Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Repackaging BroadcomSymantecDLP, Cisco UCS, CiscoMeraki

This commit is contained in:
v-rbajaj 2023-03-09 12:55:59 +05:30
Родитель 79308d0fef
Коммит f3113391c3
18 изменённых файлов: 54 добавлений и 58 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

2
Solutions/Broadcom SymantecDLP/Data Connectors/Connector_Syslog_SymantecDLP.json
Просмотреть файл

@ -52,7 +52,7 @@
"instructionSteps": [
{
"title": "",
"description": ">This data connector depends on a parser based on a Kusto Function to work as expected. [Follow the steps](https://aka.ms/sentinel-symantecdlp-parser) to use the Kusto function alias, **SymantecDLP**",
"description": "**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias SentinelOne and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Broadcom%20SymantecDLP/Parsers/SymantecDLP.txt). The function usually takes 10-15 minutes to activate after solution installation/update.",
"instructions": [
]
},

2
Solutions/Broadcom SymantecDLP/Data/Solution_Broadcom SymantecDLP.json
Просмотреть файл

@ -10,7 +10,7 @@
"Parsers/SymantecDLP.txt"
],
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Broadcom SymantecDLP",
"Version": "2.0.1",
"Version": "2.0.2",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1Pconnector": false

Двоичные данные
Solutions/Broadcom SymantecDLP/Package/2.0.2.zip Normal file
Просмотреть файл

Двоичный файл не отображается.

2
Solutions/Broadcom SymantecDLP/Package/createUiDefinition.json
Просмотреть файл

@ -60,7 +60,7 @@
"name": "dataconnectors1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "The Broadcom Symantec DLP creates custom dashboards, alerts, and improve investigation. This gives you more insight into your organizations information, where it travels, and improves your security operation capabilities. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
"text": "This Solution installs the data connector for Broadcom SymantecDLP. You can get Broadcom SymantecDLP CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
}
},
{

10
Solutions/Broadcom SymantecDLP/Package/mainTemplate.json
Просмотреть файл

@ -80,7 +80,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName1'))]"
],
"properties": {
"description": "Broadcom SymantecDLP data connector with template version 2.0.1",
"description": "Broadcom SymantecDLP data connector with template version 2.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion1')]",
@ -161,7 +161,7 @@
},
"instructionSteps": [
{
"description": ">This data connector depends on a parser based on a Kusto Function to work as expected. [Follow the steps](https://aka.ms/sentinel-symantecdlp-parser) to use the Kusto function alias, **SymantecDLP**"
"description": "**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias SentinelOne and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Broadcom%20SymantecDLP/Parsers/SymantecDLP.txt). The function usually takes 10-15 minutes to activate after solution installation/update."
},
{
"description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Azure Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
@ -350,7 +350,7 @@
},
"instructionSteps": [
{
"description": ">This data connector depends on a parser based on a Kusto Function to work as expected. [Follow the steps](https://aka.ms/sentinel-symantecdlp-parser) to use the Kusto function alias, **SymantecDLP**"
"description": "**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias SentinelOne and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Broadcom%20SymantecDLP/Parsers/SymantecDLP.txt). The function usually takes 10-15 minutes to activate after solution installation/update."
},
{
"description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Azure Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
@ -436,7 +436,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('parserTemplateSpecName1'))]"
],
"properties": {
"description": "SymantecDLP Data Parser with template version 2.0.1",
"description": "SymantecDLP Data Parser with template version 2.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserVersion1')]",
@ -545,7 +545,7 @@
"apiVersion": "2022-01-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
"version": "2.0.1",
"version": "2.0.2",
"kind": "Solution",
"contentSchemaVersion": "2.0.0",
"contentId": "[variables('_solutionId')]",

