Merge branch 'master' into v-rusraut/CustomSolnOMSMigration

This commit is contained in:
v-rusraut 2024-08-14 15:51:40 +05:30
Parents bc18d0b223 61fb8f3ba9
Commit bb1722dc34
184 changed files: 4257 additions and 3820 deletions

@ -246,5 +246,6 @@
"CefAma",
"WindowsFirewallAma",
"1Password",
"RadiflowIsid"
"RadiflowIsid",
"CustomLogsAma"
]

@ -10,7 +10,7 @@ The Office 365 data connector in Azure Sentinel supports ongoing user and admin
| Content Type | Description | Azure Sentinel Mapping |
| ------------ | ----------- | ---------------------- |
| Audit.AzureActiveDirectory | Azure Active Directory logs thats relates to Office 365 only | Supported with the default connector for [Office 365](https://docs.microsoft.com/azure/sentinel/connect-office-365) in Azure Sentinel |
| Audit.AzureActiveDirectory | Microsoft Entra ID logs thats relates to Office 365 only | Supported with the default connector for [Office 365](https://docs.microsoft.com/azure/sentinel/connect-office-365) in Azure Sentinel |
| Audit.Exchange | User and Admin Activities in Exchange Online | Supported with the default connector for [Office 365](https://docs.microsoft.com/azure/sentinel/connect-office-365) in Azure Sentinel |
| Audit.SharePoint | User and Admin Activities in SharePoint Online | Supported with the default connector for [Office 365](https://docs.microsoft.com/azure/sentinel/connect-office-365) in Azure Sentinel |
| Audit.General | Includes all other workloads not included in the previous content types | Not supported with the default connector for Office 365 in Azure Sentinel |
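Review bot: the rewritten Audit.AzureActiveDirectory row keeps the grammatical slip of the row it replaces, "logs thats relates to Office 365 only"; since the line is being touched anyway, make it "Microsoft Entra ID logs that relate to Office 365 only".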

@ -1,5 +1,8 @@
## 1.0.0
* Initial release for output plugin for logstash to Microsoft Sentinel. This is done with the Log Analytics DCR based API.
## 1.1.3
* Replace the library rest-client used for connecting with Azure to excon.
## 1.1.1
* Support China and US Government Azure sovereign clouds.
## 1.1.0
* Increase timeout for read/open connections to 120 seconds.
@ -9,6 +12,5 @@
* Upgrade version for ingestion api to 2023-01-01.
* Rename the plugin to microsoft-sentinel-log-analytics-logstash-output-plugin.
## 1.1.1
* Support China and US Government Azure sovereign clouds.
* Increase timeout for read/open connections to 240 seconds.
## 1.0.0
* Initial release for output plugin for logstash to Microsoft Sentinel. This is done with the Log Analytics DCR based API.
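Review bot: the 1.1.3 entry only records that rest-client was replaced by excon, but the visible changes to logAnalyticsClient.rb in this commit also introduce a persistent connection that is reset after 60 seconds of inactivity by a background thread, which is user-visible behaviour (long-lived sockets, a thread per plugin instance) and belongs in the changelog. There is also no 1.1.2 entry between 1.1.1 and 1.1.3; if 1.1.2 was published, add its line, otherwise say why the number was skipped.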

@ -27,7 +27,7 @@ If you do not have a direct internet connection, you can install the plugin to a
Microsoft Sentinel's Logstash output plugin supports the following versions
- 7.0 - 7.17.13
- 8.0 - 8.9
- 8.11 - 8.13
- 8.11 - 8.14
Please note that when using Logstash 8, it is recommended to disable ECS in the pipeline. For more information refer to [Logstash documentation.](<https://www.elastic.co/guide/en/logstash/8.4/ecs-ls.html>)
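Review bot: the supported range now extends to 8.14, but the ECS note still links to the 8.4 manual (https://www.elastic.co/guide/en/logstash/8.4/ecs-ls.html); point the link at the current page so users on 8.11 to 8.14 read the guidance that matches their version.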

@ -1,10 +1,10 @@
# encoding: utf-8
require "logstash/sentinel_la/logstashLoganalyticsConfiguration"
require 'rest-client'
require 'json'
require 'openssl'
require 'base64'
require 'time'
require 'excon'
module LogStash; module Outputs; class MicrosoftSentinelOutputInternal
class LogAnalyticsAadTokenProvider
@ -64,14 +64,13 @@ class LogAnalyticsAadTokenProvider
while true
begin
# Post REST request
response = RestClient::Request.execute(method: :post, url: @token_request_uri, payload: @token_request_body, headers: headers,
proxy: @logstashLoganalyticsConfiguration.proxy_aad)
response = Excon.post(@token_request_uri, :body => @token_request_body, :headers => headers, :proxy => @logstashLoganalyticsConfiguration.proxy_aad, expects: [200, 201])
if (response.code == 200 || response.code == 201)
if (response.status == 200 || response.status == 201)
return JSON.parse(response.body)
end
rescue RestClient::ExceptionWithResponse => ewr
@logger.error("Exception while authenticating with AAD API ['#{ewr.response}']")
rescue Excon::Error::HTTPStatus => ex
@logger.error("Error while authenticating with AAD [#{ex.class}: '#{ex.response.status}', Response: '#{ex.response.body}']")
rescue Exception => ex
@logger.trace("Exception while authenticating with AAD API ['#{ex}']")
end
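Review bot: with `expects: [200, 201]` passed to `Excon.post`, every other status raises `Excon::Error::HTTPStatus` before the `if (response.status == 200 || response.status == 201)` line runs, so that check can never be false; either drop the check or drop `expects` and branch on `response.status` explicitly, but not both. The new rescue logs `ex.response.status` and `ex.response.body` at error level, which is useful, but the trailing `rescue Exception` still logs only at trace level inside a `while true` loop, so a proxy or DNS failure while fetching the token keeps retrying forever with nothing visible at the default log level; raise that message to error (or count attempts) while this code is being reworked.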

@ -1,11 +1,11 @@
# encoding: utf-8
require "logstash/sentinel_la/version"
require 'rest-client'
require 'json'
require 'openssl'
require 'base64'
require 'time'
require 'rbconfig'
require 'excon'
module LogStash; module Outputs; class MicrosoftSentinelOutputInternal
class LogAnalyticsClient
@ -22,28 +22,78 @@ require "logstash/sentinel_la/logAnalyticsAadTokenProvider"
@uri = sprintf("%s/dataCollectionRules/%s/streams/%s?api-version=%s",@logstashLoganalyticsConfiguration.data_collection_endpoint, @logstashLoganalyticsConfiguration.dcr_immutable_id, logstashLoganalyticsConfiguration.dcr_stream_name, la_api_version)
@aadTokenProvider=LogAnalyticsAadTokenProvider::new(logstashLoganalyticsConfiguration)
@userAgent = getUserAgent()
# Auto close connection after 60 seconds of inactivity
@connectionAutoClose = {
:last_use => Time.now,
:lock => Mutex.new,
:max_idel_time => 60,
:is_closed => true
}
@timer = Thread.new do
loop do
sleep @connectionAutoClose[:max_idel_time] / 2
if is_connection_stale?
@connectionAutoClose[:lock].synchronize do
if is_connection_stale?
reset_connection
end
end
end
end
end
end # def initialize
# Post the given json to Azure Loganalytics
def post_data(body)
raise ConfigError, 'no json_records' if body.empty?
response = nil
# Create REST request header
headers = get_header()
@connectionAutoClose[:lock].synchronize do
#close connection if its stale
if is_connection_stale?
reset_connection
end
if @connectionAutoClose[:is_closed]
open_connection
end
# Post REST request
headers = get_header()
# Post REST request
response = @connection.request(method: :post, body: body, headers: headers)
@connectionAutoClose[:is_closed] = false
@connectionAutoClose[:last_use] = Time.now
end
return response
return RestClient::Request.execute(method: :post, url: @uri, payload: body, headers: headers,
proxy: @logstashLoganalyticsConfiguration.proxy_endpoint, timeout: 240)
end # def post_data
# Static function to return if the response is OK or else
def self.is_successfully_posted(response)
return (response.code >= 200 && response.code < 300 ) ? true : false
return (response.status >= 200 && response.status < 300 ) ? true : false
end # def self.is_successfully_posted
private
def open_connection
@connection = Excon.new(@uri, :persistent => true, :proxy => @logstashLoganalyticsConfiguration.proxy_endpoint,
expects: [200, 201, 202, 204, 206, 207, 208, 226, 300, 301, 302, 303, 304, 305, 306, 307, 308],
read_timeout: 240, write_timeout: 240, connect_timeout: 240)
@logger.trace("Connection to Azure LogAnalytics was opened.");
end
def reset_connection
@connection.reset
@connectionAutoClose[:is_closed] = true
@logger.trace("Connection to Azure LogAnalytics was closed due to inactivity.");
end
def is_connection_stale?
return Time.now - @connectionAutoClose[:last_use] > @connectionAutoClose[:max_idel_time] && !@connectionAutoClose[:is_closed]
end
# Create a header for the given length
def get_header()
# Getting an authorization token bearer (if the token is expired, the method will post a request to get a new authorization token)
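Review bot: `@timer` is a background thread started in `initialize` that is never stopped, and nothing closes `@connection` when the plugin shuts down; add a `close` method that kills the thread and calls `reset_connection`, otherwise every pipeline reload leaks a thread and an open socket per plugin instance. Two smaller points: `get_header()` (which may perform the AAD token request) now runs while `@connectionAutoClose[:lock]` is held, so a slow token endpoint also blocks the idle-timer thread; and `:max_idel_time` is misspelled (`max_idle_time`), worth fixing before it spreads. Also, `expects` in `open_connection` lists the 3xx statuses, which `is_successfully_posted` then treats as failures, so a redirect is returned to the caller as a non-success response rather than raised; confirm that is the intended behaviour.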

@ -2,7 +2,7 @@
require "logstash/sentinel_la/logAnalyticsClient"
require "logstash/sentinel_la/logstashLoganalyticsConfiguration"
require "excon"
# LogStashAutoResizeBuffer class setting a resizable buffer which is flushed periodically
# The buffer resize itself according to Azure Loganalytics and configuration limitations
module LogStash; module Outputs; class MicrosoftSentinelOutputInternal
@ -59,34 +59,32 @@ class LogStashEventsBatcher
return
else
@logger.trace("Rest client response ['#{response}']")
@logger.error("#{api_name} request failed. Error code: #{response.code} #{try_get_info_from_error_response(response)}")
@logger.error("#{api_name} request failed. Error code: #{response.pree} #{try_get_info_from_error_response(response)}")
end
rescue RestClient::Exceptions::Timeout => eto
@logger.trace("Timeout exception ['#{eto.display}'] when posting data to #{api_name}. Rest client response ['#{eto.response.display}']. [amount_of_documents=#{amount_of_documents}]")
@logger.error("Timeout exception while posting data to #{api_name}. [Exception: '#{eto}'] [amount of documents=#{amount_of_documents}]'")
force_retry = true
rescue Excon::Error::HTTPStatus => ewr
response = ewr.response
@logger.trace("Exception in posting data to #{api_name}. Rest client response ['#{response}']. [amount_of_documents=#{amount_of_documents} request payload=#{call_payload}]")
@logger.error("Exception when posting data to #{api_name}. [Exception: '#{ewr.class}'] #{try_get_info_from_error_response(ewr.response)} [amount of documents=#{amount_of_documents}]'")
rescue RestClient::ExceptionWithResponse => ewr
response = ewr.response
@logger.trace("Exception in posting data to #{api_name}. Rest client response ['#{ewr.response}']. [amount_of_documents=#{amount_of_documents} request payload=#{call_payload}]")
@logger.error("Exception when posting data to #{api_name}. [Exception: '#{ewr}'] #{try_get_info_from_error_response(ewr.response)} [amount of documents=#{amount_of_documents}]'")
if ewr.class == Excon::Error::BadRequest
@logger.info("Not trying to resend since exception http code is 400")
return
elsif ewr.class == Excon::Error::RequestTimeout
force_retry = true
elsif ewr.class == Excon::Error::TooManyRequests
# thrutteling detected, backoff before resending
parsed_retry_after = response.data[:headers].include?('Retry-After') ? response.data[:headers]['Retry-After'].to_i : 0
seconds_to_sleep = parsed_retry_after > 0 ? parsed_retry_after : 30
if ewr.http_code.to_f == 400
@logger.info("Not trying to resend since exception http code is #{ewr.http_code}")
return
elsif ewr.http_code.to_f == 408
#force another retry even if the next iteration of the loop will be after the retransmission_timeout
force_retry = true
end
rescue Excon::Error::Socket => ex
@logger.trace("Exception: '#{ex.class.name}]#{ex} in posting data to #{api_name}. [amount_of_documents=#{amount_of_documents}]'")
force_retry = true
elsif ewr.http_code.to_f == 429
# thrutteling detected, backoff before resending
parsed_retry_after = response.headers.include?(:retry_after) ? response.headers[:retry_after].to_i : 0
seconds_to_sleep = parsed_retry_after > 0 ? parsed_retry_after : 30
#force another retry even if the next iteration of the loop will be after the retransmission_timeout
force_retry = true
end
rescue Exception => ex
@logger.trace("Exception in posting data to #{api_name}.[amount_of_documents=#{amount_of_documents} request payload=#{call_payload}]")
@logger.error("Exception in posting data to #{api_name}. [Exception: '#{ex}, amount of documents=#{amount_of_documents}]'")
rescue Exception => ex
@logger.trace("Exception in posting data to #{api_name}.[amount_of_documents=#{amount_of_documents} request payload=#{call_payload}]")
@logger.error("Exception in posting data to #{api_name}. [Exception: '[#{ex.class.name}]#{ex}, amount of documents=#{amount_of_documents}]'")
end
is_retry = true
@logger.info("Retrying transmission to #{api_name} in #{seconds_to_sleep} seconds.")
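Review bot: `response.pree` in the error log line (`Error code: #{response.pree}`) is not a method on an Excon response, so the first non-2xx response that reaches the `else` branch raises `NoMethodError`, which the trailing `rescue Exception` then reports as a generic posting exception and the real HTTP status is lost; this should be `response.status`. The branch is reachable because `open_connection` in logAnalyticsClient.rb lists the 3xx statuses in `expects`, so those are returned rather than raised. Separately, the trace message for `Excon::Error::HTTPStatus` still includes `request payload=#{call_payload}`, i.e. the full batch of events; that was already the case with the rest-client version, but trace-level logging of customer log content deserves a sentence in the README.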
@ -110,8 +108,8 @@ class LogStashEventsBatcher
def get_request_id_from_response(response)
output =""
begin
if !response.nil? && response.headers.include?(:x_ms_request_id)
output += response.headers[:x_ms_request_id]
if !response.nil? && response.data[:headers].include?("x-ms-request-id")
output += response.data[:headers]["x-ms-request-id"]
end
rescue Exception => ex
@logger.debug("Error while getting reqeust id from success response headers: #{ex.display}")
@ -124,12 +122,13 @@ class LogStashEventsBatcher
begin
output = ""
if !response.nil?
if response.headers.include?(:x_ms_error_code)
output += " [ms-error-code header: #{response.headers[:x_ms_error_code]}]"
if response.data[:headers].include?("x-ms-error-code")
output += " [ms-error-code header: #{response.data[:headers]["x-ms-error-code"]}]"
end
if response.headers.include?(:x_ms_request_id)
output += " [x-ms-request-id header: #{response.headers[:x_ms_request_id]}]"
if response.data[:headers].include?("x-ms-request-id")
output += " [x-ms-request-id header: #{response.data[:headers]["x-ms-request-id"]}]"
end
output += " [response body: #{response.data[:body]}]"
end
return output
rescue Exception => ex

@ -1,6 +1,6 @@
module LogStash; module Outputs;
class MicrosoftSentinelOutputInternal
VERSION_INFO = [1, 1, 1].freeze
VERSION_INFO = [1, 1, 3].freeze
VERSION = VERSION_INFO.map(&:to_s).join('.').freeze
def self.version

@ -20,8 +20,8 @@ Gem::Specification.new do |s|
s.metadata = { "logstash_plugin" => "true", "logstash_group" => "output" }
# Gem dependencies
s.add_runtime_dependency "rest-client", ">= 2.1.0"
s.add_runtime_dependency "logstash-core-plugin-api", ">= 1.60", "<= 2.99"
s.add_runtime_dependency "logstash-codec-plain"
s.add_runtime_dependency "excon", ">= 0.88.0"
s.add_development_dependency "logstash-devutils"
end
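Review bot: `s.add_runtime_dependency "excon", ">= 0.88.0"` has no upper bound, unlike the `logstash-core-plugin-api` constraint two lines above, so a future excon release with breaking API changes would be picked up at install time; prefer `"~> 0.88"` (or `">= 0.88.0", "< 1.0"`) so the gem that now carries the HTTP client and TLS handling is pinned to a tested range.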

@ -8,6 +8,9 @@ requiredDataConnectors:
- connectorId: ApacheHTTPServer
dataTypes:
- ApacheHTTPServer
- connectorId: CustomLogsAma
datatypes:
- ApacheHTTPServer_CL
queryFrequency: 10m
queryPeriod: 10m
triggerOperator: gt
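Review bot: the added connector entry uses the key `datatypes:` while the existing ApacheHTTPServer entry directly above uses `dataTypes:`; with the lowercase key the `ApacheHTTPServer_CL` list under the new `CustomLogsAma` entry will not be read as that connector's data types. The same lowercase key appears in every analytic rule and hunting query file touched by this commit, so fix it everywhere before the version bumps go in.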
@ -30,5 +33,5 @@ entityMappings:
fieldMappings:
- identifier: Url
columnName: UrlCustomEntity
version: 1.0.1
version: 1.0.2
kind: Scheduled

@ -8,6 +8,9 @@ requiredDataConnectors:
- connectorId: ApacheHTTPServer
dataTypes:
- ApacheHTTPServer
- connectorId: CustomLogsAma
datatypes:
- ApacheHTTPServer_CL
queryFrequency: 15m
queryPeriod: 15m
triggerOperator: gt
@ -27,5 +30,5 @@ entityMappings:
fieldMappings:
- identifier: Url
columnName: UrlCustomEntity
version: 1.0.1
version: 1.0.2
kind: Scheduled

@ -8,6 +8,9 @@ requiredDataConnectors:
- connectorId: ApacheHTTPServer
dataTypes:
- ApacheHTTPServer
- connectorId: CustomLogsAma
datatypes:
- ApacheHTTPServer_CL
queryFrequency: 10m
queryPeriod: 10m
triggerOperator: gt
@ -27,5 +30,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.1
version: 1.0.2
kind: Scheduled

@ -8,6 +8,9 @@ requiredDataConnectors:
- connectorId: ApacheHTTPServer
dataTypes:
- ApacheHTTPServer
- connectorId: CustomLogsAma
datatypes:
- ApacheHTTPServer_CL
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
@ -29,5 +32,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.1
version: 1.0.2
kind: Scheduled

@ -8,6 +8,9 @@ requiredDataConnectors:
- connectorId: ApacheHTTPServer
dataTypes:
- ApacheHTTPServer
- connectorId: CustomLogsAma
datatypes:
- ApacheHTTPServer_CL
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
@ -31,5 +34,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.1
version: 1.0.2
kind: Scheduled

@ -8,6 +8,9 @@ requiredDataConnectors:
- connectorId: ApacheHTTPServer
dataTypes:
- ApacheHTTPServer
- connectorId: CustomLogsAma
datatypes:
- ApacheHTTPServer_CL
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
@ -26,5 +29,5 @@ entityMappings:
fieldMappings:
- identifier: Url
columnName: UrlCustomEntity
version: 1.0.1
version: 1.0.2
kind: Scheduled

@ -8,6 +8,9 @@ requiredDataConnectors:
- connectorId: ApacheHTTPServer
dataTypes:
- ApacheHTTPServer
- connectorId: CustomLogsAma
datatypes:
- ApacheHTTPServer_CL
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
@ -35,5 +38,5 @@ entityMappings:
fieldMappings:
- identifier: Url
columnName: UrlCustomEntity
version: 1.0.0
version: 1.0.1
kind: Scheduled

@ -8,6 +8,9 @@ requiredDataConnectors:
- connectorId: ApacheHTTPServer
dataTypes:
- ApacheHTTPServer
- connectorId: CustomLogsAma
datatypes:
- ApacheHTTPServer_CL
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
@ -28,5 +31,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.0
version: 1.0.1
kind: Scheduled

@ -8,6 +8,9 @@ requiredDataConnectors:
- connectorId: ApacheHTTPServer
dataTypes:
- ApacheHTTPServer
- connectorId: CustomLogsAma
datatypes:
- ApacheHTTPServer_CL
queryFrequency: 1h
queryPeriod: 14d
triggerOperator: gt
@ -38,5 +41,5 @@ entityMappings:
fieldMappings:
- identifier: Url
columnName: UrlCustomEntity
version: 1.0.0
version: 1.0.1
kind: Scheduled

@ -8,6 +8,9 @@ requiredDataConnectors:
- connectorId: ApacheHTTPServer
dataTypes:
- ApacheHTTPServer
- connectorId: CustomLogsAma
datatypes:
- ApacheHTTPServer_CL
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
@ -32,5 +35,5 @@ entityMappings:
fieldMappings:
- identifier: Url
columnName: UrlCustomEntity
version: 1.0.0
version: 1.0.1
kind: Scheduled

@ -1,6 +1,6 @@
{
"id": "ApacheHTTPServer",
"title": "Apache HTTP Server",
"title": "[Deprecated] Apache HTTP Server",
"publisher": "Apache",
"descriptionMarkdown": "The Apache HTTP Server data connector provides the capability to ingest [Apache HTTP Server](http://httpd.apache.org/) events into Microsoft Sentinel. Refer to [Apache Logs documentation](https://httpd.apache.org/docs/2.4/logs.html) for more information.",
"additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution.",

@ -2,12 +2,12 @@
"Name": "ApacheHTTPServer",
"Author": "Microsoft - support@microsoft.com",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/ApacheHTTPServer/Workbooks/Images/Logo/apache.svg\" width=\"75px\" height=\"75px\">",
"Description": "The Apache HTTP Server solution provides the capability to ingest [Apache HTTP Server](http://httpd.apache.org/) events into Microsoft Sentinel. Refer to [Apache Logs documentation](https://httpd.apache.org/docs/2.4/logs.html) for more information.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n \r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n \r\n a. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)",
"Description": "The Apache HTTP Server solution provides the capability to ingest [Apache HTTP Server](http://httpd.apache.org/) events into Microsoft Sentinel. Refer to [Apache Logs documentation](https://httpd.apache.org/docs/2.4/logs.html) for more information.\n\n This solution is dependent on the Custom logs via AMA connector to collect the logs. The Custom logs solution will be installed as part of this solution installation. \n\n **NOTE**: Microsoft recommends installation of Custom logs via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024**. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/azure/sentinel/ama-migrate?WT.mc_id=Portal-fx).",
"Workbooks": [
"Workbooks/ApacheHTTPServer.json"
],
],
"Parsers": [
"Parsers/ApacheHTTPServer.txt"
"Parsers/ApacheHTTPServer.yaml"
],
"Hunting Queries": [
"Hunting Queries/ApacheFilesErrorRequests.yaml",
@ -24,7 +24,7 @@
"Data Connectors": [
"Data Connectors/Connector_ApacheHTTPServer_agent.json"
],
"Analytic Rules": [
"Analytic Rules": [
"Analytic Rules/ApacheCVE-2021-41773.yaml",
"Analytic Rules/ApacheCommandInURI.yaml",
"Analytic Rules/ApacheKnownMaliciousUserAgents.yaml",
@ -36,9 +36,11 @@
"Analytic Rules/ApacheRequestToRareFile.yaml",
"Analytic Rules/ApacheRequestToSensitiveFiles.yaml"
],
"dependentDomainSolutionIds": [
"azuresentinel.azure-sentinel-solution-customlogsviaama"
],
"BasePath": "C:\\GitHub\\azure\\Solutions\\ApacheHTTPServer",
"Version": "2.0.2",
"Version": "3.0.0",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1PConnector": false
"TemplateSpec": true
}
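Review bot: the "Data Connectors" list still packages `Data Connectors/Connector_ApacheHTTPServer_agent.json`, whose title this commit changes to "[Deprecated] Apache HTTP Server", while the new description says the solution depends on the Custom logs via AMA connector and `dependentDomainSolutionIds` now pulls in `azuresentinel.azure-sentinel-solution-customlogsviaama`; confirm that shipping the deprecated connector in 3.0.0 is intended (for existing installs) rather than an oversight. Two smaller points: `"Is1PConnector": false` is dropped without a note, and `"BasePath": "C:\\GitHub\\azure\\Solutions\\ApacheHTTPServer"` is a path from the author's machine that will not resolve for anyone else rebuilding the package.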

@ -7,6 +7,9 @@ requiredDataConnectors:
- connectorId: ApacheHTTPServer
dataTypes:
- ApacheHTTPServer
- connectorId: CustomLogsAma
datatypes:
- ApacheHTTPServer_CL
tactics:
- InitialAccess
relevantTechniques:
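Review bot: `datatypes:` under the new `CustomLogsAma` entry does not match the `dataTypes:` key of the sibling ApacheHTTPServer entry two lines above, so the `ApacheHTTPServer_CL` entry will not be picked up as that connector's data type; make it `dataTypes:` here and in the other hunting query files changed in this commit.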

@ -7,6 +7,9 @@ requiredDataConnectors:
- connectorId: ApacheHTTPServer
dataTypes:
- ApacheHTTPServer
- connectorId: CustomLogsAma
datatypes:
- ApacheHTTPServer_CL
tactics:
- InitialAccess
relevantTechniques:

@ -7,6 +7,9 @@ requiredDataConnectors:
- connectorId: ApacheHTTPServer
dataTypes:
- ApacheHTTPServer
- connectorId: CustomLogsAma
datatypes:
- ApacheHTTPServer_CL
tactics:
- InitialAccess
relevantTechniques:

@ -7,6 +7,9 @@ requiredDataConnectors:
- connectorId: ApacheHTTPServer
dataTypes:
- ApacheHTTPServer
- connectorId: CustomLogsAma
datatypes:
- ApacheHTTPServer_CL
tactics:
- InitialAccess
relevantTechniques:

@ -7,6 +7,9 @@ requiredDataConnectors:
- connectorId: ApacheHTTPServer
dataTypes:
- ApacheHTTPServer
- connectorId: CustomLogsAma
datatypes:
- ApacheHTTPServer_CL
tactics:
- InitialAccess
relevantTechniques:

@ -7,6 +7,9 @@ requiredDataConnectors:
- connectorId: ApacheHTTPServer
dataTypes:
- ApacheHTTPServer
- connectorId: CustomLogsAma
datatypes:
- ApacheHTTPServer_CL
tactics:
- InitialAccess
relevantTechniques:

@ -7,6 +7,9 @@ requiredDataConnectors:
- connectorId: ApacheHTTPServer
dataTypes:
- ApacheHTTPServer
- connectorId: CustomLogsAma
datatypes:
- ApacheHTTPServer_CL
tactics:
- InitialAccess
relevantTechniques:

@ -7,6 +7,9 @@ requiredDataConnectors:
- connectorId: ApacheHTTPServer
dataTypes:
- ApacheHTTPServer
- connectorId: CustomLogsAma
datatypes:
- ApacheHTTPServer_CL
tactics:
- Persistence
- CommandAndControl

@ -7,6 +7,9 @@ requiredDataConnectors:
- connectorId: ApacheHTTPServer
dataTypes:
- ApacheHTTPServer
- connectorId: CustomLogsAma
datatypes:
- ApacheHTTPServer_CL
tactics:
- Impact
- InitialAccess

@ -7,6 +7,9 @@ requiredDataConnectors:
- connectorId: ApacheHTTPServer
dataTypes:
- ApacheHTTPServer
- connectorId: CustomLogsAma
datatypes:
- ApacheHTTPServer_CL
tactics:
- Impact
- InitialAccess

Binary data
Solutions/ApacheHTTPServer/Package/3.0.0.zip Normal file

Binary file not shown.
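Review bot: `Solutions/ApacheHTTPServer/Package/3.0.0.zip` is a binary artifact that cannot be reviewed in the diff; confirm it was regenerated from the template files in this same commit (the createUiDefinition changes below and the large template diff that is not shown) so the packaged template matches the reviewed source, otherwise the two drift and the package installs something nobody read.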

@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/ApacheHTTPServer/Workbooks/Images/Logo/apache.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe Apache HTTP Server solution provides the capability to ingest [Apache HTTP Server](http://httpd.apache.org/) events into Microsoft Sentinel. Refer to [Apache Logs documentation](https://httpd.apache.org/docs/2.4/logs.html) for more information.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n \r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n \r\n a. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/ApacheHTTPServer/Workbooks/Images/Logo/apache.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/ApacheHTTPServer/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Apache HTTP Server solution provides the capability to ingest [Apache HTTP Server](http://httpd.apache.org/) events into Microsoft Sentinel. Refer to [Apache Logs documentation](https://httpd.apache.org/docs/2.4/logs.html) for more information.\n\n This solution is dependent on the Custom logs via AMA connector to collect the logs. The Custom logs solution will be installed as part of this solution installation. \n\n **NOTE**: Microsoft recommends installation of Custom logs via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024**. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/azure/sentinel/ama-migrate?WT.mc_id=Portal-fx).\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
@ -60,14 +60,14 @@
"name": "dataconnectors1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "The solution installs the data connector for ingesting Apache HTTP Server activity and logging events including initial request, mapping process, resolution of the connection, and any errors that may have occurred. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
"text": "This Solution installs the data connector for ApacheHTTPServer. You can get ApacheHTTPServer custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
}
},
{
"name": "dataconnectors-parser-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "The solution installs a parser that transforms ingested data. The transformed logs can be accessed using the ApacheHttpServer Kusto Function alias."
"text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel."
}
},
{
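Review bot: the new parser text claims the parser transforms ingested data "into Microsoft Sentinel normalized format", but the parser this solution ships is the solution-specific `ApacheHttpServer` Kusto function named in the sentence being removed, and nothing in this commit shows it being rewritten as an ASIM parser; the old sentence was accurate, the new one will send users looking for ASIM schema fields that are not there. The connector text above it also reads oddly ("You can get ApacheHTTPServer custom log data"); the previous sentence describing what the Apache events contain was more informative.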
@ -323,7 +323,7 @@
"name": "huntingquery1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query shows list of files with error requests. This hunting query depends on ApacheHTTPServer data connector (ApacheHTTPServer Parser or Table)"
"text": "Query shows list of files with error requests. This hunting query depends on ApacheHTTPServer CustomLogsAma data connector (ApacheHTTPServer ApacheHTTPServer_CL Parser or Table)"
}
}
]
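Review bot: the generated sentence "depends on ApacheHTTPServer CustomLogsAma data connector (ApacheHTTPServer ApacheHTTPServer_CL Parser or Table)" concatenates the two connector ids and the parser and table names without separators; it should read "depends on the ApacheHTTPServer or CustomLogsAma data connector (ApacheHTTPServer parser or ApacheHTTPServer_CL table)". The same sentence is repeated verbatim in the huntingquery2 through huntingquery10 text blocks below.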
@ -337,7 +337,7 @@
"name": "huntingquery2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query shows list of files requested This hunting query depends on ApacheHTTPServer data connector (ApacheHTTPServer Parser or Table)"
"text": "Query shows list of files requested This hunting query depends on ApacheHTTPServer CustomLogsAma data connector (ApacheHTTPServer ApacheHTTPServer_CL Parser or Table)"
}
}
]
@ -351,7 +351,7 @@
"name": "huntingquery3-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query detects rare files requested This hunting query depends on ApacheHTTPServer data connector (ApacheHTTPServer Parser or Table)"
"text": "Query detects rare files requested This hunting query depends on ApacheHTTPServer CustomLogsAma data connector (ApacheHTTPServer ApacheHTTPServer_CL Parser or Table)"
}
}
]
@ -365,7 +365,7 @@
"name": "huntingquery4-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query shows rare user agent strings with client errors This hunting query depends on ApacheHTTPServer data connector (ApacheHTTPServer Parser or Table)"
"text": "Query shows rare user agent strings with client errors This hunting query depends on ApacheHTTPServer CustomLogsAma data connector (ApacheHTTPServer ApacheHTTPServer_CL Parser or Table)"
}
}
]
@ -379,7 +379,7 @@
"name": "huntingquery5-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query shows rare URLs requested. This hunting query depends on ApacheHTTPServer data connector (ApacheHTTPServer Parser or Table)"
"text": "Query shows rare URLs requested. This hunting query depends on ApacheHTTPServer CustomLogsAma data connector (ApacheHTTPServer ApacheHTTPServer_CL Parser or Table)"
}
}
]
@ -393,7 +393,7 @@
"name": "huntingquery6-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query shows rare user agents This hunting query depends on ApacheHTTPServer data connector (ApacheHTTPServer Parser or Table)"
"text": "Query shows rare user agents This hunting query depends on ApacheHTTPServer CustomLogsAma data connector (ApacheHTTPServer ApacheHTTPServer_CL Parser or Table)"
}
}
]
@ -407,7 +407,7 @@
"name": "huntingquery7-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query shows list of requests to unexisting files This hunting query depends on ApacheHTTPServer data connector (ApacheHTTPServer Parser or Table)"
"text": "Query shows list of requests to unexisting files This hunting query depends on ApacheHTTPServer CustomLogsAma data connector (ApacheHTTPServer ApacheHTTPServer_CL Parser or Table)"
}
}
]
@ -421,7 +421,7 @@
"name": "huntingquery8-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query detects Unexpected Post Requests This hunting query depends on ApacheHTTPServer data connector (ApacheHTTPServer Parser or Table)"
"text": "Query detects Unexpected Post Requests This hunting query depends on ApacheHTTPServer CustomLogsAma data connector (ApacheHTTPServer ApacheHTTPServer_CL Parser or Table)"
}
}
]
@ -435,7 +435,7 @@
"name": "huntingquery9-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query shows URLs list with client errors. This hunting query depends on ApacheHTTPServer data connector (ApacheHTTPServer Parser or Table)"
"text": "Query shows URLs list with client errors. This hunting query depends on ApacheHTTPServer CustomLogsAma data connector (ApacheHTTPServer ApacheHTTPServer_CL Parser or Table)"
}
}
]
@ -449,7 +449,7 @@
"name": "huntingquery10-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query shows URLs list with server errors. This hunting query depends on ApacheHTTPServer data connector (ApacheHTTPServer Parser or Table)"
"text": "Query shows URLs list with server errors. This hunting query depends on ApacheHTTPServer CustomLogsAma data connector (ApacheHTTPServer ApacheHTTPServer_CL Parser or Table)"
}
}
]

Diff not shown because of its large size.

@ -0,0 +1,32 @@
{
"location": {
"type": "string",
"minLength": 1,
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
}
},
"workspace-location": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
}
},
"workspace": {
"defaultValue": "",
"type": "string",
"metadata": {
"description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
}
},
"workbook1-name": {
"type": "string",
"defaultValue": "Apache HTTP Server",
"minLength": 1,
"metadata": {
"description": "Name for the workbook"
}
}
}
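Review bot: `workspace` and `workspace-location` are declared with `defaultValue: ""` and no `minLength`, while `location` has `minLength: 1`; a deployment that leaves the two workspace parameters unset therefore passes parameter validation and only fails later when `resourceId(...)` is evaluated with an empty workspace name. Adding `"minLength": 1` to both would surface the mistake at validation time.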

View file

@ -0,0 +1,3 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|--------------------------------------------------------------------|
| 3.0.0 | 13-08-2024 | Deprecating data connectors |
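Review bot: the change history entry "Deprecating data connectors" does not say which connector is deprecated or what replaces it; readers use release notes to decide whether they need to migrate, so name the deprecated connector and the replacement (the other files in this commit point to the Custom logs via AMA connector and the `_CL` table).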

View file

@ -1,6 +1,6 @@
{
"id": "MongoDB",
"title": "MongoDB Audit",
"title": "[Deprecated] MongoDB Audit",
"publisher": "MongoDB",
"descriptionMarkdown": "MongoDB data connector provides the capability to ingest [MongoDBAudit](https://www.mongodb.com/) into Microsoft Sentinel. Refer to [MongoDB documentation](https://www.mongodb.com/docs/manual/tutorial/getting-started/) for more information.",
"additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution.",
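Review bot: the title now carries "[Deprecated]" but `descriptionMarkdown` is unchanged, so the connector page itself gives no deprecation date and no pointer to the replacement; add the same guidance the solution Description carries (Custom logs via AMA connector, Log Analytics agent deprecated Aug 31, 2024, duplication risk when MMA and AMA run on the same machine) so users reading the connector see it without opening the solution.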

View file

@ -2,15 +2,18 @@
"Name": "MongoDBAudit",
"Author": "Microsoft - support@microsoft.com",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">",
"Description": "The [MongoDBAudit](https://www.mongodb.com/) solution allows you to ingest Mongo DB audit information into Microsoft Sentinel. Refer to [MongoDB documentation](https://www.mongodb.com/docs/manual/tutorial/getting-started/) for more information.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Agent-based log collection (Syslog)](https://docs.microsoft.com/azure/sentinel/connect-syslog)",
"Description": "The [MongoDBAudit](https://www.mongodb.com/) solution allows you to ingest Mongo DB audit information into Microsoft Sentinel. Refer to [MongoDB documentation](https://www.mongodb.com/docs/manual/tutorial/getting-started/) for more information.\n\n This solution is dependent on the Custom logs via AMA connector to collect the logs. The Custom logs solution will be installed as part of this solution installation.\n\n **NOTE**: Microsoft recommends installation of Custom logs via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).",
"Data Connectors": [
"Data Connectors/Connector_MongoDBAudit.json"
],
"Parsers": [
"Parsers/MongoDBAudit.txt"
"Parsers/MongoDBAudit.yaml"
],
"dependentDomainSolutionIds": [
"azuresentinel.azure-sentinel-solution-customlogsviaama"
],
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\MongoDBAudit",
"Version": "2.0.3",
"Version": "3.0.0",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1Pconnector": false
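Review bot: the Description says the Log Analytics agent "is about to be deprecated by Aug 31, 2024", which reads as stale within weeks of this commit (dated 2024-08-14); phrase it as a fixed fact ("is deprecated as of Aug 31, 2024"). Two smaller points in the same string: "on same machine" should be "on the same machine", and the `ama-migrate` link uses the `en-us` locale path while the NGINX solution in this commit uses the locale-free `learn.microsoft.com/azure/sentinel/ama-migrate`; pick one form for both.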

Binary data
Solutions/MongoDBAudit/Package/3.0.0.zip Normal file

Binary file not shown.

View file

@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [MongoDBAudit](https://www.mongodb.com/) solution allows you to ingest Mongo DB audit information into Microsoft Sentinel. Refer to [MongoDB documentation](https://www.mongodb.com/docs/manual/tutorial/getting-started/) for more information.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Agent-based log collection (Syslog)](https://docs.microsoft.com/azure/sentinel/connect-syslog)\n\n**Data Connectors:** 1, **Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/MongoDBAudit/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [MongoDBAudit](https://www.mongodb.com/) solution allows you to ingest Mongo DB audit information into Microsoft Sentinel. Refer to [MongoDB documentation](https://www.mongodb.com/docs/manual/tutorial/getting-started/) for more information.\n\n This solution is dependent on the Custom logs via AMA connector to collect the logs. The Custom logs solution will be installed as part of this solution installation.\n\n **NOTE**: Microsoft recommends installation of Custom logs via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Data Connectors:** 1, **Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
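Review bot: the two bullets in the new description are formatted differently: the first is "\n\n• Review ..." and the second is "\n\n • There may be ..." with a leading space, so they render misaligned; also "installing the solution: \n\n" has a trailing space before the line break. Strip the stray spaces so the bullets line up.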

View file

@ -30,57 +30,41 @@
}
},
"variables": {
"solutionId": "azuresentinel.azure-sentinel-solution-mongodbaudit",
"_solutionId": "[variables('solutionId')]",
"email": "support@microsoft.com",
"_email": "[variables('email')]",
"workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
"_solutionName": "MongoDBAudit",
"_solutionVersion": "3.0.0",
"solutionId": "azuresentinel.azure-sentinel-solution-mongodbaudit",
"_solutionId": "[variables('solutionId')]",
"uiConfigId1": "MongoDB",
"_uiConfigId1": "[variables('uiConfigId1')]",
"dataConnectorContentId1": "MongoDB",
"_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
"dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
"_dataConnectorId1": "[variables('dataConnectorId1')]",
"dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1')))]",
"dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
"dataConnectorVersion1": "1.0.0",
"parserVersion1": "1.0.0",
"parserContentId1": "MongoDBAudit-Parser",
"_parserContentId1": "[variables('parserContentId1')]",
"parserName1": "MongoDBAudit",
"_parserName1": "[concat(parameters('workspace'),'/',variables('parserName1'))]",
"parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]",
"_parserId1": "[variables('parserId1')]",
"parserTemplateSpecName1": "[concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId1')))]"
"_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
"parserObject1": {
"_parserName1": "[concat(parameters('workspace'),'/','MongoDBAudit')]",
"_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MongoDBAudit')]",
"parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('MongoDBAudit-Parser')))]",
"parserVersion1": "1.0.0",
"parserContentId1": "MongoDBAudit-Parser"
},
"_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
},
"resources": [
{
"type": "Microsoft.Resources/templateSpecs",
"apiVersion": "2021-05-01",
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
"name": "[variables('dataConnectorTemplateSpecName1')]",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
"hidden-sentinelContentType": "DataConnector"
},
"properties": {
"description": "MongoDBAudit data connector with template",
"displayName": "MongoDBAudit template"
}
},
{
"type": "Microsoft.Resources/templateSpecs/versions",
"apiVersion": "2021-05-01",
"name": "[concat(variables('dataConnectorTemplateSpecName1'),'/',variables('dataConnectorVersion1'))]",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
"hidden-sentinelContentType": "DataConnector"
},
"dependsOn": [
"[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName1'))]"
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "MongoDBAudit data connector with template version 2.0.3",
"description": "MongoDBAudit data connector with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion1')]",
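Review bot: `dataConnectorVersion1` stays at "1.0.0" and `parserObject1.parserVersion1` stays at "1.0.0" even though this commit changes the connector title, the sample queries, and the parser's category, tags and saved-search version; `_dataConnectorcontentProductId1` is derived from `dataConnectorVersion1`, so the republished connector content gets the same product id and version as what 2.0.3 shipped, and content hub has nothing to distinguish the update by. Bump both content versions (for example to 1.0.1) alongside the solution version.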
@ -96,7 +80,7 @@
"properties": {
"connectorUiConfig": {
"id": "[variables('_uiConfigId1')]",
"title": "MongoDB Audit",
"title": "[Deprecated] MongoDB Audit",
"publisher": "MongoDB",
"descriptionMarkdown": "MongoDB data connector provides the capability to ingest [MongoDBAudit](https://www.mongodb.com/) into Microsoft Sentinel. Refer to [MongoDB documentation](https://www.mongodb.com/docs/manual/tutorial/getting-started/) for more information.",
"additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution.",
@ -110,7 +94,7 @@
"sampleQueries": [
{
"description": "MongoDBAudit - All Activities.",
"query": "MongoDBAudit\n | sort by TimeGenerated desc"
"query": "MongoDBAudit_CL\n | sort by TimeGenerated desc"
}
],
"dataTypes": [
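Review bot: the sample query is switched from the `MongoDBAudit` parser function to the raw `MongoDBAudit_CL` table, but the unchanged `additionalRequirementBanner` two lines above still says "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution." Either keep the parser in the sample query (it is what produces the normalized fields such as SrcIpAddr and EventResult that the rest of the solution relies on) or update the banner so the two do not contradict each other.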
@ -278,7 +262,7 @@
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"apiVersion": "2023-04-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
"properties": {
"parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
@ -303,12 +287,23 @@
}
}
]
}
},
"packageKind": "Solution",
"packageVersion": "[variables('_solutionVersion')]",
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('_dataConnectorContentId1')]",
"contentKind": "DataConnector",
"displayName": "[Deprecated] MongoDB Audit",
"contentProductId": "[variables('_dataConnectorcontentProductId1')]",
"id": "[variables('_dataConnectorcontentProductId1')]",
"version": "[variables('dataConnectorVersion1')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"apiVersion": "2023-04-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
"dependsOn": [
"[variables('_dataConnectorId1')]"
@ -344,7 +339,7 @@
"kind": "GenericUI",
"properties": {
"connectorUiConfig": {
"title": "MongoDB Audit",
"title": "[Deprecated] MongoDB Audit",
"publisher": "MongoDB",
"descriptionMarkdown": "MongoDB data connector provides the capability to ingest [MongoDBAudit](https://www.mongodb.com/) into Microsoft Sentinel. Refer to [MongoDB documentation](https://www.mongodb.com/docs/manual/tutorial/getting-started/) for more information.",
"graphQueries": [
@ -371,7 +366,7 @@
"sampleQueries": [
{
"description": "MongoDBAudit - All Activities.",
"query": "MongoDBAudit\n | sort by TimeGenerated desc"
"query": "MongoDBAudit_CL\n | sort by TimeGenerated desc"
}
],
"availability": {
@ -510,55 +505,38 @@
}
},
{
"type": "Microsoft.Resources/templateSpecs",
"apiVersion": "2021-05-01",
"name": "[variables('parserTemplateSpecName1')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
"name": "[variables('parserObject1').parserTemplateSpecName1]",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
"hidden-sentinelContentType": "Parser"
},
"properties": {
"description": "MongoDBAudit Data Parser with template",
"displayName": "MongoDBAudit Data Parser template"
}
},
{
"type": "Microsoft.Resources/templateSpecs/versions",
"apiVersion": "2021-05-01",
"name": "[concat(variables('parserTemplateSpecName1'),'/',variables('parserVersion1'))]",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
"hidden-sentinelContentType": "Parser"
},
"dependsOn": [
"[resourceId('Microsoft.Resources/templateSpecs', variables('parserTemplateSpecName1'))]"
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "MongoDBAudit Data Parser with template version 2.0.3",
"description": "MongoDBAudit Data Parser with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserVersion1')]",
"contentVersion": "[variables('parserObject1').parserVersion1]",
"parameters": {},
"variables": {},
"resources": [
{
"name": "[variables('_parserName1')]",
"apiVersion": "2020-08-01",
"name": "[variables('parserObject1')._parserName1]",
"apiVersion": "2022-10-01",
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
"location": "[parameters('workspace-location')]",
"properties": {
"eTag": "*",
"displayName": "MongoDBAudit",
"category": "Samples",
"category": "Microsoft Sentinel Parser",
"functionAlias": "MongoDBAudit",
"query": "\nMongoDBAudit_CL\r\n| extend EventVendor = 'MongoDB',\r\n EventProduct = 'MongDB Audit',\r\n EventCount = 1\r\n| extend d=parse_json(RawData)\r\n| extend EventEndTime = todatetime(d['ts']['$date'])\r\n| extend DvcAction = d['atype']\r\n| extend SrcIpAddr = d['remote']['ip']\r\n| extend SrcPortNumber = d['remote']['port']\r\n| extend DstIpAddr = d['local']['ip']\r\n| extend DstPortNumber = d['local']['port']\r\n| extend Users = d['users']\r\n| extend Roles = d['roles']\r\n| extend Parameters = d['param']\r\n| extend EventResultCode = d['result']\r\n| extend EventResult = case(EventResultCode == 13, \"Unauthorized to perform the operation.\",\r\n EventResultCode == 18, \"Authentication Failed\",\r\n EventResultCode == 26, \"NamespaceNotFound\",\r\n EventResultCode == 276, \"Index build aborted.\",\r\n EventResultCode == 334, \"Mechanism Unavailable\",\r\n \"Success\")\r\n| project-away d, RawData",
"version": 1,
"query": "MongoDBAudit_CL\n| extend EventVendor = 'MongoDB',\n EventProduct = 'MongDB Audit',\n EventCount = 1\n| extend d=parse_json(RawData)\n| extend EventEndTime = todatetime(d['ts']['$date'])\n| extend DvcAction = d['atype']\n| extend SrcIpAddr = d['remote']['ip']\n| extend SrcPortNumber = d['remote']['port']\n| extend DstIpAddr = d['local']['ip']\n| extend DstPortNumber = d['local']['port']\n| extend Users = d['users']\n| extend Roles = d['roles']\n| extend Parameters = d['param']\n| extend EventResultCode = d['result']\n| extend EventResult = case(EventResultCode == 13, \"Unauthorized to perform the operation.\",\n EventResultCode == 18, \"Authentication Failed\",\n EventResultCode == 26, \"NamespaceNotFound\",\n EventResultCode == 276, \"Index build aborted.\",\n EventResultCode == 334, \"Mechanism Unavailable\",\n \"Success\")\n| project-away d, RawData\n",
"functionParameters": "",
"version": 2,
"tags": [
{
"name": "description",
"value": "MongoDBAudit"
"value": ""
}
]
}
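Review bot: the parser's description tag is emptied ("MongoDBAudit" becomes ""), so the saved search loses its only description; keep a short description rather than a blank. While the query string is being rewritten anyway, `EventProduct = 'MongDB Audit'` carries over the old "MongDB" typo and should read `'MongoDB Audit'`, since this value ends up in every parsed row and is what analysts filter on.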
@ -566,15 +544,15 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject1')._parserId1,'/'))))]",
"dependsOn": [
"[variables('_parserName1')]"
"[variables('parserObject1')._parserId1]"
],
"properties": {
"parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]",
"contentId": "[variables('_parserContentId1')]",
"parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MongoDBAudit')]",
"contentId": "[variables('parserObject1').parserContentId1]",
"kind": "Parser",
"version": "[variables('parserVersion1')]",
"version": "[variables('parserObject1').parserVersion1]",
"source": {
"name": "MongoDBAudit",
"kind": "Solution",
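Review bot: this parser metadata resource keeps `"apiVersion": "2022-01-01-preview"` while the equivalent data connector metadata resources in the same template are bumped to `2023-04-01-preview` in this commit; align the parser metadata resources with the same API version for consistency.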
@ -593,36 +571,54 @@
}
}
]
}
},
"packageKind": "Solution",
"packageVersion": "[variables('_solutionVersion')]",
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('parserObject1').parserContentId1]",
"contentKind": "Parser",
"displayName": "MongoDBAudit",
"contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]",
"id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]",
"version": "[variables('parserObject1').parserVersion1]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
"apiVersion": "2021-06-01",
"name": "[variables('_parserName1')]",
"apiVersion": "2022-10-01",
"name": "[variables('parserObject1')._parserName1]",
"location": "[parameters('workspace-location')]",
"properties": {
"eTag": "*",
"displayName": "MongoDBAudit",
"category": "Samples",
"category": "Microsoft Sentinel Parser",
"functionAlias": "MongoDBAudit",
"query": "\nMongoDBAudit_CL\r\n| extend EventVendor = 'MongoDB',\r\n EventProduct = 'MongDB Audit',\r\n EventCount = 1\r\n| extend d=parse_json(RawData)\r\n| extend EventEndTime = todatetime(d['ts']['$date'])\r\n| extend DvcAction = d['atype']\r\n| extend SrcIpAddr = d['remote']['ip']\r\n| extend SrcPortNumber = d['remote']['port']\r\n| extend DstIpAddr = d['local']['ip']\r\n| extend DstPortNumber = d['local']['port']\r\n| extend Users = d['users']\r\n| extend Roles = d['roles']\r\n| extend Parameters = d['param']\r\n| extend EventResultCode = d['result']\r\n| extend EventResult = case(EventResultCode == 13, \"Unauthorized to perform the operation.\",\r\n EventResultCode == 18, \"Authentication Failed\",\r\n EventResultCode == 26, \"NamespaceNotFound\",\r\n EventResultCode == 276, \"Index build aborted.\",\r\n EventResultCode == 334, \"Mechanism Unavailable\",\r\n \"Success\")\r\n| project-away d, RawData",
"version": 1
"query": "MongoDBAudit_CL\n| extend EventVendor = 'MongoDB',\n EventProduct = 'MongDB Audit',\n EventCount = 1\n| extend d=parse_json(RawData)\n| extend EventEndTime = todatetime(d['ts']['$date'])\n| extend DvcAction = d['atype']\n| extend SrcIpAddr = d['remote']['ip']\n| extend SrcPortNumber = d['remote']['port']\n| extend DstIpAddr = d['local']['ip']\n| extend DstPortNumber = d['local']['port']\n| extend Users = d['users']\n| extend Roles = d['roles']\n| extend Parameters = d['param']\n| extend EventResultCode = d['result']\n| extend EventResult = case(EventResultCode == 13, \"Unauthorized to perform the operation.\",\n EventResultCode == 18, \"Authentication Failed\",\n EventResultCode == 26, \"NamespaceNotFound\",\n EventResultCode == 276, \"Index build aborted.\",\n EventResultCode == 334, \"Mechanism Unavailable\",\n \"Success\")\n| project-away d, RawData\n",
"functionParameters": "",
"version": 2,
"tags": [
{
"name": "description",
"value": ""
}
]
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"location": "[parameters('workspace-location')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject1')._parserId1,'/'))))]",
"dependsOn": [
"[variables('_parserId1')]"
"[variables('parserObject1')._parserId1]"
],
"properties": {
"parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]",
"contentId": "[variables('_parserContentId1')]",
"parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MongoDBAudit')]",
"contentId": "[variables('parserObject1').parserContentId1]",
"kind": "Parser",
"version": "[variables('parserVersion1')]",
"version": "[variables('parserObject1').parserVersion1]",
"source": {
"kind": "Solution",
"name": "MongoDBAudit",
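Review bot: the parser `contentProductId` and `id` expressions hardcode `'1.0.0'` as the version component (`..., variables('parserObject1').parserContentId1, '-', '1.0.0')`) instead of `variables('parserObject1').parserVersion1`, so a later parser version bump would leave the product id unchanged; use the variable, as the data connector's `_dataConnectorcontentProductId1` already does.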
@ -641,13 +637,20 @@
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages",
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
"version": "2.0.3",
"version": "3.0.0",
"kind": "Solution",
"contentSchemaVersion": "2.0.0",
"contentSchemaVersion": "3.0.0",
"displayName": "MongoDBAudit",
"publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation",
"descriptionHtml": "<p><strong>Note:</strong> Please refer to the following before installing the solution:</p>\n<p>• Review the solution <a href=\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/MongoDBAudit/ReleaseNotes.md\">Release Notes</a></p>\n<p>• There may be <a href=\"https://aka.ms/sentinelsolutionsknownissues\">known issues</a> pertaining to this Solution, please refer to them before installing.</p>\n<p>The <a href=\"https://www.mongodb.com/\">MongoDBAudit</a> solution allows you to ingest Mongo DB audit information into Microsoft Sentinel. Refer to <a href=\"https://www.mongodb.com/docs/manual/tutorial/getting-started/\">MongoDB documentation</a> for more information.</p>\n<p>This solution is dependent on the Custom logs via AMA connector to collect the logs. The Custom logs solution will be installed as part of this solution installation.</p>\n<p><strong>NOTE</strong>: Microsoft recommends installation of Custom logs via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024.Using MMA and AMA on same machine can cause log duplication and extra ingestion cost <a href=\"https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate\">more details</a>.</p>\n<p><strong>Data Connectors:</strong> 1, <strong>Parsers:</strong> 1</p>\n<p><a href=\"https://aka.ms/azuresentinel\">Learn more about Microsoft Sentinel</a> | <a href=\"https://aka.ms/azuresentinelsolutionsdoc\">Learn more about Solutions</a></p>\n",
"contentKind": "Solution",
"contentProductId": "[variables('_solutioncontentProductId')]",
"id": "[variables('_solutioncontentProductId')]",
"icon": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">",
"contentId": "[variables('_solutionId')]",
"parentId": "[variables('_solutionId')]",
"source": {
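Review bot: `descriptionHtml` contains "Aug 31, 2024.Using MMA and AMA" with the space after the period dropped, although the source Description in Solution_MongoDBAudit.json has it; this looks like a packaging artefact, so regenerate the package (or fix the string) so the rendered solution page does not run the two sentences together.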
@ -666,7 +669,6 @@
"link": "https://support.microsoft.com"
},
"dependencies": {
"operator": "AND",
"criteria": [
{
"kind": "DataConnector",
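Review bot: `"operator": "AND"` is removed from `dependencies` at the same time a third criterion (the Custom logs via AMA solution) is added, so the block now relies on whatever operator the platform defaults to; confirm the default is conjunctive, otherwise a workspace that has only the parser or only the connector could be treated as satisfying the dependency and the required domain solution would not be enforced.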
@ -675,8 +677,12 @@
},
{
"kind": "Parser",
"contentId": "[variables('_parserContentId1')]",
"version": "[variables('parserVersion1')]"
"contentId": "[variables('parserObject1').parserContentId1]",
"version": "[variables('parserObject1').parserVersion1]"
},
{
"kind": "Solution",
"contentId": "azuresentinel.azure-sentinel-solution-customlogsviaama"
}
]
},
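Review bot: the new `Solution` criterion for `azuresentinel.azure-sentinel-solution-customlogsviaama` has no `version`, unlike the DataConnector and Parser criteria next to it; if ingestion into `MongoDBAudit_CL` depends on a particular Custom logs via AMA release, pin a minimum version here so older installs are flagged.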

View file

@ -0,0 +1,24 @@
{
"location": {
"type": "string",
"minLength": 1,
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
}
},
"workspace-location": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
}
},
"workspace": {
"defaultValue": "",
"type": "string",
"metadata": {
"description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
}
}
}

View file

@ -1,23 +0,0 @@
// Reference : Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions
MongoDBAudit_CL
| extend EventVendor = 'MongoDB',
EventProduct = 'MongDB Audit',
EventCount = 1
| extend d=parse_json(RawData)
| extend EventEndTime = todatetime(d['ts']['$date'])
| extend DvcAction = d['atype']
| extend SrcIpAddr = d['remote']['ip']
| extend SrcPortNumber = d['remote']['port']
| extend DstIpAddr = d['local']['ip']
| extend DstPortNumber = d['local']['port']
| extend Users = d['users']
| extend Roles = d['roles']
| extend Parameters = d['param']
| extend EventResultCode = d['result']
| extend EventResult = case(EventResultCode == 13, "Unauthorized to perform the operation.",
EventResultCode == 18, "Authentication Failed",
EventResultCode == 26, "NamespaceNotFound",
EventResultCode == 276, "Index build aborted.",
EventResultCode == 334, "Mechanism Unavailable",
"Success")
| project-away d, RawData
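Review bot: Solution_MongoDBAudit.json now references `Parsers/MongoDBAudit.yaml` in place of this deleted `.txt`, but the new yaml file does not appear in this diff listing, where it would sort directly after the deleted file; confirm it is included in the commit, otherwise the package build has no parser source. The reference comment on the first deleted line (link to the Azure Monitor functions doc) is worth carrying over to the yaml.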

View file

@ -0,0 +1,3 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|---------------------------------------------|
| 3.0.0 | 08-08-2024 | Deprecating data connectors |

View file

@ -8,6 +8,9 @@ requiredDataConnectors:
- connectorId: NGINXHTTPServer
dataTypes:
- NGINXHTTPServer
- connectorId: CustomLogsAma
dataTypes:
- NGINX_CL
queryFrequency: 10m
queryPeriod: 10m
triggerOperator: gt
@ -27,5 +30,5 @@ entityMappings:
fieldMappings:
- identifier: Url
columnName: UrlCustomEntity
version: 1.0.1
version: 1.0.2
kind: Scheduled
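Review bot: the new `requiredDataConnectors` entry lists `NGINX_CL` as the data type for `CustomLogsAma`, whereas the existing entry uses the parser name `NGINXHTTPServer`; confirm `NGINX_CL` is the exact table the Custom logs via AMA DCR writes for NGINX, because this value drives the connector-status check shown on the rule, and the same value is repeated in every NGINX rule and hunting query in this commit, so a mismatch would affect all of them. Keeping the deprecated connector entry beside the new one is fine for the migration window.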

View file

@ -8,6 +8,9 @@ requiredDataConnectors:
- connectorId: NGINXHTTPServer
dataTypes:
- NGINXHTTPServer
- connectorId: CustomLogsAma
dataTypes:
- NGINX_CL
queryFrequency: 10m
queryPeriod: 10m
triggerOperator: gt
@ -26,5 +29,5 @@ entityMappings:
fieldMappings:
- identifier: ProcessId
columnName: ProcessIdCustomEntity
version: 1.0.1
version: 1.0.2
kind: Scheduled

View file

@ -8,6 +8,9 @@ requiredDataConnectors:
- connectorId: NGINXHTTPServer
dataTypes:
- NGINXHTTPServer
- connectorId: CustomLogsAma
dataTypes:
- NGINX_CL
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
@ -29,5 +32,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.0
version: 1.0.1
kind: Scheduled

View file

@ -8,6 +8,9 @@ requiredDataConnectors:
- connectorId: NGINXHTTPServer
dataTypes:
- NGINXHTTPServer
- connectorId: CustomLogsAma
dataTypes:
- NGINX_CL
queryFrequency: 10m
queryPeriod: 10m
triggerOperator: gt
@ -31,5 +34,5 @@ entityMappings:
fieldMappings:
- identifier: Name
columnName: MalwareCustomEntity
version: 1.0.1
version: 1.0.2
kind: Scheduled

View file

@ -8,6 +8,9 @@ requiredDataConnectors:
- connectorId: NGINXHTTPServer
dataTypes:
- NGINXHTTPServer
- connectorId: CustomLogsAma
dataTypes:
- NGINX_CL
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
@ -29,5 +32,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.0
version: 1.0.1
kind: Scheduled

View file

@ -8,6 +8,9 @@ requiredDataConnectors:
- connectorId: NGINXHTTPServer
dataTypes:
- NGINXHTTPServer
- connectorId: CustomLogsAma
dataTypes:
- NGINX_CL
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
@ -31,5 +34,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.0
version: 1.0.1
kind: Scheduled

View file

@ -8,6 +8,9 @@ requiredDataConnectors:
- connectorId: NGINXHTTPServer
dataTypes:
- NGINXHTTPServer
- connectorId: CustomLogsAma
dataTypes:
- NGINX_CL
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
@ -26,5 +29,5 @@ entityMappings:
fieldMappings:
- identifier: Url
columnName: UrlCustomEntity
version: 1.0.0
version: 1.0.1
kind: Scheduled

View file

@ -8,6 +8,9 @@ requiredDataConnectors:
- connectorId: NGINXHTTPServer
dataTypes:
- NGINXHTTPServer
- connectorId: CustomLogsAma
dataTypes:
- NGINX_CL
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
@ -40,5 +43,5 @@ entityMappings:
fieldMappings:
- identifier: Url
columnName: UrlCustomEntity
version: 1.0.0
version: 1.0.1
kind: Scheduled

View file

@ -8,6 +8,9 @@ requiredDataConnectors:
- connectorId: NGINXHTTPServer
dataTypes:
- NGINXHTTPServer
- connectorId: CustomLogsAma
dataTypes:
- NGINX_CL
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
@ -31,5 +34,5 @@ entityMappings:
fieldMappings:
- identifier: Url
columnName: UrlCustomEntity
version: 1.0.0
version: 1.0.1
kind: Scheduled

View file

@ -8,6 +8,9 @@ requiredDataConnectors:
- connectorId: NGINXHTTPServer
dataTypes:
- NGINXHTTPServer
- connectorId: CustomLogsAma
dataTypes:
- NGINX_CL
queryFrequency: 10m
queryPeriod: 10m
triggerOperator: gt
@ -30,5 +33,5 @@ entityMappings:
fieldMappings:
- identifier: Url
columnName: UrlCustomEntity
version: 1.0.1
version: 1.0.2
kind: Scheduled

View file

@ -1,6 +1,6 @@
{
"id": "NGINXHTTPServer",
"title": "NGINX HTTP Server",
"title": "[Deprecated] NGINX HTTP Server",
"publisher": "Nginx",
"descriptionMarkdown": "The NGINX HTTP Server data connector provides the capability to ingest [NGINX](https://nginx.org/en/) HTTP Server events into Microsoft Sentinel. Refer to [NGINX Logs documentation](https://nginx.org/en/docs/http/ngx_http_log_module.html) for more information.",
"additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution.",
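Review bot: as with the MongoDB connector in this commit, only the title gains "[Deprecated]" while `descriptionMarkdown` keeps the original text; add the deprecation date and the pointer to the Custom logs via AMA connector to the description so the connector page carries the migration guidance itself.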

View file

@ -2,12 +2,12 @@
"Name": "NGINX HTTP Server",
"Author": "Microsoft - support@microsoft.com",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">",
"Description": "The [NGINX](https://nginx.org/) HTTP Server data connector provides the capability to ingest [NGINX HTTP Server](https://nginx.org/#basic_http_features) events into Microsoft Sentinel. Refer to [NGINX Logs documentation](https://nginx.org/en/docs/http/ngx_http_log_module.html) for more information. \n \n **Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs: \n \n a. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)",
"Description": "The [NGINX](https://nginx.org/) HTTP Server data connector provides the capability to ingest [NGINX HTTP Server](https://nginx.org/#basic_http_features) events into Microsoft Sentinel. Refer to [NGINX Logs documentation](https://nginx.org/en/docs/http/ngx_http_log_module.html) for more information.\n\n This solution is dependent on the Custom logs via AMA connector to collect the logs. The Custom logs solution will be installed as part of this solution installation. \n\n **NOTE**: Microsoft recommends installation of Custom logs via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024**. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/azure/sentinel/ama-migrate?WT.mc_id=Portal-fx).",
"Workbooks": [
"Workbooks/NGINX.json"
],
"Parsers": [
"Parsers/NGINXHTTPServer.txt"
"Parsers/NGINXHTTPServer.yaml"
],
"Hunting Queries": [
"Hunting Queries/NGINXUncommonUAsString.yaml",
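Review bot: The Parsers entry changes from Parsers/NGINXHTTPServer.txt to Parsers/NGINXHTTPServer.yaml and the .txt file is deleted further down in this commit, but no added .yaml appears in the visible diff; verify the yaml parser is part of the change, otherwise the package build references a missing file. Two wording points in the new Description: "on same machine" should read "on the same machine", and the "Aug 31, 2024" deadline is baked into the packaged description text, so it will need rewording once that date has passed.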
@ -36,9 +36,12 @@
"Analytic Rules/NGINXRequestToSensitiveFiles.yaml",
"Analytic Rules/NGINXSqlPattern.yaml"
],
"dependentDomainSolutionIds": [
"azuresentinel.azure-sentinel-solution-customlogsviaama"
],
"Metadata": "SolutionMetadata.json",
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\NGINX HTTP Server",
"Version": "2.0.2",
"Version": "3.0.0",
"TemplateSpec": true,
"Is1Pconnector": false
}

View file

@ -7,6 +7,9 @@ requiredDataConnectors:
- connectorId: NGINXHTTPServer
dataTypes:
- NGINXHTTPServer
- connectorId: CustomLogsAma
dataTypes:
- NGINX_CL
tactics:
- Exfiltration
- Collection

View file

@ -7,6 +7,9 @@ requiredDataConnectors:
- connectorId: NGINXHTTPServer
dataTypes:
- NGINXHTTPServer
- connectorId: CustomLogsAma
dataTypes:
- NGINX_CL
tactics:
- InitialAccess
relevantTechniques:

View file

@ -7,6 +7,9 @@ requiredDataConnectors:
- connectorId: NGINXHTTPServer
dataTypes:
- NGINXHTTPServer
- connectorId: CustomLogsAma
dataTypes:
- NGINX_CL
tactics:
- InitialAccess
relevantTechniques:

View file

@ -7,6 +7,9 @@ requiredDataConnectors:
- connectorId: NGINXHTTPServer
dataTypes:
- NGINXHTTPServer
- connectorId: CustomLogsAma
dataTypes:
- NGINX_CL
tactics:
- InitialAccess
relevantTechniques:

View file

@ -7,6 +7,9 @@ requiredDataConnectors:
- connectorId: NGINXHTTPServer
dataTypes:
- NGINXHTTPServer
- connectorId: CustomLogsAma
dataTypes:
- NGINX_CL
tactics:
- InitialAccess
relevantTechniques:

View file

@ -7,6 +7,9 @@ requiredDataConnectors:
- connectorId: NGINXHTTPServer
dataTypes:
- NGINXHTTPServer
- connectorId: CustomLogsAma
dataTypes:
- NGINX_CL
tactics:
- InitialAccess
relevantTechniques:

View file

@ -7,6 +7,9 @@ requiredDataConnectors:
- connectorId: NGINXHTTPServer
dataTypes:
- NGINXHTTPServer
- connectorId: CustomLogsAma
dataTypes:
- NGINX_CL
tactics:
- InitialAccess
relevantTechniques:

View file

@ -7,6 +7,9 @@ requiredDataConnectors:
- connectorId: NGINXHTTPServer
dataTypes:
- NGINXHTTPServer
- connectorId: CustomLogsAma
dataTypes:
- NGINX_CL
tactics:
- Impact
- InitialAccess

View file

@ -7,6 +7,9 @@ requiredDataConnectors:
- connectorId: NGINXHTTPServer
dataTypes:
- NGINXHTTPServer
- connectorId: CustomLogsAma
dataTypes:
- NGINX_CL
tactics:
- Impact
- InitialAccess

View file

@ -7,6 +7,9 @@ requiredDataConnectors:
- connectorId: NGINXHTTPServer
dataTypes:
- NGINXHTTPServer
- connectorId: CustomLogsAma
dataTypes:
- NGINX_CL
tactics:
- InitialAccess
relevantTechniques:

Binary data
Solutions/NGINX HTTP Server/Package/3.0.0.zip Normal file

Binary file not shown.

View file

@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [NGINX](https://nginx.org/) HTTP Server data connector provides the capability to ingest [NGINX HTTP Server](https://nginx.org/#basic_http_features) events into Microsoft Sentinel. Refer to [NGINX Logs documentation](https://nginx.org/en/docs/http/ngx_http_log_module.html) for more information. \n \n **Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs: \n \n a. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/NGINX%20HTTP%20Server/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [NGINX](https://nginx.org/) HTTP Server data connector provides the capability to ingest [NGINX HTTP Server](https://nginx.org/#basic_http_features) events into Microsoft Sentinel. Refer to [NGINX Logs documentation](https://nginx.org/en/docs/http/ngx_http_log_module.html) for more information.\n\n This solution is dependent on the Custom logs via AMA connector to collect the logs. The Custom logs solution will be installed as part of this solution installation. \n\n **NOTE**: Microsoft recommends installation of Custom logs via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024**. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/azure/sentinel/ama-migrate?WT.mc_id=Portal-fx).\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
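Review bot: The Release Notes link uses /tree/master/.../ReleaseNotes.md; for a file the canonical GitHub path is /blob/master/ (tree only resolves through a redirect). The two bullets are also formatted differently ("\n\n• Review ..." versus "\n\n • There may be ..." with a leading space), which renders with uneven indentation; align both.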
@ -60,14 +60,14 @@
"name": "dataconnectors1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "The NGINX HTTP Server data connector provides the capability to ingestNGINX HTTP Serverevents into Microsoft Sentinel. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
"text": "This Solution installs the data connector for NGINX HTTP Server. You can get NGINX HTTP Server custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
}
},
{
"name": "dataconnectors-parser-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seThe solution also installs a parser that transforms ingested data. The transformed logs can be accessed using the NGINXHTTPServer Kusto Function aliasamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel."
"text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel."
}
},
{
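Review bot: Removing the spliced sentence also removes the one operational detail it carried, namely that the transformed logs are reached through the NGINXHTTPServer Kusto Function alias; the old string had it interleaved mid-word ("seThe solution ... aliasamlessly"), so keep the fix but consider re-adding that point as a separate trailing sentence.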
@ -323,7 +323,7 @@
"name": "huntingquery1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query searches uncommon user agent strings. This hunting query depends on NGINXHTTPServer data connector (NGINXHTTPServer Parser or Table)"
"text": "Query searches uncommon user agent strings. This hunting query depends on NGINXHTTPServer CustomLogsAma data connector (NGINXHTTPServer NGINX_CL Parser or Table)"
}
}
]
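Review bot: The generated dependency sentence now concatenates two connector IDs and two data types with nothing between them ("NGINXHTTPServer CustomLogsAma data connector (NGINXHTTPServer NGINX_CL Parser or Table)"), which reads as a single identifier; render the lists with a separator, for example "depends on the NGINXHTTPServer or CustomLogsAma data connector (NGINXHTTPServer or NGINX_CL Parser or Table)". The same issue repeats in huntingquery2-text through huntingquery10-text below, and since the string is produced by the packaging tool the fix belongs there rather than in each solution.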
@ -337,7 +337,7 @@
"name": "huntingquery2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query shows abnormal request size. This hunting query depends on NGINXHTTPServer data connector (NGINXHTTPServer Parser or Table)"
"text": "Query shows abnormal request size. This hunting query depends on NGINXHTTPServer CustomLogsAma data connector (NGINXHTTPServer NGINX_CL Parser or Table)"
}
}
]
@ -351,7 +351,7 @@
"name": "huntingquery3-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query shows rare files requested This hunting query depends on NGINXHTTPServer data connector (NGINXHTTPServer Parser or Table)"
"text": "Query shows rare files requested This hunting query depends on NGINXHTTPServer CustomLogsAma data connector (NGINXHTTPServer NGINX_CL Parser or Table)"
}
}
]
@ -365,7 +365,7 @@
"name": "huntingquery4-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query shows rare URLs requested. This hunting query depends on NGINXHTTPServer data connector (NGINXHTTPServer Parser or Table)"
"text": "Query shows rare URLs requested. This hunting query depends on NGINXHTTPServer CustomLogsAma data connector (NGINXHTTPServer NGINX_CL Parser or Table)"
}
}
]
@ -379,7 +379,7 @@
"name": "huntingquery5-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query searches requests from bots and crawlers. This hunting query depends on NGINXHTTPServer data connector (NGINXHTTPServer Parser or Table)"
"text": "Query searches requests from bots and crawlers. This hunting query depends on NGINXHTTPServer CustomLogsAma data connector (NGINXHTTPServer NGINX_CL Parser or Table)"
}
}
]
@ -393,7 +393,7 @@
"name": "huntingquery6-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query shows list of requests to unexisting files This hunting query depends on NGINXHTTPServer data connector (NGINXHTTPServer Parser or Table)"
"text": "Query shows list of requests to unexisting files This hunting query depends on NGINXHTTPServer CustomLogsAma data connector (NGINXHTTPServer NGINX_CL Parser or Table)"
}
}
]
@ -407,7 +407,7 @@
"name": "huntingquery7-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query shows list of files requested This hunting query depends on NGINXHTTPServer data connector (NGINXHTTPServer Parser or Table)"
"text": "Query shows list of files requested This hunting query depends on NGINXHTTPServer CustomLogsAma data connector (NGINXHTTPServer NGINX_CL Parser or Table)"
}
}
]
@ -421,7 +421,7 @@
"name": "huntingquery8-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query shows list of files with error requests. This hunting query depends on NGINXHTTPServer data connector (NGINXHTTPServer Parser or Table)"
"text": "Query shows list of files with error requests. This hunting query depends on NGINXHTTPServer CustomLogsAma data connector (NGINXHTTPServer NGINX_CL Parser or Table)"
}
}
]
@ -435,7 +435,7 @@
"name": "huntingquery9-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query shows URLs list with client errors. This hunting query depends on NGINXHTTPServer data connector (NGINXHTTPServer Parser or Table)"
"text": "Query shows URLs list with client errors. This hunting query depends on NGINXHTTPServer CustomLogsAma data connector (NGINXHTTPServer NGINX_CL Parser or Table)"
}
}
]
@ -449,7 +449,7 @@
"name": "huntingquery10-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query shows URLs list with server errors. This hunting query depends on NGINXHTTPServer data connector (NGINXHTTPServer Parser or Table)"
"text": "Query shows URLs list with server errors. This hunting query depends on NGINXHTTPServer CustomLogsAma data connector (NGINXHTTPServer NGINX_CL Parser or Table)"
}
}
]

Diff not shown due to its large size.

View file

@ -0,0 +1,32 @@
{
"location": {
"type": "string",
"minLength": 1,
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
}
},
"workspace-location": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
}
},
"workspace": {
"defaultValue": "",
"type": "string",
"metadata": {
"description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
}
},
"workbook1-name": {
"type": "string",
"defaultValue": "NGINX HTTP Server",
"minLength": 1,
"metadata": {
"description": "Name for the workbook"
}
}
}

View file

@ -1,52 +0,0 @@
// Reference : Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions
let nginx_accesslog_events =() {
NGINX_CL
| where RawData matches regex @'(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).*\[.*\]\s\"(GET|POST).*?\"\s([1-5][0-9]{2})\s(\d+)\s\"(.*?)\"\s\"(.*?)\".*'
| extend EventProduct = 'NGINX'
| extend EventType = 'AccessLog'
| extend EventData = split(RawData, '"')
| extend SubEventData0 = split(trim_start(@' ', (trim_end(@' ', tostring(EventData[0])))), ' ')
| extend SubEventData1 = split(EventData[1], ' ')
| extend SubEventData2 = split(trim_start(@' ', (trim_end(@' ', tostring(EventData[2])))), ' ')
| extend SrcIpAddr = tostring(SubEventData0[0])
| extend SrcUserName = SubEventData0[2]
| extend EventStartTime = todatetime(replace(@'\/', @'-', replace(@'(\d{2}\/\w{3}\/\d{4}):(\d{2}\:\d{2}\:\d{2})', @'\1 \2', extract(@'\[(.*?)\+\d+\]', 1, RawData))))
| extend HttpRequestMethod = SubEventData1[0]
| extend UrlOriginal = SubEventData1[1]
| extend HttpVersion = SubEventData1[2]
| extend HttpStatusCode = SubEventData2[0]
| extend HttpResponseBodyBytes = SubEventData2[1]
| extend HttpReferrerOriginal = EventData[3]
| extend HttpUserAgentOriginal = EventData[5]
};
let nginx_errorlog_events=() {
NGINX_CL
| where RawData matches regex @'\A\d{4}\/\d{2}\/\d{2}\s+\d{2}\:\d{2}\:\d{2}\s+\[.*?\]\s\d+\#\d+\:'
| extend EventProduct = 'NGINX'
| extend EventType = 'ErrorLog'
| extend EventType = 'ErrorLog'
| extend EventSeverity = extract(@'\[(.*?)\]', 1, RawData)
| extend EventStartTime = todatetime(replace(@'\/', '-', extract(@'\A(.*?)\s\[', 1, RawData)))
| extend SrcIpAddr = extract(@'client: (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})', 1, RawData)
| extend ProcessId = extract(@'\]\s(\d+)\#', 1, RawData)
| extend ThreadId = extract(@'\]\s\d+\#(\d+)\:', 1, RawData)
| extend EventMessage = extract(@'\d+\#\d+\:\s(.*)', 1, RawData)
};
union isfuzzy=true nginx_accesslog_events, nginx_errorlog_events
| project TimeGenerated
, EventProduct
, EventType
, EventSeverity
, EventStartTime
, SrcIpAddr
, SrcUserName
, HttpRequestMethod
, UrlOriginal
, HttpVersion
, HttpStatusCode
, HttpResponseBodyBytes
, HttpReferrerOriginal
, HttpUserAgentOriginal
, ProcessId
, ThreadId
, EventMessage
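Review bot: Three things in the removed parser should not be carried into the yaml replacement unchanged. The access-log regex only admits a method of GET|POST, so PUT, DELETE, HEAD, OPTIONS and PATCH requests never match the access branch and are silently dropped from NGINXHTTPServer, which leaves any rule keyed on write methods blind; widen the alternation (for example (GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH)) or match the method generically. HttpStatusCode and HttpResponseBodyBytes come straight out of split() as strings, so numeric comparisons in rules quietly become string comparisons; wrap them in toint() and tolong(). The duplicated "| extend EventType = 'ErrorLog'" line is harmless but should be dropped.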

View file

@ -0,0 +1,3 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|---------------------------------------------|
| 3.0.0 | 08-08-2024 | Deprecating data connectors |
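Review bot: "Deprecating data connectors" is too terse for a release note that accompanies a major version bump; name what changed for the reader (legacy NGINXHTTPServer connector deprecated in favour of Custom logs via AMA with the NGINX_CL table, the Custom logs solution added as a dependency, parser moved to Parsers/NGINXHTTPServer.yaml), since the connector page itself carries no migration text.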

View file

@ -4,7 +4,7 @@
"firstPublishDate": "2021-12-16",
"providers": ["Nginx"],
"categories": {
"domains" : ["Security Network", "Networking","DevOps"]
"domains" : ["Security - Network", "Networking","DevOps"]
},
"support": {
"name": "Microsoft Corporation",

View file

@ -8,6 +8,9 @@ requiredDataConnectors:
- connectorId: OracleWebLogicServer
dataTypes:
- OracleWebLogicServerEvent
- connectorId: CustomLogsAma
dataTypes:
- OracleWebLogicServer_CL
queryFrequency: 15m
queryPeriod: 15m
triggerOperator: gt
@ -26,5 +29,5 @@ entityMappings:
fieldMappings:
- identifier: Url
columnName: UrlCustomEntity
version: 1.0.1
version: 1.0.2
kind: Scheduled

View file

@ -8,6 +8,9 @@ requiredDataConnectors:
- connectorId: OracleWebLogicServer
dataTypes:
- OracleWebLogicServerEvent
- connectorId: CustomLogsAma
dataTypes:
- OracleWebLogicServer_CL
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
@ -29,5 +32,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.1
version: 1.0.2
kind: Scheduled

View file

@ -8,6 +8,9 @@ requiredDataConnectors:
- connectorId: OracleWebLogicServer
dataTypes:
- OracleWebLogicServerEvent
- connectorId: CustomLogsAma
dataTypes:
- OracleWebLogicServer_CL
queryFrequency: 10m
queryPeriod: 10m
triggerOperator: gt
@ -26,5 +29,5 @@ entityMappings:
fieldMappings:
- identifier: Url
columnName: UrlCustomEntity
version: 1.0.1
version: 1.0.2
kind: Scheduled

View file

@ -8,6 +8,9 @@ requiredDataConnectors:
- connectorId: OracleWebLogicServer
dataTypes:
- OracleWebLogicServerEvent
- connectorId: CustomLogsAma
dataTypes:
- OracleWebLogicServer_CL
queryFrequency: 15m
queryPeriod: 15m
triggerOperator: gt
@ -27,5 +30,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.1
version: 1.0.2
kind: Scheduled

View file

@ -8,6 +8,9 @@ requiredDataConnectors:
- connectorId: OracleWebLogicServer
dataTypes:
- OracleWebLogicServerEvent
- connectorId: CustomLogsAma
dataTypes:
- OracleWebLogicServer_CL
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
@ -29,5 +32,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.1
version: 1.0.2
kind: Scheduled

View file

@ -8,6 +8,9 @@ requiredDataConnectors:
- connectorId: OracleWebLogicServer
dataTypes:
- OracleWebLogicServerEvent
- connectorId: CustomLogsAma
dataTypes:
- OracleWebLogicServer_CL
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
@ -31,5 +34,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.1
version: 1.0.2
kind: Scheduled

View file

@ -8,6 +8,9 @@ requiredDataConnectors:
- connectorId: OracleWebLogicServer
dataTypes:
- OracleWebLogicServerEvent
- connectorId: CustomLogsAma
dataTypes:
- OracleWebLogicServer_CL
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
@ -31,5 +34,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.1
version: 1.0.2
kind: Scheduled

View file

@ -8,6 +8,9 @@ requiredDataConnectors:
- connectorId: OracleWebLogicServer
dataTypes:
- OracleWebLogicServerEvent
- connectorId: CustomLogsAma
dataTypes:
- OracleWebLogicServer_CL
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
@ -40,5 +43,5 @@ entityMappings:
fieldMappings:
- identifier: Url
columnName: UrlCustomEntity
version: 1.0.0
version: 1.0.1
kind: Scheduled

View file

@ -8,6 +8,9 @@ requiredDataConnectors:
- connectorId: OracleWebLogicServer
dataTypes:
- OracleWebLogicServerEvent
- connectorId: CustomLogsAma
dataTypes:
- OracleWebLogicServer_CL
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
@ -39,5 +42,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.1
version: 1.0.2
kind: Scheduled

View file

@ -8,6 +8,9 @@ requiredDataConnectors:
- connectorId: OracleWebLogicServer
dataTypes:
- OracleWebLogicServerEvent
- connectorId: CustomLogsAma
dataTypes:
- OracleWebLogicServer_CL
queryFrequency: 15m
queryPeriod: 15m
triggerOperator: gt
@ -32,5 +35,5 @@ entityMappings:
fieldMappings:
- identifier: Url
columnName: UrlCustomEntity
version: 1.0.1
version: 1.0.2
kind: Scheduled

View file

@ -1,6 +1,6 @@
{
"id": "OracleWebLogicServer",
"title": "Oracle WebLogic Server",
"title": "[Deprecated] Oracle WebLogic Server",
"publisher": "Oracle",
"descriptionMarkdown": "OracleWebLogicServer data connector provides the capability to ingest [OracleWebLogicServer](https://docs.oracle.com/en/middleware/standalone/weblogic-server/index.html) events into Microsoft Sentinel. Refer to [OracleWebLogicServer documentation](https://docs.oracle.com/en/middleware/standalone/weblogic-server/14.1.1.0/index.html) for more information.",
"additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution.",
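Review bot: As with the NGINX connector, the title gains "[Deprecated]" but descriptionMarkdown still presents this as the live ingestion path; add a sentence pointing to Custom logs via AMA (OracleWebLogicServer_CL table) so the deprecation and its replacement are visible on the connector page itself, not only in the solution Description.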

View file

@ -2,7 +2,7 @@
"Name": "OracleWebLogicServer",
"Author": "Microsoft - support@microsoft.com",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">",
"Description": "The [Oracle](https://www.oracle.com/index.html) WebLogic Server solution for Microsoft Sentinel provides the capability to ingest [Oracle Web Logic Server](https://docs.oracle.com/en/middleware/standalone/weblogic-server/index.html) events into Microsoft Sentinel. Oracle WebLogic Server is a server for building and deploying enterprise Java EE applications with support for new features for lowering cost of operations, improving performance, enhancing scalability, and supporting the Oracle Applications portfolio.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n\r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\n a. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\r\n\n",
"Description": "The [Oracle](https://www.oracle.com/index.html) WebLogic Server solution for Microsoft Sentinel provides the capability to ingest [Oracle Web Logic Server](https://docs.oracle.com/en/middleware/standalone/weblogic-server/index.html) events into Microsoft Sentinel. Oracle WebLogic Server is a server for building and deploying enterprise Java EE applications with support for new features for lowering cost of operations, improving performance, enhancing scalability, and supporting the Oracle Applications portfolio.\n\n This solution is dependent on the Custom logs via AMA connector to collect the logs. The Custom logs solution will be installed as part of this solution installation. \n\n **NOTE**: Microsoft recommends installation of Custom logs via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024**. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/azure/sentinel/ama-migrate?WT.mc_id=Portal-fx).",
"Workbooks": [
"Workbooks/OracleWorkbook.json"
],
@ -35,10 +35,13 @@
"Analytic Rules/OracleWebLogicPutAndGetFileFromSameIP.yaml",
"Analytic Rules/OracleWebLogicPutSuspiciousFiles.yaml",
"Analytic Rules/OracleWebLogicRequestToSensitiveFiles.yaml"
],
"dependentDomainSolutionIds": [
"azuresentinel.azure-sentinel-solution-customlogsviaama"
],
"Metadata": "SolutionMetadata.json",
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\OracleWebLogicServer",
"Version": "3.0.0",
"Version": "3.0.1",
"TemplateSpec": true,
"Is1PConnector": false
}
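Review bot: Version goes from 3.0.0 to 3.0.1, but the only package touched in this commit is Solutions/OracleWebLogicServer/Package/3.0.0.zip (the binary change further down) and no 3.0.1.zip is added; the Version in Solution.json and the package filename must agree, otherwise the published artifact does not correspond to the declared version. Either add Package/3.0.1.zip or keep the version at 3.0.0 if the zip was deliberately regenerated in place. For comparison, the NGINX solution in this same commit bumps to 3.0.0 and adds a new Package/3.0.0.zip.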

View file

@ -7,6 +7,9 @@ requiredDataConnectors:
- connectorId: OracleWebLogicServer
dataTypes:
- OracleWebLogicServerEvent
- connectorId: CustomLogsAma
dataTypes:
- OracleWebLogicServer_CL
tactics:
- InitialAccess
relevantTechniques:

View file

@ -7,6 +7,9 @@ requiredDataConnectors:
- connectorId: OracleWebLogicServer
dataTypes:
- OracleWebLogicServerEvent
- connectorId: CustomLogsAma
dataTypes:
- OracleWebLogicServer_CL
tactics:
- Exfiltration
- Collection

View file

@ -7,6 +7,9 @@ requiredDataConnectors:
- connectorId: OracleWebLogicServer
dataTypes:
- OracleWebLogicServerEvent
- connectorId: CustomLogsAma
dataTypes:
- OracleWebLogicServer_CL
tactics:
- InitialAccess
relevantTechniques:

View file

@ -7,6 +7,9 @@ requiredDataConnectors:
- connectorId: OracleWebLogicServer
dataTypes:
- OracleWebLogicServerEvent
- connectorId: CustomLogsAma
dataTypes:
- OracleWebLogicServer_CL
tactics:
- DefenseEvasion
relevantTechniques:

View file

@ -7,6 +7,9 @@ requiredDataConnectors:
- connectorId: OracleWebLogicServer
dataTypes:
- OracleWebLogicServerEvent
- connectorId: CustomLogsAma
dataTypes:
- OracleWebLogicServer_CL
tactics:
- InitialAccess
relevantTechniques:

View file

@ -7,6 +7,9 @@ requiredDataConnectors:
- connectorId: OracleWebLogicServer
dataTypes:
- OracleWebLogicServerEvent
- connectorId: CustomLogsAma
dataTypes:
- OracleWebLogicServer_CL
tactics:
- InitialAccess
relevantTechniques:

View file

@ -7,6 +7,9 @@ requiredDataConnectors:
- connectorId: OracleWebLogicServer
dataTypes:
- OracleWebLogicServerEvent
- connectorId: CustomLogsAma
dataTypes:
- OracleWebLogicServer_CL
tactics:
- InitialAccess
relevantTechniques:

View file

@ -7,6 +7,9 @@ requiredDataConnectors:
- connectorId: OracleWebLogicServer
dataTypes:
- OracleWebLogicServerEvent
- connectorId: CustomLogsAma
dataTypes:
- OracleWebLogicServer_CL
tactics:
- InitialAccess
relevantTechniques:

View file

@ -7,6 +7,9 @@ requiredDataConnectors:
- connectorId: OracleWebLogicServer
dataTypes:
- OracleWebLogicServerEvent
- connectorId: CustomLogsAma
dataTypes:
- OracleWebLogicServer_CL
tactics:
- Impact
- InitialAccess

View file

@ -7,6 +7,9 @@ requiredDataConnectors:
- connectorId: OracleWebLogicServer
dataTypes:
- OracleWebLogicServerEvent
- connectorId: CustomLogsAma
dataTypes:
- OracleWebLogicServer_CL
tactics:
- Impact
- InitialAccess

Binary data
Solutions/OracleWebLogicServer/Package/3.0.0.zip

Binary file not shown.

View file

@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/OracleWebLogicServer/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Oracle](https://www.oracle.com/index.html) WebLogic Server solution for Microsoft Sentinel provides the capability to ingest [Oracle Web Logic Server](https://docs.oracle.com/en/middleware/standalone/weblogic-server/index.html) events into Microsoft Sentinel. Oracle WebLogic Server is a server for building and deploying enterprise Java EE applications with support for new features for lowering cost of operations, improving performance, enhancing scalability, and supporting the Oracle Applications portfolio.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n\r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\n a. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\r\n\n\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/OracleWebLogicServer/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Oracle](https://www.oracle.com/index.html) WebLogic Server solution for Microsoft Sentinel provides the capability to ingest [Oracle Web Logic Server](https://docs.oracle.com/en/middleware/standalone/weblogic-server/index.html) events into Microsoft Sentinel. Oracle WebLogic Server is a server for building and deploying enterprise Java EE applications with support for new features for lowering cost of operations, improving performance, enhancing scalability, and supporting the Oracle Applications portfolio.\n\n This solution is dependent on the Custom logs via AMA connector to collect the logs. The Custom logs solution will be installed as part of this solution installation. \n\n **NOTE**: Microsoft recommends installation of Custom logs via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024**. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/azure/sentinel/ama-migrate?WT.mc_id=Portal-fx).\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
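Review bot: The Release Notes link is changed from /blob/master/ to /tree/master/; blob is the canonical GitHub path for a file, so this is a step backwards (tree only resolves through a redirect) and should be reverted. The "\r \n" to "\n\n" cleanup is good; the leading space before the second bullet ("\n\n • There may be") is the same inconsistency as in the NGINX createUiDefinition and worth aligning in both.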
@ -323,7 +323,7 @@
"name": "huntingquery1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query shows request to forbidden files. This hunting query depends on OracleWebLogicServer data connector (OracleWebLogicServerEvent Parser or Table)"
"text": "Query shows request to forbidden files. This hunting query depends on OracleWebLogicServer CustomLogsAma data connector (OracleWebLogicServerEvent OracleWebLogicServer_CL Parser or Table)"
}
}
]
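Review bot: Same generated-text problem as in the NGINX solution: "OracleWebLogicServer CustomLogsAma data connector (OracleWebLogicServerEvent OracleWebLogicServer_CL Parser or Table)" runs two connector IDs and two data types together without a separator. Emit "OracleWebLogicServer or CustomLogsAma" and "OracleWebLogicServerEvent or OracleWebLogicServer_CL" instead; this repeats in huntingquery2-text through huntingquery10-text below and should be fixed in the packaging tool that produces the string.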
@ -337,7 +337,7 @@
"name": "huntingquery2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query shows abnormal request size. This hunting query depends on OracleWebLogicServer data connector (OracleWebLogicServerEvent Parser or Table)"
"text": "Query shows abnormal request size. This hunting query depends on OracleWebLogicServer CustomLogsAma data connector (OracleWebLogicServerEvent OracleWebLogicServer_CL Parser or Table)"
}
}
]
@ -351,7 +351,7 @@
"name": "huntingquery3-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query shows critical event severity This hunting query depends on OracleWebLogicServer data connector (OracleWebLogicServerEvent Parser or Table)"
"text": "Query shows critical event severity This hunting query depends on OracleWebLogicServer CustomLogsAma data connector (OracleWebLogicServerEvent OracleWebLogicServer_CL Parser or Table)"
}
}
]
@ -365,7 +365,7 @@
"name": "huntingquery4-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query shows error messages. This hunting query depends on OracleWebLogicServer data connector (OracleWebLogicServerEvent Parser or Table)"
"text": "Query shows error messages. This hunting query depends on OracleWebLogicServer CustomLogsAma data connector (OracleWebLogicServerEvent OracleWebLogicServer_CL Parser or Table)"
}
}
]
@ -379,7 +379,7 @@
"name": "huntingquery5-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query shows list of files with error requests. This hunting query depends on OracleWebLogicServer data connector (OracleWebLogicServerEvent Parser or Table)"
"text": "Query shows list of files with error requests. This hunting query depends on OracleWebLogicServer CustomLogsAma data connector (OracleWebLogicServerEvent OracleWebLogicServer_CL Parser or Table)"
}
}
]
@ -393,7 +393,7 @@
"name": "huntingquery6-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query shows rare user agent strings with client errors This hunting query depends on OracleWebLogicServer data connector (OracleWebLogicServerEvent Parser or Table)"
"text": "Query shows rare user agent strings with client errors This hunting query depends on OracleWebLogicServer CustomLogsAma data connector (OracleWebLogicServerEvent OracleWebLogicServer_CL Parser or Table)"
}
}
]
@ -407,7 +407,7 @@
"name": "huntingquery7-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query shows rare URLs requested. This hunting query depends on OracleWebLogicServer data connector (OracleWebLogicServerEvent Parser or Table)"
"text": "Query shows rare URLs requested. This hunting query depends on OracleWebLogicServer CustomLogsAma data connector (OracleWebLogicServerEvent OracleWebLogicServer_CL Parser or Table)"
}
}
]
@ -421,7 +421,7 @@
"name": "huntingquery8-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query shows rare user agents This hunting query depends on OracleWebLogicServer data connector (OracleWebLogicServerEvent Parser or Table)"
"text": "Query shows rare user agents This hunting query depends on OracleWebLogicServer CustomLogsAma data connector (OracleWebLogicServerEvent OracleWebLogicServer_CL Parser or Table)"
}
}
]
@ -435,7 +435,7 @@
"name": "huntingquery9-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query shows URLs list with client errors. This hunting query depends on OracleWebLogicServer data connector (OracleWebLogicServerEvent Parser or Table)"
"text": "Query shows URLs list with client errors. This hunting query depends on OracleWebLogicServer CustomLogsAma data connector (OracleWebLogicServerEvent OracleWebLogicServer_CL Parser or Table)"
}
}
]
@ -449,7 +449,7 @@
"name": "huntingquery10-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query shows URLs list with server errors. This hunting query depends on OracleWebLogicServer data connector (OracleWebLogicServerEvent Parser or Table)"
"text": "Query shows URLs list with server errors. This hunting query depends on OracleWebLogicServer CustomLogsAma data connector (OracleWebLogicServerEvent OracleWebLogicServer_CL Parser or Table)"
}
}
]

View file


@ -118,74 +118,74 @@
"dataConnectorVersion1": "1.0.0",
"_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
"analyticRuleObject1": {
"analyticRuleVersion1": "1.0.1",
"analyticRuleVersion1": "1.0.2",
"_analyticRulecontentId1": "6ae36a5e-573f-11ec-bf63-0242ac130002",
"analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '6ae36a5e-573f-11ec-bf63-0242ac130002')]",
"analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('6ae36a5e-573f-11ec-bf63-0242ac130002')))]",
"_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','6ae36a5e-573f-11ec-bf63-0242ac130002','-', '1.0.1')))]"
"_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','6ae36a5e-573f-11ec-bf63-0242ac130002','-', '1.0.2')))]"
},
"analyticRuleObject2": {
"analyticRuleVersion2": "1.0.1",
"analyticRuleVersion2": "1.0.2",
"_analyticRulecontentId2": "44c7d12a-573f-11ec-bf63-0242ac130002",
"analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '44c7d12a-573f-11ec-bf63-0242ac130002')]",
"analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('44c7d12a-573f-11ec-bf63-0242ac130002')))]",
"_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','44c7d12a-573f-11ec-bf63-0242ac130002','-', '1.0.1')))]"
"_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','44c7d12a-573f-11ec-bf63-0242ac130002','-', '1.0.2')))]"
},
"analyticRuleObject3": {
"analyticRuleVersion3": "1.0.1",
"analyticRuleVersion3": "1.0.2",
"_analyticRulecontentId3": "67950168-5740-11ec-bf63-0242ac130002",
"analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '67950168-5740-11ec-bf63-0242ac130002')]",
"analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('67950168-5740-11ec-bf63-0242ac130002')))]",
"_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','67950168-5740-11ec-bf63-0242ac130002','-', '1.0.1')))]"
"_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','67950168-5740-11ec-bf63-0242ac130002','-', '1.0.2')))]"
},
"analyticRuleObject4": {
"analyticRuleVersion4": "1.0.1",
"analyticRuleVersion4": "1.0.2",
"_analyticRulecontentId4": "51d050ee-5740-11ec-bf63-0242ac130002",
"analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '51d050ee-5740-11ec-bf63-0242ac130002')]",
"analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('51d050ee-5740-11ec-bf63-0242ac130002')))]",
"_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','51d050ee-5740-11ec-bf63-0242ac130002','-', '1.0.1')))]"
"_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','51d050ee-5740-11ec-bf63-0242ac130002','-', '1.0.2')))]"
},
"analyticRuleObject5": {
"analyticRuleVersion5": "1.0.1",
"analyticRuleVersion5": "1.0.2",
"_analyticRulecontentId5": "41775080-5740-11ec-bf63-0242ac130002",
"analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '41775080-5740-11ec-bf63-0242ac130002')]",
"analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('41775080-5740-11ec-bf63-0242ac130002')))]",
"_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','41775080-5740-11ec-bf63-0242ac130002','-', '1.0.1')))]"
"_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','41775080-5740-11ec-bf63-0242ac130002','-', '1.0.2')))]"
},
"analyticRuleObject6": {
"analyticRuleVersion6": "1.0.1",
"analyticRuleVersion6": "1.0.2",
"_analyticRulecontentId6": "268f4fde-5740-11ec-bf63-0242ac130002",
"analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '268f4fde-5740-11ec-bf63-0242ac130002')]",
"analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('268f4fde-5740-11ec-bf63-0242ac130002')))]",
"_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','268f4fde-5740-11ec-bf63-0242ac130002','-', '1.0.1')))]"
"_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','268f4fde-5740-11ec-bf63-0242ac130002','-', '1.0.2')))]"
},
"analyticRuleObject7": {
"analyticRuleVersion7": "1.0.1",
"analyticRuleVersion7": "1.0.2",
"_analyticRulecontentId7": "153ce6d8-5740-11ec-bf63-0242ac130002",
"analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '153ce6d8-5740-11ec-bf63-0242ac130002')]",
"analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('153ce6d8-5740-11ec-bf63-0242ac130002')))]",
"_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','153ce6d8-5740-11ec-bf63-0242ac130002','-', '1.0.1')))]"
"_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','153ce6d8-5740-11ec-bf63-0242ac130002','-', '1.0.2')))]"
},
"analyticRuleObject8": {
"analyticRuleVersion8": "1.0.0",
"analyticRuleVersion8": "1.0.1",
"_analyticRulecontentId8": "033e98d2-5740-11ec-bf63-0242ac130002",
"analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '033e98d2-5740-11ec-bf63-0242ac130002')]",
"analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('033e98d2-5740-11ec-bf63-0242ac130002')))]",
"_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','033e98d2-5740-11ec-bf63-0242ac130002','-', '1.0.0')))]"
"_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','033e98d2-5740-11ec-bf63-0242ac130002','-', '1.0.1')))]"
},
"analyticRuleObject9": {
"analyticRuleVersion9": "1.0.1",
"analyticRuleVersion9": "1.0.2",
"_analyticRulecontentId9": "edc2f2b4-573f-11ec-bf63-0242ac130002",
"analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'edc2f2b4-573f-11ec-bf63-0242ac130002')]",
"analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('edc2f2b4-573f-11ec-bf63-0242ac130002')))]",
"_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','edc2f2b4-573f-11ec-bf63-0242ac130002','-', '1.0.1')))]"
"_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','edc2f2b4-573f-11ec-bf63-0242ac130002','-', '1.0.2')))]"
},
"analyticRuleObject10": {
"analyticRuleVersion10": "1.0.1",
"analyticRuleVersion10": "1.0.2",
"_analyticRulecontentId10": "9cc9ed36-573f-11ec-bf63-0242ac130002",
"analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9cc9ed36-573f-11ec-bf63-0242ac130002')]",
"analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('9cc9ed36-573f-11ec-bf63-0242ac130002')))]",
"_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','9cc9ed36-573f-11ec-bf63-0242ac130002','-', '1.0.1')))]"
"_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','9cc9ed36-573f-11ec-bf63-0242ac130002','-', '1.0.2')))]"
},
"_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
},
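Review bot: `"dataConnectorVersion1": "1.0.0"` is left untouched on the context line at the top of this hunk, while later in the same template the connector's `title` and `displayName` are renamed to "[Deprecated] Oracle WebLogic Server". Because `_dataConnectorcontentProductId1` is derived from that version string, the deprecated connector keeps the same product id as the original release and an existing installation has no signal that the connector changed. Bump `dataConnectorVersion1` in the same way the ten analytic rule versions are bumped here (1.0.1 to 1.0.2, and 1.0.0 to 1.0.1 for rule 8).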
@ -1285,7 +1285,7 @@
"properties": {
"connectorUiConfig": {
"id": "[variables('_uiConfigId1')]",
"title": "Oracle WebLogic Server (using Azure Functions)",
"title": "[Deprecated] Oracle WebLogic Server",
"publisher": "Oracle",
"descriptionMarkdown": "OracleWebLogicServer data connector provides the capability to ingest [OracleWebLogicServer](https://docs.oracle.com/en/middleware/standalone/weblogic-server/index.html) events into Microsoft Sentinel. Refer to [OracleWebLogicServer documentation](https://docs.oracle.com/en/middleware/standalone/weblogic-server/14.1.1.0/index.html) for more information.",
"additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution.",
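Review bot: Only `title` receives the "[Deprecated]" prefix; `descriptionMarkdown` on the following context line still presents the connector as the way to ingest OracleWebLogicServer events and says nothing about the deprecation or its replacement. Add a sentence to `descriptionMarkdown` stating that this connector is deprecated and that the Custom logs via AMA connector (`CustomLogsAma`), which this commit adds as a solution dependency, should be used instead; the same applies to the second `connectorUiConfig` block further down, which gets the same title change.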
@ -1476,7 +1476,7 @@
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('_dataConnectorContentId1')]",
"contentKind": "DataConnector",
"displayName": "Oracle WebLogic Server (using Azure Functions)",
"displayName": "[Deprecated] Oracle WebLogic Server",
"contentProductId": "[variables('_dataConnectorcontentProductId1')]",
"id": "[variables('_dataConnectorcontentProductId1')]",
"version": "[variables('dataConnectorVersion1')]"
@ -1520,7 +1520,7 @@
"kind": "GenericUI",
"properties": {
"connectorUiConfig": {
"title": "Oracle WebLogic Server (using Azure Functions)",
"title": "[Deprecated] Oracle WebLogic Server",
"publisher": "Oracle",
"descriptionMarkdown": "OracleWebLogicServer data connector provides the capability to ingest [OracleWebLogicServer](https://docs.oracle.com/en/middleware/standalone/weblogic-server/index.html) events into Microsoft Sentinel. Refer to [OracleWebLogicServer documentation](https://docs.oracle.com/en/middleware/standalone/weblogic-server/14.1.1.0/index.html) for more information.",
"graphQueries": [
@ -1696,7 +1696,7 @@
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
"name": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
"apiVersion": "2022-04-01-preview",
"apiVersion": "2023-02-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
@ -1714,10 +1714,16 @@
"status": "Available",
"requiredDataConnectors": [
{
"connectorId": "OracleWebLogicServer",
"dataTypes": [
"OracleWebLogicServerEvent"
],
"connectorId": "OracleWebLogicServer"
]
},
{
"connectorId": "CustomLogsAma",
"dataTypes": [
"OracleWebLogicServerEvent"
]
}
],
"tactics": [
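Review bot: The new `CustomLogsAma` entry in this hunk declares `"OracleWebLogicServerEvent"` as its data type, whereas the corresponding `CustomLogsAma` entries added to analytic rules 2 through 10 declare `"OracleWebLogicServer_CL"`. `OracleWebLogicServerEvent` is the parser alias (the solution's own banner text calls it a Kusto Function), not a table that the AMA custom-logs connector produces, so the connector check for rule 1 keys on a data type the connector never reports. Change this entry to `"OracleWebLogicServer_CL"` for consistency with the other nine rules.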
@ -1729,13 +1735,13 @@
],
"entityMappings": [
{
"entityType": "URL",
"fieldMappings": [
{
"identifier": "Url",
"columnName": "UrlCustomEntity"
"columnName": "UrlCustomEntity",
"identifier": "Url"
}
]
],
"entityType": "URL"
}
]
}
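Review bot: This hunk changes no values; it only reorders the `entityType`/`fieldMappings` and `identifier`/`columnName` keys inside `entityMappings`. The same key reordering is repeated in every analytic rule below, which inflates the diff and hides the substantive changes (apiVersion, requiredDataConnectors). Harmless as JSON, but if the packaging tool now emits keys in this order, consider a one-time regeneration of the template in a separate commit so later reviews show only real changes.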
@ -1801,7 +1807,7 @@
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
"name": "[variables('analyticRuleObject2')._analyticRulecontentId2]",
"apiVersion": "2022-04-01-preview",
"apiVersion": "2023-02-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
@ -1819,10 +1825,16 @@
"status": "Available",
"requiredDataConnectors": [
{
"connectorId": "OracleWebLogicServer",
"dataTypes": [
"OracleWebLogicServerEvent"
],
"connectorId": "OracleWebLogicServer"
]
},
{
"connectorId": "CustomLogsAma",
"dataTypes": [
"OracleWebLogicServer_CL"
]
}
],
"tactics": [
@ -1834,13 +1846,13 @@
],
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"identifier": "Address",
"columnName": "IPCustomEntity"
"columnName": "IPCustomEntity",
"identifier": "Address"
}
]
],
"entityType": "IP"
}
]
}
@ -1906,7 +1918,7 @@
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
"name": "[variables('analyticRuleObject3')._analyticRulecontentId3]",
"apiVersion": "2022-04-01-preview",
"apiVersion": "2023-02-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
@ -1924,10 +1936,16 @@
"status": "Available",
"requiredDataConnectors": [
{
"connectorId": "OracleWebLogicServer",
"dataTypes": [
"OracleWebLogicServerEvent"
],
"connectorId": "OracleWebLogicServer"
]
},
{
"connectorId": "CustomLogsAma",
"dataTypes": [
"OracleWebLogicServer_CL"
]
}
],
"tactics": [
@ -1938,13 +1956,13 @@
],
"entityMappings": [
{
"entityType": "URL",
"fieldMappings": [
{
"identifier": "Url",
"columnName": "UrlCustomEntity"
"columnName": "UrlCustomEntity",
"identifier": "Url"
}
]
],
"entityType": "URL"
}
]
}
@ -2010,7 +2028,7 @@
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
"name": "[variables('analyticRuleObject4')._analyticRulecontentId4]",
"apiVersion": "2022-04-01-preview",
"apiVersion": "2023-02-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
@ -2028,10 +2046,16 @@
"status": "Available",
"requiredDataConnectors": [
{
"connectorId": "OracleWebLogicServer",
"dataTypes": [
"OracleWebLogicServerEvent"
],
"connectorId": "OracleWebLogicServer"
]
},
{
"connectorId": "CustomLogsAma",
"dataTypes": [
"OracleWebLogicServer_CL"
]
}
],
"tactics": [
@ -2043,13 +2067,13 @@
],
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"identifier": "Address",
"columnName": "IPCustomEntity"
"columnName": "IPCustomEntity",
"identifier": "Address"
}
]
],
"entityType": "IP"
}
]
}
@ -2115,7 +2139,7 @@
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
"name": "[variables('analyticRuleObject5')._analyticRulecontentId5]",
"apiVersion": "2022-04-01-preview",
"apiVersion": "2023-02-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
@ -2133,10 +2157,16 @@
"status": "Available",
"requiredDataConnectors": [
{
"connectorId": "OracleWebLogicServer",
"dataTypes": [
"OracleWebLogicServerEvent"
],
"connectorId": "OracleWebLogicServer"
]
},
{
"connectorId": "CustomLogsAma",
"dataTypes": [
"OracleWebLogicServer_CL"
]
}
],
"tactics": [
@ -2148,13 +2178,13 @@
],
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"identifier": "Address",
"columnName": "IPCustomEntity"
"columnName": "IPCustomEntity",
"identifier": "Address"
}
]
],
"entityType": "IP"
}
]
}
@ -2220,7 +2250,7 @@
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
"name": "[variables('analyticRuleObject6')._analyticRulecontentId6]",
"apiVersion": "2022-04-01-preview",
"apiVersion": "2023-02-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
@ -2238,10 +2268,16 @@
"status": "Available",
"requiredDataConnectors": [
{
"connectorId": "OracleWebLogicServer",
"dataTypes": [
"OracleWebLogicServerEvent"
],
"connectorId": "OracleWebLogicServer"
]
},
{
"connectorId": "CustomLogsAma",
"dataTypes": [
"OracleWebLogicServer_CL"
]
}
],
"tactics": [
@ -2255,13 +2291,13 @@
],
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"identifier": "Address",
"columnName": "IPCustomEntity"
"columnName": "IPCustomEntity",
"identifier": "Address"
}
]
],
"entityType": "IP"
}
]
}
@ -2327,7 +2363,7 @@
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
"name": "[variables('analyticRuleObject7')._analyticRulecontentId7]",
"apiVersion": "2022-04-01-preview",
"apiVersion": "2023-02-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
@ -2345,10 +2381,16 @@
"status": "Available",
"requiredDataConnectors": [
{
"connectorId": "OracleWebLogicServer",
"dataTypes": [
"OracleWebLogicServerEvent"
],
"connectorId": "OracleWebLogicServer"
]
},
{
"connectorId": "CustomLogsAma",
"dataTypes": [
"OracleWebLogicServer_CL"
]
}
],
"tactics": [
@ -2360,22 +2402,22 @@
],
"entityMappings": [
{
"entityType": "URL",
"fieldMappings": [
{
"identifier": "Url",
"columnName": "UrlCustomEntity"
"columnName": "UrlCustomEntity",
"identifier": "Url"
}
]
],
"entityType": "URL"
},
{
"entityType": "IP",
"fieldMappings": [
{
"identifier": "Address",
"columnName": "IPCustomEntity"
"columnName": "IPCustomEntity",
"identifier": "Address"
}
]
],
"entityType": "IP"
}
]
}
@ -2441,7 +2483,7 @@
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
"name": "[variables('analyticRuleObject8')._analyticRulecontentId8]",
"apiVersion": "2022-04-01-preview",
"apiVersion": "2023-02-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
@ -2459,10 +2501,16 @@
"status": "Available",
"requiredDataConnectors": [
{
"connectorId": "OracleWebLogicServer",
"dataTypes": [
"OracleWebLogicServerEvent"
],
"connectorId": "OracleWebLogicServer"
]
},
{
"connectorId": "CustomLogsAma",
"dataTypes": [
"OracleWebLogicServer_CL"
]
}
],
"tactics": [
@ -2474,22 +2522,22 @@
],
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"identifier": "Address",
"columnName": "IPCustomEntity"
"columnName": "IPCustomEntity",
"identifier": "Address"
}
]
],
"entityType": "IP"
},
{
"entityType": "URL",
"fieldMappings": [
{
"identifier": "Url",
"columnName": "UrlCustomEntity"
"columnName": "UrlCustomEntity",
"identifier": "Url"
}
]
],
"entityType": "URL"
}
]
}
@ -2555,7 +2603,7 @@
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
"name": "[variables('analyticRuleObject9')._analyticRulecontentId9]",
"apiVersion": "2022-04-01-preview",
"apiVersion": "2023-02-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
@ -2573,10 +2621,16 @@
"status": "Available",
"requiredDataConnectors": [
{
"connectorId": "OracleWebLogicServer",
"dataTypes": [
"OracleWebLogicServerEvent"
],
"connectorId": "OracleWebLogicServer"
]
},
{
"connectorId": "CustomLogsAma",
"dataTypes": [
"OracleWebLogicServer_CL"
]
}
],
"tactics": [
@ -2590,31 +2644,31 @@
],
"entityMappings": [
{
"entityType": "File",
"fieldMappings": [
{
"identifier": "Name",
"columnName": "FileCustomEntity"
"columnName": "FileCustomEntity",
"identifier": "Name"
}
]
],
"entityType": "File"
},
{
"entityType": "URL",
"fieldMappings": [
{
"identifier": "Url",
"columnName": "UrlCustomEntity"
"columnName": "UrlCustomEntity",
"identifier": "Url"
}
]
],
"entityType": "URL"
},
{
"entityType": "IP",
"fieldMappings": [
{
"identifier": "Address",
"columnName": "IPCustomEntity"
"columnName": "IPCustomEntity",
"identifier": "Address"
}
]
],
"entityType": "IP"
}
]
}
@ -2680,7 +2734,7 @@
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
"name": "[variables('analyticRuleObject10')._analyticRulecontentId10]",
"apiVersion": "2022-04-01-preview",
"apiVersion": "2023-02-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
@ -2698,10 +2752,16 @@
"status": "Available",
"requiredDataConnectors": [
{
"connectorId": "OracleWebLogicServer",
"dataTypes": [
"OracleWebLogicServerEvent"
],
"connectorId": "OracleWebLogicServer"
]
},
{
"connectorId": "CustomLogsAma",
"dataTypes": [
"OracleWebLogicServer_CL"
]
}
],
"tactics": [
@ -2712,22 +2772,22 @@
],
"entityMappings": [
{
"entityType": "File",
"fieldMappings": [
{
"identifier": "Name",
"columnName": "FileCustomEntity"
"columnName": "FileCustomEntity",
"identifier": "Name"
}
]
],
"entityType": "File"
},
{
"entityType": "URL",
"fieldMappings": [
{
"identifier": "Url",
"columnName": "UrlCustomEntity"
"columnName": "UrlCustomEntity",
"identifier": "Url"
}
]
],
"entityType": "URL"
}
]
}
@ -2784,7 +2844,7 @@
"contentSchemaVersion": "3.0.0",
"displayName": "OracleWebLogicServer",
"publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation",
"descriptionHtml": "<p><strong>Note:</strong> <em>There may be <a href=\"https://aka.ms/sentinelsolutionsknownissues\">known issues</a> pertaining to this Solution, please refer to them before installing.</em></p>\n<p>The <a href=\"https://www.oracle.com/index.html\">Oracle</a> WebLogic Server solution for Microsoft Sentinel provides the capability to ingest <a href=\"https://docs.oracle.com/en/middleware/standalone/weblogic-server/index.html\">Oracle Web Logic Server</a> events into Microsoft Sentinel. Oracle WebLogic Server is a server for building and deploying enterprise Java EE applications with support for new features for lowering cost of operations, improving performance, enhancing scalability, and supporting the Oracle Applications portfolio.</p>\n<p><strong>Underlying Microsoft Technologies used:</strong></p>\n<p>This solution takes a dependency on the following technologies, and some of these dependencies either may be in <a href=\"https://azure.microsoft.com/support/legal/preview-supplemental-terms/\">Preview</a> state or might result in additional ingestion or operational costs:</p>\n<ol type=\"a\">\n<li><a href=\"https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api\">Azure Monitor HTTP Data Collector API</a></li>\n</ol>\n<p><strong>Data Connectors:</strong> 1, <strong>Parsers:</strong> 1, <strong>Workbooks:</strong> 1, <strong>Analytic Rules:</strong> 10, <strong>Hunting Queries:</strong> 10</p>\n<p><a href=\"https://aka.ms/azuresentinel\">Learn more about Microsoft Sentinel</a> | <a href=\"https://aka.ms/azuresentinelsolutionsdoc\">Learn more about Solutions</a></p>\n",
"descriptionHtml": "<p><strong>Note:</strong> Please refer to the following before installing the solution:</p>\n<p>• Review the solution <a href=\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/OracleWebLogicServer/ReleaseNotes.md\">Release Notes</a></p>\n<p>• There may be <a href=\"https://aka.ms/sentinelsolutionsknownissues\">known issues</a> pertaining to this Solution, please refer to them before installing.</p>\n<p>The <a href=\"https://www.oracle.com/index.html\">Oracle</a> WebLogic Server solution for Microsoft Sentinel provides the capability to ingest <a href=\"https://docs.oracle.com/en/middleware/standalone/weblogic-server/index.html\">Oracle Web Logic Server</a> events into Microsoft Sentinel. Oracle WebLogic Server is a server for building and deploying enterprise Java EE applications with support for new features for lowering cost of operations, improving performance, enhancing scalability, and supporting the Oracle Applications portfolio.</p>\n<p>This solution is dependent on the Custom logs via AMA connector to collect the logs. The Custom logs solution will be installed as part of this solution installation.</p>\n<p><strong>NOTE</strong>: Microsoft recommends installation of Custom logs via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by <strong>Aug 31, 2024</strong>. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost <a href=\"https://learn.microsoft.com/azure/sentinel/ama-migrate?WT.mc_id=Portal-fx\">more details</a>.</p>\n<p><strong>Data Connectors:</strong> 1, <strong>Parsers:</strong> 1, <strong>Workbooks:</strong> 1, <strong>Analytic Rules:</strong> 10, <strong>Hunting Queries:</strong> 10</p>\n<p><a href=\"https://aka.ms/azuresentinel\">Learn more about Microsoft Sentinel</a> | <a href=\"https://aka.ms/azuresentinelsolutionsdoc\">Learn more about Solutions</a></p>\n",
"contentKind": "Solution",
"contentProductId": "[variables('_solutioncontentProductId')]",
"id": "[variables('_solutioncontentProductId')]",
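Review bot: The new `descriptionHtml` hard-codes "about to be deprecated by <strong>Aug 31, 2024</strong>", a date that falls within weeks of this commit, so the published description will read as stale almost immediately; phrase it as a past event or drop the date and keep only the link to the AMA migration guidance. The same paragraph also refers to the replacement three different ways ("Custom logs via AMA connector", "Custom logs solution", "Custom logs via AMA Connector"); pick one name so it matches the `[Deprecated]` connector text and the release notes.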
@ -2807,7 +2867,6 @@
"link": "https://support.microsoft.com"
},
"dependencies": {
"operator": "AND",
"criteria": [
{
"kind": "Workbook",
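Review bot: Removing `"operator": "AND"` from `dependencies` changes how the `criteria` list is evaluated unless AND is the schema default, and this same file adds a new Solution criterion for the Custom logs via AMA solution that the analytic rules now rely on. Confirm that the content-packaging schema defaults to AND; if it does not, keep the explicit operator so the new dependency is actually enforced at install time.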
@ -2923,6 +2982,10 @@
"kind": "AnalyticsRule",
"contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]",
"version": "[variables('analyticRuleObject10').analyticRuleVersion10]"
},
{
"kind": "Solution",
"contentId": "azuresentinel.azure-sentinel-solution-customlogsviaama"
}
]
},
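Review bot: The new Solution criterion for `azuresentinel.azure-sentinel-solution-customlogsviaama` carries no `version`, unlike the AnalyticsRule criterion immediately above it, which pins `analyticRuleVersion10`. If the resolver accepts unversioned Solution criteria this installs, but any version of the Custom logs via AMA solution then satisfies the check; consider pinning a minimum version the way the other criteria in this list do.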

View file

@ -1,3 +1,4 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|------------------------------------------------------------------------------|
| 3.0.1 | 09-08-2024 | Deprecating data connectors |
| 3.0.0 | 15-12-2023 | Updated the **Parser** field TreadId to ThreadId |
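Review bot: The new 3.0.1 row, "Deprecating data connectors", understates what ships in this version: the solution also gains a dependency on the Custom logs via AMA solution, every analytic rule's `requiredDataConnectors` now lists `CustomLogsAma` with the `OracleWebLogicServer_CL` table, the rule `apiVersion` moves to `2023-02-01-preview`, and all ten rule versions are bumped. Suggest "Deprecated the Oracle WebLogic Server data connector; added Custom logs via AMA (CustomLogsAma) as the supported connector; updated analytic rules and hunting queries" so a reader of the release notes learns what replaces the deprecated connector.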

View file

@ -1,6 +1,6 @@
{
"id": "PostgreSQL",
"title": "PostgreSQL Events",
"title": "[Deprecated] PostgreSQL Events",
"publisher": "PostgreSQL",
"descriptionMarkdown": "PostgreSQL data connector provides the capability to ingest [PostgreSQL](https://www.postgresql.org/) events into Microsoft Sentinel. Refer to [PostgreSQL documentation](https://www.postgresql.org/docs/current/index.html) for more information.",
"additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected. Follow the steps to use this Kusto Function alias **PostgreSQLEvent** in queries and workbooks. [Follow steps to get this Kusto Function>](https://aka.ms/sentinel-postgresql-parser)",
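Review bot: Only `title` is marked "[Deprecated]" here; `descriptionMarkdown` and `additionalRequirementBanner` on the following context lines still describe an active connector and instruct the user to deploy the PostgreSQLEvent parser. Add a deprecation sentence to `descriptionMarkdown` naming the replacement connector, and check that the PostgreSQL solution's mainTemplate, createUiDefinition and release notes receive the same treatment given to OracleWebLogicServer in this commit; they are not visible in the shown portion of the diff.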

Some files were not shown because too many files changed in this diff.