Fixing bugs for Gitlab and sophos XG
Родитель
fb76e1aea0
Коммит
86b4938459
|
@ -1,5 +1,5 @@
|
|||
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|
||||
|-------------|--------------------------------|----------------------------------------------------------------------------|
|
||||
| 3.0.0 | 07-11-2023 | Changes for rebranding from Azure Active Directory to Microsoft Entra ID |
|
||||
| 3.0.0 | 07-11-2023 | Modifying text as there is rebranding from Azure Active Directory to Microsoft Entra ID |
|
||||
|
||||
|
||||
|
|
|
@ -1,124 +1,123 @@
|
|||
{
|
||||
{
|
||||
"id": "SophosXGFirewall",
|
||||
"title": "Sophos XG Firewall",
|
||||
"publisher": "Sophos",
|
||||
"descriptionMarkdown": "The [Sophos XG Firewall](https://www.sophos.com/products/next-gen-firewall.aspx) allows you to easily connect your Sophos XG Firewall logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigations. Integrating Sophos XG Firewall with Microsoft Sentinel provides more visibility into your organization's firewall traffic and will enhance security monitoring capabilities.",
|
||||
"additionalRequirementBanner":"These queries are dependent on a parser based on a Kusto Function deployed as part of the solution.",
|
||||
"graphQueries": [
|
||||
{
|
||||
"metricName": "Total data received",
|
||||
"legend": "Sophos",
|
||||
"baseQuery": "SophosXGFirewall"
|
||||
}
|
||||
],
|
||||
"sampleQueries": [
|
||||
{
|
||||
"description" : "Top 10 Denied Source IPs",
|
||||
"query": "SophosXGFirewall \n| where Log_Type == \"Firewall\" and Status == \"Deny\" \n| summarize count() by Src_IP \n| top 10 by count_"
|
||||
"title": "Sophos XG Firewall",
|
||||
"publisher": "Sophos",
|
||||
"descriptionMarkdown": "The [Sophos XG Firewall](https://www.sophos.com/products/next-gen-firewall.aspx) allows you to easily connect your Sophos XG Firewall logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigations. Integrating Sophos XG Firewall with Microsoft Sentinel provides more visibility into your organization's firewall traffic and will enhance security monitoring capabilities.",
|
||||
"additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution.",
|
||||
"graphQueries": [
|
||||
{
|
||||
"metricName": "Total data received",
|
||||
"legend": "Sophos",
|
||||
"baseQuery": "SophosXGFirewall"
|
||||
}
|
||||
],
|
||||
"sampleQueries": [
|
||||
{
|
||||
"description": "Top 10 Denied Source IPs",
|
||||
"query": "SophosXGFirewall \n| where Log_Type == \"Firewall\" and Status == \"Deny\" \n| summarize count() by Src_IP \n| top 10 by count_"
|
||||
},
|
||||
{
|
||||
"description" : "Top 10 Denied Destination IPs",
|
||||
"query": "SophosXGFirewall \n| where Log_Type == \"Firewall\" and Status == \"Deny\" \n| summarize count() by Dst_IP \n| top 10 by count_"
|
||||
"description": "Top 10 Denied Destination IPs",
|
||||
"query": "SophosXGFirewall \n| where Log_Type == \"Firewall\" and Status == \"Deny\" \n| summarize count() by Dst_IP \n| top 10 by count_"
|
||||
}
|
||||
],
|
||||
"dataTypes": [
|
||||
{
|
||||
"name": "Syslog (SophosXGFirewall)",
|
||||
"lastDataReceivedQuery": "SophosXGFirewall \n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
|
||||
}
|
||||
],
|
||||
"connectivityCriterias": [
|
||||
{
|
||||
"type": "IsConnectedQuery",
|
||||
"value": [
|
||||
"SophosXGFirewall \n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
|
||||
]
|
||||
}
|
||||
],
|
||||
"availability": {
|
||||
"status": 1,
|
||||
"isPreview": false
|
||||
},
|
||||
"permissions": {
|
||||
"resourceProvider": [
|
||||
{
|
||||
"provider": "Microsoft.OperationalInsights/workspaces",
|
||||
"permissionsDisplayText": "write permission is required.",
|
||||
"providerDisplayName": "Workspace",
|
||||
"scope": "Workspace",
|
||||
"requiredPermissions": {
|
||||
"write": true,
|
||||
"delete": true
|
||||
}
|
||||
}
|
||||
],
|
||||
"customs": [
|
||||
"dataTypes": [
|
||||
{
|
||||
"name": "Sophos XG Firewall",
|
||||
"description": "must be configured to export logs via Syslog"
|
||||
"name": "Syslog (SophosXGFirewall)",
|
||||
"lastDataReceivedQuery": "SophosXGFirewall \n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
|
||||
}
|
||||
]
|
||||
},
|
||||
"instructionSteps": [
|
||||
{
|
||||
"title": "",
|
||||
],
|
||||
"connectivityCriterias": [
|
||||
{
|
||||
"type": "IsConnectedQuery",
|
||||
"value": [
|
||||
"SophosXGFirewall \n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
|
||||
]
|
||||
}
|
||||
],
|
||||
"availability": {
|
||||
"status": 1,
|
||||
"isPreview": false
|
||||
},
|
||||
"permissions": {
|
||||
"resourceProvider": [
|
||||
{
|
||||
"provider": "Microsoft.OperationalInsights/workspaces",
|
||||
"permissionsDisplayText": "write permission is required.",
|
||||
"providerDisplayName": "Workspace",
|
||||
"scope": "Workspace",
|
||||
"requiredPermissions": {
|
||||
"write": true,
|
||||
"delete": true
|
||||
}
|
||||
}
|
||||
],
|
||||
"customs": [
|
||||
{
|
||||
"name": "Sophos XG Firewall",
|
||||
"description": "must be configured to export logs via Syslog"
|
||||
}
|
||||
]
|
||||
},
|
||||
"instructionSteps": [
|
||||
{
|
||||
"title": "",
|
||||
"description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias Sophos XG Firewall and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Sophos%20XG%20Firewall/Parsers/SophosXGFirewall.txt), on the second line of the query, enter the hostname(s) of your Sophos XG Firewall device(s) and any other unique identifiers for the logstream. The function usually takes 10-15 minutes to activate after solution installation/update.",
|
||||
"instructions": [
|
||||
]
|
||||
},
|
||||
{
|
||||
"title": "1. Install and onboard the agent for Linux",
|
||||
"description": "Typically, you should install the agent on a different computer from the one on which the logs are generated.\n\n> Syslog logs are collected only from **Linux** agents.",
|
||||
"instructions": [
|
||||
{
|
||||
"parameters": {
|
||||
"title": "Choose where to install the agent:",
|
||||
"instructionSteps": [
|
||||
{
|
||||
"title": "Install agent on Azure Linux Virtual Machine",
|
||||
"description": "Select the machine to install the agent on and then click **Connect**.",
|
||||
"instructions": [
|
||||
{
|
||||
"parameters": {
|
||||
"linkType": "InstallAgentOnLinuxVirtualMachine"
|
||||
},
|
||||
"type": "InstallAgent"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"title": "Install agent on a non-Azure Linux Machine",
|
||||
"description": "Download the agent on the relevant machine and follow the instructions.",
|
||||
"instructions": [
|
||||
{
|
||||
"parameters": {
|
||||
"linkType": "InstallAgentOnLinuxNonAzure"
|
||||
},
|
||||
"type": "InstallAgent"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
},
|
||||
"type": "InstructionStepsGroup"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"title": "2. Configure the logs to be collected",
|
||||
"instructions": []
|
||||
},
|
||||
{
|
||||
"title": "1. Install and onboard the agent for Linux",
|
||||
"description": "Typically, you should install the agent on a different computer from the one on which the logs are generated.\n\n> Syslog logs are collected only from **Linux** agents.",
|
||||
"instructions": [
|
||||
{
|
||||
"parameters": {
|
||||
"title": "Choose where to install the agent:",
|
||||
"instructionSteps": [
|
||||
{
|
||||
"title": "Install agent on Azure Linux Virtual Machine",
|
||||
"description": "Select the machine to install the agent on and then click **Connect**.",
|
||||
"instructions": [
|
||||
{
|
||||
"parameters": {
|
||||
"linkType": "InstallAgentOnLinuxVirtualMachine"
|
||||
},
|
||||
"type": "InstallAgent"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"title": "Install agent on a non-Azure Linux Machine",
|
||||
"description": "Download the agent on the relevant machine and follow the instructions.",
|
||||
"instructions": [
|
||||
{
|
||||
"parameters": {
|
||||
"linkType": "InstallAgentOnLinuxNonAzure"
|
||||
},
|
||||
"type": "InstallAgent"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
},
|
||||
"type": "InstructionStepsGroup"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"title": "2. Configure the logs to be collected",
|
||||
"description": "Configure the facilities you want to collect and their severities.\n 1. Under workspace advanced settings **Configuration**, select **Data** and then **Syslog**.\n 2. Select **Apply below configuration to my machines** and select the facilities and severities.\n 3. Click **Save**.",
|
||||
"instructions": [
|
||||
{
|
||||
"parameters": {
|
||||
"parameters": {
|
||||
"linkType": "OpenSyslogSettings"
|
||||
},
|
||||
"type": "InstallAgent"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"title": "3. Configure and connect the Sophos XG Firewall",
|
||||
"description":"[Follow these instructions](https://community.sophos.com/kb/123184#How%20to%20configure%20the%20Syslog%20Server) to enable syslog streaming. Use the IP address or hostname for the Linux device with the Linux agent installed as the Destination IP address."
|
||||
}
|
||||
]
|
||||
}
|
||||
{
|
||||
"title": "3. Configure and connect the Sophos XG Firewall",
|
||||
"description": "[Follow these instructions](https://doc.sophos.com/nsg/sophos-firewall/20.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/SystemServices/LogSettings/SyslogServerAdd/index.html) to enable syslog streaming. Use the IP address or hostname for the Linux device with the Linux agent installed as the Destination IP address."
|
||||
}
|
||||
]
|
||||
}
|
|
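Review bot: In the rebuilt step `2. Configure the logs to be collected`, two consecutive `"parameters": {` lines precede `"linkType": "OpenSyslogSettings"` but only one `},` closes them before `"type": "InstallAgent"`; if both lines are on the new side the braces do not balance and the connector file will not parse. This may be a rendering artefact of the changed indentation, so run the file through a strict JSON parser before merging. The step-3 description now links a version-pinned Sophos help page (`.../sophos-firewall/20.0/Help/...`), which will go stale as firmware releases move on; if Sophos publishes an unversioned alias, that would age better, otherwise a note of which release the steps were written against would help. The release-notes row added in this commit records only the Entra ID rebranding and not the new step-2 instructions or the changed Sophos link.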
@ -2,23 +2,23 @@
|
|||
"Name": "Sophos XG Firewall",
|
||||
"Author": "SophosXGFirewall",
|
||||
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/sophos_logo.svg\"width=\"75px\"height=\"75px\">",
|
||||
"Description": "The [Sophos XG Firewall](https://www.sophos.com/products/next-gen-firewall) solution for Microsoft Sentinel enables you to ingest Sophos XG Firewall logs into Microsoft Sentinel.\n \n **Underlying Microsoft Technologies used:** \r \n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n \n a. [Agent-based log collection (Syslog)](https://docs.microsoft.com/azure/sentinel/connect-syslog)",
|
||||
"Data Connectors": [
|
||||
"Description": "The [Sophos XG Firewall](https://www.sophos.com/products/next-gen-firewall) solution for Microsoft Sentinel enables you to ingest Sophos XG Firewall logs into Microsoft Sentinel.\n \n **Underlying Microsoft Technologies used:** \r \n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n \n a. [Agent-based log collection (Syslog)](https://docs.microsoft.com/azure/sentinel/connect-syslog)",
|
||||
"Data Connectors": [
|
||||
"Data Connectors/Connector_Syslog_SophosXGFirewall.json"
|
||||
],
|
||||
"Analytic Rules": [
|
||||
"Analytic Rules/ExcessiveAmountofDeniedConnectionsfromASingleSource.yaml",
|
||||
"Analytic Rules/PortScanDetected.yaml"
|
||||
"Analytic Rules": [
|
||||
"Analytic Rules/ExcessiveAmountofDeniedConnectionsfromASingleSource.yaml",
|
||||
"Analytic Rules/PortScanDetected.yaml"
|
||||
],
|
||||
"Workbooks": [
|
||||
"Workbooks/SophosXGFirewall.json"
|
||||
"Workbooks/SophosXGFirewall.json"
|
||||
],
|
||||
"Parsers": [
|
||||
"Parsers/SophosXGFirewall.txt"
|
||||
"Parsers/SophosXGFirewall.yaml"
|
||||
],
|
||||
"Metadata": "SolutionMetadata.json",
|
||||
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Sophos XG Firewall",
|
||||
"Version": "2.0.1",
|
||||
"Version": "3.0.0",
|
||||
"TemplateSpec": true,
|
||||
"Is1Pconnector": false
|
||||
}
|
||||
}
|
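Review bot: `Parsers` now points at `Parsers/SophosXGFirewall.yaml`, but the data connector in this same commit still tells users to load the function code from `.../Parsers/SophosXGFirewall.txt` (the first instruction step's description), so the two references will drift unless the connector link is updated or the `.txt` file is kept alongside the new one. The `Version` bump to `3.0.0` matches the release-notes row. `BasePath` is an unchanged context line, but a contributor-specific absolute path (`C:\\GitHub\\Azure-Sentinel\\...`) in a committed manifest is worth replacing with a repository-relative value in a follow-up.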
Двоичные данные
Solutions/Sophos XG Firewall/Package/2.0.1.zip
Двоичные данные
Solutions/Sophos XG Firewall/Package/2.0.1.zip
|
@ -0,0 +1,32 @@
|
|||
{
|
||||
"location": {
|
||||
"type": "string",
|
||||
"minLength": 1,
|
||||
"defaultValue": "[resourceGroup().location]",
|
||||
"metadata": {
|
||||
"description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
|
||||
}
|
||||
},
|
||||
"workspace-location": {
|
||||
"type": "string",
|
||||
"defaultValue": "",
|
||||
"metadata": {
|
||||
"description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
|
||||
}
|
||||
},
|
||||
"workspace": {
|
||||
"defaultValue": "",
|
||||
"type": "string",
|
||||
"metadata": {
|
||||
"description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
|
||||
}
|
||||
},
|
||||
"workbook1-name": {
|
||||
"type": "string",
|
||||
"defaultValue": "Sophos XG Firewall",
|
||||
"minLength": 1,
|
||||
"metadata": {
|
||||
"description": "Name for the workbook"
|
||||
}
|
||||
}
|
||||
}
|
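Review bot: `workspace` is the only parameter here without `"minLength": 1`, while `location` and `workbook1-name` both have it; with `"defaultValue": ""` an empty workspace name passes parameter validation and only fails at deployment. Adding `"minLength": 1` to `workspace` keeps the constraints consistent across the file. If this file is the arm-ttk test-parameters fixture rather than a deployable template, the empty default may be deliberate, in which case saying so in its `description` would help the next reader.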