6
Solutions/Broadcom SymantecDLP/Parsers/SymantecDLP.txt
Просмотреть файл

@ -7,12 +7,6 @@
// DESCRIPTION:
// This parser takes raw Symantec DLP logs from a Syslog stream and parses the logs into a normalized schema.
//
// USAGE:
// 1. Open Log Analytics/Azure Sentinel Logs blade. Copy the query below and paste into the Logs query window.
// 2. Click the Save button above the query. A pane will appear on the right, select "as Function" from the drop down. Enter a Function Name.
// It is recommended to name the Function Alias, as SymantecDLP
// 3. Kusto Functions can typically take up to 15 minutes to activate. You can then use Function Alias for other queries.
//
// REFERENCES:
// Using functions in Azure monitor log queries: https://docs.microsoft.com/azure/azure-monitor/log-query/functions
//

2
Solutions/Cisco UCS/Data Connectors/Connector_Syslog_CiscoUCS.json
Просмотреть файл

@ -62,7 +62,7 @@
"instructionSteps": [
{
"title": "",
"description": ">This data connector depends on a parser based on a Kusto Function to work as expected. [Follow the steps](https://aka.ms/sentinel-ciscoucs-function) to use the Kusto function alias, **CiscoUCS**",
"description": "**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias SentinelOne and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco%20UCS/Parsers/CiscoUCS.txt). The function usually takes 10-15 minutes to activate after solution installation/update.",
"instructions": [
]
},

2
Solutions/Cisco UCS/Data/Solution_Cisco UCS.json
Просмотреть файл

@ -10,7 +10,7 @@
"Parsers/CiscoUCS.txt"
],
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Cisco UCS",
"Version": "2.0.0",
"Version": "2.0.1",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1Pconnector": false

Двоичные данные
Solutions/Cisco UCS/Package/2.0.1.zip Normal file
Просмотреть файл

Двоичный файл не отображается.

2
Solutions/Cisco UCS/Package/createUiDefinition.json
Просмотреть файл

@ -60,7 +60,7 @@
"name": "dataconnectors1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "TheCisco Unified Computing System (UCS)connector allows you to connect your Cisco UCS faults, events, and audit logs with Microsoft Sentinel. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
"text": "This Solution installs the data connector for Cisco UCS. You can get Cisco UCS Syslog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
}
},
{

18
Solutions/Cisco UCS/Package/mainTemplate.json
Просмотреть файл

@ -41,7 +41,7 @@
"_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
"dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
"_dataConnectorId1": "[variables('dataConnectorId1')]",
"dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'-DataConnector-',variables('_dataConnectorContentId1'))]",
"dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1')))]",
"dataConnectorVersion1": "1.0.0",
"parserVersion1": "1.0.0",
"parserContentId1": "CiscoUCS-Parser",
@ -50,7 +50,7 @@
"_parserName1": "[concat(parameters('workspace'),'/',variables('parserName1'))]",
"parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]",
"_parserId1": "[variables('parserId1')]",
"parserTemplateSpecName1": "[concat(parameters('workspace'),'-Parser-',variables('_parserContentId1'))]"
"parserTemplateSpecName1": "[concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId1')))]"
},
"resources": [
{
@ -80,7 +80,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName1'))]"
],
"properties": {
"description": "Cisco UCS data connector with template version 2.0.0",
"description": "Cisco UCS data connector with template version 2.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion1')]",
@ -157,7 +157,7 @@
},
"instructionSteps": [
{
"description": ">This data connector depends on a parser based on a Kusto Function to work as expected. [Follow the steps](https://aka.ms/sentinel-ciscoucs-function) to use the Kusto function alias, **CiscoUCS**"
"description": "**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias SentinelOne and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco%20UCS/Parsers/CiscoUCS.txt). The function usually takes 10-15 minutes to activate after solution installation/update."
},
{
"description": "Typically, you should install the agent on a different computer from the one on which the logs are generated.\n\n> Syslog logs are collected only from **Linux** agents.",
@ -254,6 +254,7 @@
"dependsOn": [
"[variables('_dataConnectorId1')]"
],
"location": "[parameters('workspace-location')]",
"properties": {
"parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
"contentId": "[variables('_dataConnectorContentId1')]",
@ -344,7 +345,7 @@
},
"instructionSteps": [
{
"description": ">This data connector depends on a parser based on a Kusto Function to work as expected. [Follow the steps](https://aka.ms/sentinel-ciscoucs-function) to use the Kusto function alias, **CiscoUCS**"
"description": "**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias SentinelOne and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco%20UCS/Parsers/CiscoUCS.txt). The function usually takes 10-15 minutes to activate after solution installation/update."
},
{
"description": "Typically, you should install the agent on a different computer from the one on which the logs are generated.\n\n> Syslog logs are collected only from **Linux** agents.",
@ -433,7 +434,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('parserTemplateSpecName1'))]"
],
"properties": {
"description": "CiscoUCS Data Parser with template version 2.0.0",
"description": "CiscoUCS Data Parser with template version 2.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserVersion1')]",
@ -497,6 +498,7 @@
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
"apiVersion": "2021-06-01",
"name": "[variables('_parserName1')]",
"location": "[parameters('workspace-location')]",
"properties": {
"eTag": "*",
"displayName": "CiscoUCS",
@ -509,6 +511,7 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"location": "[parameters('workspace-location')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]",
"dependsOn": [
"[variables('_parserId1')]"
@ -538,8 +541,9 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
"version": "2.0.0",
"version": "2.0.1",
"kind": "Solution",
"contentSchemaVersion": "2.0.0",
"contentId": "[variables('_solutionId')]",

