Merge branch 'master' into v-rusraut/CustomSolnOMSMigration

.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json

@@ -246,5 +246,6 @@
   "CefAma",
   "WindowsFirewallAma",
   "1Password",
-  "RadiflowIsid"
+  "RadiflowIsid",
+  "CustomLogsAma"
 ]

DataConnectors/O365 Data/readme.md

@@ -10,7 +10,7 @@ The Office 365 data connector in Azure Sentinel supports ongoing user and admin
 
 | Content Type | Description | Azure Sentinel Mapping |
 | ------------ | ----------- | ---------------------- |
-| Audit.AzureActiveDirectory | Azure Active Directory logs that’s relates to Office 365 only | Supported with the default connector for [Office 365](https://docs.microsoft.com/azure/sentinel/connect-office-365) in Azure Sentinel |
+| Audit.AzureActiveDirectory | Microsoft Entra ID logs that’s relates to Office 365 only | Supported with the default connector for [Office 365](https://docs.microsoft.com/azure/sentinel/connect-office-365) in Azure Sentinel |
 | Audit.Exchange | User and Admin Activities in Exchange Online | Supported with the default connector for [Office 365](https://docs.microsoft.com/azure/sentinel/connect-office-365) in Azure Sentinel |
 | Audit.SharePoint | User and Admin Activities in SharePoint Online | Supported with the default connector for [Office 365](https://docs.microsoft.com/azure/sentinel/connect-office-365) in Azure Sentinel |
 | Audit.General | Includes all other workloads not included in the previous content types | Not supported with the default connector for Office 365 in Azure Sentinel |

DataConnectors/microsoft-sentinel-log-analytics-logstash-output-plugin/CHANGELOG.md

@@ -1,5 +1,8 @@
-## 1.0.0
+## 1.1.3
-* Initial release for output plugin for logstash to Microsoft Sentinel. This is done with the Log Analytics DCR based API.
+* Replace the library rest-client used for connecting with Azure to excon.
+
+## 1.1.1
+* Support China and US Government Azure sovereign clouds.
 
 ## 1.1.0 
 * Increase timeout for read/open connections to 120 seconds.
@@ -9,6 +12,5 @@
 * Upgrade version for ingestion api to 2023-01-01.
 * Rename the plugin to microsoft-sentinel-log-analytics-logstash-output-plugin.
 
-## 1.1.1
+## 1.0.0
-* Support China and US Government Azure sovereign clouds.
+* Initial release for output plugin for logstash to Microsoft Sentinel. This is done with the Log Analytics DCR based API.
-* Increase timeout for read/open connections to 240 seconds.

DataConnectors/microsoft-sentinel-log-analytics-logstash-output-plugin/README.md

@@ -27,7 +27,7 @@ If you do not have a direct internet connection, you can install the plugin to a
 Microsoft Sentinel's Logstash output plugin supports the following versions
 - 7.0 - 7.17.13
 - 8.0 - 8.9
-- 8.11 - 8.13
+- 8.11 - 8.14
 
 Please note that when using Logstash 8, it is recommended to disable ECS in the pipeline. For more information refer to [Logstash documentation.](<https://www.elastic.co/guide/en/logstash/8.4/ecs-ls.html>)
 

DataConnectors/microsoft-sentinel-log-analytics-logstash-output-plugin/lib/logstash/sentinel_la/logAnalyticsAadTokenProvider.rb

@@ -1,10 +1,10 @@
 # encoding: utf-8
 require "logstash/sentinel_la/logstashLoganalyticsConfiguration"
-require 'rest-client'
 require 'json'
 require 'openssl'
 require 'base64'
 require 'time'
+require 'excon'
 
 module LogStash; module Outputs; class MicrosoftSentinelOutputInternal
 class LogAnalyticsAadTokenProvider
@@ -64,14 +64,13 @@ class LogAnalyticsAadTokenProvider
     while true
       begin
         # Post REST request 
-        response = RestClient::Request.execute(method: :post, url: @token_request_uri, payload: @token_request_body, headers: headers,
+        response = Excon.post(@token_request_uri, :body => @token_request_body, :headers => headers, :proxy => @logstashLoganalyticsConfiguration.proxy_aad, expects: [200, 201])
-                                              proxy: @logstashLoganalyticsConfiguration.proxy_aad)
 
-        if (response.code == 200 || response.code == 201)
+        if (response.status == 200 || response.status == 201)
           return JSON.parse(response.body)
         end
-      rescue RestClient::ExceptionWithResponse => ewr
+      rescue Excon::Error::HTTPStatus => ex
-        @logger.error("Exception while authenticating with AAD API ['#{ewr.response}']")          
+        @logger.error("Error while authenticating with AAD [#{ex.class}: '#{ex.response.status}', Response: '#{ex.response.body}']")
       rescue Exception => ex          
         @logger.trace("Exception while authenticating with AAD API ['#{ex}']")
       end

DataConnectors/microsoft-sentinel-log-analytics-logstash-output-plugin/lib/logstash/sentinel_la/logAnalyticsClient.rb

@@ -1,11 +1,11 @@
 # encoding: utf-8
 require "logstash/sentinel_la/version"
-require 'rest-client'
 require 'json'
 require 'openssl'
 require 'base64'
 require 'time'
 require 'rbconfig'
+require 'excon'
 
 module LogStash; module Outputs; class MicrosoftSentinelOutputInternal 
 class LogAnalyticsClient
@@ -22,28 +22,78 @@ require "logstash/sentinel_la/logAnalyticsAadTokenProvider"
     @uri = sprintf("%s/dataCollectionRules/%s/streams/%s?api-version=%s",@logstashLoganalyticsConfiguration.data_collection_endpoint, @logstashLoganalyticsConfiguration.dcr_immutable_id, logstashLoganalyticsConfiguration.dcr_stream_name, la_api_version)
     @aadTokenProvider=LogAnalyticsAadTokenProvider::new(logstashLoganalyticsConfiguration)
     @userAgent = getUserAgent()
+    
+    # Auto close connection after 60 seconds of inactivity
+    @connectionAutoClose = {
+      :last_use => Time.now,
+      :lock => Mutex.new,
+      :max_idel_time => 60,
+      :is_closed => true
+    }
+
+    @timer = Thread.new do
+      loop do
+        sleep @connectionAutoClose[:max_idel_time] / 2
+        if is_connection_stale?
+          @connectionAutoClose[:lock].synchronize do
+            if is_connection_stale?
+              reset_connection
+            end
+          end
+        end
+      end
+    end
+
+   
   end # def initialize
 
   # Post the given json to Azure Loganalytics
   def post_data(body)
     raise ConfigError, 'no json_records' if body.empty?
+    response = nil
+    
+    @connectionAutoClose[:lock].synchronize do 
+      #close connection if its stale
+      if is_connection_stale?
+        reset_connection
+      end
+      if @connectionAutoClose[:is_closed]
+        open_connection
+      end
       
-    # Create REST request header
       headers = get_header()
-
       # Post REST request
+      response = @connection.request(method: :post, body: body, headers: headers)
+      @connectionAutoClose[:is_closed] = false
+      @connectionAutoClose[:last_use] = Time.now
+    end
+    return response
 
-    return RestClient::Request.execute(method: :post, url: @uri, payload: body, headers: headers,
-                                        proxy: @logstashLoganalyticsConfiguration.proxy_endpoint, timeout: 240)
   end # def post_data
 
   # Static function to return if the response is OK or else
   def self.is_successfully_posted(response)
-    return (response.code >= 200 && response.code < 300 ) ? true : false
+    return (response.status >= 200 && response.status < 300 ) ? true : false
   end # def self.is_successfully_posted
 
   private 
 
+  def open_connection
+    @connection = Excon.new(@uri, :persistent => true, :proxy => @logstashLoganalyticsConfiguration.proxy_endpoint, 
+          expects: [200, 201, 202, 204, 206, 207, 208, 226, 300, 301, 302, 303, 304, 305, 306, 307, 308],
+          read_timeout: 240, write_timeout: 240, connect_timeout: 240)
+    @logger.trace("Connection to Azure LogAnalytics was opened.");
+  end
+
+  def reset_connection
+    @connection.reset
+    @connectionAutoClose[:is_closed] = true    
+    @logger.trace("Connection to Azure LogAnalytics was closed due to inactivity.");
+  end
+
+  def is_connection_stale?
+    return Time.now - @connectionAutoClose[:last_use] > @connectionAutoClose[:max_idel_time] && !@connectionAutoClose[:is_closed]
+  end
   # Create a header for the given length 
   def get_header()
     # Getting an authorization token bearer (if the token is expired, the method will post a request to get a new authorization token)

DataConnectors/microsoft-sentinel-log-analytics-logstash-output-plugin/lib/logstash/sentinel_la/logStashEventsBatcher.rb

@@ -2,7 +2,7 @@
 
 require "logstash/sentinel_la/logAnalyticsClient"
 require "logstash/sentinel_la/logstashLoganalyticsConfiguration"
-
+require "excon"
 # LogStashAutoResizeBuffer class setting a resizable buffer which is flushed periodically
 # The buffer resize itself according to Azure Loganalytics  and configuration limitations
 module LogStash; module Outputs; class MicrosoftSentinelOutputInternal
@@ -59,34 +59,32 @@ class LogStashEventsBatcher
                     return
                 else
                     @logger.trace("Rest client response ['#{response}']")
-                    @logger.error("#{api_name} request failed. Error code: #{response.code} #{try_get_info_from_error_response(response)}")
+                    @logger.error("#{api_name} request failed. Error code: #{response.pree} #{try_get_info_from_error_response(response)}")
                 end
-            rescue RestClient::Exceptions::Timeout => eto
+                rescue Excon::Error::HTTPStatus => ewr
-                @logger.trace("Timeout exception ['#{eto.display}'] when posting data to #{api_name}. Rest client response ['#{eto.response.display}']. [amount_of_documents=#{amount_of_documents}]")
-                @logger.error("Timeout exception while posting data to #{api_name}. [Exception: '#{eto}'] [amount of documents=#{amount_of_documents}]'")
-                force_retry = true
-
-            rescue RestClient::ExceptionWithResponse => ewr
                     response = ewr.response
-                @logger.trace("Exception in posting data to #{api_name}. Rest client response ['#{ewr.response}']. [amount_of_documents=#{amount_of_documents} request payload=#{call_payload}]")
+                    @logger.trace("Exception in posting data to #{api_name}. Rest client response ['#{response}']. [amount_of_documents=#{amount_of_documents} request payload=#{call_payload}]")
-                @logger.error("Exception when posting data to #{api_name}. [Exception: '#{ewr}'] #{try_get_info_from_error_response(ewr.response)} [amount of documents=#{amount_of_documents}]'")
+                    @logger.error("Exception when posting data to #{api_name}. [Exception: '#{ewr.class}'] #{try_get_info_from_error_response(ewr.response)} [amount of documents=#{amount_of_documents}]'")
 
-                if ewr.http_code.to_f == 400
+                    if ewr.class ==  Excon::Error::BadRequest
-                    @logger.info("Not trying to resend since exception http code is #{ewr.http_code}")
+                        @logger.info("Not trying to resend since exception http code is 400")
                         return                
-                elsif ewr.http_code.to_f == 408
+                    elsif ewr.class ==  Excon::Error::RequestTimeout
                         force_retry = true
-                elsif ewr.http_code.to_f == 429
+                    elsif ewr.class ==  Excon::Error::TooManyRequests
                         # thrutteling detected, backoff before resending
-                    parsed_retry_after = response.headers.include?(:retry_after) ? response.headers[:retry_after].to_i : 0
+                        parsed_retry_after = response.data[:headers].include?('Retry-After') ? response.data[:headers]['Retry-After'].to_i : 0
                         seconds_to_sleep = parsed_retry_after > 0 ? parsed_retry_after : 30
 
                         #force another retry even if the next iteration of the loop will be after the retransmission_timeout
                         force_retry = true
                     end               
+                rescue Excon::Error::Socket => ex
+                    @logger.trace("Exception: '#{ex.class.name}]#{ex} in posting data to #{api_name}. [amount_of_documents=#{amount_of_documents}]'")
+                    force_retry = true
                 rescue Exception => ex
                     @logger.trace("Exception in posting data to #{api_name}.[amount_of_documents=#{amount_of_documents} request payload=#{call_payload}]")       
-                @logger.error("Exception in posting data to #{api_name}. [Exception: '#{ex}, amount of documents=#{amount_of_documents}]'")
+                    @logger.error("Exception in posting data to #{api_name}. [Exception: '[#{ex.class.name}]#{ex}, amount of documents=#{amount_of_documents}]'")
             end
             is_retry = true
             @logger.info("Retrying transmission to #{api_name} in #{seconds_to_sleep} seconds.")
@@ -110,8 +108,8 @@ class LogStashEventsBatcher
     def get_request_id_from_response(response)
         output =""
         begin
-            if !response.nil? && response.headers.include?(:x_ms_request_id)
+            if !response.nil? && response.data[:headers].include?("x-ms-request-id")
-                output += response.headers[:x_ms_request_id]
+                output += response.data[:headers]["x-ms-request-id"]
             end
         rescue Exception => ex
             @logger.debug("Error while getting reqeust id from success response headers: #{ex.display}")
@@ -124,12 +122,13 @@ class LogStashEventsBatcher
         begin
             output = ""
             if !response.nil?                
-                if response.headers.include?(:x_ms_error_code)
+                if response.data[:headers].include?("x-ms-error-code")
-                    output += " [ms-error-code header: #{response.headers[:x_ms_error_code]}]"
+                    output += " [ms-error-code header: #{response.data[:headers]["x-ms-error-code"]}]"
             end
-            if response.headers.include?(:x_ms_request_id)
+            if response.data[:headers].include?("x-ms-request-id")
-                output += " [x-ms-request-id header: #{response.headers[:x_ms_request_id]}]"
+                output += " [x-ms-request-id header: #{response.data[:headers]["x-ms-request-id"]}]"
             end
+            output += " [response body: #{response.data[:body]}]"            
         end        
             return output
         rescue Exception => ex

DataConnectors/microsoft-sentinel-log-analytics-logstash-output-plugin/lib/logstash/sentinel_la/version.rb

@@ -1,6 +1,6 @@
 module LogStash; module Outputs;
 class MicrosoftSentinelOutputInternal
-  VERSION_INFO = [1, 1, 1].freeze
+  VERSION_INFO = [1, 1, 3].freeze
   VERSION = VERSION_INFO.map(&:to_s).join('.').freeze
 
   def self.version

DataConnectors/microsoft-sentinel-log-analytics-logstash-output-plugin/microsoft-sentinel-log-analytics-logstash-output-plugin.gemspec

@@ -20,8 +20,8 @@ Gem::Specification.new do |s|
   s.metadata = { "logstash_plugin" => "true", "logstash_group" => "output" }
 
   # Gem dependencies
-  s.add_runtime_dependency "rest-client", ">= 2.1.0"
   s.add_runtime_dependency "logstash-core-plugin-api", ">= 1.60", "<= 2.99"
   s.add_runtime_dependency "logstash-codec-plain"
+  s.add_runtime_dependency "excon", ">= 0.88.0"
   s.add_development_dependency "logstash-devutils"
 end

Solutions/ApacheHTTPServer/Analytic Rules/ApacheCVE-2021-41773.yaml

@@ -8,6 +8,9 @@ requiredDataConnectors:
   - connectorId: ApacheHTTPServer
     dataTypes:
       - ApacheHTTPServer
+  - connectorId: CustomLogsAma
+    datatypes:
+      - ApacheHTTPServer_CL
 queryFrequency: 10m
 queryPeriod: 10m
 triggerOperator: gt
@@ -30,5 +33,5 @@ entityMappings:
     fieldMappings:
       - identifier: Url
         columnName: UrlCustomEntity
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled

Solutions/ApacheHTTPServer/Analytic Rules/ApacheCommandInURI.yaml

@@ -8,6 +8,9 @@ requiredDataConnectors:
   - connectorId: ApacheHTTPServer
     dataTypes:
       - ApacheHTTPServer
+  - connectorId: CustomLogsAma
+    datatypes:
+      - ApacheHTTPServer_CL
 queryFrequency: 15m
 queryPeriod: 15m
 triggerOperator: gt
@@ -27,5 +30,5 @@ entityMappings:
     fieldMappings:
       - identifier: Url
         columnName: UrlCustomEntity
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled

