId": "com.apple.authd", + "Identity.SignerIdTruncated": "0", + "Identity.TeamId": "", + "Identity.TeamIdTruncated": "0", + "Identity.CDHash": "0x9120b9dcb969ee1e8fbdb63bd428e263111e9e9c", + "TrailerCount": "136", + "EventReceivedTime": "2021-01-06T21:23:39.290938-08:00", + "SourceModuleName": "BSMmacOS", + "SourceModuleType": "im_bsm" + }, + { + "TokenVersion": "11", + "EventType": "AUE_ssauthorize", + "EventName": "SecSrvr AuthEngine", + "EventModifier": "", + "EventTime": "2021-01-06 21:23:39", + "SubjectAuditID": "4294967295", + "SubjectUID": "root", + "SubjectGID": "wheel", + "SubjectRealUID": "root", + "SubjectRealGID": "wheel", + "SubjectPID": "1031", + "SubjectSID": "100061", + "SubjectTerminal": "", + 
"SubjectTerminal.Port": "0:2693", + "SubjectTerminal.Host": "0.0.0.0", + "Text": "begin evaluation", + "ReturnErrno": "success", + "ReturnRetval": "0", + "Identity": "", + "Identity.SignerType": "1", + "Identity.SignerId": "com.apple.authd", + "Identity.SignerIdTruncated": "0", + "Identity.TeamId": "", + "Identity.TeamIdTruncated": "0", + "Identity.CDHash": "0x9120b9dcb969ee1e8fbdb63bd428e263111e9e9c", + "TrailerCount": "138", + "EventReceivedTime": "2021-01-06T21:23:39.702351-08:00", + "SourceModuleName": "BSMmacOS", + "SourceModuleType": "im_bsm" + }, + { + "TokenVersion": "11", + "EventType": "AUE_ssauthmech", + "EventName": "SecSrvr AuthMechanism", + "EventModifier": "", + "EventTime": "2021-01-06 21:23:40", + "SubjectAuditID": "4294967295", + "SubjectUID": "root", + "SubjectGID": "wheel", + "SubjectRealUID": "root", + "SubjectRealGID": "wheel", + "SubjectPID": "1031", + "SubjectSID": "100061", + "SubjectTerminal": "", + "SubjectTerminal.Port": "0:2693", + "SubjectTerminal.Host": "0.0.0.0", + "Text": "mechanism loginwindow:FDESupport,privileged", + "ReturnErrno": "success", + "ReturnRetval": "0", + "Identity": "", + "Identity.SignerType": "1", + "Identity.SignerId": "com.apple.authd", + "Identity.SignerIdTruncated": "0", + "Identity.TeamId": "", + "Identity.TeamIdTruncated": "0", + "Identity.CDHash": "0x9120b9dcb969ee1e8fbdb63bd428e263111e9e9c", + "TrailerCount": "189", + "EventReceivedTime": "2021-01-06T21:23:40.520165-08:00", + "SourceModuleName": "BSMmacOS", + "SourceModuleType": "im_bsm" + }, + { + "TokenVersion": "11", + "EventType": "AUE_ssauthmech", + "EventName": "SecSrvr AuthMechanism", + "EventModifier": "", + "EventTime": "2021-01-06 21:23:40", + "SubjectAuditID": "4294967295", + "SubjectUID": "root", + "SubjectGID": "wheel", + "SubjectRealUID": "root", + "SubjectRealGID": "wheel", + "SubjectPID": "1031", + "SubjectSID": "100061", + "SubjectTerminal": "", + "SubjectTerminal.Port": "0:2693", + "SubjectTerminal.Host": "0.0.0.0", + "Text": "mechanism 
builtin:forward-login,privileged", + "ReturnErrno": "success", + "ReturnRetval": "0", + "Identity": "", + "Identity.SignerType": "1", + "Identity.SignerId": "com.apple.authd", + "Identity.SignerIdTruncated": "0", + "Identity.TeamId": "", + "Identity.TeamIdTruncated": "0", + "Identity.CDHash": "0x9120b9dcb969ee1e8fbdb63bd428e263111e9e9c", + "TrailerCount": "188", + "EventReceivedTime": "2021-01-06T21:23:40.526217-08:00", + "SourceModuleName": "BSMmacOS", + "SourceModuleType": "im_bsm" + }, + { + "TokenVersion": "11", + "EventType": "AUE_ssauthmech", + "EventName": "SecSrvr AuthMechanism", + "EventModifier": "", + "EventTime": "2021-01-06 21:23:40", + "SubjectAuditID": "4294967295", + "SubjectUID": "root", + "SubjectGID": "wheel", + "SubjectRealUID": "root", + "SubjectRealGID": "wheel", + "SubjectPID": "1031", + "SubjectSID": "100061", + "SubjectTerminal": "", + "SubjectTerminal.Port": "0:2693", + "SubjectTerminal.Host": "0.0.0.0", + "Text": "mechanism