8
Solutions/Cisco UCS/Parsers/CiscoUCS.txt
Просмотреть файл

@ -7,14 +7,6 @@
// DESCRIPTION:
// This parser takes raw Cisco UCS logs from a Syslog stream and parses the Audit, Fault and Event logs into a normalized schema.
//
// USAGE:
// 1. Open Log Analytics/Azure Sentinel Logs blade. Copy the query below and paste into the Logs query window.
// 2. In the query window, on the second line of the query, enter the hostname(s) of your Cisco UCS device(s) and any other unique identifiers for the logstream.
// For example: | where Computer in ("server1" , "server2")
// 3. Click the Save button above the query. A pane will appear on the right, select "as Function" from the drop down. Enter a Function Name.
// It is recommended to name the Function Alias, as CiscoUCS
// 4. Kusto Functions can typically take up to 15 minutes to activate. You can then use Function Alias for other queries.
//
// REFERENCES:
// Using functions in Azure monitor log queries: https://docs.microsoft.com/azure/azure-monitor/log-query/functions
//

2
Solutions/CiscoMeraki/Data Connectors/Connector_Syslog_CiscoMeraki.json
Просмотреть файл

@ -62,7 +62,7 @@
"instructionSteps": [
{
"title": "",
"description": ">This data connector depends on a parser (based on a Kusto Function) to work as expected. You have 2 options to get this parser into workspace\n\n> 1. If you have installed this connector via Meraki solution in ContentHub then navigate to parser definition from your workspace (Logs --> Functions --> CiscoMeraki --> Load the function code) to add your Meraki device list in the query and save the function.\n\n> 2. If you have not installed the Meraki solution from ContentHub then [Follow the steps](https://aka.ms/sentinel-ciscomeraki-parser) to use the Kusto function alias, **CiscoMeraki**",
"description": "**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias SentinelOne and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoMeraki/Parsers/CiscoMeraki.txt). The function usually takes 10-15 minutes to activate after solution installation/update.",
"instructions": [
]
},

Двоичные данные
Solutions/CiscoMeraki/Package/2.0.3.zip Normal file
Просмотреть файл

Двоичный файл не отображается.