Solutions/ApacheHTTPServer/Analytic Rules/ApacheKnownMaliciousUserAgents.yaml

@@ -8,6 +8,9 @@ requiredDataConnectors:
   - connectorId: ApacheHTTPServer
     dataTypes:
       - ApacheHTTPServer
+  - connectorId: CustomLogsAma
+    datatypes:
+      - ApacheHTTPServer_CL
 queryFrequency: 10m
 queryPeriod: 10m
 triggerOperator: gt
@@ -27,5 +30,5 @@ entityMappings:
     fieldMappings:
       - identifier: Address
         columnName: IPCustomEntity
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled

Solutions/ApacheHTTPServer/Analytic Rules/ApacheMultipleClientErrorsFromSingleIP.yaml

@@ -8,6 +8,9 @@ requiredDataConnectors:
   - connectorId: ApacheHTTPServer
     dataTypes:
       - ApacheHTTPServer
+  - connectorId: CustomLogsAma
+    datatypes:
+      - ApacheHTTPServer_CL
 queryFrequency: 1h
 queryPeriod: 1h
 triggerOperator: gt
@@ -29,5 +32,5 @@ entityMappings:
     fieldMappings:
       - identifier: Address
         columnName: IPCustomEntity
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled

Solutions/ApacheHTTPServer/Analytic Rules/ApacheMultipleServerErrorsRequestsFromSingleIP.yaml

@@ -8,6 +8,9 @@ requiredDataConnectors:
   - connectorId: ApacheHTTPServer
     dataTypes:
       - ApacheHTTPServer
+  - connectorId: CustomLogsAma
+    datatypes:
+      - ApacheHTTPServer_CL
 queryFrequency: 1h
 queryPeriod: 1h
 triggerOperator: gt
@@ -31,5 +34,5 @@ entityMappings:
     fieldMappings:
       - identifier: Address
         columnName: IPCustomEntity
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled

Solutions/ApacheHTTPServer/Analytic Rules/ApachePrivateIpInUrl.yaml

@@ -8,6 +8,9 @@ requiredDataConnectors:
   - connectorId: ApacheHTTPServer
     dataTypes:
       - ApacheHTTPServer
+  - connectorId: CustomLogsAma
+    datatypes:
+      - ApacheHTTPServer_CL
 queryFrequency: 1h
 queryPeriod: 1h
 triggerOperator: gt
@@ -26,5 +29,5 @@ entityMappings:
     fieldMappings:
       - identifier: Url
         columnName: UrlCustomEntity
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled

Solutions/ApacheHTTPServer/Analytic Rules/ApachePutSuspiciousFiles.yaml

@@ -8,6 +8,9 @@ requiredDataConnectors:
   - connectorId: ApacheHTTPServer
     dataTypes:
       - ApacheHTTPServer
+  - connectorId: CustomLogsAma
+    datatypes:
+      - ApacheHTTPServer_CL
 queryFrequency: 1h
 queryPeriod: 1h
 triggerOperator: gt
@@ -35,5 +38,5 @@ entityMappings:
     fieldMappings:
       - identifier: Url
         columnName: UrlCustomEntity
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled

Solutions/ApacheHTTPServer/Analytic Rules/ApacheRequestFromPrivateIP.yaml

@@ -8,6 +8,9 @@ requiredDataConnectors:
   - connectorId: ApacheHTTPServer
     dataTypes:
       - ApacheHTTPServer
+  - connectorId: CustomLogsAma
+    datatypes:
+      - ApacheHTTPServer_CL
 queryFrequency: 1h
 queryPeriod: 1h
 triggerOperator: gt
@@ -28,5 +31,5 @@ entityMappings:
     fieldMappings:
       - identifier: Address
         columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled

Solutions/ApacheHTTPServer/Analytic Rules/ApacheRequestToRareFile.yaml

@@ -8,6 +8,9 @@ requiredDataConnectors:
   - connectorId: ApacheHTTPServer
     dataTypes:
       - ApacheHTTPServer
+  - connectorId: CustomLogsAma
+    datatypes:
+      - ApacheHTTPServer_CL
 queryFrequency: 1h
 queryPeriod: 14d
 triggerOperator: gt
@@ -38,5 +41,5 @@ entityMappings:
     fieldMappings:
       - identifier: Url
         columnName: UrlCustomEntity
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled

Solutions/ApacheHTTPServer/Analytic Rules/ApacheRequestToSensitiveFiles.yaml

@@ -8,6 +8,9 @@ requiredDataConnectors:
   - connectorId: ApacheHTTPServer
     dataTypes:
       - ApacheHTTPServer
+  - connectorId: CustomLogsAma
+    datatypes:
+      - ApacheHTTPServer_CL
 queryFrequency: 1h
 queryPeriod: 1h
 triggerOperator: gt
@@ -32,5 +35,5 @@ entityMappings:
     fieldMappings:
       - identifier: Url
         columnName: UrlCustomEntity
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled

Solutions/ApacheHTTPServer/Data Connectors/Connector_ApacheHTTPServer_agent.json

@@ -1,6 +1,6 @@
 {
     "id": "ApacheHTTPServer",
-    "title": "Apache HTTP Server",
+    "title": "[Deprecated] Apache HTTP Server",
     "publisher": "Apache",
     "descriptionMarkdown": "The Apache HTTP Server data connector provides the capability to ingest [Apache HTTP Server](http://httpd.apache.org/) events into Microsoft Sentinel. Refer to [Apache Logs documentation](https://httpd.apache.org/docs/2.4/logs.html) for more information.",
     "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution.",

Solutions/ApacheHTTPServer/Data/Solution_Apache Http Server.json

@@ -2,12 +2,12 @@
   "Name": "ApacheHTTPServer",
   "Author": "Microsoft - support@microsoft.com",
   "Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/ApacheHTTPServer/Workbooks/Images/Logo/apache.svg\" width=\"75px\" height=\"75px\">",
-  "Description": "The Apache HTTP Server solution provides the capability to ingest [Apache HTTP Server](http://httpd.apache.org/) events into Microsoft Sentinel. Refer to [Apache Logs documentation](https://httpd.apache.org/docs/2.4/logs.html) for more information.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n \r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n \r\n a. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)",
+  "Description": "The Apache HTTP Server solution provides the capability to ingest [Apache HTTP Server](http://httpd.apache.org/) events into Microsoft Sentinel. Refer to [Apache Logs documentation](https://httpd.apache.org/docs/2.4/logs.html) for more information.\n\n This solution is dependent on the Custom logs via AMA connector to collect the logs. The Custom logs solution will be installed as part of this solution installation. \n\n **NOTE**: Microsoft recommends installation of Custom logs via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024**. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/azure/sentinel/ama-migrate?WT.mc_id=Portal-fx).",
   "Workbooks": [ 
     "Workbooks/ApacheHTTPServer.json" 
   ],
   "Parsers": [
-    "Parsers/ApacheHTTPServer.txt"
+    "Parsers/ApacheHTTPServer.yaml"
   ],
   "Hunting Queries": [
     "Hunting Queries/ApacheFilesErrorRequests.yaml",
@@ -36,9 +36,11 @@
     "Analytic Rules/ApacheRequestToRareFile.yaml",
     "Analytic Rules/ApacheRequestToSensitiveFiles.yaml"
   ],
+  "dependentDomainSolutionIds": [
+    "azuresentinel.azure-sentinel-solution-customlogsviaama"
+  ],
   "BasePath": "C:\\GitHub\\azure\\Solutions\\ApacheHTTPServer",
-  "Version": "2.0.2",
+  "Version": "3.0.0",
   "Metadata": "SolutionMetadata.json",
-   "TemplateSpec": true,
+  "TemplateSpec": true
-  "Is1PConnector": false
 }

Solutions/ApacheHTTPServer/Hunting Queries/ApacheFilesErrorRequests.yaml

@@ -7,6 +7,9 @@ requiredDataConnectors:
   - connectorId: ApacheHTTPServer
     dataTypes:
       - ApacheHTTPServer
+  - connectorId: CustomLogsAma
+    datatypes:
+      - ApacheHTTPServer_CL
 tactics:
   - InitialAccess
 relevantTechniques:

Solutions/ApacheHTTPServer/Hunting Queries/ApacheFilesRequested.yaml

@@ -7,6 +7,9 @@ requiredDataConnectors:
   - connectorId: ApacheHTTPServer
     dataTypes:
       - ApacheHTTPServer
+  - connectorId: CustomLogsAma
+    datatypes:
+      - ApacheHTTPServer_CL
 tactics:
   - InitialAccess
 relevantTechniques:

Solutions/ApacheHTTPServer/Hunting Queries/ApacheRareFilesRequested.yaml

@@ -7,6 +7,9 @@ requiredDataConnectors:
   - connectorId: ApacheHTTPServer
     dataTypes:
       - ApacheHTTPServer
+  - connectorId: CustomLogsAma
+    datatypes:
+      - ApacheHTTPServer_CL
 tactics:
   - InitialAccess
 relevantTechniques:

Solutions/ApacheHTTPServer/Hunting Queries/ApacheRareUAWithClientErrors.yaml

@@ -7,6 +7,9 @@ requiredDataConnectors:
   - connectorId: ApacheHTTPServer
     dataTypes:
       - ApacheHTTPServer
+  - connectorId: CustomLogsAma
+    datatypes:
+      - ApacheHTTPServer_CL
 tactics:
   - InitialAccess
 relevantTechniques:

Solutions/ApacheHTTPServer/Hunting Queries/ApacheRareURLsRequested.yaml

@@ -7,6 +7,9 @@ requiredDataConnectors:
   - connectorId: ApacheHTTPServer
     dataTypes:
       - ApacheHTTPServer
+  - connectorId: CustomLogsAma
+    datatypes:
+      - ApacheHTTPServer_CL
 tactics:
   - InitialAccess
 relevantTechniques:

Solutions/ApacheHTTPServer/Hunting Queries/ApacheRareUserAgents.yaml

@@ -7,6 +7,9 @@ requiredDataConnectors:
   - connectorId: ApacheHTTPServer
     dataTypes:
       - ApacheHTTPServer
+  - connectorId: CustomLogsAma
+    datatypes:
+      - ApacheHTTPServer_CL
 tactics:
   - InitialAccess
 relevantTechniques:

Solutions/ApacheHTTPServer/Hunting Queries/ApacheRequestsToUnexistingFiles.yaml

@@ -7,6 +7,9 @@ requiredDataConnectors:
   - connectorId: ApacheHTTPServer
     dataTypes:
       - ApacheHTTPServer
+  - connectorId: CustomLogsAma
+    datatypes:
+      - ApacheHTTPServer_CL
 tactics:
   - InitialAccess
 relevantTechniques:

Solutions/ApacheHTTPServer/Hunting Queries/ApacheUnexpectedPostRequests.yaml

@@ -7,6 +7,9 @@ requiredDataConnectors:
   - connectorId: ApacheHTTPServer
     dataTypes:
       - ApacheHTTPServer
+  - connectorId: CustomLogsAma
+    datatypes:
+      - ApacheHTTPServer_CL
 tactics:
   - Persistence
   - CommandAndControl

Solutions/ApacheHTTPServer/Hunting Queries/ApacheUrlClienterrors.yaml

@@ -7,6 +7,9 @@ requiredDataConnectors:
   - connectorId: ApacheHTTPServer
     dataTypes:
       - ApacheHTTPServer
+  - connectorId: CustomLogsAma
+    datatypes:
+      - ApacheHTTPServer_CL
 tactics:
   - Impact
   - InitialAccess

Solutions/ApacheHTTPServer/Hunting Queries/ApacheUrlServerErrors.yaml

@@ -7,6 +7,9 @@ requiredDataConnectors:
   - connectorId: ApacheHTTPServer
     dataTypes:
       - ApacheHTTPServer
+  - connectorId: CustomLogsAma
+    datatypes:
+      - ApacheHTTPServer_CL
 tactics:
   - Impact
   - InitialAccess

Solutions/ApacheHTTPServer/Package/createUiDefinition.json

@@ -6,7 +6,7 @@
     "config": {
       "isWizard": false,
       "basics": {
-        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/ApacheHTTPServer/Workbooks/Images/Logo/apache.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe Apache HTTP Server solution provides the capability to ingest [Apache HTTP Server](http://httpd.apache.org/) events into Microsoft Sentinel. Refer to [Apache Logs documentation](https://httpd.apache.org/docs/2.4/logs.html) for more information.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n \r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n \r\n a. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/ApacheHTTPServer/Workbooks/Images/Logo/apache.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/ApacheHTTPServer/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Apache HTTP Server solution provides the capability to ingest [Apache HTTP Server](http://httpd.apache.org/) events into Microsoft Sentinel. Refer to [Apache Logs documentation](https://httpd.apache.org/docs/2.4/logs.html) for more information.\n\n This solution is dependent on the Custom logs via AMA connector to collect the logs. The Custom logs solution will be installed as part of this solution installation. \n\n **NOTE**: Microsoft recommends installation of Custom logs via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024**. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/azure/sentinel/ama-migrate?WT.mc_id=Portal-fx).\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
         "subscription": {
           "resourceProviders": [
             "Microsoft.OperationsManagement/solutions",
@@ -60,14 +60,14 @@
             "name": "dataconnectors1-text",
             "type": "Microsoft.Common.TextBlock",
             "options": {
-              "text": "The solution installs the data connector for ingesting Apache HTTP Server activity and logging events including initial request, mapping process, resolution of the connection, and any errors that may have occurred. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+              "text": "This Solution installs the data connector for ApacheHTTPServer. You can get ApacheHTTPServer custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
             }
           },
           {
             "name": "dataconnectors-parser-text",
             "type": "Microsoft.Common.TextBlock",
             "options": {
-              "text": "The solution installs a parser that transforms ingested data. The transformed logs can be accessed using the ApacheHttpServer Kusto Function alias."
+              "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel."
             }
           },
           {
@@ -323,7 +323,7 @@
                 "name": "huntingquery1-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "Query shows list of files with error requests. This hunting query depends on ApacheHTTPServer data connector (ApacheHTTPServer Parser or Table)"
+                  "text": "Query shows list of files with error requests. This hunting query depends on ApacheHTTPServer CustomLogsAma data connector (ApacheHTTPServer ApacheHTTPServer_CL Parser or Table)"
                 }
               }
             ]
@@ -337,7 +337,7 @@
                 "name": "huntingquery2-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "Query shows list of files requested This hunting query depends on ApacheHTTPServer data connector (ApacheHTTPServer Parser or Table)"
+                  "text": "Query shows list of files requested This hunting query depends on ApacheHTTPServer CustomLogsAma data connector (ApacheHTTPServer ApacheHTTPServer_CL Parser or Table)"
                 }
               }
             ]
@@ -351,7 +351,7 @@
                 "name": "huntingquery3-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "Query detects rare files requested This hunting query depends on ApacheHTTPServer data connector (ApacheHTTPServer Parser or Table)"
+                  "text": "Query detects rare files requested This hunting query depends on ApacheHTTPServer CustomLogsAma data connector (ApacheHTTPServer ApacheHTTPServer_CL Parser or Table)"
                 }
               }
             ]
@@ -365,7 +365,7 @@
                 "name": "huntingquery4-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "Query shows rare user agent strings with client errors This hunting query depends on ApacheHTTPServer data connector (ApacheHTTPServer Parser or Table)"
+                  "text": "Query shows rare user agent strings with client errors This hunting query depends on ApacheHTTPServer CustomLogsAma data connector (ApacheHTTPServer ApacheHTTPServer_CL Parser or Table)"
                 }
               }
             ]
@@ -379,7 +379,7 @@
                 "name": "huntingquery5-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "Query shows rare URLs requested. This hunting query depends on ApacheHTTPServer data connector (ApacheHTTPServer Parser or Table)"
+                  "text": "Query shows rare URLs requested. This hunting query depends on ApacheHTTPServer CustomLogsAma data connector (ApacheHTTPServer ApacheHTTPServer_CL Parser or Table)"
                 }
               }
             ]
@@ -393,7 +393,7 @@
                 "name": "huntingquery6-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "Query shows rare user agents This hunting query depends on ApacheHTTPServer data connector (ApacheHTTPServer Parser or Table)"
+                  "text": "Query shows rare user agents This hunting query depends on ApacheHTTPServer CustomLogsAma data connector (ApacheHTTPServer ApacheHTTPServer_CL Parser or Table)"
                 }
               }
             ]
@@ -407,7 +407,7 @@
                 "name": "huntingquery7-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "Query shows list of requests to unexisting files This hunting query depends on ApacheHTTPServer data connector (ApacheHTTPServer Parser or Table)"
+                  "text": "Query shows list of requests to unexisting files This hunting query depends on ApacheHTTPServer CustomLogsAma data connector (ApacheHTTPServer ApacheHTTPServer_CL Parser or Table)"
                 }
               }
             ]
@@ -421,7 +421,7 @@
                 "name": "huntingquery8-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "Query detects Unexpected Post Requests This hunting query depends on ApacheHTTPServer data connector (ApacheHTTPServer Parser or Table)"
+                  "text": "Query detects Unexpected Post Requests This hunting query depends on ApacheHTTPServer CustomLogsAma data connector (ApacheHTTPServer ApacheHTTPServer_CL Parser or Table)"
                 }
               }
             ]
@@ -435,7 +435,7 @@
                 "name": "huntingquery9-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "Query shows URLs list with client errors. This hunting query depends on ApacheHTTPServer data connector (ApacheHTTPServer Parser or Table)"
+                  "text": "Query shows URLs list with client errors. This hunting query depends on ApacheHTTPServer CustomLogsAma data connector (ApacheHTTPServer ApacheHTTPServer_CL Parser or Table)"
                 }
               }
             ]
@@ -449,7 +449,7 @@
                 "name": "huntingquery10-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "Query shows URLs list with server errors. This hunting query depends on ApacheHTTPServer data connector (ApacheHTTPServer Parser or Table)"
+                  "text": "Query shows URLs list with server errors. This hunting query depends on ApacheHTTPServer CustomLogsAma data connector (ApacheHTTPServer ApacheHTTPServer_CL Parser or Table)"
                 }
               }
             ]

