Merge pull request #3056 from techwriter-dev/nxlog-dns-logs-solution

NXLog DNS logs solution
v-jayakal 2021-10-06 22:38:11 -07:00 коммит произвёл GitHub
Родитель 228d404ad3 1c032529ea
Коммит ed744b5514
3 изменённых файлов: 41032 добавлений и 0 удалений



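--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_1
@@ -0,0 +1,102 @@
+{
+"id": "NXLogDnsLogs",
+"title": "NXLog DNS Logs",
+"publisher": "NXLog",
+"descriptionMarkdown": "The NXLog DNS Logs data connector uses Event Tracing for Windows ([ETW](https://docs.microsoft.com/windows/apps/trace-processing/overview)) for collecting both Audit and Analytical DNS Server events. The [NXLog *im_etw* module](https://nxlog.co/documentation/nxlog-user-guide/im_etw.html) reads event tracing data directly for maximum efficiency, without the need to capture the event trace into an .etl file. This REST API connector can forward DNS Server events to Azure Sentinel in real time.",
+"additionalRequirementBanner": "This data connector depends on parsers based on Kusto functions deployed with the Azure Sentinel Solution to work as expected. The [**ASimDnsMicrosoftNXLog **](https://aka.ms/sentinel-nxlogdnslogs-parser) is designed to leverage Azure Sentinel's built-in DNS-related analytics capabilities.",
+"graphQueries": [
+{
+"metricName": "Total data received",
+"legend": "ASimDnsMicrosoftNXLog ",
+"baseQuery": "ASimDnsMicrosoftNXLog "
+}
+],
+"sampleQueries": [
+{
+"description" : "DNS Server top 5 hostlookups",
+"query": "ASimDnsMicrosoftNXLog \n| summarize count() by Domain\n| take 5\n| render piechart title='Top 5 host lookups'"
+},
+{
+"description" : "DNS Server Top 5 EventOriginalTypes (Event IDs)",
+"query" : "ASimDnsMicrosoftNXLog \n| extend EventID=strcat('Event ID ',trim_end('.0',tostring(EventOriginalType)))\n| summarize CountByEventID=count() by EventID\n| sort by CountByEventID\n| take 5\n| render piechart title='Top 5 EventOriginalTypes (Event IDs)'"
+},
+{
+"description" : "DNS Server analytical events per second (EPS)",
+"query" : "ASimDnsMicrosoftNXLog \n| where EventEndTime >= todatetime('2021-09-17 03:07')\n| where EventEndTime < todatetime('2021-09-18 03:14')\n| summarize EPS=count() by bin(EventEndTime, 1s)\n| render timechart title='DNS analytical events per second (EPS) - All event types'"
+}
+],
+"dataTypes": [
+{
+"name": "NXLog_DNS_Server_CL",
+"lastDataReceivedQuery": "ASimDnsMicrosoftNXLog | summarize Time = max(TimeGenerated) | where isnotempty(Time)"
+}
+],
+"connectivityCriterias": [
+{
+"type": "IsConnectedQuery",
+"value": [
+"NXLog_DNS_Server_CL | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(30d)"
+]
+}
+],
+"availability": {
+"status": 1,
+"isPreview": true
+},
+"permissions": {
+"resourceProvider": [
+{
+"provider": "Microsoft.OperationalInsights/workspaces",
+"permissionsDisplayText": "read and write permissions are required.",
+"providerDisplayName": "Workspace",
+"scope": "Workspace",
+"requiredPermissions": {
+"write": true,
+"read": true,
+"delete": true
+}
+},
+{
+"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+"providerDisplayName": "Keys",
+"scope": "Workspace",
+"requiredPermissions": {
+"action": true
+}
+}
+]
+},
+"instructionSteps": [
+{
+"title": "",
+"description": ">**NOTE:** This data connector depends on parsers based on Kusto functions deployed with the Azure Sentinel Solution to work as expected. The [**ASimDnsMicrosoftNXLog **](https://aka.ms/sentinel-nxlogdnslogs-parser) is designed to leverage Azure Sentinel's built-in DNS-related analytics capabilities.",
+"instructions": [
+]
+},
+{
+"title": "",
+"description": "Follow the step-by-step instructions in the *NXLog User Guide* Integration Topic [Microsoft Azure Sentinel](https://nxlog.co/documentation/nxlog-user-guide/sentinel.html) to configure this connector.",
+"instructions": [
+{
+"parameters": {
+"fillWith": [
+"WorkspaceId"
+],
+"label": "Workspace ID"
+},
+"type": "CopyableLabel"
+},
+{
+"parameters": {
+"fillWith": [
+"PrimaryKey"
+],
+"label": "Primary Key"
+},
+"type": "CopyableLabel"
+}
+]
+}
+]
+}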
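Review bot: The workspace `requiredPermissions` block asks for `"delete": true` while its `permissionsDisplayText` tells the user only "read and write permissions are required", so the connector quietly demands more than the documented least privilege; either drop `"delete": true` or state the delete requirement in the display text. The third sample query pins `EventEndTime` to the fixed window 2021-09-17/2021-09-18, so it returns nothing for anyone running it later; a relative filter such as `| where EventEndTime >= ago(1h)` keeps the example usable. The Markdown link text `[**ASimDnsMicrosoftNXLog **]` in both `additionalRequirementBanner` and the first instruction step has a space before the closing `**`, which breaks the bold formatting, and the trailing space in the `legend` and `baseQuery` values looks equally stray. `lastDataReceivedQuery` goes through the parser function while `connectivityCriterias` queries `NXLog_DNS_Server_CL` directly, so the data-received tile appears to fail when the parser is not deployed even though the connectivity check still passes.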


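--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_2
@@ -0,0 +1,236 @@
+// Usage Instructions:
+// Paste the query below into the Log Analytics query editor.
+// Click the "Save" button and select "Save as function".
+// Enter "ASimDnsMicrosoftNXLog" in the "Function name" field.
+// For "Legacy category:" enter "DNS Server logs".
+// "Parameters" are not needed.
+// Function usually takes 10-15 minutes to activate.
+// You can then use this function from any other queries (e.g. ASimDnsMicrosoftNXLog | take 10).
+// Reference: Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions
+let ASimDnsMicrosoftNXLog = view () {
+let EventTypeTable=datatable(EventOriginalType:real,EventType:string)[
+256, 'Query'
+, 257, 'Query'
+, 258, 'Query'
+, 259, 'Query'
+, 260, 'Query'
+, 261, 'Query'
+, 262, 'Query'
+, 263, 'Dynamic update'
+, 264, 'Dynamic update'
+, 265, 'Zone XFR'
+, 266, 'Zone XFR'
+, 267, 'Zone XFR'
+, 268, 'Zone XFR'
+, 269, 'Zone XFR'
+, 270, 'Zone XFR'
+, 271, 'Zone XFR'
+, 272, 'Zone XFR'
+, 273, 'Zone XFR'
+, 274, 'Zone XFR'
+, 275, 'Zone XFR'
+, 276, 'Zone XFR'
+, 277, 'Dynamic update'
+, 278, 'Dynamic update'
+, 279, 'Query'
+, 280, 'Query'
+];
+let EventSubTypeTable=datatable(EventOriginalType:real,EventSubType:string)[
+256, 'request'
+, 257, 'response'
+, 258, 'response'
+, 259, 'response'
+, 260, 'request'
+, 261, 'response'
+, 262, 'response'
+, 263, 'request'
+, 264, 'response'
+, 265, 'request'
+, 266, 'request'
+, 267, 'response'
+, 268, 'response'
+, 269, 'request'
+, 270, 'request'
+, 271, 'response'
+, 272, 'response'
+, 273, 'request'
+, 274, 'request'
+, 275, 'response'
+, 276, 'response'
+, 277, 'request'
+, 278, 'response'
+, 279, 'NA'
+, 280, 'NA'
+];
+let EventResultTable=datatable(EventOriginalType:real,EventResult:string)[
+256, 'NA'
+, 257, 'Success'
+, 258, 'Failure'
+, 259, 'Failure'
+, 260, 'NA'
+, 261, 'NA'
+, 262, 'Failure'
+, 263, 'NA'
+, 264, 'Based on RCODE'
+, 265, 'NA'
+, 266, 'NA'
+, 267, 'Based on RCODE'
+, 268, 'Based on RCODE'
+, 269, 'NA'
+, 270, 'NA'
+, 271, 'Based on RCODE'
+, 272, 'Based on RCODE'
+, 273, 'NA'
+, 274, 'NA'
+, 275, 'Success'
+, 276, 'Success'
+, 277, 'NA'
+, 278, 'Based on RCODE'
+, 279, 'NA'
+, 280, 'NA'
+];
+let RCodeTable=datatable(DnsResponseCode:int,ResponseCodeName:string)[
+0,'NOERROR'
+, 1,'FORMERR'
+, 2,'SERVFAIL'
+, 3,'NXDOMAIN'
+, 4,'NOTIMP'
+, 5,'REFUSED'
+, 6,'YXDOMAIN'
+, 7,'YXRRSET'
+, 8,'NXRRSET'
+, 9,'NOTAUTH'
+, 10,'NOTZONE'
+, 11,'DSOTYPENI'
+, 16,'BADVERS'
+, 16,'BADSIG'
+, 17,'BADKEY'
+, 18,'BADTIME'
+, 19,'BADMODE'
+, 20,'BADNAME'
+, 21,'BADALG'
+, 22,'BADTRUNC'
+, 23,'BADCOOKIE'
+];
+let QTypeTable=datatable(DnsQueryType:int,QTypeName:string)[
+0, 'Reserved'
+, 1, 'A'
+, 2, 'NS'
+, 3, 'MD'
+, 4, 'MF'
+, 5, 'CNAME'
+, 6, 'SOA'
+, 7, 'MB'
+, 8 ,'MG'
+, 9 ,'MR'
+, 10,'NULL'
+, 11,'WKS'
+, 12,'PTR'
+, 13,'HINFO'
+, 14,'MINFO'
+, 15,'MX'
+, 16,'TXT'
+, 17,'RP'
+, 18,'AFSDB'
+, 19,'X25'
+, 20,'ISDN'
+, 21,'RT'
+, 22,'NSAP'
+, 23,'NSAP-PTR'
+, 24,'SIG'
+, 25,'KEY'
+, 26,'PX'
+, 27,'GPOS'
+, 28,'AAAA'
+, 29,'LOC'
+, 30,'NXT'
+, 31,'EID'
+, 32,'NIMLOC'
+, 33,'SRV'
+];
+NXLog_DNS_Server_CL
+| where EventID_d < 281
+| project-rename
+DnsFlags=Flags_s,
+DnsQuery=QNAME_s,
+DnsQueryType=QTYPE_s,
+DnsResponseCode=RCODE_s,
+DnsResponseName=PacketData_s,
+Dvc=Hostname_s,
+DvcIpAddr=HostIP_s,
+EventOriginalType=EventID_d,
+EventOriginalUid=GUID_g,
+EventStartTime=EventTime_t,
+SrcPortNumber=Port_s,
+SrcIpAddr=Source_s
+| extend
+DnsQuery=trim_end(".",DnsQuery),
+DnsQueryType=toint(DnsQueryType),
+DnsResponseCode=toint(DnsResponseCode),
+DvcHostname=Dvc,
+EventEndTime=EventStartTime,
+EventProduct="Microsoft DNS Server",
+EventSchemaVersion="0.1.1",
+EventVendor="Microsoft",
+NetworkProtocol=iff(TCP_s == "0","UDP","TCP"),
+TransactionIdHex=tohex(toint(XID_s))
+| lookup EventTypeTable on EventOriginalType
+| lookup EventSubTypeTable on EventOriginalType
+| lookup EventResultTable on EventOriginalType
+| lookup RCodeTable on DnsResponseCode
+| lookup QTypeTable on DnsQueryType
+| extend
+EventResultDetails = case (isnotempty(ResponseCodeName), ResponseCodeName
+, DnsResponseCode between (3841 .. 4095), 'Reserved for Private Use'
+, 'Unassigned')
+| extend
+Domain=DnsQuery,
+DnsResponseCodeName=EventResultDetails,
+DnsQueryTypeName = case (isnotempty(QTypeName), QTypeName
+, DnsQueryType between (66 .. 98), 'Unassigned'
+, DnsQueryType between (110 .. 248), 'Unassigned'
+, DnsQueryType between (261 .. 32767), 'Unassigned'
+, 'Unassigned'),
+EventResult=iff (DnsResponseCode == 0 and EventResult == 'Informational','Success',EventResult)
+| project-away
+AA_s,
+AD_s,
+AdditionalInfo_s,
+BufferSize_s,
+AccountName_s,
+AccountType_s,
+CacheScope_s,
+ChannelID_d,
+Destination_s,
+DNSSEC_s,
+Domain_s,
+ElapsedTime_s,
+EventReceivedTime_t,
+EventType_s,
+ExecutionProcessID_d,
+ExecutionThreadID_d,
+InterfaceIP_s,
+Keywords_s,
+OpcodeValue_d,
+PolicyName_s,
+ProviderGuid_g,
+QXID_s,
+RD_s,
+Reason_s,
+RecursionDepth_s,
+RecursionScope_s,
+ResponseCodeName,
+Scope_s,
+Severity_s,
+SeverityValue_d,
+SourceModuleName_s,
+SourceModuleType_s,
+SourceName_s,
+TaskValue_d,
+TCP_s,
+UserID_s,
+Version_d,
+XID_s,
+Zone_s
+};
+ASimDnsMicrosoftNXLog();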
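Review bot: `trim_end(".",DnsQuery)` in the first `extend` passes `.` as a regular expression, so it strips the last character of the query name whatever it is rather than only a trailing dot; use `DnsQuery=trim_end(@"\.",DnsQuery),` (harmless while QNAME_s always ends in a dot, wrong the moment it does not). `RCodeTable` lists key `16` twice (`BADVERS` and `BADSIG`), and `lookup` behaves like a join and yields one output row per matching right-hand row, so every response-code-16 event is duplicated in the parser output and in any counts built on it; keep a single row such as `, 16,'BADVERS/BADSIG'`. The final `EventResult` rewrite tests for `'Informational'`, a value `EventResultTable` never produces, so the `'Based on RCODE'` rows (264, 267, 268, 271, 272, 278) are passed through verbatim instead of being resolved to an ASim result; `EventResult=case(EventResult == 'Based on RCODE', iff(DnsResponseCode == 0, 'Success', 'Failure'), EventResult)` does what that placeholder value intends. The three-way `between` ladder in `DnsQueryTypeName` yields `'Unassigned'` on every branch and on the default, so it can be collapsed to `iff(isnotempty(QTypeName), QTypeName, 'Unassigned')`.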