22
Solutions/CiscoMeraki/Package/createUiDefinition.json
Просмотреть файл

@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/CiscoMeraki/Connector/MerakiConnector/logo.jpg\"width=\"75px\"height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Cisco Meraki](https://meraki.cisco.com/) solution allows you to easily connect your Cisco Meraki (MX/MR/MS) logs with Microsoft Sentinel. This gives you more insight into your organization's network and improves your security operation capabilities.\r\n \r\n **Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n \r\n a. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Custom Azure Logic Apps Connectors:** 1, **Playbooks:** 5\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/CiscoMeraki/Connector/MerakiConnector/logo.jpg\"width=\"75px\"height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe Cisco Meraki solution allows you to easily connect your Cisco Meraki (MX/MR/MS) logs with Microsoft Sentinel. This gives you more insight into your organization's network and improves your security operation capabilities. **Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs: a. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Custom Azure Logic Apps Connectors:** 1, **Playbooks:** 5\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
@ -60,14 +60,14 @@
"name": "dataconnectors1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "The solution installs the data connector to ingest Cisco Meraki device reporting events.After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
"text": "This Solution installs the data connector for CiscoMeraki. You can get CiscoMeraki custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
}
},
{
"name": "dataconnectors-parser-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "The solution installs a parser that transforms ingested data. The transformed logs can be accessed using the CiscoMeraki Kusto Function alias. "
"text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel."
}
},
{
@ -95,7 +95,7 @@
"name": "workbooks-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This solution installs workbook to help you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view."
"text": "This solution installs workbook(s) to help you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view."
}
},
{
@ -107,6 +107,20 @@
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data"
}
}
},
{
"name": "workbook1",
"type": "Microsoft.Common.Section",
"label": "CiscoMerakiWorkbook",
"elements": [
{
"name": "workbook1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Gain insights into the Events from Cisco Meraki Solution and analyzing all the different types of Security Events. This workbook also helps in identifying the Events from affected devices, IPs and the nodes where malware was successfully detected.\nIP data received in Events is correlated with Threat Intelligence to identify if the reported IP address is known bad based on threat intelligence data."
}
}
]
}
]
},