Solutions/ApacheHTTPServer/Package/testParameters.json

@@ -0,0 +1,32 @@
+{
+  "location": {
+    "type": "string",
+    "minLength": 1,
+    "defaultValue": "[resourceGroup().location]",
+    "metadata": {
+      "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`.  We instead use the `workspace-location` which is derived from the LA workspace"
+    }
+  },
+  "workspace-location": {
+    "type": "string",
+    "defaultValue": "",
+    "metadata": {
+      "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
+    }
+  },
+  "workspace": {
+    "defaultValue": "",
+    "type": "string",
+    "metadata": {
+      "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
+    }
+  },
+  "workbook1-name": {
+    "type": "string",
+    "defaultValue": "Apache HTTP Server",
+    "minLength": 1,
+    "metadata": {
+      "description": "Name for the workbook"
+    }
+  }
+}

Solutions/ApacheHTTPServer/ReleaseNotes.md

@@ -0,0 +1,3 @@
+| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History**                                                 |
+|-------------|--------------------------------|--------------------------------------------------------------------|
+| 3.0.0       | 13-08-2024                     | Deprecating data connectors |

Solutions/MongoDBAudit/Data Connectors/Connector_MongoDBAudit.json

@@ -1,6 +1,6 @@
 {
     "id": "MongoDB",
-    "title": "MongoDB Audit",
+    "title": "[Deprecated] MongoDB Audit",
     "publisher": "MongoDB",
     "descriptionMarkdown": "MongoDB data connector provides the capability to ingest [MongoDBAudit](https://www.mongodb.com/) into Microsoft Sentinel. Refer to [MongoDB documentation](https://www.mongodb.com/docs/manual/tutorial/getting-started/) for more information.",
     "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution.",

Solutions/MongoDBAudit/Data/Solution_MongoDBAudit.json

@@ -2,15 +2,18 @@
   "Name": "MongoDBAudit",
   "Author": "Microsoft - support@microsoft.com",
   "Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">",
-  "Description": "The [MongoDBAudit](https://www.mongodb.com/) solution allows you to ingest Mongo DB audit information into Microsoft Sentinel. Refer to [MongoDB documentation](https://www.mongodb.com/docs/manual/tutorial/getting-started/) for more information.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Agent-based log collection (Syslog)](https://docs.microsoft.com/azure/sentinel/connect-syslog)",
+  "Description": "The [MongoDBAudit](https://www.mongodb.com/) solution allows you to ingest Mongo DB audit information into Microsoft Sentinel. Refer to [MongoDB documentation](https://www.mongodb.com/docs/manual/tutorial/getting-started/) for more information.\n\n This solution is dependent on the Custom logs via AMA connector to collect the logs. The Custom logs solution will be installed as part of this solution installation.\n\n **NOTE**: Microsoft recommends installation of Custom logs via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).",
   "Data Connectors": [
     "Data Connectors/Connector_MongoDBAudit.json"
   ],
   "Parsers": [
-    "Parsers/MongoDBAudit.txt"
+    "Parsers/MongoDBAudit.yaml"
+  ],
+  "dependentDomainSolutionIds": [
+    "azuresentinel.azure-sentinel-solution-customlogsviaama"
   ],
   "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\MongoDBAudit",
-  "Version": "2.0.3",
+  "Version": "3.0.0",
   "Metadata": "SolutionMetadata.json",
   "TemplateSpec": true,
   "Is1Pconnector": false

Solutions/MongoDBAudit/Package/createUiDefinition.json

@@ -6,7 +6,7 @@
     "config": {
       "isWizard": false,
       "basics": {
-        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [MongoDBAudit](https://www.mongodb.com/) solution allows you to ingest Mongo DB audit information into Microsoft Sentinel. Refer to [MongoDB documentation](https://www.mongodb.com/docs/manual/tutorial/getting-started/) for more information.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Agent-based log collection (Syslog)](https://docs.microsoft.com/azure/sentinel/connect-syslog)\n\n**Data Connectors:** 1, **Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/MongoDBAudit/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [MongoDBAudit](https://www.mongodb.com/) solution allows you to ingest Mongo DB audit information into Microsoft Sentinel. Refer to [MongoDB documentation](https://www.mongodb.com/docs/manual/tutorial/getting-started/) for more information.\n\n This solution is dependent on the Custom logs via AMA connector to collect the logs. The Custom logs solution will be installed as part of this solution installation.\n\n **NOTE**: Microsoft recommends installation of Custom logs via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Data Connectors:** 1, **Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
         "subscription": {
           "resourceProviders": [
             "Microsoft.OperationsManagement/solutions",

Solutions/MongoDBAudit/Package/mainTemplate.json

@@ -30,57 +30,41 @@
     }
   },
   "variables": {
-    "solutionId": "azuresentinel.azure-sentinel-solution-mongodbaudit",
-    "_solutionId": "[variables('solutionId')]",
     "email": "support@microsoft.com",
     "_email": "[variables('email')]",
-    "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
+    "_solutionName": "MongoDBAudit",
+    "_solutionVersion": "3.0.0",
+    "solutionId": "azuresentinel.azure-sentinel-solution-mongodbaudit",
+    "_solutionId": "[variables('solutionId')]",
     "uiConfigId1": "MongoDB",
     "_uiConfigId1": "[variables('uiConfigId1')]",
     "dataConnectorContentId1": "MongoDB",
     "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
     "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
     "_dataConnectorId1": "[variables('dataConnectorId1')]",
-    "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1')))]",
+    "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
     "dataConnectorVersion1": "1.0.0",
+    "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
+    "parserObject1": {
+      "_parserName1": "[concat(parameters('workspace'),'/','MongoDBAudit')]",
+      "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MongoDBAudit')]",
+      "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('MongoDBAudit-Parser')))]",
       "parserVersion1": "1.0.0",
-    "parserContentId1": "MongoDBAudit-Parser",
+      "parserContentId1": "MongoDBAudit-Parser"
-    "_parserContentId1": "[variables('parserContentId1')]",
+    },
-    "parserName1": "MongoDBAudit",
+    "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
-    "_parserName1": "[concat(parameters('workspace'),'/',variables('parserName1'))]",
-    "parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]",
-    "_parserId1": "[variables('parserId1')]",
-    "parserTemplateSpecName1": "[concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId1')))]"
   },
   "resources": [
     {
-      "type": "Microsoft.Resources/templateSpecs",
+      "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
-      "apiVersion": "2021-05-01",
+      "apiVersion": "2023-04-01-preview",
       "name": "[variables('dataConnectorTemplateSpecName1')]",
       "location": "[parameters('workspace-location')]",
-      "tags": {
-        "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
-        "hidden-sentinelContentType": "DataConnector"
-      },
-      "properties": {
-        "description": "MongoDBAudit data connector with template",
-        "displayName": "MongoDBAudit template"
-      }
-    },
-    {
-      "type": "Microsoft.Resources/templateSpecs/versions",
-      "apiVersion": "2021-05-01",
-      "name": "[concat(variables('dataConnectorTemplateSpecName1'),'/',variables('dataConnectorVersion1'))]",
-      "location": "[parameters('workspace-location')]",
-      "tags": {
-        "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
-        "hidden-sentinelContentType": "DataConnector"
-      },
       "dependsOn": [
-        "[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName1'))]"
+        "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "MongoDBAudit data connector with template version 2.0.3",
+        "description": "MongoDBAudit data connector with template version 3.0.0",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('dataConnectorVersion1')]",
@@ -96,7 +80,7 @@
               "properties": {
                 "connectorUiConfig": {
                   "id": "[variables('_uiConfigId1')]",
-                  "title": "MongoDB Audit",
+                  "title": "[Deprecated] MongoDB Audit",
                   "publisher": "MongoDB",
                   "descriptionMarkdown": "MongoDB data connector provides the capability to ingest [MongoDBAudit](https://www.mongodb.com/) into Microsoft Sentinel. Refer to [MongoDB documentation](https://www.mongodb.com/docs/manual/tutorial/getting-started/) for more information.",
                   "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution.",
@@ -110,7 +94,7 @@
                   "sampleQueries": [
                     {
                       "description": "MongoDBAudit - All Activities.",
-                      "query": "MongoDBAudit\n | sort by TimeGenerated desc"
+                      "query": "MongoDBAudit_CL\n | sort by TimeGenerated desc"
                     }
                   ],
                   "dataTypes": [
@@ -278,7 +262,7 @@
             },
             {
               "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
-              "apiVersion": "2022-01-01-preview",
+              "apiVersion": "2023-04-01-preview",
               "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
               "properties": {
                 "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
@@ -303,12 +287,23 @@
               }
             }
           ]
-        }
+        },
+        "packageKind": "Solution",
+        "packageVersion": "[variables('_solutionVersion')]",
+        "packageName": "[variables('_solutionName')]",
+        "packageId": "[variables('_solutionId')]",
+        "contentSchemaVersion": "3.0.0",
+        "contentId": "[variables('_dataConnectorContentId1')]",
+        "contentKind": "DataConnector",
+        "displayName": "[Deprecated] MongoDB Audit",
+        "contentProductId": "[variables('_dataConnectorcontentProductId1')]",
+        "id": "[variables('_dataConnectorcontentProductId1')]",
+        "version": "[variables('dataConnectorVersion1')]"
       }
     },
     {
       "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
-      "apiVersion": "2022-01-01-preview",
+      "apiVersion": "2023-04-01-preview",
       "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
       "dependsOn": [
         "[variables('_dataConnectorId1')]"
@@ -344,7 +339,7 @@
       "kind": "GenericUI",
       "properties": {
         "connectorUiConfig": {
-          "title": "MongoDB Audit",
+          "title": "[Deprecated] MongoDB Audit",
           "publisher": "MongoDB",
           "descriptionMarkdown": "MongoDB data connector provides the capability to ingest [MongoDBAudit](https://www.mongodb.com/) into Microsoft Sentinel. Refer to [MongoDB documentation](https://www.mongodb.com/docs/manual/tutorial/getting-started/) for more information.",
           "graphQueries": [
@@ -371,7 +366,7 @@
           "sampleQueries": [
             {
               "description": "MongoDBAudit - All Activities.",
-              "query": "MongoDBAudit\n | sort by TimeGenerated desc"
+              "query": "MongoDBAudit_CL\n | sort by TimeGenerated desc"
             }
           ],
           "availability": {
@@ -510,55 +505,38 @@
       }
     },
     {
-      "type": "Microsoft.Resources/templateSpecs",
+      "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
-      "apiVersion": "2021-05-01",
+      "apiVersion": "2023-04-01-preview",
-      "name": "[variables('parserTemplateSpecName1')]",
+      "name": "[variables('parserObject1').parserTemplateSpecName1]",
       "location": "[parameters('workspace-location')]",
-      "tags": {
-        "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
-        "hidden-sentinelContentType": "Parser"
-      },
-      "properties": {
-        "description": "MongoDBAudit Data Parser with template",
-        "displayName": "MongoDBAudit Data Parser template"
-      }
-    },
-    {
-      "type": "Microsoft.Resources/templateSpecs/versions",
-      "apiVersion": "2021-05-01",
-      "name": "[concat(variables('parserTemplateSpecName1'),'/',variables('parserVersion1'))]",
-      "location": "[parameters('workspace-location')]",
-      "tags": {
-        "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
-        "hidden-sentinelContentType": "Parser"
-      },
       "dependsOn": [
-        "[resourceId('Microsoft.Resources/templateSpecs', variables('parserTemplateSpecName1'))]"
+        "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "MongoDBAudit Data Parser with template version 2.0.3",
+        "description": "MongoDBAudit Data Parser with template version 3.0.0",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-          "contentVersion": "[variables('parserVersion1')]",
+          "contentVersion": "[variables('parserObject1').parserVersion1]",
           "parameters": {},
           "variables": {},
           "resources": [
             {
-              "name": "[variables('_parserName1')]",
+              "name": "[variables('parserObject1')._parserName1]",
-              "apiVersion": "2020-08-01",
+              "apiVersion": "2022-10-01",
               "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
               "location": "[parameters('workspace-location')]",
               "properties": {
                 "eTag": "*",
                 "displayName": "MongoDBAudit",
-                "category": "Samples",
+                "category": "Microsoft Sentinel Parser",
                 "functionAlias": "MongoDBAudit",
-                "query": "\nMongoDBAudit_CL\r\n| extend EventVendor = 'MongoDB',\r\n         EventProduct = 'MongDB Audit',\r\n         EventCount = 1\r\n| extend d=parse_json(RawData)\r\n| extend EventEndTime = todatetime(d['ts']['$date'])\r\n| extend DvcAction = d['atype']\r\n| extend SrcIpAddr = d['remote']['ip']\r\n| extend SrcPortNumber = d['remote']['port']\r\n| extend DstIpAddr = d['local']['ip']\r\n| extend DstPortNumber = d['local']['port']\r\n| extend Users = d['users']\r\n| extend Roles = d['roles']\r\n| extend Parameters = d['param']\r\n| extend EventResultCode = d['result']\r\n| extend EventResult = case(EventResultCode == 13, \"Unauthorized to perform the operation.\",\r\n                              EventResultCode == 18, \"Authentication Failed\",\r\n                              EventResultCode == 26, \"NamespaceNotFound\",\r\n                              EventResultCode == 276, \"Index build aborted.\",\r\n                              EventResultCode == 334, \"Mechanism Unavailable\",\r\n                              \"Success\")\r\n| project-away d, RawData",
+                "query": "MongoDBAudit_CL\n| extend EventVendor = 'MongoDB',\n         EventProduct = 'MongDB Audit',\n         EventCount = 1\n| extend d=parse_json(RawData)\n| extend EventEndTime = todatetime(d['ts']['$date'])\n| extend DvcAction = d['atype']\n| extend SrcIpAddr = d['remote']['ip']\n| extend SrcPortNumber = d['remote']['port']\n| extend DstIpAddr = d['local']['ip']\n| extend DstPortNumber = d['local']['port']\n| extend Users = d['users']\n| extend Roles = d['roles']\n| extend Parameters = d['param']\n| extend EventResultCode = d['result']\n| extend EventResult = case(EventResultCode == 13, \"Unauthorized to perform the operation.\",\n                              EventResultCode == 18, \"Authentication Failed\",\n                              EventResultCode == 26, \"NamespaceNotFound\",\n                              EventResultCode == 276, \"Index build aborted.\",\n                              EventResultCode == 334, \"Mechanism Unavailable\",\n                              \"Success\")\n| project-away d, RawData\n",
-                "version": 1,
+                "functionParameters": "",
+                "version": 2,
                 "tags": [
                   {
                     "name": "description",
-                    "value": "MongoDBAudit"
+                    "value": ""
                   }
                 ]
               }
@@ -566,15 +544,15 @@
             {
               "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
               "apiVersion": "2022-01-01-preview",
-              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]",
+              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject1')._parserId1,'/'))))]",
               "dependsOn": [
-                "[variables('_parserName1')]"
+                "[variables('parserObject1')._parserId1]"
               ],
               "properties": {
-                "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]",
+                "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MongoDBAudit')]",
-                "contentId": "[variables('_parserContentId1')]",
+                "contentId": "[variables('parserObject1').parserContentId1]",
                 "kind": "Parser",
-                "version": "[variables('parserVersion1')]",
+                "version": "[variables('parserObject1').parserVersion1]",
                 "source": {
                   "name": "MongoDBAudit",
                   "kind": "Solution",
@@ -593,36 +571,54 @@
               }
             }
           ]
-        }
+        },
+        "packageKind": "Solution",
+        "packageVersion": "[variables('_solutionVersion')]",
+        "packageName": "[variables('_solutionName')]",
+        "packageId": "[variables('_solutionId')]",
+        "contentSchemaVersion": "3.0.0",
+        "contentId": "[variables('parserObject1').parserContentId1]",
+        "contentKind": "Parser",
+        "displayName": "MongoDBAudit",
+        "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]",
+        "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]",
+        "version": "[variables('parserObject1').parserVersion1]"
       }
     },
     {
       "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
-      "apiVersion": "2021-06-01",
+      "apiVersion": "2022-10-01",
-      "name": "[variables('_parserName1')]",
+      "name": "[variables('parserObject1')._parserName1]",
       "location": "[parameters('workspace-location')]",
       "properties": {
         "eTag": "*",
         "displayName": "MongoDBAudit",
-        "category": "Samples",
+        "category": "Microsoft Sentinel Parser",
         "functionAlias": "MongoDBAudit",
-        "query": "\nMongoDBAudit_CL\r\n| extend EventVendor = 'MongoDB',\r\n         EventProduct = 'MongDB Audit',\r\n         EventCount = 1\r\n| extend d=parse_json(RawData)\r\n| extend EventEndTime = todatetime(d['ts']['$date'])\r\n| extend DvcAction = d['atype']\r\n| extend SrcIpAddr = d['remote']['ip']\r\n| extend SrcPortNumber = d['remote']['port']\r\n| extend DstIpAddr = d['local']['ip']\r\n| extend DstPortNumber = d['local']['port']\r\n| extend Users = d['users']\r\n| extend Roles = d['roles']\r\n| extend Parameters = d['param']\r\n| extend EventResultCode = d['result']\r\n| extend EventResult = case(EventResultCode == 13, \"Unauthorized to perform the operation.\",\r\n                              EventResultCode == 18, \"Authentication Failed\",\r\n                              EventResultCode == 26, \"NamespaceNotFound\",\r\n                              EventResultCode == 276, \"Index build aborted.\",\r\n                              EventResultCode == 334, \"Mechanism Unavailable\",\r\n                              \"Success\")\r\n| project-away d, RawData",
+        "query": "MongoDBAudit_CL\n| extend EventVendor = 'MongoDB',\n         EventProduct = 'MongDB Audit',\n         EventCount = 1\n| extend d=parse_json(RawData)\n| extend EventEndTime = todatetime(d['ts']['$date'])\n| extend DvcAction = d['atype']\n| extend SrcIpAddr = d['remote']['ip']\n| extend SrcPortNumber = d['remote']['port']\n| extend DstIpAddr = d['local']['ip']\n| extend DstPortNumber = d['local']['port']\n| extend Users = d['users']\n| extend Roles = d['roles']\n| extend Parameters = d['param']\n| extend EventResultCode = d['result']\n| extend EventResult = case(EventResultCode == 13, \"Unauthorized to perform the operation.\",\n                              EventResultCode == 18, \"Authentication Failed\",\n                              EventResultCode == 26, \"NamespaceNotFound\",\n                              EventResultCode == 276, \"Index build aborted.\",\n                              EventResultCode == 334, \"Mechanism Unavailable\",\n                              \"Success\")\n| project-away d, RawData\n",
-        "version": 1
+        "functionParameters": "",
+        "version": 2,
+        "tags": [
+          {
+            "name": "description",
+            "value": ""
+          }
+        ]
       }
     },
     {
       "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
       "apiVersion": "2022-01-01-preview",
       "location": "[parameters('workspace-location')]",
-      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]",
+      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject1')._parserId1,'/'))))]",
       "dependsOn": [
-        "[variables('_parserId1')]"
+        "[variables('parserObject1')._parserId1]"
       ],
       "properties": {
-        "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]",
+        "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MongoDBAudit')]",
-        "contentId": "[variables('_parserContentId1')]",
+        "contentId": "[variables('parserObject1').parserContentId1]",
         "kind": "Parser",
-        "version": "[variables('parserVersion1')]",
+        "version": "[variables('parserObject1').parserVersion1]",
         "source": {
           "kind": "Solution",
           "name": "MongoDBAudit",
@@ -641,13 +637,20 @@
       }
     },
     {
-      "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+      "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages",
-      "apiVersion": "2022-01-01-preview",
+      "apiVersion": "2023-04-01-preview",
       "location": "[parameters('workspace-location')]",
       "properties": {
-        "version": "2.0.3",
+        "version": "3.0.0",
         "kind": "Solution",
-        "contentSchemaVersion": "2.0.0",
+        "contentSchemaVersion": "3.0.0",
+        "displayName": "MongoDBAudit",
+        "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation",
+        "descriptionHtml": "<p><strong>Note:</strong> Please refer to the following before installing the solution:</p>\n<p>• Review the solution <a href=\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/MongoDBAudit/ReleaseNotes.md\">Release Notes</a></p>\n<p>• There may be <a href=\"https://aka.ms/sentinelsolutionsknownissues\">known issues</a> pertaining to this Solution, please refer to them before installing.</p>\n<p>The <a href=\"https://www.mongodb.com/\">MongoDBAudit</a> solution allows you to ingest Mongo DB audit information into Microsoft Sentinel. Refer to <a href=\"https://www.mongodb.com/docs/manual/tutorial/getting-started/\">MongoDB documentation</a> for more information.</p>\n<p>This solution is dependent on the Custom logs via AMA connector to collect the logs. The Custom logs solution will be installed as part of this solution installation.</p>\n<p><strong>NOTE</strong>: Microsoft recommends installation of Custom logs via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024.Using MMA and AMA on same machine can cause log duplication and extra ingestion cost <a href=\"https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate\">more details</a>.</p>\n<p><strong>Data Connectors:</strong> 1, <strong>Parsers:</strong> 1</p>\n<p><a href=\"https://aka.ms/azuresentinel\">Learn more about Microsoft Sentinel</a> | <a href=\"https://aka.ms/azuresentinelsolutionsdoc\">Learn more about Solutions</a></p>\n",
+        "contentKind": "Solution",
+        "contentProductId": "[variables('_solutioncontentProductId')]",
+        "id": "[variables('_solutioncontentProductId')]",
+        "icon": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">",
         "contentId": "[variables('_solutionId')]",
         "parentId": "[variables('_solutionId')]",
         "source": {
@@ -666,7 +669,6 @@
           "link": "https://support.microsoft.com"
         },
         "dependencies": {
-          "operator": "AND",
           "criteria": [
             {
               "kind": "DataConnector",
@@ -675,8 +677,12 @@
             },
             {
               "kind": "Parser",
-              "contentId": "[variables('_parserContentId1')]",
+              "contentId": "[variables('parserObject1').parserContentId1]",
-              "version": "[variables('parserVersion1')]"
+              "version": "[variables('parserObject1').parserVersion1]"
+            },
+            {
+              "kind": "Solution",
+              "contentId": "azuresentinel.azure-sentinel-solution-customlogsviaama"
             }
           ]
         },

