Azure-Sentinel/Sample Data
PrasadBoke 6bb4c4faf7 Merge branch 'master' into pr/10450 2024-05-21 18:10:06 +05:30
..
ASIM Moved Network and Web Session sample logs. 2024-04-02 08:50:40 -07:00
CEF initial commit 2024-04-15 11:17:24 +03:00
Corelight Put sample data into lists 2023-04-27 06:54:53 -06:00
Custom modified table schema for flow events, modified images of workbooks, kqlvalidation tests for flow events 2024-05-06 13:33:40 -07:00
Event
Feeds Added removed filed 2024-04-11 15:41:27 +05:30
Fortinet FortiNDR Cloud update detection sample data 2024-05-07 15:50:52 -04:00
Media Added media 2022-06-20 15:53:02 +05:30
PublicFeeds/MITREATT&CK Fix the broken links 2024-03-18 15:24:38 +05:30
Sample Data/Custom
SecurityEvent fix-registryevent-microsoftwindows-events 2022-11-26 20:11:51 +01:00
Syslog Update and rename Tomcat.txt to Tomcat.csv 2023-08-03 08:35:27 +05:30
ThreatIntelligence add sample 2023-09-11 13:59:00 -04:00
VMwareSASE_SDWAN Added Solution: VMware SASE and SD-WAN 2023-11-26 12:27:22 +01:00
AADUSerInfo.csv
AFD-WAF_SampleLogs_data.csv Add files via upload 2023-08-29 06:10:51 +05:30
AIA-Darktrace.csv cleaning up test data 2022-11-25 16:33:27 -08:00
AIVectraDetect.csv
AppGW-WAF_SampleLogs_data.csv Add files via upload 2023-08-29 06:10:51 +05:30
AristaAwakeSampleData.csv
ArmisActivities.csv Added Armis Solution Package for certification. 2022-09-14 11:57:57 +05:30
ArmisAlerts.csv Added Armis Solution Package for certification. 2022-09-14 11:57:57 +05:30
ArmisDevice.csv Added Armis Solution Package for certification. 2022-09-14 11:57:57 +05:30
AsimAuthenticationCynerioEvents_schema.csv move some files from and to solution folder 2023-03-30 16:15:37 +03:00
AsimNetworkSessionCynerioEvents_schema.csv move some files from and to solution folder 2023-03-30 16:15:37 +03:00
Authomize_v2_CL.csv Merged master into TrendMicroVisionResgistry 2023-11-23 17:53:05 +05:30
AzurePurview_SampleData.csv
CiscoMeraki-RestAPI.json Adding new ASim Network Parser for Cisco Meraki (#5127) 2022-05-26 14:02:27 +05:30
CitrixAnalytics_indicatorEventDetails_CL.json
CitrixAnalytics_indicatorSummary_CL.json
CitrixAnalytics_riskScoreChange_CL.json
CitrixAnalytics_userProfile_CL.json
Citrix_WAF_Sample_DAA_CEF.csv
Cynerio_Authentication_query_data.csv add parsers result sample data 2023-04-18 10:17:17 +03:00
Cynerio_Cynerio_Authentication_IngestedLogs.csv move some files from and to solution folder 2023-03-30 16:15:37 +03:00
Cynerio_Cynerio_NetworkSession_IngestedLogs.csv move some files from and to solution folder 2023-03-30 16:15:37 +03:00
Cynerio_IngestedLogs.csv move some files from and to solution folder 2023-03-30 16:15:37 +03:00
Cynerio_NetworkSession_query_data.csv add parsers result sample data 2023-04-18 10:17:17 +03:00
Cynerio_RawLogs.json move some files from and to solution folder 2023-03-30 16:15:37 +03:00
Cynerio_Schema.csv move some files from and to solution folder 2023-03-30 16:15:37 +03:00
DynatraceAttacks_CL.json Merged master into TrendMicroVisionResgistry 2023-11-23 17:53:05 +05:30
DynatraceAttacks_IngestedLogs.csv Merged master into TrendMicroVisionResgistry 2023-11-23 17:53:05 +05:30
DynatraceAttacks_RawLogs.json Merged master into TrendMicroVisionResgistry 2023-11-23 17:53:05 +05:30