24
Solutions/CiscoMeraki/Package/mainTemplate.json
Просмотреть файл

@ -135,7 +135,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('workbookTemplateSpecName1'))]"
],
"properties": {
"description": "CiscoMerakiWorkbookWorkbook Workbook with template version 2.0.2",
"description": "CiscoMerakiWorkbookWorkbook Workbook with template version 2.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion1')]",
@ -246,7 +246,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName1'))]"
],
"properties": {
"description": "CiscoMeraki data connector with template version 2.0.2",
"description": "CiscoMeraki data connector with template version 2.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion1')]",
@ -323,7 +323,7 @@
},
"instructionSteps": [
{
"description": ">This data connector depends on a parser (based on a Kusto Function) to work as expected. You have 2 options to get this parser into workspace\n\n> 1. If you have installed this connector via Meraki solution in ContentHub then navigate to parser definition from your workspace (Logs --> Functions --> CiscoMeraki --> Load the function code) to add your Meraki device list in the query and save the function.\n\n> 2. If you have not installed the Meraki solution from ContentHub then [Follow the steps](https://aka.ms/sentinel-ciscomeraki-parser) to use the Kusto function alias, **CiscoMeraki**"
"description": "**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias SentinelOne and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoMeraki/Parsers/CiscoMeraki.txt). The function usually takes 10-15 minutes to activate after solution installation/update."
},
{
"description": "Typically, you should install the agent on a different computer from the one on which the logs are generated.\n\n> Syslog logs are collected only from **Linux** agents.",
@ -514,7 +514,7 @@
},
"instructionSteps": [
{
"description": ">This data connector depends on a parser (based on a Kusto Function) to work as expected. You have 2 options to get this parser into workspace\n\n> 1. If you have installed this connector via Meraki solution in ContentHub then navigate to parser definition from your workspace (Logs --> Functions --> CiscoMeraki --> Load the function code) to add your Meraki device list in the query and save the function.\n\n> 2. If you have not installed the Meraki solution from ContentHub then [Follow the steps](https://aka.ms/sentinel-ciscomeraki-parser) to use the Kusto function alias, **CiscoMeraki**"
"description": "**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias SentinelOne and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoMeraki/Parsers/CiscoMeraki.txt). The function usually takes 10-15 minutes to activate after solution installation/update."
},
{
"description": "Typically, you should install the agent on a different computer from the one on which the logs are generated.\n\n> Syslog logs are collected only from **Linux** agents.",
@ -606,7 +606,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('parserTemplateSpecName1'))]"
],
"properties": {
"description": "CiscoMeraki Data Parser with template version 2.0.2",
"description": "CiscoMeraki Data Parser with template version 2.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserVersion1')]",
@ -737,7 +737,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName1'))]"
],
"properties": {
"description": "MerakiConnector Playbook with template version 2.0.2",
"description": "MerakiConnector Playbook with template version 2.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion1')]",
@ -3225,7 +3225,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName2'))]"
],
"properties": {
"description": "Block-Device-Client-Meraki Playbook with template version 2.0.2",
"description": "Block-Device-Client-Meraki Playbook with template version 2.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion2')]",
@ -4299,7 +4299,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName3'))]"
],
"properties": {
"description": "Block-IP-Address-Meraki Playbook with template version 2.0.2",
"description": "Block-IP-Address-Meraki Playbook with template version 2.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion3')]",
@ -5374,7 +5374,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName4'))]"
],
"properties": {
"description": "Block-URL-Meraki Playbook with template version 2.0.2",
"description": "Block-URL-Meraki Playbook with template version 2.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion4')]",
@ -6210,7 +6210,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName5'))]"
],
"properties": {
"description": "IP-Enrichment-Meraki Playbook with template version 2.0.2",
"description": "IP-Enrichment-Meraki Playbook with template version 2.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion5')]",
@ -7064,7 +7064,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName6'))]"
],
"properties": {
"description": "URL-Enrichment-Meraki Playbook with template version 2.0.2",
"description": "URL-Enrichment-Meraki Playbook with template version 2.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion6')]",
@ -7703,7 +7703,7 @@
"apiVersion": "2022-01-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
"version": "2.0.2",
"version": "2.0.3",
"kind": "Solution",
"contentSchemaVersion": "2.0.0",
"contentId": "[variables('_solutionId')]",

8
Solutions/CiscoMeraki/Parsers/CiscoMeraki.txt
Просмотреть файл

@ -7,14 +7,6 @@
// DESCRIPTION:
// This parser takes raw Cisco Meraki (MX/MR/MS) logs from a Syslog stream or from custom table (meraki_CL) and parses the logs into a normalized schema.
//
// USAGE:
// 1. Open Log Analytics/Azure Sentinel Logs blade. Copy the query below and paste into the Logs query window.
// 2. In the query window, on the second line of the query, enter the hostname(s) of your Cisco Meraki device(s) and any other unique identifiers for the logstream.
// For example: | where Computer in ("server1", "server2")
// 3. Click the Save button above the query. A pane will appear on the right, select "as Function" from the drop down. Enter a Function Name.
// It is recommended to name the Function Alias, as CiscoMeraki
// 4. Kusto Functions can typically take up to 15 minutes to activate. You can then use Function Alias for other queries.
//
// REFERENCES:
// Using functions in Azure monitor log queries: https://docs.microsoft.com/azure/azure-monitor/log-query/functions
//

2
Solutions/CiscoMeraki/data/Solution_CiscoMeraki.json
Просмотреть файл

@ -22,7 +22,7 @@
],
"Metadata": "SolutionMetadata.json",
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\CiscoMeraki",
"Version": "2.0.2",
"Version": "2.0.3",
"TemplateSpec": true,
"Is1Pconnector": false
}