Solutions/MongoDBAudit/Package/testParameters.json

@@ -0,0 +1,24 @@
+{
+  "location": {
+    "type": "string",
+    "minLength": 1,
+    "defaultValue": "[resourceGroup().location]",
+    "metadata": {
+      "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`.  We instead use the `workspace-location` which is derived from the LA workspace"
+    }
+  },
+  "workspace-location": {
+    "type": "string",
+    "defaultValue": "",
+    "metadata": {
+      "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
+    }
+  },
+  "workspace": {
+    "defaultValue": "",
+    "type": "string",
+    "metadata": {
+      "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
+    }
+  }
+}

Solutions/MongoDBAudit/Parsers/MongoDBAudit.txt

@@ -1,23 +0,0 @@
-// Reference : Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions
-MongoDBAudit_CL
-| extend EventVendor = 'MongoDB',
-         EventProduct = 'MongDB Audit',
-         EventCount = 1
-| extend d=parse_json(RawData)
-| extend EventEndTime = todatetime(d['ts']['$date'])
-| extend DvcAction = d['atype']
-| extend SrcIpAddr = d['remote']['ip']
-| extend SrcPortNumber = d['remote']['port']
-| extend DstIpAddr = d['local']['ip']
-| extend DstPortNumber = d['local']['port']
-| extend Users = d['users']
-| extend Roles = d['roles']
-| extend Parameters = d['param']
-| extend EventResultCode = d['result']
-| extend EventResult = case(EventResultCode == 13, "Unauthorized to perform the operation.",
-                              EventResultCode == 18, "Authentication Failed",
-                              EventResultCode == 26, "NamespaceNotFound",
-                              EventResultCode == 276, "Index build aborted.",
-                              EventResultCode == 334, "Mechanism Unavailable",
-                              "Success")
-| project-away d, RawData

Solutions/MongoDBAudit/ReleaseNotes.md

@@ -0,0 +1,3 @@
+| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History**                          |
+|-------------|--------------------------------|---------------------------------------------|
+| 3.0.0       |  08-08-2024                    | Deprecating data connectors                 |

Solutions/NGINX HTTP Server/Analytic Rules/NGINXCommandsInRequest.yaml

@@ -8,6 +8,9 @@ requiredDataConnectors:
   - connectorId: NGINXHTTPServer
     dataTypes:
       - NGINXHTTPServer
+  - connectorId: CustomLogsAma
+    dataTypes:
+      - NGINX_CL
 queryFrequency: 10m
 queryPeriod: 10m
 triggerOperator: gt
@@ -27,5 +30,5 @@ entityMappings:
     fieldMappings:
       - identifier: Url
         columnName: UrlCustomEntity
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled

Solutions/NGINX HTTP Server/Analytic Rules/NGINXCoreDump.yaml

@@ -8,6 +8,9 @@ requiredDataConnectors:
   - connectorId: NGINXHTTPServer
     dataTypes:
       - NGINXHTTPServer
+  - connectorId: CustomLogsAma
+    dataTypes:
+      - NGINX_CL
 queryFrequency: 10m
 queryPeriod: 10m
 triggerOperator: gt
@@ -26,5 +29,5 @@ entityMappings:
     fieldMappings:
       - identifier: ProcessId
         columnName: ProcessIdCustomEntity
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled

Solutions/NGINX HTTP Server/Analytic Rules/NGINXDifferentUAsFromSingleIP.yaml

@@ -8,6 +8,9 @@ requiredDataConnectors:
   - connectorId: NGINXHTTPServer
     dataTypes:
       - NGINXHTTPServer
+  - connectorId: CustomLogsAma
+    dataTypes:
+      - NGINX_CL
 queryFrequency: 1h
 queryPeriod: 1h
 triggerOperator: gt
@@ -29,5 +32,5 @@ entityMappings:
     fieldMappings:
       - identifier: Address
         columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled

Solutions/NGINX HTTP Server/Analytic Rules/NGINXKnownMaliciousUserAgent.yaml

@@ -8,6 +8,9 @@ requiredDataConnectors:
   - connectorId: NGINXHTTPServer
     dataTypes:
       - NGINXHTTPServer
+  - connectorId: CustomLogsAma
+    dataTypes:
+      - NGINX_CL
 queryFrequency: 10m
 queryPeriod: 10m
 triggerOperator: gt
@@ -31,5 +34,5 @@ entityMappings:
     fieldMappings:
       - identifier: Name
         columnName: MalwareCustomEntity
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled

Solutions/NGINX HTTP Server/Analytic Rules/NGINXMultipleClientErrorsFromSingleIP.yaml

@@ -8,6 +8,9 @@ requiredDataConnectors:
   - connectorId: NGINXHTTPServer
     dataTypes:
       - NGINXHTTPServer
+  - connectorId: CustomLogsAma
+    dataTypes:
+      - NGINX_CL
 queryFrequency: 1h
 queryPeriod: 1h
 triggerOperator: gt
@@ -29,5 +32,5 @@ entityMappings:
     fieldMappings:
       - identifier: Address
         columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled

Solutions/NGINX HTTP Server/Analytic Rules/NGINXMultipleServerErrorsFromSingleIP.yaml

@@ -8,6 +8,9 @@ requiredDataConnectors:
   - connectorId: NGINXHTTPServer
     dataTypes:
       - NGINXHTTPServer
+  - connectorId: CustomLogsAma
+    dataTypes:
+      - NGINX_CL
 queryFrequency: 1h
 queryPeriod: 1h
 triggerOperator: gt
@@ -31,5 +34,5 @@ entityMappings:
     fieldMappings:
       - identifier: Address
         columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled

Solutions/NGINX HTTP Server/Analytic Rules/NGINXPrivateIPinUrl.yaml

@@ -8,6 +8,9 @@ requiredDataConnectors:
   - connectorId: NGINXHTTPServer
     dataTypes:
       - NGINXHTTPServer
+  - connectorId: CustomLogsAma
+    dataTypes:
+      - NGINX_CL
 queryFrequency: 1h
 queryPeriod: 1h
 triggerOperator: gt
@@ -26,5 +29,5 @@ entityMappings:
     fieldMappings:
       - identifier: Url
         columnName: UrlCustomEntity
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled

Solutions/NGINX HTTP Server/Analytic Rules/NGINXPutAndGetFileFromSameIP.yaml

@@ -8,6 +8,9 @@ requiredDataConnectors:
   - connectorId: NGINXHTTPServer
     dataTypes:
       - NGINXHTTPServer
+  - connectorId: CustomLogsAma
+    dataTypes:
+      - NGINX_CL
 queryFrequency: 1h
 queryPeriod: 1h
 triggerOperator: gt
@@ -40,5 +43,5 @@ entityMappings:
     fieldMappings:
       - identifier: Url
         columnName: UrlCustomEntity
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled

Solutions/NGINX HTTP Server/Analytic Rules/NGINXRequestToSensitiveFiles.yaml

@@ -8,6 +8,9 @@ requiredDataConnectors:
   - connectorId: NGINXHTTPServer
     dataTypes:
       - NGINXHTTPServer
+  - connectorId: CustomLogsAma
+    dataTypes:
+      - NGINX_CL
 queryFrequency: 1h
 queryPeriod: 1h
 triggerOperator: gt
@@ -31,5 +34,5 @@ entityMappings:
     fieldMappings:
       - identifier: Url
         columnName: UrlCustomEntity
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled

Solutions/NGINX HTTP Server/Analytic Rules/NGINXSqlPattern.yaml

@@ -8,6 +8,9 @@ requiredDataConnectors:
   - connectorId: NGINXHTTPServer
     dataTypes:
       - NGINXHTTPServer
+  - connectorId: CustomLogsAma
+    dataTypes:
+      - NGINX_CL
 queryFrequency: 10m
 queryPeriod: 10m
 triggerOperator: gt
@@ -30,5 +33,5 @@ entityMappings:
     fieldMappings:
       - identifier: Url
         columnName: UrlCustomEntity
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled

Solutions/NGINX HTTP Server/Data Connectors/Connector_NGINX_agent.json

@@ -1,6 +1,6 @@
 {
     "id": "NGINXHTTPServer",
-    "title": "NGINX HTTP Server",
+    "title": "[Deprecated] NGINX HTTP Server",
     "publisher": "Nginx",
     "descriptionMarkdown": "The NGINX HTTP Server data connector provides the capability to ingest [NGINX](https://nginx.org/en/) HTTP Server events into Microsoft Sentinel. Refer to [NGINX Logs documentation](https://nginx.org/en/docs/http/ngx_http_log_module.html) for more information.",
     "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution.",

