
{
"id": "SymantecProxySG",
"title": "Symantec ProxySG",
"publisher": "Symantec",
"descriptionMarkdown": "The [Symantec ProxySG](https://www.broadcom.com/products/cyber-security/network/gateway/proxy-sg-and-advanced-secure-gateway) allows you to easily connect your Symantec ProxySG logs with Azure Sentinel, to view dashboards, create custom alerts, and improve investigations. Integrating Symantec ProxySG with Azure Sentinel provides more visibility into your organization's network proxy traffic and will enhance security monitoring capabilities.",
"additionalRequirementBanner":"These queries and workbooks depend on a parser based on a Kusto Function to work as expected. Follow the steps to use this Kusto function alias **SymantecProxySG** in queries and workbooks. [Follow these steps to get this Kusto function](https://aka.ms/sentinelgithubparserssymantecproxysg)",
"graphQueries": [
{
"metricName": "Total data received",
"legend": "Symantec",
"baseQuery": "SymantecProxySG"
}
],
"sampleQueries": [
{
"description" : "Top 10 Denied Users",
"query": "SymantecProxySG \n | where sc_filter_result == 'DENIED' \n | summarize count() by cs_userdn \n | top 10 by count_"
},
{
"description" : "Top 10 Denied Client IPs",
"query": "SymantecProxySG \n | where sc_filter_result == 'DENIED' \n | summarize count() by c_ip \n | top 10 by count_"
}
],
"dataTypes": [
{
"name": "Syslog (SymantecProxySG)",
"lastDataReceivedQuery": "SymantecProxySG \n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"SymantecProxySG \n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
}
],
"availability": {
"status": 1,
"isPreview": true
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "Write permission is required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"delete": true
}
}
],
"customs": [
{
"name": "Symantec ProxySG",
"description": "must be configured to export logs via Syslog"
}
]
},
"instructionSteps": [
{
"title": "",
"description": ">This data connector depends on a parser based on a Kusto Function to work as expected. [Follow these steps](https://aka.ms/sentinelgithubparserssymantecproxysg) to create the Kusto function alias **SymantecProxySG**",
"instructions": [
]
},
{
"title": "1. Install and onboard the agent for Linux",
"description": "Typically, you should install the agent on a different computer from the one on which the logs are generated.\n\n> Syslog logs are collected only from **Linux** agents.",
"instructions": [
{
"parameters": {
"title": "Choose where to install the agent:",
"instructionSteps": [
{
"title": "Install agent on Azure Linux Virtual Machine",
"description": "Select the machine to install the agent on and then click **Connect**.",
"instructions": [
{
"parameters": {
"linkType": "InstallAgentOnLinuxVirtualMachine"
},
"type": "InstallAgent"
}
]
},
{
"title": "Install agent on a non-Azure Linux Machine",
"description": "Download the agent on the relevant machine and follow the instructions.",
"instructions": [
{
"parameters": {
"linkType": "InstallAgentOnLinuxNonAzure"
},
"type": "InstallAgent"
}
]
}
]
},
"type": "InstructionStepsGroup"
}
]
},
{
"title": "2. Configure the logs to be collected",
"description": "Configure the facilities you want to collect and their severities.\n 1. Under workspace advanced settings **Configuration**, select **Data** and then **Syslog**.\n 2. Select **Apply below configuration to my machines** and select the facilities and severities.\n 3. Click **Save**.",
"instructions": [
{
"parameters": {
"linkType": "OpenSyslogSettings"
},
"type": "InstallAgent"
}
]
},
{
"title": "3. Configure and connect the Symantec ProxySG",
"description":"[Follow these instructions](https://knowledge.broadcom.com/external/article/166529/sending-access-logs-to-a-syslog-server.html) to enable syslog streaming of **Access** logs. As the destination IP address, use the IP address or hostname of the Linux machine on which the Linux agent is installed."
}
]
}