DynatraceAttacks_Schema.csv Merged master into TrendMicroVisionResgistry 2023-11-23 17:53:05 +05:30
DynatraceAuditLogs_CL.json Merged master into TrendMicroVisionResgistry 2023-11-23 17:53:05 +05:30
DynatraceAuditLogs_IngestedLogs.csv Merged master into TrendMicroVisionResgistry 2023-11-23 17:53:05 +05:30
DynatraceAuditLogs_RawLogs.json Merged master into TrendMicroVisionResgistry 2023-11-23 17:53:05 +05:30
DynatraceAuditLogs_Schema.csv Merged master into TrendMicroVisionResgistry 2023-11-23 17:53:05 +05:30
DynatraceProblems_CL.json Merged master into TrendMicroVisionResgistry 2023-11-23 17:53:05 +05:30
DynatraceProblems_IngestedLogs.csv Merged master into TrendMicroVisionResgistry 2023-11-23 17:53:05 +05:30
DynatraceProblems_RawLogs.json Merged master into TrendMicroVisionResgistry 2023-11-23 17:53:05 +05:30
DynatraceProblems_Schema.csv Merged master into TrendMicroVisionResgistry 2023-11-23 17:53:05 +05:30
DynatraceSecurityProblems_CL.json Merged master into TrendMicroVisionResgistry 2023-11-23 17:53:05 +05:30
DynatraceSecurityProblems_IngestedLogs.csv Merged master into TrendMicroVisionResgistry 2023-11-23 17:53:05 +05:30
DynatraceSecurityProblems_RawLogs.json Merged master into TrendMicroVisionResgistry 2023-11-23 17:53:05 +05:30
DynatraceSecurityProblems_Schema.csv Merged master into TrendMicroVisionResgistry 2023-11-23 17:53:05 +05:30
Egress Defend_RawLogs.json replaced more with sanitized@sanitized.com 2023-08-08 10:48:17 +01:00
Egress Defend_Schema.csv Added some Sample Data 2023-08-03 09:05:52 +01:00
EgressDefendSampleData.csv added more sample data while altering another, and moved the workbooksmetadata 2023-08-07 10:46:38 +01:00
ForgeRock_CEF.csv
JamfProtectExampleData.csv Adding new Sample Data 2023-07-18 21:48:30 +02:00
MailGuard365_Threats_CL.csv Added Sample Data 2023-06-09 16:08:36 +10:00
Microsoft.IoT-Dump-pwd-infected.zip
Microsoft_Lolbas_Execution_Binaries.csv
Perimeter81_ActivityLogs_sample.csv
README.md Updated links 2022-06-21 14:43:38 +05:30
RidgeSecurity_IngestedLogs.csv Merged master into TrendMicroVisionResgistry 2023-11-23 17:53:05 +05:30
RidgeSecurity_RawLogs.txt Merged master into TrendMicroVisionResgistry 2023-11-23 17:53:05 +05:30
RidgeSecurity_Schema.csv Merged master into TrendMicroVisionResgistry 2023-11-23 17:53:05 +05:30
SalemCyber.csv move sample data 2023-08-09 12:25:04 -04:00
Sevco_IngestedLogs.csv Resolve branch conflicts. 2023-07-28 19:38:11 +05:30
Talon_CL.csv added scheme 2023-02-27 14:20:11 +02:00
Talon_Insights_sample.csv updated sample to include less data 2023-02-27 21:51:09 +02:00
ValenceSecurity.csv Valence Security solution 2023-11-20 17:41:30 +02:00
VaronisAlerts_CL.csv add varonis logo, sample data, update references to downloading files 2024-01-05 16:06:45 +02:00
Vcenter_RawLogs.txt vCenter-Connector-Parser (#5280) 2022-06-28 14:03:58 +05:30
VectraStream_CL.json change email address in SMTP metadata 2022-10-20 08:16:30 -07:00
WatchGuardFirebox_syslog_data.csv
ctm360CCP-cbs.json fix:Validation error 2023-12-19 19:23:51 +05:30
githubscanaudit_CL.json Github webhook Data connector related changes (#5246) 2022-07-06 16:03:58 +05:30
intel471_titan_API_malware_indicators.json Intel 471 integration - updating sample data 2023-01-27 13:40:59 +01:00
prancer_CL.json Update prancer_CL.json 2024-03-19 16:38:50 +05:30