Solutions/NGINX HTTP Server/Data/Solution_Nginx.json

@@ -2,12 +2,12 @@
   "Name": "NGINX HTTP Server",
   "Author": "Microsoft - support@microsoft.com",
    "Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">",
-  "Description": "The [NGINX](https://nginx.org/) HTTP Server data connector provides the capability to ingest [NGINX HTTP Server](https://nginx.org/#basic_http_features) events into Microsoft Sentinel. Refer to [NGINX Logs documentation](https://nginx.org/en/docs/http/ngx_http_log_module.html) for more information. \n \n **Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs: \n \n a. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)",
+  "Description": "The [NGINX](https://nginx.org/) HTTP Server data connector provides the capability to ingest [NGINX HTTP Server](https://nginx.org/#basic_http_features) events into Microsoft Sentinel. Refer to [NGINX Logs documentation](https://nginx.org/en/docs/http/ngx_http_log_module.html) for more information.\n\n This solution is dependent on the Custom logs via AMA connector to collect the logs. The Custom logs solution will be installed as part of this solution installation. \n\n **NOTE**: Microsoft recommends installation of Custom logs via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024**. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/azure/sentinel/ama-migrate?WT.mc_id=Portal-fx).",
   "Workbooks": [
     "Workbooks/NGINX.json"
   ],
   "Parsers": [
-    "Parsers/NGINXHTTPServer.txt"
+    "Parsers/NGINXHTTPServer.yaml"
   ],
   "Hunting Queries": [
     "Hunting Queries/NGINXUncommonUAsString.yaml",
@@ -36,9 +36,12 @@
 	"Analytic Rules/NGINXRequestToSensitiveFiles.yaml",
 	"Analytic Rules/NGINXSqlPattern.yaml"
   ],
+  "dependentDomainSolutionIds": [
+    "azuresentinel.azure-sentinel-solution-customlogsviaama"
+  ],
   "Metadata": "SolutionMetadata.json",
   "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\NGINX HTTP Server",
-  "Version": "2.0.2",
+  "Version": "3.0.0",
   "TemplateSpec": true,
   "Is1Pconnector": false
 }

Solutions/NGINX HTTP Server/Hunting Queries/NGINXAbnormalRequestSize.yaml

@@ -7,6 +7,9 @@ requiredDataConnectors:
   - connectorId: NGINXHTTPServer
     dataTypes:
       - NGINXHTTPServer
+  - connectorId: CustomLogsAma
+    dataTypes:
+      - NGINX_CL
 tactics:
   - Exfiltration
   - Collection

Solutions/NGINX HTTP Server/Hunting Queries/NGINXRareFilesRequested.yaml

@@ -7,6 +7,9 @@ requiredDataConnectors:
   - connectorId: NGINXHTTPServer
     dataTypes:
       - NGINXHTTPServer
+  - connectorId: CustomLogsAma
+    dataTypes:
+      - NGINX_CL
 tactics:
   - InitialAccess
 relevantTechniques:

Solutions/NGINX HTTP Server/Hunting Queries/NGINXRareURLsRequested.yaml

@@ -7,6 +7,9 @@ requiredDataConnectors:
   - connectorId: NGINXHTTPServer
     dataTypes:
       - NGINXHTTPServer
+  - connectorId: CustomLogsAma
+    dataTypes:
+      - NGINX_CL
 tactics:
   - InitialAccess
 relevantTechniques:

Solutions/NGINX HTTP Server/Hunting Queries/NGINXRequestsFromBotsCrawlers.yaml

@@ -7,6 +7,9 @@ requiredDataConnectors:
   - connectorId: NGINXHTTPServer
     dataTypes:
       - NGINXHTTPServer
+  - connectorId: CustomLogsAma
+    dataTypes:
+      - NGINX_CL
 tactics:
   - InitialAccess
 relevantTechniques:

Solutions/NGINX HTTP Server/Hunting Queries/NGINXRequestsToUnexistingFiles.yaml

@@ -7,6 +7,9 @@ requiredDataConnectors:
   - connectorId: NGINXHTTPServer
     dataTypes:
       - NGINXHTTPServer
+  - connectorId: CustomLogsAma
+    dataTypes:
+      - NGINX_CL
 tactics:
   - InitialAccess
 relevantTechniques:

Solutions/NGINX HTTP Server/Hunting Queries/NGINXTopFilesRequested.yaml

@@ -7,6 +7,9 @@ requiredDataConnectors:
   - connectorId: NGINXHTTPServer
     dataTypes:
       - NGINXHTTPServer
+  - connectorId: CustomLogsAma
+    dataTypes:
+      - NGINX_CL
 tactics:
   - InitialAccess
 relevantTechniques:

Solutions/NGINX HTTP Server/Hunting Queries/NGINXTopFilesWithErrorRequests.yaml

@@ -7,6 +7,9 @@ requiredDataConnectors:
   - connectorId: NGINXHTTPServer
     dataTypes:
       - NGINXHTTPServer
+  - connectorId: CustomLogsAma
+    dataTypes:
+      - NGINX_CL
 tactics:
   - InitialAccess
 relevantTechniques:

Solutions/NGINX HTTP Server/Hunting Queries/NGINXTopURLsClientErrors.yaml

@@ -7,6 +7,9 @@ requiredDataConnectors:
   - connectorId: NGINXHTTPServer
     dataTypes:
       - NGINXHTTPServer
+  - connectorId: CustomLogsAma
+    dataTypes:
+      - NGINX_CL
 tactics:
   - Impact
   - InitialAccess

Solutions/NGINX HTTP Server/Hunting Queries/NGINXTopURLsServerErrors.yaml

@@ -7,6 +7,9 @@ requiredDataConnectors:
   - connectorId: NGINXHTTPServer
     dataTypes:
       - NGINXHTTPServer
+  - connectorId: CustomLogsAma
+    dataTypes:
+      - NGINX_CL
 tactics:
   - Impact
   - InitialAccess

Solutions/NGINX HTTP Server/Hunting Queries/NGINXUncommonUAsString.yaml

@@ -7,6 +7,9 @@ requiredDataConnectors:
   - connectorId: NGINXHTTPServer
     dataTypes:
       - NGINXHTTPServer
+  - connectorId: CustomLogsAma
+    dataTypes:
+      - NGINX_CL
 tactics:
   - InitialAccess
 relevantTechniques:

Solutions/NGINX HTTP Server/Package/createUiDefinition.json

@@ -6,7 +6,7 @@
     "config": {
       "isWizard": false,
       "basics": {
-        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [NGINX](https://nginx.org/) HTTP Server data connector provides the capability to ingest [NGINX HTTP Server](https://nginx.org/#basic_http_features) events into Microsoft Sentinel. Refer to [NGINX Logs documentation](https://nginx.org/en/docs/http/ngx_http_log_module.html) for more information. \n \n **Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs: \n \n a. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/NGINX%20HTTP%20Server/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [NGINX](https://nginx.org/) HTTP Server data connector provides the capability to ingest [NGINX HTTP Server](https://nginx.org/#basic_http_features) events into Microsoft Sentinel. Refer to [NGINX Logs documentation](https://nginx.org/en/docs/http/ngx_http_log_module.html) for more information.\n\n This solution is dependent on the Custom logs via AMA connector to collect the logs. The Custom logs solution will be installed as part of this solution installation. \n\n **NOTE**: Microsoft recommends installation of Custom logs via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024**. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/azure/sentinel/ama-migrate?WT.mc_id=Portal-fx).\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
         "subscription": {
           "resourceProviders": [
             "Microsoft.OperationsManagement/solutions",
@@ -60,14 +60,14 @@
             "name": "dataconnectors1-text",
             "type": "Microsoft.Common.TextBlock",
             "options": {
-              "text": "The NGINX HTTP Server data connector provides the capability to ingest NGINX HTTP Server events into Microsoft Sentinel. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+              "text": "This Solution installs the data connector for NGINX HTTP Server. You can get NGINX HTTP Server custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
             }
           },
           {
             "name": "dataconnectors-parser-text",
             "type": "Microsoft.Common.TextBlock",
             "options": {
-              "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seThe solution also installs a parser that transforms ingested data. The transformed logs can be accessed using the NGINXHTTPServer Kusto Function aliasamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel."
+              "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel."
             }
           },
           {
@@ -323,7 +323,7 @@
                 "name": "huntingquery1-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "Query searches uncommon user agent strings. This hunting query depends on NGINXHTTPServer data connector (NGINXHTTPServer Parser or Table)"
+                  "text": "Query searches uncommon user agent strings. This hunting query depends on NGINXHTTPServer CustomLogsAma data connector (NGINXHTTPServer NGINX_CL Parser or Table)"
                 }
               }
             ]
@@ -337,7 +337,7 @@
                 "name": "huntingquery2-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "Query shows abnormal request size. This hunting query depends on NGINXHTTPServer data connector (NGINXHTTPServer Parser or Table)"
+                  "text": "Query shows abnormal request size. This hunting query depends on NGINXHTTPServer CustomLogsAma data connector (NGINXHTTPServer NGINX_CL Parser or Table)"
                 }
               }
             ]
@@ -351,7 +351,7 @@
                 "name": "huntingquery3-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "Query shows rare files requested This hunting query depends on NGINXHTTPServer data connector (NGINXHTTPServer Parser or Table)"
+                  "text": "Query shows rare files requested This hunting query depends on NGINXHTTPServer CustomLogsAma data connector (NGINXHTTPServer NGINX_CL Parser or Table)"
                 }
               }
             ]
@@ -365,7 +365,7 @@
                 "name": "huntingquery4-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "Query shows rare URLs requested. This hunting query depends on NGINXHTTPServer data connector (NGINXHTTPServer Parser or Table)"
+                  "text": "Query shows rare URLs requested. This hunting query depends on NGINXHTTPServer CustomLogsAma data connector (NGINXHTTPServer NGINX_CL Parser or Table)"
                 }
               }
             ]
@@ -379,7 +379,7 @@
                 "name": "huntingquery5-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "Query searches requests from bots and crawlers. This hunting query depends on NGINXHTTPServer data connector (NGINXHTTPServer Parser or Table)"
+                  "text": "Query searches requests from bots and crawlers. This hunting query depends on NGINXHTTPServer CustomLogsAma data connector (NGINXHTTPServer NGINX_CL Parser or Table)"
                 }
               }
             ]
@@ -393,7 +393,7 @@
                 "name": "huntingquery6-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "Query shows list of requests to unexisting files This hunting query depends on NGINXHTTPServer data connector (NGINXHTTPServer Parser or Table)"
+                  "text": "Query shows list of requests to unexisting files This hunting query depends on NGINXHTTPServer CustomLogsAma data connector (NGINXHTTPServer NGINX_CL Parser or Table)"
                 }
               }
             ]
@@ -407,7 +407,7 @@
                 "name": "huntingquery7-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "Query shows list of files requested This hunting query depends on NGINXHTTPServer data connector (NGINXHTTPServer Parser or Table)"
+                  "text": "Query shows list of files requested This hunting query depends on NGINXHTTPServer CustomLogsAma data connector (NGINXHTTPServer NGINX_CL Parser or Table)"
                 }
               }
             ]
@@ -421,7 +421,7 @@
                 "name": "huntingquery8-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "Query shows list of files with error requests. This hunting query depends on NGINXHTTPServer data connector (NGINXHTTPServer Parser or Table)"
+                  "text": "Query shows list of files with error requests. This hunting query depends on NGINXHTTPServer CustomLogsAma data connector (NGINXHTTPServer NGINX_CL Parser or Table)"
                 }
               }
             ]
@@ -435,7 +435,7 @@
                 "name": "huntingquery9-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "Query shows URLs list with client errors. This hunting query depends on NGINXHTTPServer data connector (NGINXHTTPServer Parser or Table)"
+                  "text": "Query shows URLs list with client errors. This hunting query depends on NGINXHTTPServer CustomLogsAma data connector (NGINXHTTPServer NGINX_CL Parser or Table)"
                 }
               }
             ]
@@ -449,7 +449,7 @@
                 "name": "huntingquery10-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "Query shows URLs list with server errors. This hunting query depends on NGINXHTTPServer data connector (NGINXHTTPServer Parser or Table)"
+                  "text": "Query shows URLs list with server errors. This hunting query depends on NGINXHTTPServer CustomLogsAma data connector (NGINXHTTPServer NGINX_CL Parser or Table)"
                 }
               }
             ]

Solutions/NGINX HTTP Server/Package/testParameters.json

@@ -0,0 +1,32 @@
+{
+  "location": {
+    "type": "string",
+    "minLength": 1,
+    "defaultValue": "[resourceGroup().location]",
+    "metadata": {
+      "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`.  We instead use the `workspace-location` which is derived from the LA workspace"
+    }
+  },
+  "workspace-location": {
+    "type": "string",
+    "defaultValue": "",
+    "metadata": {
+      "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
+    }
+  },
+  "workspace": {
+    "defaultValue": "",
+    "type": "string",
+    "metadata": {
+      "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
+    }
+  },
+  "workbook1-name": {
+    "type": "string",
+    "defaultValue": "NGINX HTTP Server",
+    "minLength": 1,
+    "metadata": {
+      "description": "Name for the workbook"
+    }
+  }
+}

Solutions/NGINX HTTP Server/Parsers/NGINXHTTPServer.txt

@@ -1,52 +0,0 @@
-// Reference : Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions
-let nginx_accesslog_events =() {
-NGINX_CL
-| where RawData matches regex @'(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).*\[.*\]\s\"(GET|POST).*?\"\s([1-5][0-9]{2})\s(\d+)\s\"(.*?)\"\s\"(.*?)\".*'
-| extend EventProduct = 'NGINX'
-| extend EventType = 'AccessLog'
-| extend EventData = split(RawData, '"')
-| extend SubEventData0 = split(trim_start(@' ', (trim_end(@' ', tostring(EventData[0])))), ' ')
-| extend SubEventData1 = split(EventData[1], ' ')
-| extend SubEventData2 = split(trim_start(@' ', (trim_end(@' ', tostring(EventData[2])))), ' ')
-| extend SrcIpAddr = tostring(SubEventData0[0])
-| extend SrcUserName = SubEventData0[2]
-| extend EventStartTime = todatetime(replace(@'\/', @'-', replace(@'(\d{2}\/\w{3}\/\d{4}):(\d{2}\:\d{2}\:\d{2})', @'\1 \2', extract(@'\[(.*?)\+\d+\]', 1, RawData))))
-| extend HttpRequestMethod = SubEventData1[0]
-| extend UrlOriginal = SubEventData1[1]
-| extend HttpVersion = SubEventData1[2]
-| extend HttpStatusCode = SubEventData2[0]
-| extend HttpResponseBodyBytes = SubEventData2[1]
-| extend HttpReferrerOriginal = EventData[3]
-| extend HttpUserAgentOriginal = EventData[5]
-};
-let nginx_errorlog_events=() {
-NGINX_CL
-| where RawData matches regex @'\A\d{4}\/\d{2}\/\d{2}\s+\d{2}\:\d{2}\:\d{2}\s+\[.*?\]\s\d+\#\d+\:'
-| extend EventProduct = 'NGINX'
-| extend EventType = 'ErrorLog'
-| extend EventType = 'ErrorLog'
-| extend EventSeverity = extract(@'\[(.*?)\]', 1, RawData)
-| extend EventStartTime = todatetime(replace(@'\/', '-', extract(@'\A(.*?)\s\[', 1, RawData)))
-| extend SrcIpAddr = extract(@'client: (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})', 1, RawData)
-| extend ProcessId = extract(@'\]\s(\d+)\#', 1, RawData)
-| extend ThreadId = extract(@'\]\s\d+\#(\d+)\:', 1, RawData)
-| extend EventMessage = extract(@'\d+\#\d+\:\s(.*)', 1, RawData)
-};
-union isfuzzy=true nginx_accesslog_events, nginx_errorlog_events
-| project TimeGenerated
-        , EventProduct
-        , EventType
-        , EventSeverity
-        , EventStartTime
-        , SrcIpAddr
-        , SrcUserName
-        , HttpRequestMethod
-        , UrlOriginal
-        , HttpVersion
-        , HttpStatusCode
-        , HttpResponseBodyBytes
-        , HttpReferrerOriginal
-        , HttpUserAgentOriginal
-        , ProcessId
-        , ThreadId
-        , EventMessage

