Merge pull request #10736 from Azure/v-rusraut/CEFOverviewWorkbookAdded

CEFOverview workbook added

Solutions/Common Event Format/Data/Solution_CommonEventFormat.json

@@ -1,15 +1,18 @@
 {
-	"Name": "Common Event Format",
-	"Author": "Microsoft - support@microsoft.com",
-	"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">",
-	"Description": "The Common Event Format (CEF) solution for Microsoft Sentinel allows you to ingest logs from any product and/or appliance that can send logs in the [Common Event Format (CEF) over Syslog messages](https://docs.microsoft.com/azure/sentinel/connect-common-event-format). \n\nInstalling this solution will deploy two data connectors,\n\r\n1. Common Event Format via AMA - This data connector helps in ingesting CEF formatted logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). Microsoft recommends using this Data Connector\r\n2. Common Event Format via Legacy Agent - This data connector helps in ingesting CEF formatted logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\r\n<P style=\"color:red\">**NOTE**: Microsoft recommends Installation of Common Event Format via AMA. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported.</p>\n\n**Underlying Microsoft Technologies used:**\n\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs: \n\n a. [Agent-based log collection (CEF over Syslog)](https://docs.microsoft.com/azure/sentinel/connect-common-event-format)",
-	"Data Connectors": [
-		"Data Connectors/CEF.json",
-		"Data Connectors/CEF AMA.json"
-	],
-	"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Common Event Format",
-	"Version": "2.0.2",
-	"Metadata": "SolutionMetadata.json",
-	"TemplateSpec": true,
-	"Is1PConnector": true
+    "Name": "Common Event Format",
+    "Author": "Microsoft - support@microsoft.com",
+    "Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">",
+    "Description": "The Common Event Format (CEF) solution for Microsoft Sentinel allows you to ingest logs from any product and/or appliance that can send logs in the [Common Event Format (CEF) over Syslog messages](https://docs.microsoft.com/azure/sentinel/connect-common-event-format). \n\nInstalling this solution will deploy two data connectors,\n\r\n1. Common Event Format via AMA - This data connector helps in ingesting CEF formatted logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). Microsoft recommends using this Data Connector\r\n2. Common Event Format via Legacy Agent - This data connector helps in ingesting CEF formatted logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\r\n<P style=\"color:red\">**NOTE**: Microsoft recommends Installation of Common Event Format via AMA. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported.</p>\n\n**Underlying Microsoft Technologies used:**\n\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs: \n\n a. [Agent-based log collection (CEF over Syslog)](https://docs.microsoft.com/azure/sentinel/connect-common-event-format)",
+    "Data Connectors": [
+    "Data Connectors/CEF.json",
+    "Data Connectors/CEF AMA.json"
+    ],
+    "Workbooks": [
+    "Workbooks/CEFOverviewWorkbook.json"
+  ],
+    "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Common Event Format",
+    "Version": "3.0.0",
+    "Metadata": "SolutionMetadata.json",
+    "TemplateSpec": true,
+    "Is1PConnector": true
 }