README.md

This folder has sample data for different data connectors that can be leveraged by all Microsoft Sentinel contributions

Sample Data Contribution Guidance

Sample data is extremely useful when troubleshooting issues, supporting and/or enhancing the Data Connectors with more Security-focused content (such as Analytics, Hunting Queries, Workbooks, etc.). So, for every data connector committed, authors must also upload the following three (3) files:

Expected file name Source Expected samples in the file Expected file extension
ProductName_RawLogs Product Should contain raw logs directly from the source of the logs .txt* (for CEF/Syslog based Data Connectors) or .json (for API – based Data Connectors)
ProductName_IngestedLogs Log Analytics Workspace Should contain logs exported after ingestion into a Log Analytics Workspace .csv* for all Data Connectors
ProductName_Schema Log Analytics Workspace Should have the schema exported from Log Analytics .csv* for all Data Connectors

Note: Replace "ProductName" with the actual name of the Product or data connector.

*Guidance on how to extract these files is below.

Important: Contributors must upload log samples of all types of events that are generated by the product and captured by the data connector. These events may include different event results and response actions that the product generates. Its also important to ensure that log details include fields and/or values that include information that can be normalized. Please refer to the Advanced Security Information Model (ASIM) documentation for more details. These fields include, but are not limited to usernames, IP addresses, IDs, hostnames, etc.

Logs format Guidance

Raw logs (directly from the source)

The format for the file that will contain raw data varies depending on the type of connector. The format for the file can be json (for API based Data Connector) / text (.txt) file (for Syslog/CEF based data Connectors) with the column names / property names adhering to the data type property names.

Below is a sample of the CEF formatted logs in their raw form:

 Mar 20 10:12:18 192.168.1.5 CEF: 0|Check Point|VPN-1 & FireWall-1|Check Point|geo_protection|Log|Unknown|act=Drop cs3Label=Protection Type cs3=geo_protection deviceDirection=0 rt=1584698718000 spt=58429 dpt=27016 ifname=eth0 logid=65536 loguid={0x5e74955f,0x0,0x501a8c0,0x19633097} origin=192.168.1.5 originsicname=cn=cp_mgmt,o=FlemingGW..y76ath sequencenum=2 version=5 dst=192.168.1.5 dst_country=Internal inspection_information=Geo-location inbound enforcement inspection_profile=Default Geo Policy product=VPN-1 & FireWall-1 proto=17 src=123.113.101.36 src_country=Other 
 Mar 20 10:12:19 192.168.1.5 CEF: 0|Check Point|VPN-1 & FireWall-1|Check Point|geo_protection|Log|Unknown|act=Drop cs3Label=Protection Type cs3=geo_protection deviceDirection=0 rt=1584698718000 spt=58429 dpt=27019 ifname=eth0 logid=65536 loguid={0x5e749560,0x0,0x501a8c0,0x19633097} origin=192.168.1.5 originsicname=cn=cp_mgmt,o=FlemingGW..y76ath sequencenum=3 version=5 dst=192.168.1.5 dst_country=Internal inspection_information=Geo-location inbound enforcement inspection_pro^C

Below is a sample of a syslog message in its raw form:

 <165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 [exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"] BOMAn application event log entry.