Solutions/NGINX HTTP Server/ReleaseNotes.md

@@ -0,0 +1,3 @@
+| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History**                          |
+|-------------|--------------------------------|---------------------------------------------|
+| 3.0.0       |  08-08-2024                    | Deprecating data connectors                 |

Solutions/NGINX HTTP Server/SolutionMetadata.json

@@ -4,7 +4,7 @@
 	"firstPublishDate": "2021-12-16",
 	"providers": ["Nginx"],
 	"categories": {
-		"domains" : ["Security – Network", "Networking","DevOps"]
+		"domains" : ["Security - Network", "Networking","DevOps"]
 	},
 	"support": {
 	  "name": "Microsoft Corporation",

Solutions/OracleWebLogicServer/Analytic Rules/OracleWebLogicCommandInURI.yaml

@@ -8,6 +8,9 @@ requiredDataConnectors:
   - connectorId: OracleWebLogicServer
     dataTypes:
       - OracleWebLogicServerEvent
+  - connectorId: CustomLogsAma
+    dataTypes:
+      - OracleWebLogicServer_CL
 queryFrequency: 15m
 queryPeriod: 15m
 triggerOperator: gt
@@ -26,5 +29,5 @@ entityMappings:
     fieldMappings:
       - identifier: Url
         columnName: UrlCustomEntity
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled

Solutions/OracleWebLogicServer/Analytic Rules/OracleWebLogicDifferentUAsFromSingleIP.yaml

@@ -8,6 +8,9 @@ requiredDataConnectors:
   - connectorId: OracleWebLogicServer
     dataTypes:
       - OracleWebLogicServerEvent
+  - connectorId: CustomLogsAma
+    dataTypes:
+      - OracleWebLogicServer_CL
 queryFrequency: 1h
 queryPeriod: 1h
 triggerOperator: gt
@@ -29,5 +32,5 @@ entityMappings:
     fieldMappings:
       - identifier: Address
         columnName: IPCustomEntity
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled

Solutions/OracleWebLogicServer/Analytic Rules/OracleWebLogicExploitCVE-2021-2109.yaml

@@ -8,6 +8,9 @@ requiredDataConnectors:
   - connectorId: OracleWebLogicServer
     dataTypes:
       - OracleWebLogicServerEvent
+  - connectorId: CustomLogsAma
+    dataTypes:
+      - OracleWebLogicServer_CL
 queryFrequency: 10m
 queryPeriod: 10m
 triggerOperator: gt
@@ -26,5 +29,5 @@ entityMappings:
     fieldMappings:
       - identifier: Url
         columnName: UrlCustomEntity
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled

Solutions/OracleWebLogicServer/Analytic Rules/OracleWebLogicKnownMaliciousUserAgents.yaml

@@ -8,6 +8,9 @@ requiredDataConnectors:
   - connectorId: OracleWebLogicServer
     dataTypes:
       - OracleWebLogicServerEvent
+  - connectorId: CustomLogsAma
+    dataTypes:
+      - OracleWebLogicServer_CL
 queryFrequency: 15m
 queryPeriod: 15m
 triggerOperator: gt
@@ -27,5 +30,5 @@ entityMappings:
     fieldMappings:
       - identifier: Address
         columnName: IPCustomEntity
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled

Solutions/OracleWebLogicServer/Analytic Rules/OracleWebLogicMultipleClientErrorsFromSingleIP.yaml

@@ -8,6 +8,9 @@ requiredDataConnectors:
   - connectorId: OracleWebLogicServer
     dataTypes:
       - OracleWebLogicServerEvent
+  - connectorId: CustomLogsAma
+    dataTypes:
+      - OracleWebLogicServer_CL
 queryFrequency: 1h
 queryPeriod: 1h
 triggerOperator: gt
@@ -29,5 +32,5 @@ entityMappings:
     fieldMappings:
       - identifier: Address
         columnName: IPCustomEntity
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled

Solutions/OracleWebLogicServer/Analytic Rules/OracleWebLogicMultipleServerErrorsRequestsFromSingleIP.yaml

@@ -8,6 +8,9 @@ requiredDataConnectors:
   - connectorId: OracleWebLogicServer
     dataTypes:
       - OracleWebLogicServerEvent
+  - connectorId: CustomLogsAma
+    dataTypes:
+      - OracleWebLogicServer_CL
 queryFrequency: 1h
 queryPeriod: 1h
 triggerOperator: gt
@@ -31,5 +34,5 @@ entityMappings:
     fieldMappings:
       - identifier: Address
         columnName: IPCustomEntity
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled

Solutions/OracleWebLogicServer/Analytic Rules/OracleWebLogicPrivateIpInUrl.yaml

@@ -8,6 +8,9 @@ requiredDataConnectors:
   - connectorId: OracleWebLogicServer
     dataTypes:
       - OracleWebLogicServerEvent
+  - connectorId: CustomLogsAma
+    dataTypes:
+      - OracleWebLogicServer_CL
 queryFrequency: 1h
 queryPeriod: 1h
 triggerOperator: gt
@@ -31,5 +34,5 @@ entityMappings:
     fieldMappings:
       - identifier: Address
         columnName: IPCustomEntity
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled

Solutions/OracleWebLogicServer/Analytic Rules/OracleWebLogicPutAndGetFileFromSameIP.yaml

@@ -8,6 +8,9 @@ requiredDataConnectors:
   - connectorId: OracleWebLogicServer
     dataTypes:
       - OracleWebLogicServerEvent
+  - connectorId: CustomLogsAma
+    dataTypes:
+      - OracleWebLogicServer_CL
 queryFrequency: 1h
 queryPeriod: 1h
 triggerOperator: gt
@@ -40,5 +43,5 @@ entityMappings:
     fieldMappings:
       - identifier: Url
         columnName: UrlCustomEntity
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled

Solutions/OracleWebLogicServer/Analytic Rules/OracleWebLogicPutSuspiciousFiles.yaml

@@ -8,6 +8,9 @@ requiredDataConnectors:
   - connectorId: OracleWebLogicServer
     dataTypes:
       - OracleWebLogicServerEvent
+  - connectorId: CustomLogsAma
+    dataTypes:
+      - OracleWebLogicServer_CL
 queryFrequency: 1h
 queryPeriod: 1h
 triggerOperator: gt
@@ -39,5 +42,5 @@ entityMappings:
     fieldMappings:
       - identifier: Address
         columnName: IPCustomEntity
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled

Solutions/OracleWebLogicServer/Analytic Rules/OracleWebLogicRequestToSensitiveFiles.yaml

@@ -8,6 +8,9 @@ requiredDataConnectors:
   - connectorId: OracleWebLogicServer
     dataTypes:
       - OracleWebLogicServerEvent
+  - connectorId: CustomLogsAma
+    dataTypes:
+      - OracleWebLogicServer_CL
 queryFrequency: 15m
 queryPeriod: 15m
 triggerOperator: gt
@@ -32,5 +35,5 @@ entityMappings:
     fieldMappings:
       - identifier: Url
         columnName: UrlCustomEntity
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled

Solutions/OracleWebLogicServer/Data Connectors/Connector_OracleWebLogicServer_agent.json

@@ -1,6 +1,6 @@
 {
     "id": "OracleWebLogicServer",
-    "title": "Oracle WebLogic Server",
+    "title": "[Deprecated] Oracle WebLogic Server",
     "publisher": "Oracle",
     "descriptionMarkdown": "OracleWebLogicServer data connector provides the capability to ingest [OracleWebLogicServer](https://docs.oracle.com/en/middleware/standalone/weblogic-server/index.html) events into Microsoft Sentinel. Refer to [OracleWebLogicServer documentation](https://docs.oracle.com/en/middleware/standalone/weblogic-server/14.1.1.0/index.html) for more information.",
     "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution.",

Solutions/OracleWebLogicServer/Data/Solution_OracleWebLogicServer.json

@@ -2,7 +2,7 @@
   "Name": "OracleWebLogicServer",
   "Author": "Microsoft - support@microsoft.com",
   "Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">",
-  "Description": "The [Oracle](https://www.oracle.com/index.html) WebLogic Server solution for Microsoft Sentinel provides the capability to ingest [Oracle Web Logic Server](https://docs.oracle.com/en/middleware/standalone/weblogic-server/index.html) events into Microsoft Sentinel. Oracle WebLogic Server is a server for building and deploying enterprise Java EE applications with support for new features for lowering cost of operations, improving performance, enhancing scalability, and supporting the Oracle Applications portfolio.\r\n  \r\n  **Underlying Microsoft Technologies used:** \r\n\r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\n  a. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\r\n\n",
+  "Description": "The [Oracle](https://www.oracle.com/index.html) WebLogic Server solution for Microsoft Sentinel provides the capability to ingest [Oracle Web Logic Server](https://docs.oracle.com/en/middleware/standalone/weblogic-server/index.html) events into Microsoft Sentinel. Oracle WebLogic Server is a server for building and deploying enterprise Java EE applications with support for new features for lowering cost of operations, improving performance, enhancing scalability, and supporting the Oracle Applications portfolio.\n\n This solution is dependent on the Custom logs via AMA connector to collect the logs. The Custom logs solution will be installed as part of this solution installation. \n\n **NOTE**: Microsoft recommends installation of Custom logs via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024**. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/azure/sentinel/ama-migrate?WT.mc_id=Portal-fx).",
   "Workbooks": [ 
     "Workbooks/OracleWorkbook.json" 
    ],
@@ -35,10 +35,13 @@
     "Analytic Rules/OracleWebLogicPutAndGetFileFromSameIP.yaml",
     "Analytic Rules/OracleWebLogicPutSuspiciousFiles.yaml",
     "Analytic Rules/OracleWebLogicRequestToSensitiveFiles.yaml"
+  ],
+  "dependentDomainSolutionIds": [
+    "azuresentinel.azure-sentinel-solution-customlogsviaama"
   ],
    "Metadata": "SolutionMetadata.json",
   "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\OracleWebLogicServer",
-  "Version": "3.0.0",
+  "Version": "3.0.1",
   "TemplateSpec": true,
   "Is1PConnector": false
 }

Solutions/OracleWebLogicServer/Hunting Queries/OracleWebLogic403RequestsFiles.yaml

@@ -7,6 +7,9 @@ requiredDataConnectors:
   - connectorId: OracleWebLogicServer
     dataTypes:
       - OracleWebLogicServerEvent
+  - connectorId: CustomLogsAma
+    dataTypes:
+      - OracleWebLogicServer_CL
 tactics:
   - InitialAccess
 relevantTechniques:

Solutions/OracleWebLogicServer/Hunting Queries/OracleWebLogicAbnormalRequestSize.yaml

@@ -7,6 +7,9 @@ requiredDataConnectors:
   - connectorId: OracleWebLogicServer
     dataTypes:
       - OracleWebLogicServerEvent
+  - connectorId: CustomLogsAma
+    dataTypes:
+      - OracleWebLogicServer_CL
 tactics:
   - Exfiltration
   - Collection

Solutions/OracleWebLogicServer/Hunting Queries/OracleWebLogicCriticalEventSeverity.yaml

@@ -7,6 +7,9 @@ requiredDataConnectors:
   - connectorId: OracleWebLogicServer
     dataTypes:
       - OracleWebLogicServerEvent
+  - connectorId: CustomLogsAma
+    dataTypes:
+      - OracleWebLogicServer_CL
 tactics:
   - InitialAccess
 relevantTechniques:

Solutions/OracleWebLogicServer/Hunting Queries/OracleWebLogicErrors.yaml

@@ -7,6 +7,9 @@ requiredDataConnectors:
   - connectorId: OracleWebLogicServer
     dataTypes:
       - OracleWebLogicServerEvent
+  - connectorId: CustomLogsAma
+    dataTypes:
+      - OracleWebLogicServer_CL
 tactics:
   - DefenseEvasion
 relevantTechniques:

Solutions/OracleWebLogicServer/Hunting Queries/OracleWebLogicFilesErrorRequests.yaml

@@ -7,6 +7,9 @@ requiredDataConnectors:
   - connectorId: OracleWebLogicServer
     dataTypes:
       - OracleWebLogicServerEvent
+  - connectorId: CustomLogsAma
+    dataTypes:
+      - OracleWebLogicServer_CL
 tactics:
   - InitialAccess
 relevantTechniques:

Solutions/OracleWebLogicServer/Hunting Queries/OracleWebLogicRareUAWithClientErrors.yaml

@@ -7,6 +7,9 @@ requiredDataConnectors:
   - connectorId: OracleWebLogicServer
     dataTypes:
       - OracleWebLogicServerEvent
+  - connectorId: CustomLogsAma
+    dataTypes:
+      - OracleWebLogicServer_CL
 tactics:
   - InitialAccess
 relevantTechniques:

Solutions/OracleWebLogicServer/Hunting Queries/OracleWebLogicRareURLsRequested.yaml

@@ -7,6 +7,9 @@ requiredDataConnectors:
   - connectorId: OracleWebLogicServer
     dataTypes:
       - OracleWebLogicServerEvent
+  - connectorId: CustomLogsAma
+    dataTypes:
+      - OracleWebLogicServer_CL
 tactics:
   - InitialAccess
 relevantTechniques:

Solutions/OracleWebLogicServer/Hunting Queries/OracleWebLogicUncommonUserAgents.yaml

@@ -7,6 +7,9 @@ requiredDataConnectors:
   - connectorId: OracleWebLogicServer
     dataTypes:
       - OracleWebLogicServerEvent
+  - connectorId: CustomLogsAma
+    dataTypes:
+      - OracleWebLogicServer_CL
 tactics:
   - InitialAccess
 relevantTechniques:

Solutions/OracleWebLogicServer/Hunting Queries/OracleWebLogicUrlClienterrors.yaml

@@ -7,6 +7,9 @@ requiredDataConnectors:
   - connectorId: OracleWebLogicServer
     dataTypes:
       - OracleWebLogicServerEvent
+  - connectorId: CustomLogsAma
+    dataTypes:
+      - OracleWebLogicServer_CL
 tactics:
   - Impact
   - InitialAccess

Solutions/OracleWebLogicServer/Hunting Queries/OracleWebLogicUrlServerErrors.yaml

@@ -7,6 +7,9 @@ requiredDataConnectors:
   - connectorId: OracleWebLogicServer
     dataTypes:
       - OracleWebLogicServerEvent
+  - connectorId: CustomLogsAma
+    dataTypes:
+      - OracleWebLogicServer_CL
 tactics:
   - Impact
   - InitialAccess

