diff --git a/Solutions/Tomcat/Analytic Rules/TomcatCommandsinRequest.yaml b/Solutions/Tomcat/Analytic Rules/TomcatCommandsinRequest.yaml
index 5329b746ab7..1eed771deea 100644
--- a/Solutions/Tomcat/Analytic Rules/TomcatCommandsinRequest.yaml
+++ b/Solutions/Tomcat/Analytic Rules/TomcatCommandsinRequest.yaml
@@ -5,9 +5,6 @@ description: |
severity: High
status: Available
requiredDataConnectors:
- - connectorId: ApacheTomcat
- dataTypes:
- - TomcatEvent
- connectorId: CustomLogsAma
datatypes:
- Tomcat_CL
@@ -30,5 +27,5 @@ entityMappings:
fieldMappings:
- identifier: Url
columnName: UrlCustomEntity
-version: 1.0.1
+version: 1.0.2
kind: Scheduled
diff --git a/Solutions/Tomcat/Analytic Rules/TomcatKnownMaliciousUserAgent.yaml b/Solutions/Tomcat/Analytic Rules/TomcatKnownMaliciousUserAgent.yaml
index 74a930e5cb8..2b3947ab4cb 100644
--- a/Solutions/Tomcat/Analytic Rules/TomcatKnownMaliciousUserAgent.yaml
+++ b/Solutions/Tomcat/Analytic Rules/TomcatKnownMaliciousUserAgent.yaml
@@ -5,9 +5,6 @@ description: |
severity: High
status: Available
requiredDataConnectors:
- - connectorId: ApacheTomcat
- dataTypes:
- - TomcatEvent
- connectorId: CustomLogsAma
datatypes:
- Tomcat_CL
@@ -30,5 +27,5 @@ entityMappings:
fieldMappings:
- identifier: Name
columnName: MalwareCustomEntity
-version: 1.0.1
+version: 1.0.2
kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Tomcat/Analytic Rules/TomcatMultipleClientErrorsFromSingleIP.yaml b/Solutions/Tomcat/Analytic Rules/TomcatMultipleClientErrorsFromSingleIP.yaml
index d49a2ea48c9..abe87952789 100644
--- a/Solutions/Tomcat/Analytic Rules/TomcatMultipleClientErrorsFromSingleIP.yaml
+++ b/Solutions/Tomcat/Analytic Rules/TomcatMultipleClientErrorsFromSingleIP.yaml
@@ -5,9 +5,6 @@ description: |
severity: Medium
status: Available
requiredDataConnectors:
- - connectorId: ApacheTomcat
- dataTypes:
- - TomcatEvent
- connectorId: CustomLogsAma
datatypes:
- Tomcat_CL
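Review bot: The CustomLogsAma entry that is now the only item under requiredDataConnectors spells its key `datatypes:`, while the ApacheTomcat entry this hunk removes used `dataTypes:`; if the solution tooling or template validation matches this key case-sensitively, the surviving entry may no longer declare any data type at all, so it should probably read `dataTypes:` to match the removed block. The same lowercase key is kept in every other analytic rule and hunting query touched by this diff, so the correction applies across all of them, and the version bump to 1.0.2 would be the natural place to carry it. The `description: |` block named in the hunk header starts above the hunk, so whether any other key in these files uses the lowercase form is not visible here.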
@@ -32,5 +29,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
-version: 1.0.1
+version: 1.0.2
kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Tomcat/Analytic Rules/TomcatMultipleEmptyRequestsFromSameIP.yaml b/Solutions/Tomcat/Analytic Rules/TomcatMultipleEmptyRequestsFromSameIP.yaml
index e51bbaf14ee..ea51617de4e 100644
--- a/Solutions/Tomcat/Analytic Rules/TomcatMultipleEmptyRequestsFromSameIP.yaml
+++ b/Solutions/Tomcat/Analytic Rules/TomcatMultipleEmptyRequestsFromSameIP.yaml
@@ -5,9 +5,6 @@ description: |
severity: Medium
status: Available
requiredDataConnectors:
- - connectorId: ApacheTomcat
- dataTypes:
- - TomcatEvent
- connectorId: CustomLogsAma
datatypes:
- Tomcat_CL
@@ -34,5 +31,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
-version: 1.0.1
+version: 1.0.2
kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Tomcat/Analytic Rules/TomcatMultipleServerErrorsFromSingleIP.yaml b/Solutions/Tomcat/Analytic Rules/TomcatMultipleServerErrorsFromSingleIP.yaml
index 3ac0760528d..cedd2b68fe3 100644
--- a/Solutions/Tomcat/Analytic Rules/TomcatMultipleServerErrorsFromSingleIP.yaml
+++ b/Solutions/Tomcat/Analytic Rules/TomcatMultipleServerErrorsFromSingleIP.yaml
@@ -5,9 +5,6 @@ description: |
severity: Medium
status: Available
requiredDataConnectors:
- - connectorId: ApacheTomcat
- dataTypes:
- - TomcatEvent
- connectorId: CustomLogsAma
datatypes:
- Tomcat_CL
@@ -34,5 +31,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
-version: 1.0.1
+version: 1.0.2
kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Tomcat/Analytic Rules/TomcatPutAndGetFileFromSameIP.yaml b/Solutions/Tomcat/Analytic Rules/TomcatPutAndGetFileFromSameIP.yaml
index da4bd6e8cb0..3df0019e0bf 100644
--- a/Solutions/Tomcat/Analytic Rules/TomcatPutAndGetFileFromSameIP.yaml
+++ b/Solutions/Tomcat/Analytic Rules/TomcatPutAndGetFileFromSameIP.yaml
@@ -5,9 +5,6 @@ description: |
severity: Medium
status: Available
requiredDataConnectors:
- - connectorId: ApacheTomcat
- dataTypes:
- - TomcatEvent
- connectorId: CustomLogsAma
datatypes:
- Tomcat_CL
@@ -43,5 +40,5 @@ entityMappings:
fieldMappings:
- identifier: Url
columnName: UrlCustomEntity
-version: 1.0.1
+version: 1.0.2
kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Tomcat/Analytic Rules/TomcatRequestFromLocalhostIP.yaml b/Solutions/Tomcat/Analytic Rules/TomcatRequestFromLocalhostIP.yaml
index 3dc622ac29f..917f780806f 100644
--- a/Solutions/Tomcat/Analytic Rules/TomcatRequestFromLocalhostIP.yaml
+++ b/Solutions/Tomcat/Analytic Rules/TomcatRequestFromLocalhostIP.yaml
@@ -5,9 +5,6 @@ description: |
severity: Medium
status: Available
requiredDataConnectors:
- - connectorId: ApacheTomcat
- dataTypes:
- - TomcatEvent
- connectorId: CustomLogsAma
datatypes:
- Tomcat_CL
@@ -34,5 +31,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
-version: 1.0.1
+version: 1.0.2
kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Tomcat/Analytic Rules/TomcatRequestSensitiveFiles.yaml b/Solutions/Tomcat/Analytic Rules/TomcatRequestSensitiveFiles.yaml
index ec681e921bb..13bed284f0b 100644
--- a/Solutions/Tomcat/Analytic Rules/TomcatRequestSensitiveFiles.yaml
+++ b/Solutions/Tomcat/Analytic Rules/TomcatRequestSensitiveFiles.yaml
@@ -5,9 +5,6 @@ description: |
severity: High
status: Available
requiredDataConnectors:
- - connectorId: ApacheTomcat
- dataTypes:
- - TomcatEvent
- connectorId: CustomLogsAma
datatypes:
- Tomcat_CL
@@ -34,5 +31,5 @@ entityMappings:
fieldMappings:
- identifier: Url
columnName: UrlCustomEntity
-version: 1.0.1
+version: 1.0.2
kind: Scheduled
diff --git a/Solutions/Tomcat/Analytic Rules/TomcatSQLiPattern.yaml b/Solutions/Tomcat/Analytic Rules/TomcatSQLiPattern.yaml
index 3302e928dbb..c0757bfdeae 100644
--- a/Solutions/Tomcat/Analytic Rules/TomcatSQLiPattern.yaml
+++ b/Solutions/Tomcat/Analytic Rules/TomcatSQLiPattern.yaml
@@ -5,9 +5,6 @@ description: |
severity: High
status: Available
requiredDataConnectors:
- - connectorId: ApacheTomcat
- dataTypes:
- - TomcatEvent
- connectorId: CustomLogsAma
datatypes:
- Tomcat_CL
@@ -29,5 +26,5 @@ entityMappings:
fieldMappings:
- identifier: Url
columnName: UrlCustomEntity
-version: 1.0.1
+version: 1.0.2
kind: Scheduled
diff --git a/Solutions/Tomcat/Analytic Rules/TomcatServerErrorsAfterMultipleRequestsFromSameIP.yaml b/Solutions/Tomcat/Analytic Rules/TomcatServerErrorsAfterMultipleRequestsFromSameIP.yaml
index c9a334e378e..a6f8ea61492 100644
--- a/Solutions/Tomcat/Analytic Rules/TomcatServerErrorsAfterMultipleRequestsFromSameIP.yaml
+++ b/Solutions/Tomcat/Analytic Rules/TomcatServerErrorsAfterMultipleRequestsFromSameIP.yaml
@@ -5,9 +5,6 @@ description: |
severity: Medium
status: Available
requiredDataConnectors:
- - connectorId: ApacheTomcat
- dataTypes:
- - TomcatEvent
- connectorId: CustomLogsAma
datatypes:
- Tomcat_CL
@@ -45,5 +42,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
-version: 1.0.1
+version: 1.0.2
kind: Scheduled
diff --git a/Solutions/Tomcat/Data/Solution_Tomcat.json b/Solutions/Tomcat/Data/Solution_Tomcat.json
index 8802835e0b4..5a1a725ee3b 100644
--- a/Solutions/Tomcat/Data/Solution_Tomcat.json
+++ b/Solutions/Tomcat/Data/Solution_Tomcat.json
@@ -2,10 +2,7 @@
"Name": "Tomcat",
"Author": "Microsoft - support@microsoft.com",
"Logo": "",
- "Description": "The Apache Tomcat solution provides the capability to ingest [Apache Tomcat](http://tomcat.apache.org/) events into Microsoft Sentinel. Refer to [Apache Tomcat documentation](http://tomcat.apache.org/tomcat-10.0-doc/logging.html) for more information.\n\n This solution is dependent on the Custom logs via AMA connector to collect the logs. The Custom logs solution will be installed as part of this solution installation. \n\n **NOTE**: Microsoft recommends installation of Custom logs via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024**. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/azure/sentinel/ama-migrate?WT.mc_id=Portal-fx).",
- "Data Connectors": [
- "Data Connectors/Connector_Tomcat_agent.json"
- ],
+ "Description": "The Apache Tomcat solution provides the capability to ingest [Apache Tomcat](http://tomcat.apache.org/) events into Microsoft Sentinel. Refer to [Apache Tomcat documentation](http://tomcat.apache.org/tomcat-10.0-doc/logging.html) for more information.\n\n This solution is dependent on the Custom logs via AMA connector to collect the logs. The Custom logs solution will be installed as part of this solution installation. \n\n **NOTE**: Microsoft recommends installation of Custom logs via AMA Connector. Legacy connector uses the Log Analytics agent which were deprecated on **Aug 31, 2024.** Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/azure/sentinel/ama-migrate?WT.mc_id=Portal-fx).",
"Parsers": [
"Parsers/TomcatEvent.yaml"
],
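Review bot: The rewritten Description in the `+` line now reads "the Log Analytics agent which were deprecated on **Aug 31, 2024.**", which should be `which was deprecated on **Aug 31, 2024**.` (singular agent, and the sentence's period belongs outside the bold span). This sentence is copied verbatim into Package/createUiDefinition.json later in the same diff, so both copies need the same wording, presumably by regenerating the package from this manifest. Since the string is being touched anyway, the two tomcat.apache.org links in it are still plain `http://`; switching them to `https://` keeps users from following an unauthenticated link from the solution's install page.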
@@ -41,7 +38,7 @@
"azuresentinel.azure-sentinel-solution-customlogsviaama"
],
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Tomcat",
- "Version": "3.0.0",
+ "Version": "3.0.1",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true
}
\ No newline at end of file
diff --git a/Solutions/Tomcat/Hunting Queries/Tomcat403RequestsFiles.yaml b/Solutions/Tomcat/Hunting Queries/Tomcat403RequestsFiles.yaml
index 03c578ead6c..81a9177a58b 100644
--- a/Solutions/Tomcat/Hunting Queries/Tomcat403RequestsFiles.yaml
+++ b/Solutions/Tomcat/Hunting Queries/Tomcat403RequestsFiles.yaml
@@ -4,9 +4,6 @@ description: |
'Query shows request to forbidden files.'
severity: Medium
requiredDataConnectors:
- - connectorId: ApacheTomcat
- dataTypes:
- - TomcatEvent
- connectorId: CustomLogsAma
datatypes:
- Tomcat_CL
diff --git a/Solutions/Tomcat/Hunting Queries/TomcatAbnormalRequestSize.yaml b/Solutions/Tomcat/Hunting Queries/TomcatAbnormalRequestSize.yaml
index 3ba0403b75f..08c21192b5d 100644
--- a/Solutions/Tomcat/Hunting Queries/TomcatAbnormalRequestSize.yaml
+++ b/Solutions/Tomcat/Hunting Queries/TomcatAbnormalRequestSize.yaml
@@ -4,9 +4,6 @@ description: |
'Query shows abnormal request size.'
severity: Low
requiredDataConnectors:
- - connectorId: ApacheTomcat
- dataTypes:
- - TomcatEvent
- connectorId: CustomLogsAma
datatypes:
- Tomcat_CL
diff --git a/Solutions/Tomcat/Hunting Queries/TomcatERRORs.yaml b/Solutions/Tomcat/Hunting Queries/TomcatERRORs.yaml
index 8b7ec7afd7f..69ac48dfdfc 100644
--- a/Solutions/Tomcat/Hunting Queries/TomcatERRORs.yaml
+++ b/Solutions/Tomcat/Hunting Queries/TomcatERRORs.yaml
@@ -4,9 +4,6 @@ description: |
'Query shows errors events.'
severity: Medium
requiredDataConnectors:
- - connectorId: ApacheTomcat
- dataTypes:
- - TomcatEvent
- connectorId: CustomLogsAma
datatypes:
- Tomcat_CL
diff --git a/Solutions/Tomcat/Hunting Queries/TomcatRareFilesRequested.yaml b/Solutions/Tomcat/Hunting Queries/TomcatRareFilesRequested.yaml
index 6ed4fe3a774..bb3bf878a43 100644
--- a/Solutions/Tomcat/Hunting Queries/TomcatRareFilesRequested.yaml
+++ b/Solutions/Tomcat/Hunting Queries/TomcatRareFilesRequested.yaml
@@ -4,9 +4,6 @@ description: |
'Query shows rare files requested'
severity: Medium
requiredDataConnectors:
- - connectorId: ApacheTomcat
- dataTypes:
- - TomcatEvent
- connectorId: CustomLogsAma
datatypes:
- Tomcat_CL
diff --git a/Solutions/Tomcat/Hunting Queries/TomcatRareURLsRequested.yaml b/Solutions/Tomcat/Hunting Queries/TomcatRareURLsRequested.yaml
index 7d4040391c5..46f45730c27 100644
--- a/Solutions/Tomcat/Hunting Queries/TomcatRareURLsRequested.yaml
+++ b/Solutions/Tomcat/Hunting Queries/TomcatRareURLsRequested.yaml
@@ -4,9 +4,6 @@ description: |
'Query shows rare URLs requested.'
severity: Medium
requiredDataConnectors:
- - connectorId: ApacheTomcat
- dataTypes:
- - TomcatEvent
- connectorId: CustomLogsAma
datatypes:
- Tomcat_CL
diff --git a/Solutions/Tomcat/Hunting Queries/TomcatTopFilesWithErrorRequests.yaml b/Solutions/Tomcat/Hunting Queries/TomcatTopFilesWithErrorRequests.yaml
index 19d9c6daa32..5bd6f98c41c 100644
--- a/Solutions/Tomcat/Hunting Queries/TomcatTopFilesWithErrorRequests.yaml
+++ b/Solutions/Tomcat/Hunting Queries/TomcatTopFilesWithErrorRequests.yaml
@@ -4,9 +4,6 @@ description: |
'Query shows list of files with error requests.'
severity: Medium
requiredDataConnectors:
- - connectorId: ApacheTomcat
- dataTypes:
- - TomcatEvent
- connectorId: CustomLogsAma
datatypes:
- Tomcat_CL
diff --git a/Solutions/Tomcat/Hunting Queries/TomcatTopURLsClientErrors.yaml b/Solutions/Tomcat/Hunting Queries/TomcatTopURLsClientErrors.yaml
index adb9a3b253f..52753f16d31 100644
--- a/Solutions/Tomcat/Hunting Queries/TomcatTopURLsClientErrors.yaml
+++ b/Solutions/Tomcat/Hunting Queries/TomcatTopURLsClientErrors.yaml
@@ -4,9 +4,6 @@ description: |
'Query shows URLs list with client errors.'
severity: Medium
requiredDataConnectors:
- - connectorId: ApacheTomcat
- dataTypes:
- - TomcatEvent
- connectorId: CustomLogsAma
datatypes:
- Tomcat_CL
diff --git a/Solutions/Tomcat/Hunting Queries/TomcatTopURLsServerErrors.yaml b/Solutions/Tomcat/Hunting Queries/TomcatTopURLsServerErrors.yaml
index 22f157b872b..56108118221 100644
--- a/Solutions/Tomcat/Hunting Queries/TomcatTopURLsServerErrors.yaml
+++ b/Solutions/Tomcat/Hunting Queries/TomcatTopURLsServerErrors.yaml
@@ -4,9 +4,6 @@ description: |
'Query shows URLs list with server errors.'
severity: Medium
requiredDataConnectors:
- - connectorId: ApacheTomcat
- dataTypes:
- - TomcatEvent
- connectorId: CustomLogsAma
datatypes:
- Tomcat_CL
diff --git a/Solutions/Tomcat/Hunting Queries/TomcatUncommonUAs.yaml b/Solutions/Tomcat/Hunting Queries/TomcatUncommonUAs.yaml
index 014f5056c52..d7d9c3d5663 100644
--- a/Solutions/Tomcat/Hunting Queries/TomcatUncommonUAs.yaml
+++ b/Solutions/Tomcat/Hunting Queries/TomcatUncommonUAs.yaml
@@ -4,9 +4,6 @@ description: |
'Query searches uncommon user agent strings.'
severity: Low
requiredDataConnectors:
- - connectorId: ApacheTomcat
- dataTypes:
- - TomcatEvent
- connectorId: CustomLogsAma
datatypes:
- Tomcat_CL
diff --git a/Solutions/Tomcat/Hunting Queries/TomcatUncommonUAsWithClientErrors.yaml b/Solutions/Tomcat/Hunting Queries/TomcatUncommonUAsWithClientErrors.yaml
index 4dcc74ec4eb..8523f3d78fe 100644
--- a/Solutions/Tomcat/Hunting Queries/TomcatUncommonUAsWithClientErrors.yaml
+++ b/Solutions/Tomcat/Hunting Queries/TomcatUncommonUAsWithClientErrors.yaml
@@ -4,9 +4,6 @@ description: |
'Query shows rare user agent strings with client errors'
severity: Medium
requiredDataConnectors:
- - connectorId: ApacheTomcat
- dataTypes:
- - TomcatEvent
- connectorId: CustomLogsAma
datatypes:
- Tomcat_CL
diff --git a/Solutions/Tomcat/Hunting Queries/TomcatUncommonUAsWithServerErrors.yaml b/Solutions/Tomcat/Hunting Queries/TomcatUncommonUAsWithServerErrors.yaml
index e93ad9eedaa..7363bb3ceb8 100644
--- a/Solutions/Tomcat/Hunting Queries/TomcatUncommonUAsWithServerErrors.yaml
+++ b/Solutions/Tomcat/Hunting Queries/TomcatUncommonUAsWithServerErrors.yaml
@@ -4,9 +4,6 @@ description: |
'Query shows rare user agent strings with server errors'
severity: Medium
requiredDataConnectors:
- - connectorId: ApacheTomcat
- dataTypes:
- - TomcatEvent
- connectorId: CustomLogsAma
datatypes:
- Tomcat_CL
diff --git a/Solutions/Tomcat/Package/3.0.1.zip b/Solutions/Tomcat/Package/3.0.1.zip
new file mode 100644
index 00000000000..4f3d246b55b
Binary files /dev/null and b/Solutions/Tomcat/Package/3.0.1.zip differ
diff --git a/Solutions/Tomcat/Package/createUiDefinition.json b/Solutions/Tomcat/Package/createUiDefinition.json
index 2a00590aeb4..0f14f7be32a 100644
--- a/Solutions/Tomcat/Package/createUiDefinition.json
+++ b/Solutions/Tomcat/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
- "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Tomcat/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Apache Tomcat solution provides the capability to ingest [Apache Tomcat](http://tomcat.apache.org/) events into Microsoft Sentinel. Refer to [Apache Tomcat documentation](http://tomcat.apache.org/tomcat-10.0-doc/logging.html) for more information.\n\n This solution is dependent on the Custom logs via AMA connector to collect the logs. The Custom logs solution will be installed as part of this solution installation. \n\n **NOTE**: Microsoft recommends installation of Custom logs via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024**. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/azure/sentinel/ama-migrate?WT.mc_id=Portal-fx).\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 11\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Tomcat/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Apache Tomcat solution provides the capability to ingest [Apache Tomcat](http://tomcat.apache.org/) events into Microsoft Sentinel. 
Refer to [Apache Tomcat documentation](http://tomcat.apache.org/tomcat-10.0-doc/logging.html) for more information.\n\n This solution is dependent on the Custom logs via AMA connector to collect the logs. The Custom logs solution will be installed as part of this solution installation. \n\n **NOTE**: Microsoft recommends installation of Custom logs via AMA Connector. Legacy connector uses the Log Analytics agent which were deprecated on **Aug 31, 2024.** Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/azure/sentinel/ama-migrate?WT.mc_id=Portal-fx).\n\n**Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 11\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
@@ -51,37 +51,6 @@
}
],
"steps": [
- {
- "name": "dataconnectors",
- "label": "Data Connectors",
- "bladeTitle": "Data Connectors",
- "elements": [
- {
- "name": "dataconnectors1-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "This Solution installs the data connector for Tomcat. You can get Tomcat custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
- }
- },
- {
- "name": "dataconnectors-parser-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel."
- }
- },
- {
- "name": "dataconnectors-link2",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "link": {
- "label": "Learn more about connecting data sources",
- "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
- }
- }
- }
- ]
- },
{
"name": "workbooks",
"label": "Workbooks",
@@ -323,7 +292,7 @@
"name": "huntingquery1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Query shows request to forbidden files. This hunting query depends on ApacheTomcat CustomLogsAma data connector (TomcatEvent Tomcat_CL Parser or Table)"
+ "text": "Query shows request to forbidden files. This hunting query depends on CustomLogsAma data connector (Tomcat_CL Parser or Table)"
}
}
]
@@ -337,7 +306,7 @@
"name": "huntingquery2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Query shows abnormal request size. This hunting query depends on ApacheTomcat CustomLogsAma data connector (TomcatEvent Tomcat_CL Parser or Table)"
+ "text": "Query shows abnormal request size. This hunting query depends on CustomLogsAma data connector (Tomcat_CL Parser or Table)"
}
}
]
@@ -351,7 +320,7 @@
"name": "huntingquery3-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Query shows errors events. This hunting query depends on ApacheTomcat CustomLogsAma data connector (TomcatEvent Tomcat_CL Parser or Table)"
+ "text": "Query shows errors events. This hunting query depends on CustomLogsAma data connector (Tomcat_CL Parser or Table)"
}
}
]
@@ -365,7 +334,7 @@
"name": "huntingquery4-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Query shows rare files requested This hunting query depends on ApacheTomcat CustomLogsAma data connector (TomcatEvent Tomcat_CL Parser or Table)"
+ "text": "Query shows rare files requested This hunting query depends on CustomLogsAma data connector (Tomcat_CL Parser or Table)"
}
}
]
@@ -379,7 +348,7 @@
"name": "huntingquery5-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Query shows rare URLs requested. This hunting query depends on ApacheTomcat CustomLogsAma data connector (TomcatEvent Tomcat_CL Parser or Table)"
+ "text": "Query shows rare URLs requested. This hunting query depends on CustomLogsAma data connector (Tomcat_CL Parser or Table)"
}
}
]
@@ -393,7 +362,7 @@
"name": "huntingquery6-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Query shows list of files with error requests. This hunting query depends on ApacheTomcat CustomLogsAma data connector (TomcatEvent Tomcat_CL Parser or Table)"
+ "text": "Query shows list of files with error requests. This hunting query depends on CustomLogsAma data connector (Tomcat_CL Parser or Table)"
}
}
]
@@ -407,7 +376,7 @@
"name": "huntingquery7-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Query shows URLs list with client errors. This hunting query depends on ApacheTomcat CustomLogsAma data connector (TomcatEvent Tomcat_CL Parser or Table)"
+ "text": "Query shows URLs list with client errors. This hunting query depends on CustomLogsAma data connector (Tomcat_CL Parser or Table)"
}
}
]
@@ -421,7 +390,7 @@
"name": "huntingquery8-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Query shows URLs list with server errors. This hunting query depends on ApacheTomcat CustomLogsAma data connector (TomcatEvent Tomcat_CL Parser or Table)"
+ "text": "Query shows URLs list with server errors. This hunting query depends on CustomLogsAma data connector (Tomcat_CL Parser or Table)"
}
}
]
@@ -435,7 +404,7 @@
"name": "huntingquery9-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Query searches uncommon user agent strings. This hunting query depends on ApacheTomcat CustomLogsAma data connector (TomcatEvent Tomcat_CL Parser or Table)"
+ "text": "Query searches uncommon user agent strings. This hunting query depends on CustomLogsAma data connector (Tomcat_CL Parser or Table)"
}
}
]
@@ -449,7 +418,7 @@
"name": "huntingquery10-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Query shows rare user agent strings with client errors This hunting query depends on ApacheTomcat CustomLogsAma data connector (TomcatEvent Tomcat_CL Parser or Table)"
+ "text": "Query shows rare user agent strings with client errors This hunting query depends on CustomLogsAma data connector (Tomcat_CL Parser or Table)"
}
}
]
@@ -463,7 +432,7 @@
"name": "huntingquery11-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Query shows rare user agent strings with server errors This hunting query depends on ApacheTomcat CustomLogsAma data connector (TomcatEvent Tomcat_CL Parser or Table)"
+ "text": "Query shows rare user agent strings with server errors This hunting query depends on CustomLogsAma data connector (Tomcat_CL Parser or Table)"
}
}
]
diff --git a/Solutions/Tomcat/Package/mainTemplate.json b/Solutions/Tomcat/Package/mainTemplate.json
index dd713977d47..d83deae4cc8 100644
--- a/Solutions/Tomcat/Package/mainTemplate.json
+++ b/Solutions/Tomcat/Package/mainTemplate.json
@@ -41,21 +41,12 @@
"email": "support@microsoft.com",
"_email": "[variables('email')]",
"_solutionName": "Tomcat",
- "_solutionVersion": "3.0.0",
+ "_solutionVersion": "3.0.1",
"solutionId": "azuresentinel.azure-sentinel-solution-apachetomcat",
"_solutionId": "[variables('solutionId')]",
- "uiConfigId1": "ApacheTomcat",
- "_uiConfigId1": "[variables('uiConfigId1')]",
- "dataConnectorContentId1": "ApacheTomcat",
- "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
- "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "_dataConnectorId1": "[variables('dataConnectorId1')]",
- "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
- "dataConnectorVersion1": "1.0.0",
- "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
"parserObject1": {
- "_parserName1": "[concat(parameters('workspace'),'/','ApacheTomcat Data Parser')]",
- "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'ApacheTomcat Data Parser')]",
+ "_parserName1": "[concat(parameters('workspace'),'/','TomcatEvent')]",
+ "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'TomcatEvent')]",
"parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('TomcatEvent-Parser')))]",
"parserVersion1": "1.0.0",
"parserContentId1": "TomcatEvent-Parser"
@@ -68,74 +59,74 @@
"workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
"_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]",
"analyticRuleObject1": {
- "analyticRuleVersion1": "1.0.1",
+ "analyticRuleVersion1": "1.0.2",
"_analyticRulecontentId1": "91f59cea-486f-11ec-81d3-0242ac130003",
"analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '91f59cea-486f-11ec-81d3-0242ac130003')]",
"analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('91f59cea-486f-11ec-81d3-0242ac130003')))]",
- "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','91f59cea-486f-11ec-81d3-0242ac130003','-', '1.0.1')))]"
+ "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','91f59cea-486f-11ec-81d3-0242ac130003','-', '1.0.2')))]"
},
"analyticRuleObject2": {
- "analyticRuleVersion2": "1.0.1",
+ "analyticRuleVersion2": "1.0.2",
"_analyticRulecontentId2": "5e77a818-5825-4ff6-a901-80891c4774d1",
"analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '5e77a818-5825-4ff6-a901-80891c4774d1')]",
"analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('5e77a818-5825-4ff6-a901-80891c4774d1')))]",
- "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','5e77a818-5825-4ff6-a901-80891c4774d1','-', '1.0.1')))]"
+ 
"_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','5e77a818-5825-4ff6-a901-80891c4774d1','-', '1.0.2')))]"
},
"analyticRuleObject3": {
- "analyticRuleVersion3": "1.0.1",
+ "analyticRuleVersion3": "1.0.2",
"_analyticRulecontentId3": "4fa66058-4870-11ec-81d3-0242ac130003",
"analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '4fa66058-4870-11ec-81d3-0242ac130003')]",
"analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('4fa66058-4870-11ec-81d3-0242ac130003')))]",
- "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4fa66058-4870-11ec-81d3-0242ac130003','-', '1.0.1')))]"
+ "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4fa66058-4870-11ec-81d3-0242ac130003','-', '1.0.2')))]"
},
"analyticRuleObject4": {
- "analyticRuleVersion4": "1.0.1",
+ "analyticRuleVersion4": "1.0.2",
"_analyticRulecontentId4": "7c9a1026-4872-11ec-81d3-0242ac130003",
"analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '7c9a1026-4872-11ec-81d3-0242ac130003')]",
"analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('7c9a1026-4872-11ec-81d3-0242ac130003')))]",
- "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','7c9a1026-4872-11ec-81d3-0242ac130003','-', '1.0.1')))]"
+ "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', 
uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','7c9a1026-4872-11ec-81d3-0242ac130003','-', '1.0.2')))]"
},
"analyticRuleObject5": {
- "analyticRuleVersion5": "1.0.1",
+ "analyticRuleVersion5": "1.0.2",
"_analyticRulecontentId5": "de9df79c-4872-11ec-81d3-0242ac130003",
"analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'de9df79c-4872-11ec-81d3-0242ac130003')]",
"analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('de9df79c-4872-11ec-81d3-0242ac130003')))]",
- "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','de9df79c-4872-11ec-81d3-0242ac130003','-', '1.0.1')))]"
+ "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','de9df79c-4872-11ec-81d3-0242ac130003','-', '1.0.2')))]"
},
"analyticRuleObject6": {
- "analyticRuleVersion6": "1.0.1",
+ "analyticRuleVersion6": "1.0.2",
"_analyticRulecontentId6": "103d5ada-4874-11ec-81d3-0242ac130003",
"analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '103d5ada-4874-11ec-81d3-0242ac130003')]",
"analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('103d5ada-4874-11ec-81d3-0242ac130003')))]",
- "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','103d5ada-4874-11ec-81d3-0242ac130003','-', '1.0.1')))]"
+ "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','103d5ada-4874-11ec-81d3-0242ac130003','-', '1.0.2')))]"
},
"analyticRuleObject7": {
- 
"analyticRuleVersion7": "1.0.1", + "analyticRuleVersion7": "1.0.2", "_analyticRulecontentId7": "a45dd6ea-4874-11ec-81d3-0242ac130003", "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'a45dd6ea-4874-11ec-81d3-0242ac130003')]", "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('a45dd6ea-4874-11ec-81d3-0242ac130003')))]", - "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','a45dd6ea-4874-11ec-81d3-0242ac130003','-', '1.0.1')))]" + "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','a45dd6ea-4874-11ec-81d3-0242ac130003','-', '1.0.2')))]" }, "analyticRuleObject8": { - "analyticRuleVersion8": "1.0.1", + "analyticRuleVersion8": "1.0.2", "_analyticRulecontentId8": "0c851bd4-4875-11ec-81d3-0242ac130003", "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '0c851bd4-4875-11ec-81d3-0242ac130003')]", "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('0c851bd4-4875-11ec-81d3-0242ac130003')))]", - "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','0c851bd4-4875-11ec-81d3-0242ac130003','-', '1.0.1')))]" + "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','0c851bd4-4875-11ec-81d3-0242ac130003','-', '1.0.2')))]" }, "analyticRuleObject9": { - "analyticRuleVersion9": "1.0.1", + "analyticRuleVersion9": "1.0.2", "_analyticRulecontentId9": "ce84741e-4875-11ec-81d3-0242ac130003", "analyticRuleId9": 
"[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'ce84741e-4875-11ec-81d3-0242ac130003')]", "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('ce84741e-4875-11ec-81d3-0242ac130003')))]", - "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','ce84741e-4875-11ec-81d3-0242ac130003','-', '1.0.1')))]" + "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','ce84741e-4875-11ec-81d3-0242ac130003','-', '1.0.2')))]" }, "analyticRuleObject10": { - "analyticRuleVersion10": "1.0.1", + "analyticRuleVersion10": "1.0.2", "_analyticRulecontentId10": "875da588-4875-11ec-81d3-0242ac130003", "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '875da588-4875-11ec-81d3-0242ac130003')]", "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('875da588-4875-11ec-81d3-0242ac130003')))]", - "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','875da588-4875-11ec-81d3-0242ac130003','-', '1.0.1')))]" + "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','875da588-4875-11ec-81d3-0242ac130003','-', '1.0.2')))]" }, "huntingQueryObject1": { "huntingQueryVersion1": "1.0.0", 
@@ -195,429 +186,6 @@ "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, "resources": [ - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Tomcat data connector with template version 3.0.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion1')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId1')]", - "title": "[Deprecated] Apache Tomcat", - "publisher": "Apache", - "descriptionMarkdown": "The Apache Tomcat solution provides the capability to ingest [Apache Tomcat](http://tomcat.apache.org/) events into Microsoft Sentinel. 
Refer to [Apache Tomcat documentation](http://tomcat.apache.org/tomcat-10.0-doc/logging.html) for more information.", - "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "Tomcat_CL", - "baseQuery": "TomcatEvent" - } - ], - "sampleQueries": [ - { - "description": "Top 10 Clients (Source IP)", - "query": "TomcatEvent\n | summarize count() by SrcIpAddr\n | top 10 by count_" - } - ], - "dataTypes": [ - { - "name": "Tomcat_CL", - "lastDataReceivedQuery": "TomcatEvent\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "TomcatEvent\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": "**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. 
To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias TomcatEvent and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Tomcat/Parsers/TomcatEvent.txt).The function usually takes 10-15 minutes to activate after solution installation/update." - }, - { - "description": ">**NOTE:** This data connector has been developed using Apache Tomcat version 10.0.4" - }, - { - "description": "Install the agent on the Apache Tomcat Server where the logs are generated.\n\n> Logs from Apache Tomcat Server deployed on Linux or Windows servers are collected by **Linux** or **Windows** agents.", - "instructions": [ - { - "parameters": { - "title": "Choose where to install the Linux agent:", - "instructionSteps": [ - { - "title": "Install agent on Azure Linux Virtual Machine", - "description": "Select the machine to install the agent on and then click **Connect**.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnLinuxVirtualMachine" - }, - "type": "InstallAgent" - } - ] - }, - { - "title": "Install agent on a non-Azure Linux Machine", - "description": "Download the agent on the relevant machine and follow the instructions.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnLinuxNonAzure" - }, - "type": "InstallAgent" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ], - "title": "1. 
Install and onboard the agent for Linux or Windows" - }, - { - "instructions": [ - { - "parameters": { - "title": "Choose where to install the Windows agent:", - "instructionSteps": [ - { - "title": "Install agent on Azure Windows Virtual Machine", - "description": "Select the machine to install the agent on and then click **Connect**.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnVirtualMachine" - }, - "type": "InstallAgent" - } - ] - }, - { - "title": "Install agent on a non-Azure Windows Machine", - "description": "Download the agent on the relevant machine and follow the instructions.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnNonAzure" - }, - "type": "InstallAgent" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ] - }, - { - "description": "Configure the custom log directory to be collected", - "instructions": [ - { - "parameters": { - "linkType": "OpenCustomLogsSettings" - }, - "type": "InstallAgent" - } - ], - "title": "2. Configure the logs to be collected" - }, - { - "description": "1. Select the link above to open your workspace advanced settings \n2. From the left pane, select **Data**, select **Custom Logs** and click **Add+**\n3. Click **Browse** to upload a sample of a Tomcat log file (e.g. access.log or error.log). Then, click **Next >**\n4. Select **New line** as the record delimiter and click **Next >**\n5. Select **Windows** or **Linux** and enter the path to Tomcat logs based on your configuration. Example: \n - **Linux** Directory: '/var/log/tomcat/*.log' \n6. After entering the path, click the '+' symbol to apply, then click **Next >** \n7. 
Add **Tomcat_CL** as the custom log Name and click **Done**" - } - ] - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "Tomcat", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId1')]", - "contentKind": "DataConnector", - "displayName": "[Deprecated] Apache Tomcat", - "contentProductId": "[variables('_dataConnectorcontentProductId1')]", - "id": "[variables('_dataConnectorcontentProductId1')]", - "version": "[variables('dataConnectorVersion1')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId1')]" - ], - "location": "[parameters('workspace-location')]", - "properties": 
{ - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "Tomcat", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "[Deprecated] Apache Tomcat", - "publisher": "Apache", - "descriptionMarkdown": "The Apache Tomcat solution provides the capability to ingest [Apache Tomcat](http://tomcat.apache.org/) events into Microsoft Sentinel. 
Refer to [Apache Tomcat documentation](http://tomcat.apache.org/tomcat-10.0-doc/logging.html) for more information.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "Tomcat_CL", - "baseQuery": "TomcatEvent" - } - ], - "dataTypes": [ - { - "name": "Tomcat_CL", - "lastDataReceivedQuery": "TomcatEvent\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "TomcatEvent\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "sampleQueries": [ - { - "description": "Top 10 Clients (Source IP)", - "query": "TomcatEvent\n | summarize count() by SrcIpAddr\n | top 10 by count_" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": "**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. 
To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias TomcatEvent and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Tomcat/Parsers/TomcatEvent.txt).The function usually takes 10-15 minutes to activate after solution installation/update." - }, - { - "description": ">**NOTE:** This data connector has been developed using Apache Tomcat version 10.0.4" - }, - { - "description": "Install the agent on the Apache Tomcat Server where the logs are generated.\n\n> Logs from Apache Tomcat Server deployed on Linux or Windows servers are collected by **Linux** or **Windows** agents.", - "instructions": [ - { - "parameters": { - "title": "Choose where to install the Linux agent:", - "instructionSteps": [ - { - "title": "Install agent on Azure Linux Virtual Machine", - "description": "Select the machine to install the agent on and then click **Connect**.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnLinuxVirtualMachine" - }, - "type": "InstallAgent" - } - ] - }, - { - "title": "Install agent on a non-Azure Linux Machine", - "description": "Download the agent on the relevant machine and follow the instructions.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnLinuxNonAzure" - }, - "type": "InstallAgent" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ], - "title": "1. 
Install and onboard the agent for Linux or Windows" - }, - { - "instructions": [ - { - "parameters": { - "title": "Choose where to install the Windows agent:", - "instructionSteps": [ - { - "title": "Install agent on Azure Windows Virtual Machine", - "description": "Select the machine to install the agent on and then click **Connect**.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnVirtualMachine" - }, - "type": "InstallAgent" - } - ] - }, - { - "title": "Install agent on a non-Azure Windows Machine", - "description": "Download the agent on the relevant machine and follow the instructions.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnNonAzure" - }, - "type": "InstallAgent" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ] - }, - { - "description": "Configure the custom log directory to be collected", - "instructions": [ - { - "parameters": { - "linkType": "OpenCustomLogsSettings" - }, - "type": "InstallAgent" - } - ], - "title": "2. Configure the logs to be collected" - }, - { - "description": "1. Select the link above to open your workspace advanced settings \n2. From the left pane, select **Data**, select **Custom Logs** and click **Add+**\n3. Click **Browse** to upload a sample of a Tomcat log file (e.g. access.log or error.log). Then, click **Next >**\n4. Select **New line** as the record delimiter and click **Next >**\n5. Select **Windows** or **Linux** and enter the path to Tomcat logs based on your configuration. Example: \n - **Linux** Directory: '/var/log/tomcat/*.log' \n6. After entering the path, click the '+' symbol to apply, then click **Next >** \n7. Add **Tomcat_CL** as the custom log Name and click **Done**" - } - ], - "id": "[variables('_uiConfigId1')]", - "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution." 
- } - } - }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", @@ -627,7 +195,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "TomcatEvent Data Parser with template version 3.0.0", + "description": "TomcatEvent Data Parser with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject1').parserVersion1]", 
@@ -641,7 +209,7 @@ "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", - "displayName": "ApacheTomcat Data Parser", + "displayName": "Parser for TomcatEvent", "category": "Microsoft Sentinel Parser", "functionAlias": "TomcatEvent", "query": "let tomcat_accesslog_events =() {\nTomcat_CL\n| where RawData matches regex @'(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}).*\\[.*\\]\\s\\\"(GET|POST).*?\\\"\\s([1-5][0-9]{2})\\s(\\d+|-)(?:\\s\\\"(.*?)\\\")?(?:\\s\\\"(.*?)\\\")?.*'\n| extend EventProduct = 'Tomcat'\n| extend EventType = 'AccessLog'\n| extend EventData = split(RawData, '\"')\n| extend SubEventData0 = split(trim_start(@' ', (trim_end(@' ', tostring(EventData[0])))), ' ')\n| extend SubEventData1 = split(EventData[1], ' ')\n| extend SubEventData2 = split(trim_start(@' ', (trim_end(@' ', tostring(EventData[2])))), ' ')\n| extend SrcIpAddr = tostring(SubEventData0[0])\n| extend ClientIdentity = SubEventData0[1]\n| extend SrcUserName = SubEventData0[2]\n| extend EventStartTime = todatetime(replace(@'\\/', @'-', replace(@'(\\d{2}\\/\\w{3}\\/\\d{4}):(\\d{2}\\:\\d{2}\\:\\d{2})', @'\\1 \\2', extract(@'\\[(.*?)[-+]\\d+\\]', 1, RawData))))\n| extend HttpRequestMethod = SubEventData1[0]\n| extend UrlOriginal = SubEventData1[1]\n| extend HttpVersion = SubEventData1[2]\n| extend HttpStatusCode = SubEventData2[0]\n| extend HttpResponseBodyBytes = SubEventData2[1]\n| extend HttpReferrerOriginal = EventData[3]\n| extend HttpUserAgentOriginal = EventData[5]\n};\nlet tomcat_catalina_event1=() {\nTomcat_CL\n//Mar 16, 2021 1:42:06 PM org\n| where RawData matches regex @'\\A\\w+\\s\\d+,\\s\\d{4}\\s\\d+:\\d+:\\d+\\s(PM|AM)\\sorg.*'\n| extend EventProduct = 'Tomcat'\n| extend EventType = 'CatalinaLog'\n| extend EventStartTime = todatetime(replace(@',', '', extract(@'\\A(\\w+\\s\\d+,\\s\\d{4}\\s\\d+:\\d+:\\d+\\s(PM|AM))', 0, RawData)))\n| extend ClassName = extract(@'(PM|AM)\\s(.*?)\\s', 2, RawData)\n| extend DvcAction = extract(@'(PM|AM)\\sorg.*?\\s(\\S+)', 2, 
RawData)\n};\nlet tomcat_catalina_event2=() {\nTomcat_CL\n| where RawData matches regex @'\\A(INFO|WARN|ERROR|DEBUG):\\s'\n| extend EventProduct = 'Tomcat'\n| extend EventType = 'CatalinaLog'\n| extend EventSeverity = extract(@'(INFO|ERROR|WARN|DEBUG)', 1, RawData)\n| extend EventMessage = extract(@'(INFO|ERROR|WARN|DEBUG):\\s(.*)', 2, RawData)\n};\nunion isfuzzy=true tomcat_accesslog_events, tomcat_catalina_event1, tomcat_catalina_event2\n| project TimeGenerated\n , EventProduct\n , EventType\n , EventSeverity\n , EventStartTime\n , SrcIpAddr\n , ClientIdentity\n , SrcUserName\n , HttpRequestMethod\n , UrlOriginal\n , HttpVersion\n , HttpStatusCode\n , HttpResponseBodyBytes\n , HttpReferrerOriginal\n , HttpUserAgentOriginal\n , ClassName\n , DvcAction\n , EventMessage\n", @@ -663,7 +231,7 @@ "[variables('parserObject1')._parserId1]" ], "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'ApacheTomcat Data Parser')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'TomcatEvent')]", "contentId": "[variables('parserObject1').parserContentId1]", "kind": "Parser", "version": "[variables('parserObject1').parserVersion1]", @@ -693,7 +261,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('parserObject1').parserContentId1]", "contentKind": "Parser", - "displayName": "ApacheTomcat Data Parser", + "displayName": "Parser for TomcatEvent", "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]", "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]", "version": "[variables('parserObject1').parserVersion1]" 
@@ -706,7 +274,7 @@ "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", - "displayName": "ApacheTomcat Data Parser", + "displayName": "Parser for TomcatEvent", "category": "Microsoft Sentinel Parser", "functionAlias": "TomcatEvent", "query": "let tomcat_accesslog_events =() {\nTomcat_CL\n| where RawData matches regex @'(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}).*\\[.*\\]\\s\\\"(GET|POST).*?\\\"\\s([1-5][0-9]{2})\\s(\\d+|-)(?:\\s\\\"(.*?)\\\")?(?:\\s\\\"(.*?)\\\")?.*'\n| extend EventProduct = 'Tomcat'\n| extend EventType = 'AccessLog'\n| extend EventData = split(RawData, '\"')\n| extend SubEventData0 = split(trim_start(@' ', (trim_end(@' ', tostring(EventData[0])))), ' ')\n| extend SubEventData1 = split(EventData[1], ' ')\n| extend SubEventData2 = split(trim_start(@' ', (trim_end(@' ', tostring(EventData[2])))), ' ')\n| extend SrcIpAddr = tostring(SubEventData0[0])\n| extend ClientIdentity = SubEventData0[1]\n| extend SrcUserName = SubEventData0[2]\n| extend EventStartTime = todatetime(replace(@'\\/', @'-', replace(@'(\\d{2}\\/\\w{3}\\/\\d{4}):(\\d{2}\\:\\d{2}\\:\\d{2})', @'\\1 \\2', extract(@'\\[(.*?)[-+]\\d+\\]', 1, RawData))))\n| extend HttpRequestMethod = SubEventData1[0]\n| extend UrlOriginal = SubEventData1[1]\n| extend HttpVersion = SubEventData1[2]\n| extend HttpStatusCode = SubEventData2[0]\n| extend HttpResponseBodyBytes = SubEventData2[1]\n| extend HttpReferrerOriginal = EventData[3]\n| extend HttpUserAgentOriginal = EventData[5]\n};\nlet tomcat_catalina_event1=() {\nTomcat_CL\n//Mar 16, 2021 1:42:06 PM org\n| where RawData matches regex @'\\A\\w+\\s\\d+,\\s\\d{4}\\s\\d+:\\d+:\\d+\\s(PM|AM)\\sorg.*'\n| extend EventProduct = 'Tomcat'\n| extend EventType = 'CatalinaLog'\n| extend EventStartTime = todatetime(replace(@',', '', extract(@'\\A(\\w+\\s\\d+,\\s\\d{4}\\s\\d+:\\d+:\\d+\\s(PM|AM))', 0, RawData)))\n| extend ClassName = extract(@'(PM|AM)\\s(.*?)\\s', 2, RawData)\n| extend DvcAction = extract(@'(PM|AM)\\sorg.*?\\s(\\S+)', 2, 
RawData)\n};\nlet tomcat_catalina_event2=() {\nTomcat_CL\n| where RawData matches regex @'\\A(INFO|WARN|ERROR|DEBUG):\\s'\n| extend EventProduct = 'Tomcat'\n| extend EventType = 'CatalinaLog'\n| extend EventSeverity = extract(@'(INFO|ERROR|WARN|DEBUG)', 1, RawData)\n| extend EventMessage = extract(@'(INFO|ERROR|WARN|DEBUG):\\s(.*)', 2, RawData)\n};\nunion isfuzzy=true tomcat_accesslog_events, tomcat_catalina_event1, tomcat_catalina_event2\n| project TimeGenerated\n , EventProduct\n , EventType\n , EventSeverity\n , EventStartTime\n , SrcIpAddr\n , ClientIdentity\n , SrcUserName\n , HttpRequestMethod\n , UrlOriginal\n , HttpVersion\n , HttpStatusCode\n , HttpResponseBodyBytes\n , HttpReferrerOriginal\n , HttpUserAgentOriginal\n , ClassName\n , DvcAction\n , EventMessage\n", @@ -729,7 +297,7 @@ "[variables('parserObject1')._parserId1]" ], "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'ApacheTomcat Data Parser')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'TomcatEvent')]", "contentId": "[variables('parserObject1').parserContentId1]", "kind": "Parser", "version": "[variables('parserObject1').parserVersion1]", @@ -759,7 +327,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Tomcat Workbook with template version 3.0.0", + "description": "Tomcat Workbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", 
@@ -847,7 +415,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "TomcatCommandsinRequest_AnalyticalRules Analytics Rule with template version 3.0.0", + "description": "TomcatCommandsinRequest_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", @@ -875,16 +443,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "ApacheTomcat", - "dataTypes": [ - "TomcatEvent" - ] - }, - { - "connectorId": "CustomLogsAma", "datatypes": [ "Tomcat_CL" - ] + ], + "connectorId": "CustomLogsAma" } ], "tactics": [ @@ -896,13 +458,13 @@ ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "UrlCustomEntity" + "columnName": "UrlCustomEntity", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ] } @@ -958,7 +520,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "TomcatKnownMaliciousUserAgent_AnalyticalRules Analytics Rule with template version 3.0.0", + "description": "TomcatKnownMaliciousUserAgent_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", 
@@ -986,16 +548,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "ApacheTomcat", - "dataTypes": [ - "TomcatEvent" - ] - }, - { - "connectorId": "CustomLogsAma", "datatypes": [ "Tomcat_CL" - ] + ], + "connectorId": "CustomLogsAma" } ], "tactics": [ @@ -1007,13 +563,13 @@ ], "entityMappings": [ { - "entityType": "Malware", "fieldMappings": [ { - "identifier": "Name", - "columnName": "MalwareCustomEntity" + "columnName": "MalwareCustomEntity", + "identifier": "Name" } - ] + ], + "entityType": "Malware" } ] } @@ -1069,7 +625,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "TomcatMultipleClientErrorsFromSingleIP_AnalyticalRules Analytics Rule with template version 3.0.0", + "description": "TomcatMultipleClientErrorsFromSingleIP_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", @@ -1097,16 +653,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "ApacheTomcat", - "dataTypes": [ - "TomcatEvent" - ] - }, - { - "connectorId": "CustomLogsAma", "datatypes": [ "Tomcat_CL" - ] + ], + "connectorId": "CustomLogsAma" } ], "tactics": [ @@ -1118,13 +668,13 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "IPCustomEntity" + "columnName": "IPCustomEntity", + "identifier": "Address" } - ] + ], + "entityType": "IP" } ] } 
@@ -1180,7 +730,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "TomcatMultipleEmptyRequestsFromSameIP_AnalyticalRules Analytics Rule with template version 3.0.0", + "description": "TomcatMultipleEmptyRequestsFromSameIP_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", @@ -1208,16 +758,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "ApacheTomcat", - "dataTypes": [ - "TomcatEvent" - ] - }, - { - "connectorId": "CustomLogsAma", "datatypes": [ "Tomcat_CL" - ] + ], + "connectorId": "CustomLogsAma" } ], "tactics": [ @@ -1231,13 +775,13 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "IPCustomEntity" + "columnName": "IPCustomEntity", + "identifier": "Address" } - ] + ], + "entityType": "IP" } ] } @@ -1293,7 +837,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "TomcatMultipleServerErrorsFromSingleIP_AnalyticalRules Analytics Rule with template version 3.0.0", + "description": "TomcatMultipleServerErrorsFromSingleIP_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", 
@@ -1321,16 +865,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "ApacheTomcat", - "dataTypes": [ - "TomcatEvent" - ] - }, - { - "connectorId": "CustomLogsAma", "datatypes": [ "Tomcat_CL" - ] + ], + "connectorId": "CustomLogsAma" } ], "tactics": [ @@ -1344,13 +882,13 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "IPCustomEntity" + "columnName": "IPCustomEntity", + "identifier": "Address" } - ] + ], + "entityType": "IP" } ] } @@ -1406,7 +944,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "TomcatPutAndGetFileFromSameIP_AnalyticalRules Analytics Rule with template version 3.0.0", + "description": "TomcatPutAndGetFileFromSameIP_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", @@ -1434,16 +972,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "ApacheTomcat", - "dataTypes": [ - "TomcatEvent" - ] - }, - { - "connectorId": "CustomLogsAma", "datatypes": [ "Tomcat_CL" - ] + ], + "connectorId": "CustomLogsAma" } ], "tactics": [ @@ -1455,22 +987,22 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "IPCustomEntity" + "columnName": "IPCustomEntity", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "UrlCustomEntity" + "columnName": "UrlCustomEntity", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ] } 
@@ -1526,7 +1058,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "TomcatRequestFromLocalhostIP_AnalyticalRules Analytics Rule with template version 3.0.0", + "description": "TomcatRequestFromLocalhostIP_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]", @@ -1554,16 +1086,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "ApacheTomcat", - "dataTypes": [ - "TomcatEvent" - ] - }, - { - "connectorId": "CustomLogsAma", "datatypes": [ "Tomcat_CL" - ] + ], + "connectorId": "CustomLogsAma" } ], "tactics": [ @@ -1575,22 +1101,22 @@ ], "entityMappings": [ { - "entityType": "File", "fieldMappings": [ { - "identifier": "Name", - "columnName": "FileCustomEntity" + "columnName": "FileCustomEntity", + "identifier": "Name" } - ] + ], + "entityType": "File" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "IPCustomEntity" + "columnName": "IPCustomEntity", + "identifier": "Address" } - ] + ], + "entityType": "IP" } ] } @@ -1646,7 +1172,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "TomcatRequestSensitiveFiles_AnalyticalRules Analytics Rule with template version 3.0.0", + "description": "TomcatRequestSensitiveFiles_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]", 
@@ -1674,16 +1200,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "ApacheTomcat", - "dataTypes": [ - "TomcatEvent" - ] - }, - { - "connectorId": "CustomLogsAma", "datatypes": [ "Tomcat_CL" - ] + ], + "connectorId": "CustomLogsAma" } ], "tactics": [ @@ -1694,22 +1214,22 @@ ], "entityMappings": [ { - "entityType": "File", "fieldMappings": [ { - "identifier": "Name", - "columnName": "FileCustomEntity" + "columnName": "FileCustomEntity", + "identifier": "Name" } - ] + ], + "entityType": "File" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "UrlCustomEntity" + "columnName": "UrlCustomEntity", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ] } @@ -1765,7 +1285,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "TomcatSQLiPattern_AnalyticalRules Analytics Rule with template version 3.0.0", + "description": "TomcatSQLiPattern_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]", @@ -1793,16 +1313,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "ApacheTomcat", - "dataTypes": [ - "TomcatEvent" - ] - }, - { - "connectorId": "CustomLogsAma", "datatypes": [ "Tomcat_CL" - ] + ], + "connectorId": "CustomLogsAma" } ], "tactics": [ @@ -1813,13 +1327,13 @@ ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "UrlCustomEntity" + "columnName": "UrlCustomEntity", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ] } 
@@ -1875,7 +1389,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "TomcatServerErrorsAfterMultipleRequestsFromSameIP_AnalyticalRules Analytics Rule with template version 3.0.0", + "description": "TomcatServerErrorsAfterMultipleRequestsFromSameIP_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]", @@ -1903,16 +1417,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "ApacheTomcat", - "dataTypes": [ - "TomcatEvent" - ] - }, - { - "connectorId": "CustomLogsAma", "datatypes": [ "Tomcat_CL" - ] + ], + "connectorId": "CustomLogsAma" } ], "tactics": [ @@ -1926,13 +1434,13 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "IPCustomEntity" + "columnName": "IPCustomEntity", + "identifier": "Address" } - ] + ], + "entityType": "IP" } ] } @@ -1988,7 +1496,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Tomcat403RequestsFiles_HuntingQueries Hunting Query with template version 3.0.0", + "description": "Tomcat403RequestsFiles_HuntingQueries Hunting Query with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]", 
@@ -2073,7 +1581,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "TomcatAbnormalRequestSize_HuntingQueries Hunting Query with template version 3.0.0", + "description": "TomcatAbnormalRequestSize_HuntingQueries Hunting Query with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]", @@ -2158,7 +1666,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "TomcatERRORs_HuntingQueries Hunting Query with template version 3.0.0", + "description": "TomcatERRORs_HuntingQueries Hunting Query with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]", @@ -2243,7 +1751,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "TomcatRareFilesRequested_HuntingQueries Hunting Query with template version 3.0.0", + "description": "TomcatRareFilesRequested_HuntingQueries Hunting Query with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]", 
@@ -2328,7 +1836,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "TomcatRareURLsRequested_HuntingQueries Hunting Query with template version 3.0.0", + "description": "TomcatRareURLsRequested_HuntingQueries Hunting Query with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]", @@ -2413,7 +1921,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "TomcatTopFilesWithErrorRequests_HuntingQueries Hunting Query with template version 3.0.0", + "description": "TomcatTopFilesWithErrorRequests_HuntingQueries Hunting Query with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]", @@ -2498,7 +2006,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "TomcatTopURLsClientErrors_HuntingQueries Hunting Query with template version 3.0.0", + "description": "TomcatTopURLsClientErrors_HuntingQueries Hunting Query with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]", 
@@ -2583,7 +2091,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "TomcatTopURLsServerErrors_HuntingQueries Hunting Query with template version 3.0.0", + "description": "TomcatTopURLsServerErrors_HuntingQueries Hunting Query with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject8').huntingQueryVersion8]", @@ -2668,7 +2176,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "TomcatUncommonUAs_HuntingQueries Hunting Query with template version 3.0.0", + "description": "TomcatUncommonUAs_HuntingQueries Hunting Query with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject9').huntingQueryVersion9]", @@ -2753,7 +2261,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "TomcatUncommonUAsWithClientErrors_HuntingQueries Hunting Query with template version 3.0.0", + "description": "TomcatUncommonUAsWithClientErrors_HuntingQueries Hunting Query with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject10').huntingQueryVersion10]", 
@@ -2838,7 +2346,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "TomcatUncommonUAsWithServerErrors_HuntingQueries Hunting Query with template version 3.0.0", + "description": "TomcatUncommonUAsWithServerErrors_HuntingQueries Hunting Query with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject11').huntingQueryVersion11]", @@ -2919,12 +2427,12 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.0", + "version": "3.0.1", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Tomcat", "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", - "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Apache Tomcat solution provides the capability to ingest Apache Tomcat events into Microsoft Sentinel. Refer to Apache Tomcat documentation for more information.

\n

This solution is dependent on the Custom logs via AMA connector to collect the logs. The Custom logs solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of Custom logs via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.

\n

Data Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 11

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Apache Tomcat solution provides the capability to ingest Apache Tomcat events into Microsoft Sentinel. Refer to Apache Tomcat documentation for more information.

\n

This solution is dependent on the Custom logs via AMA connector to collect the logs. The Custom logs solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of Custom logs via AMA Connector. Legacy connector uses the Log Analytics agent which were deprecated on Aug 31, 2024. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.

\n

Parsers: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 11

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -2948,11 +2456,6 @@ }, "dependencies": { "criteria": [ - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId1')]", - "version": "[variables('dataConnectorVersion1')]" - }, { "kind": "Parser", "contentId": "[variables('parserObject1').parserContentId1]", diff --git a/Solutions/Tomcat/ReleaseNotes.md b/Solutions/Tomcat/ReleaseNotes.md index 8a3ac773157..71e494bf583 100644 --- a/Solutions/Tomcat/ReleaseNotes.md +++ b/Solutions/Tomcat/ReleaseNotes.md @@ -1,3 +1,4 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|-------------------------------------------------------------------------------------| +| 3.0.1 | 09-12-2024 | Removed Deprecated **Data connector** | | 3.0.0 | 13-08-2024 | Deprecating data connectors | \ No newline at end of file