Raw logs from API-based connectors can be extracted by leveraging an API usage platform (such as Postman) and using it to make an API call to the product and capturing a response. Below is a sample API response captured in its raw form:

[
  {
    "ts": "2020-03-20T16:00:10.144989Z",
    "eventType": "File Scanned",
    "clientName": "COMPUTER-M-V78J",
    "clientMac": "10:dd:b1:eb:88:f8",
    "clientIp": "192.168.128.2",
    "srcIp": "192.168.128.2",
    "destIp": "119.192.233.48",
    "protocol": "http",
    "uri": "http://www.favorite-icons.com/program/FavoriteIconsUninstall.exe",
    "canonicalName": "PUA.Win.Dropper.Kraddare::1201",
    "destinationPort": 80,
    "fileHash": "3ec1b9a95fe62aa25fc959643a0f227b76d253094681934daaf628d3574b3463",
    "fileType": "MS_EXE",
    "fileSizeBytes": 193688,
    "disposition": "Malicious",
    "action": "Blocked"
  },
  {
    "ts": "2022-03-08T01:18:30.072163Z",
    "eventType": "IDS Alert",
    "deviceMac": "ac:17:c8:21:1c:70",
    "clientMac": "",
    "srcIp": "45.137.23.246:42101",
    "destIp": "84.14.28.183:9034",
    "protocol": "udp/ip",
    "priority": "1",
    "classification": "9",
    "blocked": false,
    "message": "SERVER-OTHER RealTek UDPServer command injection attempt",
    "signature": "1:58853:1",
    "sigSource": "ids-vrt-balanced",
    "ruleId": "meraki:intrusion/snort/GID/1/SID/58853"
  }
]

Post-ingestion logs

The post-ingestion logs are exported from log analytics using the Export option in the query window. The format of the file will be csv as exported from Log Analytics JSON irrespective of the data connector type. These logs are important in helping in understanding how the information from raw logs has been mapped to fields.

Schema

The schema, similar to post-ingestion logs can be exported from log analytics using the Export option in the query window. The exported file is a csv. This is important to understand the schema of the table that the logs are ingested in.

Log Extraction Guidance

Extracting ingested logs from Log Analytics Workspace

Ingested logs can be extracted by running a KQL query in the Logs window in Microsoft Sentinel/Log Analytics Workspace. Typing a basic query to get all all logs ingested by a Data Connector will get you the logs along with the defined schema. After you run the query, click on Export and then click Export to CSV - all columns.

ExportToCSV

Extracting raw logs for CEF/Syslog based connectors

We have several ways to capture the original data that comes from syslog devices and that is getting ingested into syslog-ng or rsyslog sever. One of the way is to capture the traces on syslog-ng or rsyslog server over 514 port. You can use the following command to captre the traffic into pacp file

sudo tcpdump -s 0 -Ani any port 514 -vv -w /var/log/syslog.pcap

image

Once we have the pcap file, we can visualize the events using utility "tcpick" and export into readable format

tcpick -C -yP -r syslog.pcap > sampledata.log
nano sampledata.log

image

Extracting the schema

To extract the schema of the table in a csv file, run the following query in a log analytics query window:

TableName | getschema

Note: Replace "TableName" in the above query with the actual name of the table before executing it in Log Analytics. This will return the schema of the table which can then be exported to a csv file using the Export option as described above for post-ingested logs.

ExportSchemaToCSV

Sample data upload to GitHub

Once you've gathered all three files, submit them via a GitHub PR. All three files must reside inside a folder called "Sample Data" within the Solution folder. Example folder structure - "Azure-Sentinel/Solutions//Sample Data/".

Important: Please ensure all sample data has been scrubbed to remove all sensitive PII information that may exist in the logs. The intent is to understand the "what" and "how" from the logs not the "who".