Solutions/OracleWebLogicServer/Package/createUiDefinition.json

@@ -6,7 +6,7 @@
     "config": {
       "isWizard": false,
       "basics": {
-        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/OracleWebLogicServer/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Oracle](https://www.oracle.com/index.html) WebLogic Server solution for Microsoft Sentinel provides the capability to ingest [Oracle Web Logic Server](https://docs.oracle.com/en/middleware/standalone/weblogic-server/index.html) events into Microsoft Sentinel. Oracle WebLogic Server is a server for building and deploying enterprise Java EE applications with support for new features for lowering cost of operations, improving performance, enhancing scalability, and supporting the Oracle Applications portfolio.\r\n  \r\n  **Underlying Microsoft Technologies used:** \r\n\r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\n  a. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\r\n\n\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/OracleWebLogicServer/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Oracle](https://www.oracle.com/index.html) WebLogic Server solution for Microsoft Sentinel provides the capability to ingest [Oracle Web Logic Server](https://docs.oracle.com/en/middleware/standalone/weblogic-server/index.html) events into Microsoft Sentinel. Oracle WebLogic Server is a server for building and deploying enterprise Java EE applications with support for new features for lowering cost of operations, improving performance, enhancing scalability, and supporting the Oracle Applications portfolio.\n\n This solution is dependent on the Custom logs via AMA connector to collect the logs. The Custom logs solution will be installed as part of this solution installation. \n\n **NOTE**: Microsoft recommends installation of Custom logs via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024**. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/azure/sentinel/ama-migrate?WT.mc_id=Portal-fx).\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
         "subscription": {
           "resourceProviders": [
             "Microsoft.OperationsManagement/solutions",
@@ -323,7 +323,7 @@
                 "name": "huntingquery1-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "Query shows request to forbidden files. This hunting query depends on OracleWebLogicServer data connector (OracleWebLogicServerEvent Parser or Table)"
+                  "text": "Query shows request to forbidden files. This hunting query depends on OracleWebLogicServer CustomLogsAma data connector (OracleWebLogicServerEvent OracleWebLogicServer_CL Parser or Table)"
                 }
               }
             ]
@@ -337,7 +337,7 @@
                 "name": "huntingquery2-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "Query shows abnormal request size. This hunting query depends on OracleWebLogicServer data connector (OracleWebLogicServerEvent Parser or Table)"
+                  "text": "Query shows abnormal request size. This hunting query depends on OracleWebLogicServer CustomLogsAma data connector (OracleWebLogicServerEvent OracleWebLogicServer_CL Parser or Table)"
                 }
               }
             ]
@@ -351,7 +351,7 @@
                 "name": "huntingquery3-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "Query shows critical event severity This hunting query depends on OracleWebLogicServer data connector (OracleWebLogicServerEvent Parser or Table)"
+                  "text": "Query shows critical event severity This hunting query depends on OracleWebLogicServer CustomLogsAma data connector (OracleWebLogicServerEvent OracleWebLogicServer_CL Parser or Table)"
                 }
               }
             ]
@@ -365,7 +365,7 @@
                 "name": "huntingquery4-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "Query shows error messages. This hunting query depends on OracleWebLogicServer data connector (OracleWebLogicServerEvent Parser or Table)"
+                  "text": "Query shows error messages. This hunting query depends on OracleWebLogicServer CustomLogsAma data connector (OracleWebLogicServerEvent OracleWebLogicServer_CL Parser or Table)"
                 }
               }
             ]
@@ -379,7 +379,7 @@
                 "name": "huntingquery5-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "Query shows list of files with error requests. This hunting query depends on OracleWebLogicServer data connector (OracleWebLogicServerEvent Parser or Table)"
+                  "text": "Query shows list of files with error requests. This hunting query depends on OracleWebLogicServer CustomLogsAma data connector (OracleWebLogicServerEvent OracleWebLogicServer_CL Parser or Table)"
                 }
               }
             ]
@@ -393,7 +393,7 @@
                 "name": "huntingquery6-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "Query shows rare user agent strings with client errors This hunting query depends on OracleWebLogicServer data connector (OracleWebLogicServerEvent Parser or Table)"
+                  "text": "Query shows rare user agent strings with client errors This hunting query depends on OracleWebLogicServer CustomLogsAma data connector (OracleWebLogicServerEvent OracleWebLogicServer_CL Parser or Table)"
                 }
               }
             ]
@@ -407,7 +407,7 @@
                 "name": "huntingquery7-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "Query shows rare URLs requested. This hunting query depends on OracleWebLogicServer data connector (OracleWebLogicServerEvent Parser or Table)"
+                  "text": "Query shows rare URLs requested. This hunting query depends on OracleWebLogicServer CustomLogsAma data connector (OracleWebLogicServerEvent OracleWebLogicServer_CL Parser or Table)"
                 }
               }
             ]
@@ -421,7 +421,7 @@
                 "name": "huntingquery8-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "Query shows rare user agents This hunting query depends on OracleWebLogicServer data connector (OracleWebLogicServerEvent Parser or Table)"
+                  "text": "Query shows rare user agents This hunting query depends on OracleWebLogicServer CustomLogsAma data connector (OracleWebLogicServerEvent OracleWebLogicServer_CL Parser or Table)"
                 }
               }
             ]
@@ -435,7 +435,7 @@
                 "name": "huntingquery9-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "Query shows URLs list with client errors. This hunting query depends on OracleWebLogicServer data connector (OracleWebLogicServerEvent Parser or Table)"
+                  "text": "Query shows URLs list with client errors. This hunting query depends on OracleWebLogicServer CustomLogsAma data connector (OracleWebLogicServerEvent OracleWebLogicServer_CL Parser or Table)"
                 }
               }
             ]
@@ -449,7 +449,7 @@
                 "name": "huntingquery10-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "Query shows URLs list with server errors. This hunting query depends on OracleWebLogicServer data connector (OracleWebLogicServerEvent Parser or Table)"
+                  "text": "Query shows URLs list with server errors. This hunting query depends on OracleWebLogicServer CustomLogsAma data connector (OracleWebLogicServerEvent OracleWebLogicServer_CL Parser or Table)"
                 }
               }
             ]