PKINITMechanism:auth,privileged", + "ReturnErrno": "success", + "ReturnRetval": "0", + "Identity": "", + "Identity.SignerType": "1", + "Identity.SignerId": "com.apple.authd", + "Identity.SignerIdTruncated": "0", + "Identity.TeamId": "", + "Identity.TeamIdTruncated": "0", + "Identity.CDHash": "0x9120b9dcb969ee1e8fbdb63bd428e263111e9e9c", + "TrailerCount": "187", + "EventReceivedTime": "2021-01-06T21:23:40.875058-08:00", + "SourceModuleName": "BSMmacOS", + "SourceModuleType": "im_bsm" + }, + { + "TokenVersion": "11", + "EventType": "AUE_ssauthmech", + "EventName": "SecSrvr AuthMechanism", + "EventModifier": "", + "EventTime": "2021-01-06 21:23:41", + "SubjectAuditID": "4294967295", + "SubjectUID": "root", + "SubjectGID": "wheel", + "SubjectRealUID": "root", + "SubjectRealGID": "wheel", + "SubjectPID": "1031", + "SubjectSID": "100061", + "SubjectTerminal": "", + "SubjectTerminal.Port": "0:2693", + "SubjectTerminal.Host": "0.0.0.0", + "Text": "mechanism HomeDirMechanism:login,privileged", + "ReturnErrno": "success", + 
"ReturnRetval": "0", + "Identity": "", + "Identity.SignerType": "1", + "Identity.SignerId": "com.apple.authd", + "Identity.SignerIdTruncated": "0", + "Identity.TeamId": "", + "Identity.TeamIdTruncated": "0", + "Identity.CDHash": "0x9120b9dcb969ee1e8fbdb63bd428e263111e9e9c", + "TrailerCount": "189", + "EventReceivedTime": "2021-01-06T21:23:41.105265-08:00", + "SourceModuleName": "BSMmacOS", + "SourceModuleType": "im_bsm" + }, + { + "TokenVersion": "11", + "EventType": "AUE_ssauthmech", + "EventName": "SecSrvr AuthMechanism", + "EventModifier": "", + "EventTime": "2021-01-06 21:23:41", + "SubjectAuditID": "4294967295", + "SubjectUID": "root", + "SubjectGID": "wheel", + "SubjectRealUID": "root", + "SubjectRealGID": "wheel", + "SubjectPID": "1031", + "SubjectSID": "100061", + "SubjectTerminal": "", + "SubjectTerminal.Port": "0:2693", + "SubjectTerminal.Host": "0.0.0.0", + "Text": "mechanism CryptoTokenKit:login", + "ReturnErrno": "success", + "ReturnRetval": "0", + "Identity": "", + "Identity.SignerType": "1", + "Identity.SignerId": "com.apple.authd", + "Identity.SignerIdTruncated": "0", + "Identity.TeamId": "", + "Identity.TeamIdTruncated": "0", + "Identity.CDHash": "0x9120b9dcb969ee1e8fbdb63bd428e263111e9e9c", + "TrailerCount": "176", + "EventReceivedTime": "2021-01-06T21:23:41.467223-08:00", + "SourceModuleName": "BSMmacOS", + "SourceModuleType": "im_bsm" + }, + { + "TokenVersion": "11", + "EventType": "AUE_ssauthorize", + "EventName": "SecSrvr AuthEngine", + "EventModifier": "", + "EventTime": "2021-01-06 21:23:43", + "SubjectAuditID": "ruser2", + "SubjectUID": "ruser2", + "SubjectGID": "staff", + "SubjectRealUID": "ruser2", + "SubjectRealGID": "staff", + "SubjectPID": "1045", + "SubjectSID": "100061", + "SubjectTerminal": "", + "SubjectTerminal.Port": "0:2740", + "SubjectTerminal.Host": "0.0.0.0", + "Text": "system.services.systemconfiguration.network", + "ReturnErrno": "success", + "ReturnRetval": "0", + "Identity": "", + "Identity.SignerType": "1", + 
"Identity.SignerId": "com.apple.authd", + "Identity.SignerIdTruncated": "0", + "Identity.TeamId": "", + "Identity.TeamIdTruncated": "0", + "Identity.CDHash": "0x9120b9dcb969ee1e8fbdb63bd428e263111e9e9c", + "TrailerCount": "212", + "EventReceivedTime": "2021-01-06T21:23:43.509730-08:00", + "SourceModuleName": "BSMmacOS", + "SourceModuleType": "im_bsm" + } +]