Solutions/Common Event Format/Package/createUiDefinition.json

@@ -6,7 +6,7 @@
     "config": {
       "isWizard": false,
       "basics": {
-        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Common%20Event%20Format/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Common Event Format (CEF) solution for Microsoft Sentinel allows you to ingest logs from any product and/or appliance that can send logs in the [Common Event Format (CEF) over Syslog messages](https://docs.microsoft.com/azure/sentinel/connect-common-event-format). \n\nInstalling this solution will deploy two data connectors,\n\r\n1. Common Event Format via AMA - This data connector helps in ingesting CEF formatted logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). Microsoft recommends using this Data Connector\r\n2. Common Event Format via Legacy Agent - This data connector helps in ingesting CEF formatted logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\r\n<P style=\"color:red\">**NOTE**: Microsoft recommends Installation of Common Event Format via AMA. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported.</p>\n\n**Underlying Microsoft Technologies used:**\n\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs: \n\n a. [Agent-based log collection (CEF over Syslog)](https://docs.microsoft.com/azure/sentinel/connect-common-event-format)\n\n**Data Connectors:** 2\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Common%20Event%20Format/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Common Event Format (CEF) solution for Microsoft Sentinel allows you to ingest logs from any product and/or appliance that can send logs in the [Common Event Format (CEF) over Syslog messages](https://docs.microsoft.com/azure/sentinel/connect-common-event-format). \n\nInstalling this solution will deploy two data connectors,\n\r\n1. Common Event Format via AMA - This data connector helps in ingesting CEF formatted logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). Microsoft recommends using this Data Connector\r\n2. Common Event Format via Legacy Agent - This data connector helps in ingesting CEF formatted logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\r\n<P style=\"color:red\">**NOTE**: Microsoft recommends Installation of Common Event Format via AMA. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported.</p>\n\n**Underlying Microsoft Technologies used:**\n\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs: \n\n a. [Agent-based log collection (CEF over Syslog)](https://docs.microsoft.com/azure/sentinel/connect-common-event-format)\n\n**Data Connectors:** 2, **Workbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
         "subscription": {
           "resourceProviders": [
             "Microsoft.OperationsManagement/solutions",
@@ -56,39 +56,11 @@
         "label": "Data Connectors",
         "bladeTitle": "Data Connectors",
         "elements": [
-		   {
+          {
             "name": "dataconnectors1-text",
             "type": "Microsoft.Common.TextBlock",
             "options": {
-              "text": "Installing this solution will deploy two data connectors,"
-            }
-          },
-		  {
-            "name": "dataconnectors2-text",
-            "type": "Microsoft.Common.TextBlock",
-            "options": {
-              "text": "1. Common Event Format via AMA – This data connector helps in ingesting CEF formatted logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent here (https://learn.microsoft.com/azure/sentinel/connect-cef-ama). Microsoft recommends using this Data Connector."
-            }
-          },
-		   {
-            "name": "dataconnectors3-text",
-            "type": "Microsoft.Common.TextBlock",
-            "options": {
-              "text": "2. Common Event Format via Legacy Agent - This data connector helps in ingesting CEF formatted logs into your Log Analytics Workspace using the legacy Log Analytics agent. NOTE: Microsoft recommends installation of Common Event Format via AMA. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024, and thus should only be installed where AMA is not supported."
-            }
-          },
-		    {
-            "name": "dataconnectors4-text",
-            "type": "Microsoft.Common.TextBlock",
-            "options": {
-              "text": "NOTE: Microsoft recommends installation of Common Event Format via AMA. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024, and thus should only be installed where AMA is not supported."
-            }
-          },
-		    {
-            "name": "dataconnectors5-text",
-            "type": "Microsoft.Common.TextBlock",
-            "options": {
-              "text": "After installing the solution, configure and enable the data connector(s) by following guidance in Manage solution view."
+              "text": "This Solution installs the data connector for Common Event Format. You can get Common Event Format CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
             }
           },
           {
@@ -102,6 +74,48 @@
             }
           }
         ]
+      },
+      {
+        "name": "workbooks",
+        "label": "Workbooks",
+        "subLabel": {
+          "preValidation": "Configure the workbooks",
+          "postValidation": "Done"
+        },
+        "bladeTitle": "Workbooks",
+        "elements": [
+          {
+            "name": "workbooks-text",
+            "type": "Microsoft.Common.TextBlock",
+            "options": {
+              "text": "This solution installs workbook(s) to help you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view."
+            }
+          },
+          {
+            "name": "workbooks-link",
+            "type": "Microsoft.Common.TextBlock",
+            "options": {
+              "link": {
+                "label": "Learn more",
+                "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data"
+              }
+            }
+          },
+          {
+            "name": "workbook1",
+            "type": "Microsoft.Common.Section",
+            "label": "Common Event Format Logs Overview",
+            "elements": [
+              {
+                "name": "workbook1-text",
+                "type": "Microsoft.Common.TextBlock",
+                "options": {
+                  "text": "This Workbook gives an overview of ingestion of logs in the CommonSecurityLog table."
+                }
+              }
+            ]
+          }
+        ]
       }
     ],
     "outputs": {
@@ -110,4 +124,4 @@
       "workspace": "[basics('workspace')]"
     }
   }
-}
+}

Solutions/Common Event Format/Package/testParameters.json

@@ -20,5 +20,13 @@
     "metadata": {
       "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
     }
+  },
+  "workbook1-name": {
+    "type": "string",
+    "defaultValue": "Common Event Format Logs Overview",
+    "minLength": 1,
+    "metadata": {
+      "description": "Name for the workbook"
+    }
   }
 }

Solutions/Common Event Format/ReleaseNotes.md

@@ -1,3 +1,4 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History**                                                           |
 |-------------|--------------------------------|------------------------------------------------------------------------------|
+| 3.0.1       | 04-07-2024                     | CEFOverview workbook added                                                   |
 | 3.0.0       | 22-05-2024                     | Updated connectivity criteria for **Data Connector**   					  |