This commit is contained in:
v-spadarthi 2022-08-19 13:02:59 +05:30
Родитель 54370bb2e7
Коммит 867baa163d
6 изменённых файлов: 788 добавлений и 1 удалений


@ -25,7 +25,7 @@
}],
"availability": {
"status": 1,
"isPreview": true
"isPreview": false
},
"permissions": {
"resourceProvider": [{


@ -0,0 +1,17 @@
{
"Name": "OpenVPN",
"Author": "Microsoft - support@microsoft.com",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">",
"Description": "The [OpenVPN](https://github.com/OpenVPN) solution for Microsoft Sentinel provides the capability to ingest OpenVPN Server logs into Microsoft Sentinel. These logs contain details and specifics about VPN connection activity.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n\r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\n a. [Agent-based log collection (Syslog)](https://docs.microsoft.com/en-us/azure/sentinel/connect-syslog)\r\n\n",
"Data Connectors": [
"Data Connectors/OpenVPN_Syslog.json"
],
"Parsers": [
"Parsers/OpenVPNEvent.txt"
],
"Metadata": "SolutionMetadata.json",
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\OpenVPN",
"Version": "2.0.0",
"TemplateSpec": true,
"Is1PConnector": false
}
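Review bot: `BasePath` on line 34 commits a developer-specific absolute path (`C:\\GitHub\\Azure-Sentinel\\Solutions\\OpenVPN`), so this packaging input only works on that one machine and leaks a local directory layout into the repository. Every other entry in the file (`Data Connectors`, `Parsers`, `Metadata`) is written relative to the solution folder, so a repository-relative value such as `"BasePath": "Solutions/OpenVPN"`, or letting the packaging tool resolve the base path from its working directory, would be consistent with them. If the packaging script genuinely requires an absolute path here, that constraint cannot be recorded in a strict JSON file and belongs in the solution's README so the next maintainer does not "fix" it.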

Solutions/OpenVPN/Package/2.0.0.zip Normal file



@ -0,0 +1,92 @@
{
"$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
"handler": "Microsoft.Azure.CreateUIDef",
"version": "0.1.2-preview",
"parameters": {
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [OpenVPN](https://github.com/OpenVPN) solution for Microsoft Sentinel provides the capability to ingest OpenVPN Server logs into Microsoft Sentinel. These logs contain details and specifics about VPN connection activity.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n\r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\n a. [Agent-based log collection (Syslog)](https://docs.microsoft.com/en-us/azure/sentinel/connect-syslog)\r\n\n\n\n**Data Connectors:** 1, **Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
"Microsoft.OperationalInsights/workspaces/providers/alertRules",
"Microsoft.Insights/workbooks",
"Microsoft.Logic/workflows"
]
},
"location": {
"metadata": {
"hidden": "Hiding location, we get it from the log analytics workspace"
},
"visible": false
},
"resourceGroup": {
"allowExisting": true
}
}
},
"basics": [
{
"name": "getLAWorkspace",
"type": "Microsoft.Solutions.ArmApiControl",
"toolTip": "This filters by workspaces that exist in the Resource Group selected",
"condition": "[greater(length(resourceGroup().name),0)]",
"request": {
"method": "GET",
"path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
}
},
{
"name": "workspace",
"type": "Microsoft.Common.DropDown",
"label": "Workspace",
"placeholder": "Select a workspace",
"toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
"constraints": {
"allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
"required": true
},
"visible": true
}
],
"steps": [
{
"name": "dataconnectors",
"label": "Data Connectors",
"bladeTitle": "Data Connectors",
"elements": [
{
"name": "dataconnectors1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This solution installs a data connector that helps ingest OpenVPN logs into Microsoft Sentinel using Syslog. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
}
},
{
"name": "dataconnectors-parser-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "The solution installs a parser that transforms ingested data. The transformed logs can be accessed using the OpenVPNEvent Kusto Function alias."
}
},
{
"name": "dataconnectors-link2",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more about connecting data sources",
"uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
}
}
}
]
}
],
"outputs": {
"workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
"location": "[location()]",
"workspace": "[basics('workspace')]"
}
}
}
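Review bot: The workspace dropdown's `allowedValues` on line 94 selects workspaces with `contains(toLower(filter.id), toLower(resourceGroup().name))`, a substring test over the whole resource id, so a resource group named `sentinel` would also list workspaces from `sentinel-prod` or `mysentinel`, and the `workspace-location` output on line 134 repeats the same test. Comparing the resource-group segment of `filter.id` for equality with `resourceGroup().name` (after `toLower` on both) would restrict the list to the selected group as the tooltip on line 92 promises. The `resourceProviders` list on lines 59-62 also registers `Microsoft.Insights/workbooks` and `Microsoft.Logic/workflows`, which nothing in this solution's template deploys; if that list is copied from a shared generator it is harmless, but trimming it to what the package actually needs keeps the registration footprint minimal.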


@ -0,0 +1,663 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"author": "Microsoft - support@microsoft.com",
"comments": "Solution template for OpenVPN"
},
"parameters": {
"location": {
"type": "string",
"minLength": 1,
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
}
},
"workspace-location": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
}
},
"workspace": {
"defaultValue": "",
"type": "string",
"metadata": {
"description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
}
}
},
"variables": {
"solutionId": "azuresentinel.azure-sentinel-solution-openvpn",
"_solutionId": "[variables('solutionId')]",
"email": "support@microsoft.com",
"_email": "[variables('email')]",
"workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
"uiConfigId1": "OpenVPN",
"_uiConfigId1": "[variables('uiConfigId1')]",
"dataConnectorContentId1": "OpenVPN",
"_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
"dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
"_dataConnectorId1": "[variables('dataConnectorId1')]",
"dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1')))]",
"dataConnectorVersion1": "1.0.0",
"parserVersion1": "1.0.0",
"parserContentId1": "OpenVPNEvent-Parser",
"_parserContentId1": "[variables('parserContentId1')]",
"parserName1": "OpenVPNEvent",
"_parserName1": "[concat(parameters('workspace'),'/',variables('parserName1'))]",
"parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]",
"_parserId1": "[variables('parserId1')]",
"parserTemplateSpecName1": "[concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId1')))]"
},
"resources": [
{
"type": "Microsoft.Resources/templateSpecs",
"apiVersion": "2021-05-01",
"name": "[variables('dataConnectorTemplateSpecName1')]",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
"hidden-sentinelContentType": "DataConnector"
},
"properties": {
"description": "OpenVPN data connector with template",
"displayName": "OpenVPN template"
}
},
{
"type": "Microsoft.Resources/templateSpecs/versions",
"apiVersion": "2021-05-01",
"name": "[concat(variables('dataConnectorTemplateSpecName1'),'/',variables('dataConnectorVersion1'))]",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
"hidden-sentinelContentType": "DataConnector"
},
"dependsOn": [
"[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName1'))]"
],
"properties": {
"description": "OpenVPN data connector with template version 2.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion1')]",
"parameters": {},
"variables": {},
"resources": [
{
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
"apiVersion": "2021-03-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"location": "[parameters('workspace-location')]",
"kind": "GenericUI",
"properties": {
"connectorUiConfig": {
"id": "[variables('_uiConfigId1')]",
"title": "OpenVPN Server",
"publisher": "OpenVPN",
"descriptionMarkdown": "The [OpenVPN](https://github.com/OpenVPN) data connector provides the capability to ingest OpenVPN Server logs into Microsoft Sentinel.",
"additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**OpenVpnEvent**](https://aka.ms/sentinel-openvpn-parser) which is deployed with the Microsoft Sentinel Solution.",
"graphQueries": [
{
"metricName": "Total data received",
"legend": "OpenVPN",
"baseQuery": "OpenVpnEvent"
}
],
"sampleQueries": [
{
"description": "Top 10 Sources",
"query": "OpenVpnEvent\n | summarize count() by tostring(SrcIpAddr)\n | top 10 by count_"
}
],
"dataTypes": [
{
"name": "Syslog(OpenVPN)",
"lastDataReceivedQuery": "OpenVpnEvent\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"OpenVpnEvent\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
}
],
"availability": {
"status": 1,
"isPreview": false
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "write permission is required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"delete": true
}
}
]
},
"instructionSteps": [
{
"description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**OpenVpnEvent**](https://aka.ms/sentinel-openvpn-parser) which is deployed with the Microsoft Sentinel Solution."
},
{
"description": "Install the agent on the Server where the OpenVPN are forwarded.\n\n> Logs from OpenVPN Server deployed on Linux or Windows servers are collected by **Linux** or **Windows** agents.",
"instructions": [
{
"parameters": {
"title": "Choose where to install the Linux agent:",
"instructionSteps": [
{
"title": "Install agent on Azure Linux Virtual Machine",
"description": "Select the machine to install the agent on and then click **Connect**.",
"instructions": [
{
"parameters": {
"linkType": "InstallAgentOnLinuxVirtualMachine"
},
"type": "InstallAgent"
}
]
},
{
"title": "Install agent on a non-Azure Linux Machine",
"description": "Download the agent on the relevant machine and follow the instructions.",
"instructions": [
{
"parameters": {
"linkType": "InstallAgentOnLinuxNonAzure"
},
"type": "InstallAgent"
}
]
}
]
},
"type": "InstructionStepsGroup"
}
],
"title": "1. Install and onboard the agent for Linux or Windows"
},
{
"instructions": [
{
"parameters": {
"title": "Choose where to install the Windows agent:",
"instructionSteps": [
{
"title": "Install agent on Azure Windows Virtual Machine",
"description": "Select the machine to install the agent on and then click **Connect**.",
"instructions": [
{
"parameters": {
"linkType": "InstallAgentOnVirtualMachine"
},
"type": "InstallAgent"
}
]
},
{
"title": "Install agent on a non-Azure Windows Machine",
"description": "Download the agent on the relevant machine and follow the instructions.",
"instructions": [
{
"parameters": {
"linkType": "InstallAgentOnNonAzure"
},
"type": "InstallAgent"
}
]
}
]
},
"type": "InstructionStepsGroup"
}
]
},
{
"description": "Configure the facilities you want to collect and their severities.\n\n1. Under workspace advanced settings **Configuration**, select **Data** and then **Syslog**.\n2. Select **Apply below configuration to my machines** and select the facilities and severities.\n3. Click **Save**.",
"instructions": [
{
"parameters": {
"linkType": "OpenSyslogSettings"
},
"type": "InstallAgent"
}
],
"title": "2. Configure the logs to be collected"
},
{
"description": "OpenVPN server logs are written into common syslog file (depending on the Linux distribution used: e.g. /var/log/messages)",
"title": "3. Check your OpenVPN logs."
}
],
"metadata": {
"id": "67650481-6078-457a-9056-c5b7883fb9f9",
"version": "1.0.0",
"kind": "dataConnector",
"source": {
"kind": "solution"
},
"author": {
"name": "Microsoft"
},
"support": {
"name": "Microsoft",
"link": "https://support.microsoft.com/",
"tier": "Microsoft"
}
}
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
"properties": {
"parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
"contentId": "[variables('_dataConnectorContentId1')]",
"kind": "DataConnector",
"version": "[variables('dataConnectorVersion1')]",
"source": {
"kind": "Solution",
"name": "OpenVPN",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}
}
]
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
"dependsOn": [
"[variables('_dataConnectorId1')]"
],
"location": "[parameters('workspace-location')]",
"properties": {
"parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
"contentId": "[variables('_dataConnectorContentId1')]",
"kind": "DataConnector",
"version": "[variables('dataConnectorVersion1')]",
"source": {
"kind": "Solution",
"name": "OpenVPN",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}
},
{
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
"apiVersion": "2021-03-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"location": "[parameters('workspace-location')]",
"kind": "GenericUI",
"properties": {
"connectorUiConfig": {
"title": "OpenVPN Server",
"publisher": "OpenVPN",
"descriptionMarkdown": "The [OpenVPN](https://github.com/OpenVPN) data connector provides the capability to ingest OpenVPN Server logs into Microsoft Sentinel.",
"graphQueries": [
{
"metricName": "Total data received",
"legend": "OpenVPN",
"baseQuery": "OpenVpnEvent"
}
],
"dataTypes": [
{
"name": "Syslog(OpenVPN)",
"lastDataReceivedQuery": "OpenVpnEvent\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"OpenVpnEvent\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
}
],
"sampleQueries": [
{
"description": "Top 10 Sources",
"query": "OpenVpnEvent\n | summarize count() by tostring(SrcIpAddr)\n | top 10 by count_"
}
],
"availability": {
"status": 1,
"isPreview": false
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "write permission is required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"delete": true
}
}
]
},
"instructionSteps": [
{
"description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**OpenVpnEvent**](https://aka.ms/sentinel-openvpn-parser) which is deployed with the Microsoft Sentinel Solution."
},
{
"description": "Install the agent on the Server where the OpenVPN are forwarded.\n\n> Logs from OpenVPN Server deployed on Linux or Windows servers are collected by **Linux** or **Windows** agents.",
"instructions": [
{
"parameters": {
"title": "Choose where to install the Linux agent:",
"instructionSteps": [
{
"title": "Install agent on Azure Linux Virtual Machine",
"description": "Select the machine to install the agent on and then click **Connect**.",
"instructions": [
{
"parameters": {
"linkType": "InstallAgentOnLinuxVirtualMachine"
},
"type": "InstallAgent"
}
]
},
{
"title": "Install agent on a non-Azure Linux Machine",
"description": "Download the agent on the relevant machine and follow the instructions.",
"instructions": [
{
"parameters": {
"linkType": "InstallAgentOnLinuxNonAzure"
},
"type": "InstallAgent"
}
]
}
]
},
"type": "InstructionStepsGroup"
}
],
"title": "1. Install and onboard the agent for Linux or Windows"
},
{
"instructions": [
{
"parameters": {
"title": "Choose where to install the Windows agent:",
"instructionSteps": [
{
"title": "Install agent on Azure Windows Virtual Machine",
"description": "Select the machine to install the agent on and then click **Connect**.",
"instructions": [
{
"parameters": {
"linkType": "InstallAgentOnVirtualMachine"
},
"type": "InstallAgent"
}
]
},
{
"title": "Install agent on a non-Azure Windows Machine",
"description": "Download the agent on the relevant machine and follow the instructions.",
"instructions": [
{
"parameters": {
"linkType": "InstallAgentOnNonAzure"
},
"type": "InstallAgent"
}
]
}
]
},
"type": "InstructionStepsGroup"
}
]
},
{
"description": "Configure the facilities you want to collect and their severities.\n\n1. Under workspace advanced settings **Configuration**, select **Data** and then **Syslog**.\n2. Select **Apply below configuration to my machines** and select the facilities and severities.\n3. Click **Save**.",
"instructions": [
{
"parameters": {
"linkType": "OpenSyslogSettings"
},
"type": "InstallAgent"
}
],
"title": "2. Configure the logs to be collected"
},
{
"description": "OpenVPN server logs are written into common syslog file (depending on the Linux distribution used: e.g. /var/log/messages)",
"title": "3. Check your OpenVPN logs."
}
],
"id": "[variables('_uiConfigId1')]",
"additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**OpenVpnEvent**](https://aka.ms/sentinel-openvpn-parser) which is deployed with the Microsoft Sentinel Solution."
}
}
},
{
"type": "Microsoft.Resources/templateSpecs",
"apiVersion": "2021-05-01",
"name": "[variables('parserTemplateSpecName1')]",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
"hidden-sentinelContentType": "Parser"
},
"properties": {
"description": "OpenVPNEvent Data Parser with template",
"displayName": "OpenVPNEvent Data Parser template"
}
},
{
"type": "Microsoft.Resources/templateSpecs/versions",
"apiVersion": "2021-05-01",
"name": "[concat(variables('parserTemplateSpecName1'),'/',variables('parserVersion1'))]",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
"hidden-sentinelContentType": "Parser"
},
"dependsOn": [
"[resourceId('Microsoft.Resources/templateSpecs', variables('parserTemplateSpecName1'))]"
],
"properties": {
"description": "OpenVPNEvent Data Parser with template version 2.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserVersion1')]",
"parameters": {},
"variables": {},
"resources": [
{
"name": "[variables('_parserName1')]",
"apiVersion": "2020-08-01",
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
"location": "[parameters('workspace-location')]",
"properties": {
"eTag": "*",
"displayName": "OpenVPNEvent",
"category": "Samples",
"functionAlias": "OpenVPNEvent",
"query": "\nlet EventData = Syslog\r\n| where ProcessName == \"openvpn\"\r\n| extend EventVendor = \"OpenVPN\"\r\n ,EventProduct = \"OpenVPN\"\r\n ,EventCount = int(1)\r\n| project-rename EventSeverity=SeverityLevel\r\n;\r\nlet ovpn_t1 = EventData\r\n| where SyslogMessage matches regex @\"\\A\\w+/\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}:\\d{1,5}\"\r\n| extend SrcUsername = extract(@\"\\A(\\w+)/\", 1, SyslogMessage)\r\n ,SrcIpAddr = extract(@\"\\A\\w+/(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\", 1, SyslogMessage)\r\n ,SrcPortNumber = extract(@\"\\A\\w+/\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}:(\\d{1,5})\", 1, SyslogMessage)\r\n ,EventType = extract(@\"\\A\\w+/\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}:\\d{1,5}\\s+(.*?)[:,]\", 1, SyslogMessage)\r\n ,EventMessage = extract(@\"\\A\\w+/\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\:\\d{1,5}\\s+(.*?)[:,]\\s+(.*)\", 2, SyslogMessage)\r\n| project-away SyslogMessage\r\n;\r\nlet ovpn_t2 = EventData\r\n| where SyslogMessage matches regex @\"\\A\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}:\\d{1,5}\"\r\n| extend SrcIpAddr = extract(@\"\\A(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\", 1, SyslogMessage)\r\n ,SrcPortNumber = extract(@\"\\A\\w+/\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}:(\\d{1,5})\", 1, SyslogMessage)\r\n ,EventType = extract(@\"\\A\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}:\\d{1,5}\\s+(.*?)[:,]\", 1, SyslogMessage)\r\n ,EventMessage = extract(@\"\\A\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}:\\d{1,5}\\s+(.*?)[:,]\\s+(.*)\", 2, SyslogMessage)\r\n| project-away SyslogMessage\r\n;\r\nunion isfuzzy=false ovpn_t1, ovpn_t2",
"version": 1,
"tags": [
{
"name": "description",
"value": "OpenVPNEvent"
}
]
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]",
"dependsOn": [
"[variables('_parserName1')]"
],
"properties": {
"parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]",
"contentId": "[variables('_parserContentId1')]",
"kind": "Parser",
"version": "[variables('parserVersion1')]",
"source": {
"name": "OpenVPN",
"kind": "Solution",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}
}
]
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
"apiVersion": "2021-06-01",
"name": "[variables('_parserName1')]",
"location": "[parameters('workspace-location')]",
"properties": {
"eTag": "*",
"displayName": "OpenVPNEvent",
"category": "Samples",
"functionAlias": "OpenVPNEvent",
"query": "\nlet EventData = Syslog\r\n| where ProcessName == \"openvpn\"\r\n| extend EventVendor = \"OpenVPN\"\r\n ,EventProduct = \"OpenVPN\"\r\n ,EventCount = int(1)\r\n| project-rename EventSeverity=SeverityLevel\r\n;\r\nlet ovpn_t1 = EventData\r\n| where SyslogMessage matches regex @\"\\A\\w+/\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}:\\d{1,5}\"\r\n| extend SrcUsername = extract(@\"\\A(\\w+)/\", 1, SyslogMessage)\r\n ,SrcIpAddr = extract(@\"\\A\\w+/(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\", 1, SyslogMessage)\r\n ,SrcPortNumber = extract(@\"\\A\\w+/\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}:(\\d{1,5})\", 1, SyslogMessage)\r\n ,EventType = extract(@\"\\A\\w+/\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}:\\d{1,5}\\s+(.*?)[:,]\", 1, SyslogMessage)\r\n ,EventMessage = extract(@\"\\A\\w+/\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\:\\d{1,5}\\s+(.*?)[:,]\\s+(.*)\", 2, SyslogMessage)\r\n| project-away SyslogMessage\r\n;\r\nlet ovpn_t2 = EventData\r\n| where SyslogMessage matches regex @\"\\A\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}:\\d{1,5}\"\r\n| extend SrcIpAddr = extract(@\"\\A(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\", 1, SyslogMessage)\r\n ,SrcPortNumber = extract(@\"\\A\\w+/\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}:(\\d{1,5})\", 1, SyslogMessage)\r\n ,EventType = extract(@\"\\A\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}:\\d{1,5}\\s+(.*?)[:,]\", 1, SyslogMessage)\r\n ,EventMessage = extract(@\"\\A\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}:\\d{1,5}\\s+(.*?)[:,]\\s+(.*)\", 2, SyslogMessage)\r\n| project-away SyslogMessage\r\n;\r\nunion isfuzzy=false ovpn_t1, ovpn_t2",
"version": 1
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"location": "[parameters('workspace-location')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]",
"dependsOn": [
"[variables('_parserId1')]"
],
"properties": {
"parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]",
"contentId": "[variables('_parserContentId1')]",
"kind": "Parser",
"version": "[variables('parserVersion1')]",
"source": {
"kind": "Solution",
"name": "OpenVPN",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
"version": "2.0.0",
"kind": "Solution",
"contentSchemaVersion": "2.0.0",
"contentId": "[variables('_solutionId')]",
"parentId": "[variables('_solutionId')]",
"source": {
"kind": "Solution",
"name": "OpenVPN",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
},
"dependencies": {
"operator": "AND",
"criteria": [
{
"kind": "DataConnector",
"contentId": "[variables('_dataConnectorContentId1')]",
"version": "[variables('dataConnectorVersion1')]"
},
{
"kind": "Parser",
"contentId": "[variables('_parserContentId1')]",
"version": "[variables('parserVersion1')]"
}
]
},
"firstPublishDate": "2022-08-18",
"providers": [
"OpenVPN"
],
"categories": {
"domains": [
"Networking"
]
}
},
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]"
}
],
"outputs": {}
}
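Review bot: In the parser query on line 665 (duplicated verbatim on line 718), the `ovpn_t2` branch extracts `SrcPortNumber` with a pattern that still begins `\\A\\w+/`, i.e. it requires the `user/` prefix that this branch's `where` clause explicitly excludes, so `SrcPortNumber` is always empty for messages that start with the bare IP address; the pattern should start like the neighbouring `SrcIpAddr` extract, `@\"\\A\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}:(\\d{1,5})\"`. Separately, the data connector's `baseQuery`, `sampleQueries`, `lastDataReceivedQuery` and `connectivityCriterias` (lines 250-269 and 480-500) invoke `OpenVpnEvent`, while the saved search is registered with `functionAlias` `OpenVPNEvent` on lines 664 and 717 and the UI text on line 117 also says `OpenVPNEvent`; Kusto function names are case-sensitive, so the connector's health and sample queries will not resolve to the deployed parser unless both spellings are aligned. Note also that the `\r\n` line endings inside the query string are mixed with `\n` (first character and the `| where isnotempty(Time)` queries), which is tolerated by Kusto but makes diffs of future parser updates noisy.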


@ -0,0 +1,15 @@
{
"publisherId": "azuresentinel",
"offerId": "azure-sentinel-solution-openvpn",
"firstPublishDate": "2022-08-18",
"providers": ["OpenVPN"],
"categories": {
"domains" : ["Networking"]
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}
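Review bot: `firstPublishDate`, `providers`, `categories` and `support` on lines 814-824 repeat values that also appear in the generated mainTemplate.json (lines 771-776 and 792-800); if this file is the input the packaging tool reads that duplication is expected, but any later edit here needs a regeneration of the package so the two copies do not drift. The `"domains" : [...]` spacing on line 817 also differs from the `"key": value` form used everywhere else in the file, which a formatter pass (`jq .` or `python -m json.tool`) would normalize.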