108 строки
4.2 KiB
JSON
108 строки
4.2 KiB
JSON
{
|
|
"id": "NXLogDnsLogs",
|
|
"title": "NXLog DNS Logs",
|
|
"publisher": "NXLog",
|
|
"descriptionMarkdown": "The NXLog DNS Logs data connector uses Event Tracing for Windows ([ETW](https://docs.microsoft.com/windows/apps/trace-processing/overview)) for collecting both Audit and Analytical DNS Server events. The [NXLog *im_etw* module](https://nxlog.co/documentation/nxlog-user-guide/im_etw.html) reads event tracing data directly for maximum efficiency, without the need to capture the event trace into an .etl file. This REST API connector can forward DNS Server events to Azure Sentinel in real-time.",
|
|
"graphQueries": [
|
|
{
|
|
"metricName": "Total data received",
|
|
"legend": "DNS_Logs_CL",
|
|
"baseQuery": "DNS_Logs_CL"
|
|
}
|
|
],
|
|
"sampleQueries": [
|
|
{
|
|
"description" : "EventID frequency",
|
|
"query": "DNS_Logs_CL\n| summarize EventCount = count() by EventID = EventID_d\n| order by EventID\n| render barchart"
|
|
},
|
|
{
|
|
"description" : "Event Type counts",
|
|
"query": "DNS_Logs_CL\n| where strlen(DNS_LogType_s) > 1\n| summarize EventCount = count() by EventType = DNS_LogType_s\n| order by EventType asc \n| render barchart"
|
|
}
|
|
],
|
|
"dataTypes": [
|
|
{
|
|
"name": "DNS_Logs_CL",
|
|
"lastDataReceivedQuery": "DNS_Logs_CL | summarize Time = max(TimeGenerated) | where isnotempty(Time)"
|
|
}
|
|
],
|
|
"connectivityCriterias": [
|
|
{
|
|
"type": "IsConnectedQuery",
|
|
"value": [
|
|
"DNS_Logs_CL | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(30d)"
|
|
]
|
|
}
|
|
],
|
|
"availability": {
|
|
"status": 1,
|
|
"isPreview": true
|
|
},
|
|
"permissions": {
|
|
"resourceProvider": [
|
|
{
|
|
"provider": "Microsoft.OperationalInsights/workspaces",
|
|
"permissionsDisplayText": "read and write permissions are required.",
|
|
"providerDisplayName": "Workspace",
|
|
"scope": "Workspace",
|
|
"requiredPermissions": {
|
|
"write": true,
|
|
"read": true,
|
|
"delete": true
|
|
}
|
|
},
|
|
{
|
|
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
|
|
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
|
|
"providerDisplayName": "Keys",
|
|
"scope": "Workspace",
|
|
"requiredPermissions": {
|
|
"action": true
|
|
}
|
|
}
|
|
]
|
|
},
|
|
"instructionSteps": [
|
|
{
|
|
"title": "",
|
|
"description": "Follow the step-by-step instructions in the *NXLog User Guide* Integration Topic [Microsoft Azure Sentinel](https://nxlog.co/documentation/nxlog-user-guide/sentinel.html) to configure this connector.",
|
|
"instructions": [
|
|
{
|
|
"parameters": {
|
|
"fillWith": [
|
|
"WorkspaceId"
|
|
],
|
|
"label": "Workspace ID"
|
|
},
|
|
"type": "CopyableLabel"
|
|
},
|
|
{
|
|
"parameters": {
|
|
"fillWith": [
|
|
"PrimaryKey"
|
|
],
|
|
"label": "Primary Key"
|
|
},
|
|
"type": "CopyableLabel"
|
|
}
|
|
]
|
|
}
|
|
],
|
|
"metadata": {
|
|
"id": "4eb027bc-5a8e-4e7e-8dac-3aaba3e487b1",
|
|
"version": "1.0.0",
|
|
"kind": "dataConnector",
|
|
"source": {
|
|
"kind": "community"
|
|
},
|
|
"author": {
|
|
"name": "NXLog"
|
|
},
|
|
"support": {
|
|
"name": "NXLog",
|
|
"link": "https://nxlog.co/community-forum",
|
|
"tier": "developer"
|
|
}
|
|
}
|
|
}
|