Solutions/OracleWebLogicServer/Package/mainTemplate.json

@@ -118,74 +118,74 @@
     "dataConnectorVersion1": "1.0.0",
     "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
     "analyticRuleObject1": {
-      "analyticRuleVersion1": "1.0.1",
+      "analyticRuleVersion1": "1.0.2",
       "_analyticRulecontentId1": "6ae36a5e-573f-11ec-bf63-0242ac130002",
       "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '6ae36a5e-573f-11ec-bf63-0242ac130002')]",
       "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('6ae36a5e-573f-11ec-bf63-0242ac130002')))]",
-      "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','6ae36a5e-573f-11ec-bf63-0242ac130002','-', '1.0.1')))]"
+      "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','6ae36a5e-573f-11ec-bf63-0242ac130002','-', '1.0.2')))]"
     },
     "analyticRuleObject2": {
-      "analyticRuleVersion2": "1.0.1",
+      "analyticRuleVersion2": "1.0.2",
       "_analyticRulecontentId2": "44c7d12a-573f-11ec-bf63-0242ac130002",
       "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '44c7d12a-573f-11ec-bf63-0242ac130002')]",
       "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('44c7d12a-573f-11ec-bf63-0242ac130002')))]",
-      "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','44c7d12a-573f-11ec-bf63-0242ac130002','-', '1.0.1')))]"
+      "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','44c7d12a-573f-11ec-bf63-0242ac130002','-', '1.0.2')))]"
     },
     "analyticRuleObject3": {
-      "analyticRuleVersion3": "1.0.1",
+      "analyticRuleVersion3": "1.0.2",
       "_analyticRulecontentId3": "67950168-5740-11ec-bf63-0242ac130002",
       "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '67950168-5740-11ec-bf63-0242ac130002')]",
       "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('67950168-5740-11ec-bf63-0242ac130002')))]",
-      "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','67950168-5740-11ec-bf63-0242ac130002','-', '1.0.1')))]"
+      "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','67950168-5740-11ec-bf63-0242ac130002','-', '1.0.2')))]"
     },
     "analyticRuleObject4": {
-      "analyticRuleVersion4": "1.0.1",
+      "analyticRuleVersion4": "1.0.2",
       "_analyticRulecontentId4": "51d050ee-5740-11ec-bf63-0242ac130002",
       "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '51d050ee-5740-11ec-bf63-0242ac130002')]",
       "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('51d050ee-5740-11ec-bf63-0242ac130002')))]",
-      "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','51d050ee-5740-11ec-bf63-0242ac130002','-', '1.0.1')))]"
+      "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','51d050ee-5740-11ec-bf63-0242ac130002','-', '1.0.2')))]"
     },
     "analyticRuleObject5": {
-      "analyticRuleVersion5": "1.0.1",
+      "analyticRuleVersion5": "1.0.2",
       "_analyticRulecontentId5": "41775080-5740-11ec-bf63-0242ac130002",
       "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '41775080-5740-11ec-bf63-0242ac130002')]",
       "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('41775080-5740-11ec-bf63-0242ac130002')))]",
-      "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','41775080-5740-11ec-bf63-0242ac130002','-', '1.0.1')))]"
+      "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','41775080-5740-11ec-bf63-0242ac130002','-', '1.0.2')))]"
     },
     "analyticRuleObject6": {
-      "analyticRuleVersion6": "1.0.1",
+      "analyticRuleVersion6": "1.0.2",
       "_analyticRulecontentId6": "268f4fde-5740-11ec-bf63-0242ac130002",
       "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '268f4fde-5740-11ec-bf63-0242ac130002')]",
       "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('268f4fde-5740-11ec-bf63-0242ac130002')))]",
-      "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','268f4fde-5740-11ec-bf63-0242ac130002','-', '1.0.1')))]"
+      "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','268f4fde-5740-11ec-bf63-0242ac130002','-', '1.0.2')))]"
     },
     "analyticRuleObject7": {
-      "analyticRuleVersion7": "1.0.1",
+      "analyticRuleVersion7": "1.0.2",
       "_analyticRulecontentId7": "153ce6d8-5740-11ec-bf63-0242ac130002",
       "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '153ce6d8-5740-11ec-bf63-0242ac130002')]",
       "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('153ce6d8-5740-11ec-bf63-0242ac130002')))]",
-      "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','153ce6d8-5740-11ec-bf63-0242ac130002','-', '1.0.1')))]"
+      "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','153ce6d8-5740-11ec-bf63-0242ac130002','-', '1.0.2')))]"
     },
     "analyticRuleObject8": {
-      "analyticRuleVersion8": "1.0.0",
+      "analyticRuleVersion8": "1.0.1",
       "_analyticRulecontentId8": "033e98d2-5740-11ec-bf63-0242ac130002",
       "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '033e98d2-5740-11ec-bf63-0242ac130002')]",
       "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('033e98d2-5740-11ec-bf63-0242ac130002')))]",
-      "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','033e98d2-5740-11ec-bf63-0242ac130002','-', '1.0.0')))]"
+      "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','033e98d2-5740-11ec-bf63-0242ac130002','-', '1.0.1')))]"
     },
     "analyticRuleObject9": {
-      "analyticRuleVersion9": "1.0.1",
+      "analyticRuleVersion9": "1.0.2",
       "_analyticRulecontentId9": "edc2f2b4-573f-11ec-bf63-0242ac130002",
       "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'edc2f2b4-573f-11ec-bf63-0242ac130002')]",
       "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('edc2f2b4-573f-11ec-bf63-0242ac130002')))]",
-      "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','edc2f2b4-573f-11ec-bf63-0242ac130002','-', '1.0.1')))]"
+      "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','edc2f2b4-573f-11ec-bf63-0242ac130002','-', '1.0.2')))]"
     },
     "analyticRuleObject10": {
-      "analyticRuleVersion10": "1.0.1",
+      "analyticRuleVersion10": "1.0.2",
       "_analyticRulecontentId10": "9cc9ed36-573f-11ec-bf63-0242ac130002",
       "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9cc9ed36-573f-11ec-bf63-0242ac130002')]",
       "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('9cc9ed36-573f-11ec-bf63-0242ac130002')))]",
-      "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','9cc9ed36-573f-11ec-bf63-0242ac130002','-', '1.0.1')))]"
+      "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','9cc9ed36-573f-11ec-bf63-0242ac130002','-', '1.0.2')))]"
     },
     "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
   },
@@ -1285,7 +1285,7 @@
               "properties": {
                 "connectorUiConfig": {
                   "id": "[variables('_uiConfigId1')]",
-                  "title": "Oracle WebLogic Server (using Azure Functions)",
+                  "title": "[Deprecated] Oracle WebLogic Server",
                   "publisher": "Oracle",
                   "descriptionMarkdown": "OracleWebLogicServer data connector provides the capability to ingest [OracleWebLogicServer](https://docs.oracle.com/en/middleware/standalone/weblogic-server/index.html) events into Microsoft Sentinel. Refer to [OracleWebLogicServer documentation](https://docs.oracle.com/en/middleware/standalone/weblogic-server/14.1.1.0/index.html) for more information.",
                   "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution.",
@@ -1476,7 +1476,7 @@
         "contentSchemaVersion": "3.0.0",
         "contentId": "[variables('_dataConnectorContentId1')]",
         "contentKind": "DataConnector",
-        "displayName": "Oracle WebLogic Server (using Azure Functions)",
+        "displayName": "[Deprecated] Oracle WebLogic Server",
         "contentProductId": "[variables('_dataConnectorcontentProductId1')]",
         "id": "[variables('_dataConnectorcontentProductId1')]",
         "version": "[variables('dataConnectorVersion1')]"
@@ -1520,7 +1520,7 @@
       "kind": "GenericUI",
       "properties": {
         "connectorUiConfig": {
-          "title": "Oracle WebLogic Server (using Azure Functions)",
+          "title": "[Deprecated] Oracle WebLogic Server",
           "publisher": "Oracle",
           "descriptionMarkdown": "OracleWebLogicServer data connector provides the capability to ingest [OracleWebLogicServer](https://docs.oracle.com/en/middleware/standalone/weblogic-server/index.html) events into Microsoft Sentinel. Refer to [OracleWebLogicServer documentation](https://docs.oracle.com/en/middleware/standalone/weblogic-server/14.1.1.0/index.html) for more information.",
           "graphQueries": [
@@ -1696,7 +1696,7 @@
             {
               "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
               "name": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
-              "apiVersion": "2022-04-01-preview",
+              "apiVersion": "2023-02-01-preview",
               "kind": "Scheduled",
               "location": "[parameters('workspace-location')]",
               "properties": {
@@ -1714,10 +1714,16 @@
                 "status": "Available",
                 "requiredDataConnectors": [
                   {
+                    "connectorId": "OracleWebLogicServer",
                     "dataTypes": [
                       "OracleWebLogicServerEvent"
-                    ],
+                    ]
-                    "connectorId": "OracleWebLogicServer"
+                  },
+                  {
+                    "connectorId": "CustomLogsAma",
+                    "dataTypes": [
+                      "OracleWebLogicServerEvent"
+                    ]
                   }
                 ],
                 "tactics": [
@@ -1729,13 +1735,13 @@
                 ],
                 "entityMappings": [
                   {
-                    "entityType": "URL",
                     "fieldMappings": [
                       {
-                        "identifier": "Url",
+                        "columnName": "UrlCustomEntity",
-                        "columnName": "UrlCustomEntity"
+                        "identifier": "Url"
                       }
-                    ]
+                    ],
+                    "entityType": "URL"
                   }
                 ]
               }
@@ -1801,7 +1807,7 @@
             {
               "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
               "name": "[variables('analyticRuleObject2')._analyticRulecontentId2]",
-              "apiVersion": "2022-04-01-preview",
+              "apiVersion": "2023-02-01-preview",
               "kind": "Scheduled",
               "location": "[parameters('workspace-location')]",
               "properties": {
@@ -1819,10 +1825,16 @@
                 "status": "Available",
                 "requiredDataConnectors": [
                   {
+                    "connectorId": "OracleWebLogicServer",
                     "dataTypes": [
                       "OracleWebLogicServerEvent"
-                    ],
+                    ]
-                    "connectorId": "OracleWebLogicServer"
+                  },
+                  {
+                    "connectorId": "CustomLogsAma",
+                    "dataTypes": [
+                      "OracleWebLogicServer_CL"
+                    ]
                   }
                 ],
                 "tactics": [
@@ -1834,13 +1846,13 @@
                 ],
                 "entityMappings": [
                   {
-                    "entityType": "IP",
                     "fieldMappings": [
                       {
-                        "identifier": "Address",
+                        "columnName": "IPCustomEntity",
-                        "columnName": "IPCustomEntity"
+                        "identifier": "Address"
                       }
-                    ]
+                    ],
+                    "entityType": "IP"
                   }
                 ]
               }
@@ -1906,7 +1918,7 @@
             {
               "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
               "name": "[variables('analyticRuleObject3')._analyticRulecontentId3]",
-              "apiVersion": "2022-04-01-preview",
+              "apiVersion": "2023-02-01-preview",
               "kind": "Scheduled",
               "location": "[parameters('workspace-location')]",
               "properties": {
@@ -1924,10 +1936,16 @@
                 "status": "Available",
                 "requiredDataConnectors": [
                   {
+                    "connectorId": "OracleWebLogicServer",
                     "dataTypes": [
                       "OracleWebLogicServerEvent"
-                    ],
+                    ]
-                    "connectorId": "OracleWebLogicServer"
+                  },
+                  {
+                    "connectorId": "CustomLogsAma",
+                    "dataTypes": [
+                      "OracleWebLogicServer_CL"
+                    ]
                   }
                 ],
                 "tactics": [
@@ -1938,13 +1956,13 @@
                 ],
                 "entityMappings": [
                   {
-                    "entityType": "URL",
                     "fieldMappings": [
                       {
-                        "identifier": "Url",
+                        "columnName": "UrlCustomEntity",
-                        "columnName": "UrlCustomEntity"
+                        "identifier": "Url"
                       }
-                    ]
+                    ],
+                    "entityType": "URL"
                   }
                 ]
               }
@@ -2010,7 +2028,7 @@
             {
               "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
               "name": "[variables('analyticRuleObject4')._analyticRulecontentId4]",
-              "apiVersion": "2022-04-01-preview",
+              "apiVersion": "2023-02-01-preview",
               "kind": "Scheduled",
               "location": "[parameters('workspace-location')]",
               "properties": {
@@ -2028,10 +2046,16 @@
                 "status": "Available",
                 "requiredDataConnectors": [
                   {
+                    "connectorId": "OracleWebLogicServer",
                     "dataTypes": [
                       "OracleWebLogicServerEvent"
-                    ],
+                    ]
-                    "connectorId": "OracleWebLogicServer"
+                  },
+                  {
+                    "connectorId": "CustomLogsAma",
+                    "dataTypes": [
+                      "OracleWebLogicServer_CL"
+                    ]
                   }
                 ],
                 "tactics": [
@@ -2043,13 +2067,13 @@
                 ],
                 "entityMappings": [
                   {
-                    "entityType": "IP",
                     "fieldMappings": [
                       {
-                        "identifier": "Address",
+                        "columnName": "IPCustomEntity",
-                        "columnName": "IPCustomEntity"
+                        "identifier": "Address"
                       }
-                    ]
+                    ],
+                    "entityType": "IP"
                   }
                 ]
               }
@@ -2115,7 +2139,7 @@
             {
               "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
               "name": "[variables('analyticRuleObject5')._analyticRulecontentId5]",
-              "apiVersion": "2022-04-01-preview",
+              "apiVersion": "2023-02-01-preview",
               "kind": "Scheduled",
               "location": "[parameters('workspace-location')]",
               "properties": {
@@ -2133,10 +2157,16 @@
                 "status": "Available",
                 "requiredDataConnectors": [
                   {
+                    "connectorId": "OracleWebLogicServer",
                     "dataTypes": [
                       "OracleWebLogicServerEvent"
-                    ],
+                    ]
-                    "connectorId": "OracleWebLogicServer"
+                  },
+                  {
+                    "connectorId": "CustomLogsAma",
+                    "dataTypes": [
+                      "OracleWebLogicServer_CL"
+                    ]
                   }
                 ],
                 "tactics": [
@@ -2148,13 +2178,13 @@
                 ],
                 "entityMappings": [
                   {
-                    "entityType": "IP",
                     "fieldMappings": [
                       {
-                        "identifier": "Address",
+                        "columnName": "IPCustomEntity",
-                        "columnName": "IPCustomEntity"
+                        "identifier": "Address"
                       }
-                    ]
+                    ],
+                    "entityType": "IP"
                   }
                 ]
               }
@@ -2220,7 +2250,7 @@
             {
               "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
               "name": "[variables('analyticRuleObject6')._analyticRulecontentId6]",
-              "apiVersion": "2022-04-01-preview",
+              "apiVersion": "2023-02-01-preview",
               "kind": "Scheduled",
               "location": "[parameters('workspace-location')]",
               "properties": {
@@ -2238,10 +2268,16 @@
                 "status": "Available",
                 "requiredDataConnectors": [
                   {
+                    "connectorId": "OracleWebLogicServer",
                     "dataTypes": [
                       "OracleWebLogicServerEvent"
-                    ],
+                    ]
-                    "connectorId": "OracleWebLogicServer"
+                  },
+                  {
+                    "connectorId": "CustomLogsAma",
+                    "dataTypes": [
+                      "OracleWebLogicServer_CL"
+                    ]
                   }
                 ],
                 "tactics": [
@@ -2255,13 +2291,13 @@
                 ],
                 "entityMappings": [
                   {
-                    "entityType": "IP",
                     "fieldMappings": [
                       {
-                        "identifier": "Address",
+                        "columnName": "IPCustomEntity",
-                        "columnName": "IPCustomEntity"
+                        "identifier": "Address"
                       }
-                    ]
+                    ],
+                    "entityType": "IP"
                   }
                 ]
               }
@@ -2327,7 +2363,7 @@
             {
               "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
               "name": "[variables('analyticRuleObject7')._analyticRulecontentId7]",
-              "apiVersion": "2022-04-01-preview",
+              "apiVersion": "2023-02-01-preview",
               "kind": "Scheduled",
               "location": "[parameters('workspace-location')]",
               "properties": {
@@ -2345,10 +2381,16 @@
                 "status": "Available",
                 "requiredDataConnectors": [
                   {
+                    "connectorId": "OracleWebLogicServer",
                     "dataTypes": [
                       "OracleWebLogicServerEvent"
-                    ],
+                    ]
-                    "connectorId": "OracleWebLogicServer"
+                  },
+                  {
+                    "connectorId": "CustomLogsAma",
+                    "dataTypes": [
+                      "OracleWebLogicServer_CL"
+                    ]
                   }
                 ],
                 "tactics": [
@@ -2360,22 +2402,22 @@
                 ],
                 "entityMappings": [
                   {
-                    "entityType": "URL",
                     "fieldMappings": [
                       {
-                        "identifier": "Url",
+                        "columnName": "UrlCustomEntity",
-                        "columnName": "UrlCustomEntity"
+                        "identifier": "Url"
                       }
-                    ]
+                    ],
+                    "entityType": "URL"
                   },
                   {
-                    "entityType": "IP",
                     "fieldMappings": [
                       {
-                        "identifier": "Address",
+                        "columnName": "IPCustomEntity",
-                        "columnName": "IPCustomEntity"
+                        "identifier": "Address"
                       }
-                    ]
+                    ],
+                    "entityType": "IP"
                   }
                 ]
               }
@@ -2441,7 +2483,7 @@
             {
               "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
               "name": "[variables('analyticRuleObject8')._analyticRulecontentId8]",
-              "apiVersion": "2022-04-01-preview",
+              "apiVersion": "2023-02-01-preview",
               "kind": "Scheduled",
               "location": "[parameters('workspace-location')]",
               "properties": {
@@ -2459,10 +2501,16 @@
                 "status": "Available",
                 "requiredDataConnectors": [
                   {
+                    "connectorId": "OracleWebLogicServer",
                     "dataTypes": [
                       "OracleWebLogicServerEvent"
-                    ],
+                    ]
-                    "connectorId": "OracleWebLogicServer"
+                  },
+                  {
+                    "connectorId": "CustomLogsAma",
+                    "dataTypes": [
+                      "OracleWebLogicServer_CL"
+                    ]
                   }
                 ],
                 "tactics": [
@@ -2474,22 +2522,22 @@
                 ],
                 "entityMappings": [
                   {
-                    "entityType": "IP",
                     "fieldMappings": [
                       {
-                        "identifier": "Address",
+                        "columnName": "IPCustomEntity",
-                        "columnName": "IPCustomEntity"
+                        "identifier": "Address"
                       }
-                    ]
+                    ],
+                    "entityType": "IP"
                   },
                   {
-                    "entityType": "URL",
                     "fieldMappings": [
                       {
-                        "identifier": "Url",
+                        "columnName": "UrlCustomEntity",
-                        "columnName": "UrlCustomEntity"
+                        "identifier": "Url"
                       }
-                    ]
+                    ],
+                    "entityType": "URL"
                   }
                 ]
               }
@@ -2555,7 +2603,7 @@
             {
               "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
               "name": "[variables('analyticRuleObject9')._analyticRulecontentId9]",
-              "apiVersion": "2022-04-01-preview",
+              "apiVersion": "2023-02-01-preview",
               "kind": "Scheduled",
               "location": "[parameters('workspace-location')]",
               "properties": {
@@ -2573,10 +2621,16 @@
                 "status": "Available",
                 "requiredDataConnectors": [
                   {
+                    "connectorId": "OracleWebLogicServer",
                     "dataTypes": [
                       "OracleWebLogicServerEvent"
-                    ],
+                    ]
-                    "connectorId": "OracleWebLogicServer"
+                  },
+                  {
+                    "connectorId": "CustomLogsAma",
+                    "dataTypes": [
+                      "OracleWebLogicServer_CL"
+                    ]
                   }
                 ],
                 "tactics": [
@@ -2590,31 +2644,31 @@
                 ],
                 "entityMappings": [
                   {
-                    "entityType": "File",
                     "fieldMappings": [
                       {
-                        "identifier": "Name",
+                        "columnName": "FileCustomEntity",
-                        "columnName": "FileCustomEntity"
+                        "identifier": "Name"
                       }
-                    ]
+                    ],
+                    "entityType": "File"
                   },
                   {
-                    "entityType": "URL",
                     "fieldMappings": [
                       {
-                        "identifier": "Url",
+                        "columnName": "UrlCustomEntity",
-                        "columnName": "UrlCustomEntity"
+                        "identifier": "Url"
                       }
-                    ]
+                    ],
+                    "entityType": "URL"
                   },
                   {
-                    "entityType": "IP",
                     "fieldMappings": [
                       {
-                        "identifier": "Address",
+                        "columnName": "IPCustomEntity",
-                        "columnName": "IPCustomEntity"
+                        "identifier": "Address"
                       }
-                    ]
+                    ],
+                    "entityType": "IP"
                   }
                 ]
               }
@@ -2680,7 +2734,7 @@
             {
               "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
               "name": "[variables('analyticRuleObject10')._analyticRulecontentId10]",
-              "apiVersion": "2022-04-01-preview",
+              "apiVersion": "2023-02-01-preview",
               "kind": "Scheduled",
               "location": "[parameters('workspace-location')]",
               "properties": {
@@ -2698,10 +2752,16 @@
                 "status": "Available",
                 "requiredDataConnectors": [
                   {
+                    "connectorId": "OracleWebLogicServer",
                     "dataTypes": [
                       "OracleWebLogicServerEvent"
-                    ],
+                    ]
-                    "connectorId": "OracleWebLogicServer"
+                  },
+                  {
+                    "connectorId": "CustomLogsAma",
+                    "dataTypes": [
+                      "OracleWebLogicServer_CL"
+                    ]
                   }
                 ],
                 "tactics": [
@@ -2712,22 +2772,22 @@
                 ],
                 "entityMappings": [
                   {
-                    "entityType": "File",
                     "fieldMappings": [
                       {
-                        "identifier": "Name",
+                        "columnName": "FileCustomEntity",
-                        "columnName": "FileCustomEntity"
+                        "identifier": "Name"
                       }
-                    ]
+                    ],
+                    "entityType": "File"
                   },
                   {
-                    "entityType": "URL",
                     "fieldMappings": [
                       {
-                        "identifier": "Url",
+                        "columnName": "UrlCustomEntity",
-                        "columnName": "UrlCustomEntity"
+                        "identifier": "Url"
                       }
-                    ]
+                    ],
+                    "entityType": "URL"
                   }
                 ]
               }
@@ -2784,7 +2844,7 @@
         "contentSchemaVersion": "3.0.0",
         "displayName": "OracleWebLogicServer",
         "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation",
-        "descriptionHtml": "<p><strong>Note:</strong> <em>There may be <a href=\"https://aka.ms/sentinelsolutionsknownissues\">known issues</a> pertaining to this Solution, please refer to them before installing.</em></p>\n<p>The <a href=\"https://www.oracle.com/index.html\">Oracle</a> WebLogic Server solution for Microsoft Sentinel provides the capability to ingest <a href=\"https://docs.oracle.com/en/middleware/standalone/weblogic-server/index.html\">Oracle Web Logic Server</a> events into Microsoft Sentinel. Oracle WebLogic Server is a server for building and deploying enterprise Java EE applications with support for new features for lowering cost of operations, improving performance, enhancing scalability, and supporting the Oracle Applications portfolio.</p>\n<p><strong>Underlying Microsoft Technologies used:</strong></p>\n<p>This solution takes a dependency on the following technologies, and some of these dependencies either may be in <a href=\"https://azure.microsoft.com/support/legal/preview-supplemental-terms/\">Preview</a> state or might result in additional ingestion or operational costs:</p>\n<ol type=\"a\">\n<li><a href=\"https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api\">Azure Monitor HTTP Data Collector API</a></li>\n</ol>\n<p><strong>Data Connectors:</strong> 1, <strong>Parsers:</strong> 1, <strong>Workbooks:</strong> 1, <strong>Analytic Rules:</strong> 10, <strong>Hunting Queries:</strong> 10</p>\n<p><a href=\"https://aka.ms/azuresentinel\">Learn more about Microsoft Sentinel</a> | <a href=\"https://aka.ms/azuresentinelsolutionsdoc\">Learn more about Solutions</a></p>\n",
+        "descriptionHtml": "<p><strong>Note:</strong> Please refer to the following before installing the solution:</p>\n<p>• Review the solution <a href=\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/OracleWebLogicServer/ReleaseNotes.md\">Release Notes</a></p>\n<p>• There may be <a href=\"https://aka.ms/sentinelsolutionsknownissues\">known issues</a> pertaining to this Solution, please refer to them before installing.</p>\n<p>The <a href=\"https://www.oracle.com/index.html\">Oracle</a> WebLogic Server solution for Microsoft Sentinel provides the capability to ingest <a href=\"https://docs.oracle.com/en/middleware/standalone/weblogic-server/index.html\">Oracle Web Logic Server</a> events into Microsoft Sentinel. Oracle WebLogic Server is a server for building and deploying enterprise Java EE applications with support for new features for lowering cost of operations, improving performance, enhancing scalability, and supporting the Oracle Applications portfolio.</p>\n<p>This solution is dependent on the Custom logs via AMA connector to collect the logs. The Custom logs solution will be installed as part of this solution installation.</p>\n<p><strong>NOTE</strong>: Microsoft recommends installation of Custom logs via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by <strong>Aug 31, 2024</strong>. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost <a href=\"https://learn.microsoft.com/azure/sentinel/ama-migrate?WT.mc_id=Portal-fx\">more details</a>.</p>\n<p><strong>Data Connectors:</strong> 1, <strong>Parsers:</strong> 1, <strong>Workbooks:</strong> 1, <strong>Analytic Rules:</strong> 10, <strong>Hunting Queries:</strong> 10</p>\n<p><a href=\"https://aka.ms/azuresentinel\">Learn more about Microsoft Sentinel</a> | <a href=\"https://aka.ms/azuresentinelsolutionsdoc\">Learn more about Solutions</a></p>\n",
         "contentKind": "Solution",
         "contentProductId": "[variables('_solutioncontentProductId')]",
         "id": "[variables('_solutioncontentProductId')]",
@@ -2807,7 +2867,6 @@
           "link": "https://support.microsoft.com"
         },
         "dependencies": {
-          "operator": "AND",
           "criteria": [
             {
               "kind": "Workbook",
@@ -2923,6 +2982,10 @@
               "kind": "AnalyticsRule",
               "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]",
               "version": "[variables('analyticRuleObject10').analyticRuleVersion10]"
+            },
+            {
+              "kind": "Solution",
+              "contentId": "azuresentinel.azure-sentinel-solution-customlogsviaama"
             }
           ]
         },

Solutions/OracleWebLogicServer/ReleaseNotes.md

@@ -1,3 +1,4 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History**                                                           |
 |-------------|--------------------------------|------------------------------------------------------------------------------|
+| 3.0.1       | 09-08-2024                     | Deprecating data connectors                                                  |
 | 3.0.0       | 15-12-2023                     | Updated the **Parser** field TreadId to ThreadId                             |

Solutions/PostgreSQL/Data Connectors/Connector_PostgreSQL.json

@@ -1,6 +1,6 @@
 {
     "id": "PostgreSQL",
-    "title": "PostgreSQL Events",
+    "title": "[Deprecated] PostgreSQL Events",
     "publisher": "PostgreSQL",
     "descriptionMarkdown": "PostgreSQL data connector provides the capability to ingest [PostgreSQL](https://www.postgresql.org/) events into Microsoft Sentinel. Refer to [PostgreSQL documentation](https://www.postgresql.org/docs/current/index.html) for more information.",
     "additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected. Follow the steps to use this Kusto Function alias **PostgreSQLEvent** in queries and workbooks. [Follow steps to get this Kusto Function>](https://aka.ms/sentinel-postgresql-parser)",