diff --git a/Solutions/NXLogDnsLogs/Data Connectors/NXLogDnsLogs.json b/Solutions/NXLogDnsLogs/Data Connectors/NXLogDnsLogs.json
new file mode 100644
index 0000000000..4d7ffc30a2
--- /dev/null
+++ b/Solutions/NXLogDnsLogs/Data Connectors/NXLogDnsLogs.json
@@ -0,0 +1,98 @@
+{
+ "id": "NXLogDnsLogs",
+ "title": "NXLog DNS Logs",
+ "publisher": "NXLog",
+ "descriptionMarkdown": "The NXLog DNS Logs data connector uses Event Tracing for Windows ([ETW](https://docs.microsoft.com/windows/apps/trace-processing/overview)) for collecting both Audit and Analytical DNS Server events. The [NXLog *im_etw* module](https://nxlog.co/documentation/nxlog-user-guide/im_etw.html) reads event tracing data directly for maximum efficiency, without the need to capture the event trace into an .etl file. This REST API connector can forward DNS Server events to Azure Sentinel in real time.",
+ "additionalRequirementBanner": "This data connector depends on parsers based on Kusto functions deployed with the Azure Sentinel Solution to work as expected. The [**NXLog_parsed_DNS_Server_ASim_view**](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/NXLogDnsLogs/Parsers/NXLog_parsed_DNS_Server_ASim_view.txt) is designed to leverage Azure Sentinel's built-in DNS-related analytics capabilities. The other fucntions, [**NXLog_parsed_DNS_Server_view**](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/NXLogDnsLogs/Parsers/NXLog_parsed_DNS_Server_view.txt), [**NXLog_parsed_DNS_Audit_view**](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/NXLogDnsLogs/Parsers/NXLog_parsed_DNS_Audit_view.txt), and [**NXLog_parsed_DNS_Analytical_view**](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/NXLogDnsLogs/Parsers/NXLog_parsed_DNS_Analytical_view.txt) are designed to work with custom analytics that use the NXLog schema for Windows DNS Server events.",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "NXLog_parsed_DNS_Server_ASim_view",
+ "baseQuery": "NXLog_parsed_DNS_Server_ASim_view"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description" : "",
+ "query": ""
+ },
+ {
+ "description" : "",
+ "query" : ""
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "NXLog_parsed_DNS_Server_ASim_view",
+ "lastDataReceivedQuery": "NXLog_parsed_DNS_Server_ASim_view | summarize Time = max(TimeGenerated) | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriterias": [
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "NXLog_parsed_DNS_Server_ASim_view | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(30d)"
+ ]
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": true
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "title": "",
+ "description": ">**NOTE:** This data connector depends on parsers based on Kusto functions deployed with the Azure Sentinel Solution to work as expected. The [**NXLog_parsed_DNS_Server_ASim_view**](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/NXLogDnsLogs/Parsers/NXLog_parsed_DNS_Server_ASim_view.txt) is designed to leverage Azure Sentinel's built-in DNS-related analytics capabilities. The other fucntions, [**NXLog_parsed_DNS_Server_view**](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/NXLogDnsLogs/Parsers/NXLog_parsed_DNS_Server_view.txt), [**NXLog_parsed_DNS_Audit_view**](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/NXLogDnsLogs/Parsers/NXLog_parsed_DNS_Audit_view.txt), and [**NXLog_parsed_DNS_Analytical_view**](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/NXLogDnsLogs/Parsers/NXLog_parsed_DNS_Analytical_view.txt) are designed to work with custom analytics that use the NXLog schema for Windows DNS Server events.",
+ "instructions": [
+ ]
+ },
+ {
+ "title": "",
+ "description": "Follow the step-by-step instructions in the *NXLog User Guide* Integration Topic [Microsoft Azure Sentinel](https://nxlog.co/documentation/nxlog-user-guide/sentinel.html) to configure this connector.",
+ "instructions": [
+ {
+ "parameters": {
+ "fillWith": [
+ "WorkspaceId"
+ ],
+ "label": "Workspace ID"
+ },
+ "type": "CopyableLabel"
+ },
+ {
+ "parameters": {
+ "fillWith": [
+ "PrimaryKey"
+ ],
+ "label": "Primary Key"
+ },
+ "type": "CopyableLabel"
+ }
+ ]
+ }
+ ]
+}
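Review bot: The `Microsoft.OperationalInsights/workspaces` entry under `permissions.resourceProvider` requests `"delete": true` while its own `permissionsDisplayText` promises only `read and write permissions are required.`; nothing visible in this connector needs to delete workspace resources, so either set `"delete": false` or correct the text so operators grant exactly what is used. `sampleQueries` ships two entries whose `description` and `query` are empty strings, which will render as blank sample tiles; fill them (e.g. `NXLog_parsed_DNS_Server_ASim_view | take 10`) or drop the array. The `connectivityCriterias` query treats the connector as connected for 30 days after the last event (`ago(30d)`), which for a feed the description calls real time will hide a multi-week ingestion outage, so a shorter window may be worth considering. "fucntions" is misspelled in both `additionalRequirementBanner` and the first `instructionSteps` description.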
diff --git a/Solutions/NXLogDnsLogs/Parsers/NXLog_parsed_DNS_Analytical_view.txt b/Solutions/NXLogDnsLogs/Parsers/NXLog_parsed_DNS_Analytical_view.txt
new file mode 100644
index 0000000000..e304445766
--- /dev/null
+++ b/Solutions/NXLogDnsLogs/Parsers/NXLog_parsed_DNS_Analytical_view.txt
@@ -0,0 +1,79 @@
+// Usage Instructions:
+// Paste the query below into the Log Analytics query editor.
+// Click the "Save" button and select "Save as function".
+// Enter "NXLog_parsed_DNS_Analytical_view" in the "Function name" field.
+// For "Legacy category:" enter "DNS Server logs".
+// "Paramters" are not needed.
+// Function usually takes 10-15 minutes to activate.
+// You can then use this function from any other queries (e.g. NXLog_parsed_DNS_Analytical_view | take 10).
+// Reference: Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions
+let NXLog_parsed_DNS_Analytical_view = view () {
+ DNS_Server_CL
+ | where EventID_d < 281
+ | project-rename
+ AA=AA_s,
+ AccountName=AccountName_s,
+ AccountType=AccountType_s,
+ AD=AD_s,
+ AdditionalInfo=AdditionalInfo_s,
+ BufferSize=BufferSize_s,
+ CacheScope=CacheScope_s,
+ ChannelID=ChannelID_d,
+ CustomLogName=Type,
+ Destination=Destination_s,
+ DNSSEC=DNSSEC_s,
+ Domain=Domain_s,
+ ElapsedTime=ElapsedTime_s,
+ EventReceivedTime=EventReceivedTime_t,
+ EventID=EventID_d,
+ EventTime=EventTime_t,
+ EventType=EventType_s,
+ ExecutionProcessID=ExecutionProcessID_d,
+ ExecutionThreadID=ExecutionThreadID_d,
+ FilePath=FilePath_s,
+ Flags=Flags_s,
+ GUID=GUID_g,
+ Hostname=Hostname_s,
+ InterfaceIP=InterfaceIP_s,
+ Keywords=Keywords_s,
+ Lookup=Lookup_s,
+ NAME=NAME_s,
+ Name=Name_s,
+ NewValue=NewValue_s,
+ OpcodeValue=OpcodeValue_d,
+ PacketData=PacketData_s,
+ PolicyName=PolicyName_s,
+ Port=Port_s,
+ PropertyKey=PropertyKey_s,
+ ProviderGuid=ProviderGuid_g,
+ QNAME=QNAME_s,
+ QTYPE=QTYPE_s,
+ QXID=QXID_s,
+ RCODE=RCODE_s,
+ RD=RD_s,
+ RDATA=RDATA_s,
+ Reason=Reason_s,
+ RecursionDepth=RecursionDepth_s,
+ RecursionScope=RecursionScope_s,
+ ReplicationScope=ReplicationScope_s,
+ Scope=Scope_s,
+ Severity=Severity_s,
+ SeverityValue=SeverityValue_d,
+ Source=Source_s,
+ SourceModuleName=SourceModuleName_s,
+ SourceModuleType=SourceModuleType_s,
+ SourceName=SourceName_s,
+ TaskValue=TaskValue_d,
+ TCP=TCP_s,
+ TTL=TTL_s,
+ UserID=UserID_s,
+ Version=Version_d,
+ VirtualizationID=VirtualizationID_s,
+ XID=XID_s,
+ Zone=Zone_s,
+ ZoneFile=ZoneFile_s,
+ ZoneScope=ZoneScope_s
+ | project-rename
+ Type=Type_s
+};
+NXLog_parsed_DNS_Analytical_view();
\ No newline at end of file
diff --git a/Solutions/NXLogDnsLogs/Parsers/NXLog_parsed_DNS_Audit_view.txt b/Solutions/NXLogDnsLogs/Parsers/NXLog_parsed_DNS_Audit_view.txt
new file mode 100644
index 0000000000..2d4f1282b1
--- /dev/null
+++ b/Solutions/NXLogDnsLogs/Parsers/NXLog_parsed_DNS_Audit_view.txt
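Review bot: The filter `| where EventID_d < 281` has no lower bound, so this "Analytical" view also returns any row whose EventID is below 256; if the analytical channel really is 256–280, as the ASim parser's lookup tables in this same change suggest, `| where EventID_d between (256 .. 280)` states the intent and keeps unrelated events out. Combined with the Audit view's `> 511`, IDs 281–511 fall into neither parser, which is only safe if the provider emits nothing in that range — worth confirming. The unconditional `project-rename` of 60-odd `*_s`/`*_d` columns fails the whole function with a column-resolution error if any of them has never been ingested into `DNS_Server_CL` (a workspace that has only collected analytical events presumably lacks audit-only fields such as `ZoneFile_s`), so channel-specific fields should go through `column_ifexists`, e.g. `| extend ZoneFile = column_ifexists("ZoneFile_s", "")`. `"Paramters"` in the usage header should read `"Parameters"`.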
@@ -0,0 +1,79 @@
+// Usage Instructions:
+// Paste the query below into the Log Analytics query editor.
+// Click the "Save" button and select "Save as function".
+// Enter "NXLog_parsed_DNS_Audit_view" in the "Function name" field.
+// For "Legacy category:" enter "DNS Server logs".
+// "Paramters" are not needed.
+// Function usually takes 10-15 minutes to activate.
+// You can then use this function from any other queries (e.g. NXLog_parsed_DNS_Audit_view | take 10).
+// Reference: Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions
+let NXLog_parsed_DNS_Audit_view = view () {
+ DNS_Server_CL
+ | where EventID_d > 511
+ | project-rename
+ AA=AA_s,
+ AccountName=AccountName_s,
+ AccountType=AccountType_s,
+ AD=AD_s,
+ AdditionalInfo=AdditionalInfo_s,
+ BufferSize=BufferSize_s,
+ CacheScope=CacheScope_s,
+ ChannelID=ChannelID_d,
+ CustomLogName=Type,
+ Destination=Destination_s,
+ DNSSEC=DNSSEC_s,
+ Domain=Domain_s,
+ ElapsedTime=ElapsedTime_s,
+ EventReceivedTime=EventReceivedTime_t,
+ EventID=EventID_d,
+ EventTime=EventTime_t,
+ EventType=EventType_s,
+ ExecutionProcessID=ExecutionProcessID_d,
+ ExecutionThreadID=ExecutionThreadID_d,
+ FilePath=FilePath_s,
+ Flags=Flags_s,
+ GUID=GUID_g,
+ Hostname=Hostname_s,
+ InterfaceIP=InterfaceIP_s,
+ Keywords=Keywords_s,
+ Lookup=Lookup_s,
+ NAME=NAME_s,
+ Name=Name_s,
+ NewValue=NewValue_s,
+ OpcodeValue=OpcodeValue_d,
+ PacketData=PacketData_s,
+ PolicyName=PolicyName_s,
+ Port=Port_s,
+ PropertyKey=PropertyKey_s,
+ ProviderGuid=ProviderGuid_g,
+ QNAME=QNAME_s,
+ QTYPE=QTYPE_s,
+ QXID=QXID_s,
+ RCODE=RCODE_s,
+ RD=RD_s,
+ RDATA=RDATA_s,
+ Reason=Reason_s,
+ RecursionDepth=RecursionDepth_s,
+ RecursionScope=RecursionScope_s,
+ ReplicationScope=ReplicationScope_s,
+ Scope=Scope_s,
+ Severity=Severity_s,
+ SeverityValue=SeverityValue_d,
+ Source=Source_s,
+ SourceModuleName=SourceModuleName_s,
+ SourceModuleType=SourceModuleType_s,
+ SourceName=SourceName_s,
+ TaskValue=TaskValue_d,
+ TCP=TCP_s,
+ TTL=TTL_s,
+ UserID=UserID_s,
+ Version=Version_d,
+ VirtualizationID=VirtualizationID_s,
+ XID=XID_s,
+ Zone=Zone_s,
+ ZoneFile=ZoneFile_s,
+ ZoneScope=ZoneScope_s
+ | project-rename
+ Type=Type_s
+};
+NXLog_parsed_DNS_Audit_view();
\ No newline at end of file
diff --git a/Solutions/NXLogDnsLogs/Parsers/NXLog_parsed_DNS_Server_ASim_view.txt b/Solutions/NXLogDnsLogs/Parsers/NXLog_parsed_DNS_Server_ASim_view.txt
new file mode 100644
index 0000000000..b3013a2384
--- /dev/null
+++ b/Solutions/NXLogDnsLogs/Parsers/NXLog_parsed_DNS_Server_ASim_view.txt
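Review bot: The `project-rename` list names every `*_s`/`*_d` column NXLog can emit, and Kusto fails the whole function with a column-resolution error if even one of them has never been ingested into `DNS_Server_CL`; a workspace that has only received audit-channel events presumably lacks query-only fields such as `QXID_s` or `PacketData_s`, so this view would break exactly where it is meant to be used. Guard fields that only one channel emits with `column_ifexists`, e.g. `| extend PacketData = column_ifexists("PacketData_s", "")`, instead of renaming them unconditionally. The filter `| where EventID_d > 511` is open-ended upward, which is fine, but together with the Analytical view's `< 281` the range 281–511 lands in neither parser — confirm the provider emits nothing there. `"Paramters"` in the usage header should be `"Parameters"`.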
@@ -0,0 +1,235 @@
+// Usage Instructions:
+// Paste the query below into the Log Analytics query editor.
+// Click the "Save" button and select "Save as function".
+// Enter "NXLog_parsed_AIX_Audit_view" in the "Function name" field.
+// For "Legacy category:" enter "AIX Security Audit".
+// "Paramters" are not needed.
+// Function usually takes 10-15 minutes to activate.
+// You can then use this function from any other queries (e.g. NXLog_parsed_DNS_Server_ASim_view | take 10).
+// Reference: Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions
+let NXLog_parsed_DNS_Server_ASim_view = view () {
+ let EventTypeTable=datatable(EventOriginalType:real,EventType:string)[
+ 256, 'Query'
+ , 257, 'Query'
+ , 258, 'Query'
+ , 259, 'Query'
+ , 260, 'Query'
+ , 261, 'Query'
+ , 262, 'Query'
+ , 263, 'Dynamic update'
+ , 264, 'Dynamic update'
+ , 265, 'Zone XFR'
+ , 266, 'Zone XFR'
+ , 267, 'Zone XFR'
+ , 268, 'Zone XFR'
+ , 269, 'Zone XFR'
+ , 270, 'Zone XFR'
+ , 271, 'Zone XFR'
+ , 272, 'Zone XFR'
+ , 273, 'Zone XFR'
+ , 274, 'Zone XFR'
+ , 275, 'Zone XFR'
+ , 276, 'Zone XFR'
+ , 277, 'Dynamic update'
+ , 278, 'Dynamic update'
+ , 279, 'Query'
+ , 280, 'Query'
+ ];
+ let EventSubTypeTable=datatable(EventOriginalType:real,EventSubType:string)[
+ 256, 'request'
+ , 257, 'response'
+ , 258, 'response'
+ , 259, 'response'
+ , 260, 'request'
+ , 261, 'response'
+ , 262, 'request'
+ , 263, 'response'
+ , 264, 'response'
+ , 265, 'request'
+ , 266, 'request'
+ , 267, 'response'
+ , 268, 'response'
+ , 269, 'request'
+ , 270, 'request'
+ , 271, 'response'
+ , 272, 'response'
+ , 273, 'response'
+ , 274, 'response'
+ , 275, 'response'
+ , 276, 'response'
+ , 277, 'response'
+ , 278, 'response'
+ , 279, 'request'
+ , 280, 'request'
+ ];
+ let EventResultTable=datatable(EventOriginalType:real,EventResult:string)[
+ 256, 'NA'
+ , 257, 'Success'
+ , 258, 'Failure'
+ , 259, 'Failure'
+ , 260, 'NA'
+ , 261, 'Success'
+ , 262, 'Failure'
+ , 263, 'Success'
+ , 264, 'Success'
+ , 265, 'NA'
+ , 266, 'NA'
+ , 267, 'Success'
+ , 268, 'Success'
+ , 269, 'NA'
+ , 270, 'NA'
+ , 271, 'Success'
+ , 272, 'Success'
+ , 273, 'Success'
+ , 274, 'Success'
+ , 275, 'Success'
+ , 276, 'Success'
+ , 277, 'Success'
+ , 278, 'Success'
+ , 279, 'NA'
+ , 280, 'NA'
+ ];
+ let RCodeTable=datatable(DnsResponseCode:int,ResponseCodeName:string)[
+ 0, 'NOERROR'
+ , 1, 'FORMERR'
+ , 2,'SERVFAIL'
+ , 3,'NXDOMAIN'
+ , 4,'NOTIMP'
+ , 5,'REFUSED'
+ , 6,'YXDOMAIN'
+ , 7,'YXRRSET'
+ , 8,'NXRRSET'
+ , 9,'NOTAUTH'
+ , 10,'NOTZONE'
+ , 11,'DSOTYPENI'
+ , 16,'BADVERS'
+ , 16,'BADSIG'
+ , 17,'BADKEY'
+ , 18,'BADTIME'
+ , 19,'BADMODE'
+ , 20,'BADNAME'
+ , 21,'BADALG'
+ , 22,'BADTRUNC'
+ , 23,'BADCOOKIE'
+ ];
+ let QTypeTable=datatable(DnsQueryType:int,QTypeName:string)[
+ 0, 'Reserved'
+ , 1, 'A'
+ , 2, 'NS'
+ , 3, 'MD'
+ , 4, 'MF'
+ , 5, 'CNAME'
+ , 6, 'SOA'
+ , 7, 'MB'
+ , 8 ,'MG'
+ , 9 ,'MR'
+ , 10,'NULL'
+ , 11,'WKS'
+ , 12,'PTR'
+ , 13,'HINFO'
+ , 14,'MINFO'
+ , 15,'MX'
+ , 16,'TXT'
+ , 17,'RP'
+ , 18,'AFSDB'
+ , 19,'X25'
+ , 20,'ISDN'
+ , 21,'RT'
+ , 22,'NSAP'
+ , 23,'NSAP-PTR'
+ , 24,'SIG'
+ , 25,'KEY'
+ , 26,'PX'
+ , 27,'GPOS'
+ , 28,'AAAA'
+ , 29,'LOC'
+ , 30,'NXT'
+ , 31,'EID'
+ , 32,'NIMLOC'
+ , 33,'SRV'
+ ];
+ DNS_Server_CL
+ | where EventID_d < 281
+ | project-rename
+ DnsFlags=Flags_s,
+ DnsQuery=QNAME_s,
+ DnsQueryType=QTYPE_s,
+ DnsResponseCode=RCODE_s,
+ DnsResponseName=PacketData_s,
+ Dvc=Hostname_s,
+ DvcIpAddr=InterfaceIP_s,
+ EventOriginalType=EventID_d,
+ EventOriginalUid=GUID_g,
+ EventStartTime=EventTime_t,
+ SrcPortNumber=Port_s,
+ SrcIpAddr=Source_s
+ | extend
+ DnsQuery=trim_end(".",DnsQuery),
+ DnsQueryType=toint(DnsQueryType),
+ DnsResponseCode=toint(DnsResponseCode),
+ DvcHostname=Dvc,
+ EventEndTime=EventStartTime,
+ EventProduct="Microsoft DNS Server",
+ EventSchemaVersion="0.1.1",
+ EventVendor="Microsoft",
+ NetworkProtocol=iff(TCP_s == "0","UDP","TCP"),
+ TransactionIdHex=tohex(toint(XID_s))
+ | lookup EventTypeTable on EventOriginalType
+ | lookup EventSubTypeTable on EventOriginalType
+ | lookup EventResultTable on EventOriginalType
+ | lookup RCodeTable on DnsResponseCode
+ | lookup QTypeTable on DnsQueryType
+ | extend
+ EventResultDetails = case (isnotempty(ResponseCodeName), ResponseCodeName
+ , DnsResponseCode between (3841 .. 4095), 'Reserved for Private Use'
+ , 'Unassigned')
+ | extend
+ Domain=DnsQuery,
+ DnsResponseCodeName=EventResultDetails,
+ DnsQueryTypeName = case (isnotempty(QTypeName), QTypeName
+ , DnsQueryType between (66 .. 98), 'Unassigned'
+ , DnsQueryType between (110 .. 248), 'Unassigned'
+ , DnsQueryType between (261 .. 32767), 'Unassigned'
+ , 'Unassigned'),
+ EventResult=iff (DnsResponseCode == 0 and EventResult == 'Informational','Success',EventResult)
+ | project-away
+ AA_s,
+ AD_s,
+ AdditionalInfo_s,
+ BufferSize_s,
+ AccountName_s,
+ AccountType_s,
+ CacheScope_s,
+ ChannelID_d,
+ Destination_s,
+ DNSSEC_s,
+ Domain_s,
+ ElapsedTime_s,
+ EventReceivedTime_t,
+ EventType_s,
+ ExecutionProcessID_d,
+ ExecutionThreadID_d,
+ Keywords_s,
+ OpcodeValue_d,
+ PolicyName_s,
+ ProviderGuid_g,
+ QXID_s,
+ RD_s,
+ Reason_s,
+ RecursionDepth_s,
+ RecursionScope_s,
+ ResponseCodeName,
+ Scope_s,
+ Severity_s,
+ SeverityValue_d,
+ SourceModuleName_s,
+ SourceModuleType_s,
+ SourceName_s,
+ TaskValue_d,
+ TCP_s,
+ UserID_s,
+ Version_d,
+ XID_s,
+ Zone_s
+};
+NXLog_parsed_DNS_Server_ASim_view();
\ No newline at end of file
diff --git a/Solutions/NXLogDnsLogs/Parsers/NXLog_parsed_DNS_Server_view.txt b/Solutions/NXLogDnsLogs/Parsers/NXLog_parsed_DNS_Server_view.txt
new file mode 100644
index 0000000000..1cb313a12c
--- /dev/null
+++ b/Solutions/NXLogDnsLogs/Parsers/NXLog_parsed_DNS_Server_view.txt
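Review bot: `RCodeTable` carries the key `16` twice (`'BADVERS'` and `'BADSIG'`), and `| lookup RCodeTable on DnsResponseCode` emits one output row per matching right-side row, so every RCODE-16 event is duplicated with two different `DnsResponseCodeName` values and double-counted by anything summarizing this view; keep a single row, e.g. `, 16,'BADVERS/BADSIG'`, since IANA assigns both names to 16. `DnsQuery=trim_end(".",DnsQuery)` passes a regular expression in which `.` matches any character, so a QNAME that arrives without a trailing dot loses at least its last character — the literal-dot form the ASim DNS parsers use is `trim_end(@'\.', DnsQuery)`. The usage header tells the operator to save this function as `"NXLog_parsed_AIX_Audit_view"` under category `"AIX Security Audit"`, evidently copied from another parser; anyone following it will not create the `NXLog_parsed_DNS_Server_ASim_view` name that the connector's `graphQueries` and `connectivityCriterias` reference, so correct those two header lines. `QTypeTable` stops at 33 (SRV) and the `DnsQueryTypeName` case labels everything else `'Unassigned'`, which mislabels assigned and detection-relevant types such as 252 AXFR, 255 ANY, 43 DS, 46 RRSIG and 48 DNSKEY; extend the table or fall back to `tostring(DnsQueryType)` rather than asserting the type is unassigned. The `EventResult=iff(DnsResponseCode == 0 and EventResult == 'Informational', ...)` branch can never fire because `EventResultTable` only yields `'NA'`, `'Success'` or `'Failure'`.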
@@ -0,0 +1,78 @@
+// Usage Instructions:
+// Paste the query below into the Log Analytics query editor.
+// Click the "Save" button and select "Save as function".
+// Enter "NXLog_parsed_DNS_Server_view" in the "Function name" field.
+// For "Legacy category:" enter "DNS Server logs".
+// "Paramters" are not needed.
+// Function usually takes 10-15 minutes to activate.
+// You can then use this function from any other queries (e.g. NXLog_parsed_DNS_Server_view | take 10).
+// Reference: Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions
+let NXLog_parsed_DNS_Server_view = view () {
+ DNS_Server_CL
+ | project-rename
+ AA=AA_s,
+ AccountName=AccountName_s,
+ AccountType=AccountType_s,
+ AD=AD_s,
+ AdditionalInfo=AdditionalInfo_s,
+ BufferSize=BufferSize_s,
+ CacheScope=CacheScope_s,
+ ChannelID=ChannelID_d,
+ CustomLogName=Type,
+ Destination=Destination_s,
+ DNSSEC=DNSSEC_s,
+ Domain=Domain_s,
+ ElapsedTime=ElapsedTime_s,
+ EventReceivedTime=EventReceivedTime_t,
+ EventID=EventID_d,
+ EventTime=EventTime_t,
+ EventType=EventType_s,
+ ExecutionProcessID=ExecutionProcessID_d,
+ ExecutionThreadID=ExecutionThreadID_d,
+ FilePath=FilePath_s,
+ Flags=Flags_s,
+ GUID=GUID_g,
+ Hostname=Hostname_s,
+ InterfaceIP=InterfaceIP_s,
+ Keywords=Keywords_s,
+ Lookup=Lookup_s,
+ NAME=NAME_s,
+ Name=Name_s,
+ NewValue=NewValue_s,
+ OpcodeValue=OpcodeValue_d,
+ PacketData=PacketData_s,
+ PolicyName=PolicyName_s,
+ Port=Port_s,
+ PropertyKey=PropertyKey_s,
+ ProviderGuid=ProviderGuid_g,
+ QNAME=QNAME_s,
+ QTYPE=QTYPE_s,
+ QXID=QXID_s,
+ RCODE=RCODE_s,
+ RD=RD_s,
+ RDATA=RDATA_s,
+ Reason=Reason_s,
+ RecursionDepth=RecursionDepth_s,
+ RecursionScope=RecursionScope_s,
+ ReplicationScope=ReplicationScope_s,
+ Scope=Scope_s,
+ Severity=Severity_s,
+ SeverityValue=SeverityValue_d,
+ Source=Source_s,
+ SourceModuleName=SourceModuleName_s,
+ SourceModuleType=SourceModuleType_s,
+ SourceName=SourceName_s,
+ TaskValue=TaskValue_d,
+ TCP=TCP_s,
+ TTL=TTL_s,
+ UserID=UserID_s,
+ Version=Version_d,
+ VirtualizationID=VirtualizationID_s,
+ XID=XID_s,
+ Zone=Zone_s,
+ ZoneFile=ZoneFile_s,
+ ZoneScope=ZoneScope_s
+ | project-rename
+ Type=Type_s
+};
+NXLog_parsed_DNS_Server_view();
\ No newline at end of file
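Review bot: This view repeats the same 62-entry `project-rename` list that the Audit and Analytical parsers in this change carry verbatim, differing only in the absent `where` clause; the two channel views could instead be written as `NXLog_parsed_DNS_Server_view | where EventID between (256 .. 280)` and `NXLog_parsed_DNS_Server_view | where EventID > 511`, so the column mapping lives in one place and the three copies cannot drift. As written the rename is also brittle: Kusto rejects the whole function if any listed `*_s`/`*_d` column has never appeared in `DNS_Server_CL`, so fields that only one channel emits should go through `column_ifexists`, e.g. `| extend ZoneFile = column_ifexists("ZoneFile_s", "")`, rather than an unconditional rename. `"Paramters"` in the usage header should read `"Parameters"`.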