diff --git a/Solutions/CiscoUmbrella/Playbooks/Playbooks/CiscoUmbrella-AddIpToDestinationList/azuredeploy.json b/Solutions/CiscoUmbrella/Playbooks/Playbooks/CiscoUmbrella-AddIpToDestinationList/azuredeploy.json
index ec32775e1c2..6950c94c9ca 100644
--- a/Solutions/CiscoUmbrella/Playbooks/Playbooks/CiscoUmbrella-AddIpToDestinationList/azuredeploy.json
+++ b/Solutions/CiscoUmbrella/Playbooks/Playbooks/CiscoUmbrella-AddIpToDestinationList/azuredeploy.json
@@ -7,7 +7,7 @@
 "prerequisites": [
 "1. ServiceNow Instance URL, Username, and password.",
 "2. Access and authorization to enable API connectors",
- "3. Teams Group ID and Alert Channel ID where the messages are to be posted in."
+ "3. Teams Group ID, Channel ID and Alert details where the messages are to be posted in."
 ],
 "lastUpdateTime": "2021-06-29T10:00:00.000Z",
 "entities": [
diff --git a/Solutions/CiscoUmbrella/Playbooks/Playbooks/CiscoUmbrella-AssignPolicyToIdentity/azuredeploy.json b/Solutions/CiscoUmbrella/Playbooks/Playbooks/CiscoUmbrella-AssignPolicyToIdentity/azuredeploy.json
index b80302a8b1a..47e998f4ffa 100644
--- a/Solutions/CiscoUmbrella/Playbooks/Playbooks/CiscoUmbrella-AssignPolicyToIdentity/azuredeploy.json
+++ b/Solutions/CiscoUmbrella/Playbooks/Playbooks/CiscoUmbrella-AssignPolicyToIdentity/azuredeploy.json
@@ -7,7 +7,7 @@
 "prerequisites": [
 "1. ServiceNow Instance URL, Username, and password.",
 "2. Access and authorization to enable API connectors",
- "3. Teams Group ID and Alert Channel ID where the messages are to be posted in."
+ "3. Teams Group ID, Channel ID and Alert details where the messages are to be posted in."
 ],
 "lastUpdateTime": "2021-06-29T10:00:00.000Z",
 "entities": [
diff --git a/Solutions/CiscoUmbrella/Playbooks/Playbooks/CiscoUmbrella-BlockDomain/azuredeploy.json b/Solutions/CiscoUmbrella/Playbooks/Playbooks/CiscoUmbrella-BlockDomain/azuredeploy.json
index 85c0e8ae6d4..74af70f33b4 100644
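Review bot: The reworded prerequisite leaves `"lastUpdateTime": "2021-06-29T10:00:00.000Z"` two lines below untouched, so the template metadata no longer says when its text was last edited; bump it together with the wording change. The list as a whole also reads as if copied from a ServiceNow/Teams playbook — it names a ServiceNow instance and a Teams channel but says nothing about Cisco Umbrella API access, which a playbook called CiscoUmbrella-AddIpToDestinationList presumably needs; worth checking against the API connections the playbook actually declares. The identical hunks in CiscoUmbrella-AssignPolicyToIdentity, CiscoUmbrella-BlockDomain and CiscoUmbrella-GetDomainInfo have the same two issues.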
--- a/Solutions/CiscoUmbrella/Playbooks/Playbooks/CiscoUmbrella-BlockDomain/azuredeploy.json
+++ b/Solutions/CiscoUmbrella/Playbooks/Playbooks/CiscoUmbrella-BlockDomain/azuredeploy.json
@@ -7,7 +7,7 @@
 "prerequisites": [
 "1. ServiceNow Instance URL, Username, and password.",
 "2. Access and authorization to enable API connectors",
- "3. Teams Group ID and Alert Channel ID where the messages are to be posted in."
+ "3. Teams Group ID, Channel ID and Alert details where the messages are to be posted in."
 ],
 "lastUpdateTime": "2021-06-29T10:00:00.000Z",
 "entities": [
diff --git a/Solutions/CiscoUmbrella/Playbooks/Playbooks/CiscoUmbrella-GetDomainInfo/azuredeploy.json b/Solutions/CiscoUmbrella/Playbooks/Playbooks/CiscoUmbrella-GetDomainInfo/azuredeploy.json
index bbbd7d59211..41c740b85ad 100644
--- a/Solutions/CiscoUmbrella/Playbooks/Playbooks/CiscoUmbrella-GetDomainInfo/azuredeploy.json
+++ b/Solutions/CiscoUmbrella/Playbooks/Playbooks/CiscoUmbrella-GetDomainInfo/azuredeploy.json
@@ -7,7 +7,7 @@
 "prerequisites": [
 "1. ServiceNow Instance URL, Username, and password.",
 "2. Access and authorization to enable API connectors",
- "3. Teams Group ID and Alert Channel ID where the messages are to be posted in."
+ "3. Teams Group ID, Channel ID and Alert details where the messages are to be posted in."
 ],
 "lastUpdateTime": "2021-06-29T10:00:00.000Z",
 "entities": [
diff --git a/Solutions/Juniper SRX/Data/Solution_Juniper SRX.json b/Solutions/Juniper SRX/Data/Solution_Juniper SRX.json
index dcadfef0c9d..a54f9341379 100644
--- a/Solutions/Juniper SRX/Data/Solution_Juniper SRX.json
+++ b/Solutions/Juniper SRX/Data/Solution_Juniper SRX.json
@@ -10,7 +10,7 @@
 "Parsers/JuniperSRX.txt"
 ],
 "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Juniper SRX",
- "Version": "2.0.3",
+ "Version": "3.0.0",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true,
 "Is1Pconnector": false
diff --git a/Solutions/Juniper SRX/Package/3.0.0.zip b/Solutions/Juniper SRX/Package/3.0.0.zip
new file mode 100644
index 00000000000..45d0464765e
Binary files /dev/null and b/Solutions/Juniper SRX/Package/3.0.0.zip differ
diff --git a/Solutions/Juniper SRX/Package/createUiDefinition.json b/Solutions/Juniper SRX/Package/createUiDefinition.json
index 6b83c80a05e..e55d78ea28c 100644
--- a/Solutions/Juniper SRX/Package/createUiDefinition.json
+++ b/Solutions/Juniper SRX/Package/createUiDefinition.json
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Juniper SRX](https://www.juniper.net/us/en/products/security/srx-series.html) solution for Microsoft Sentinel enables you to ingest Juniper SRX traffic and system logs into Microsoft Sentinel.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution is dependent on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Agent-based log collection (Syslog)](https://docs.microsoft.com/azure/sentinel/connect-syslog)\n\n**Data Connectors:** 1, **Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Juniper%20SRX/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution.\n\nThe [Juniper SRX](https://www.juniper.net/us/en/products/security/srx-series.html) solution for Microsoft Sentinel enables you to ingest Juniper SRX traffic and system logs into Microsoft Sentinel.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution is dependent on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. 
[Agent-based log collection (Syslog)](https://docs.microsoft.com/azure/sentinel/connect-syslog)\n\n**Data Connectors:** 1, **Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", @@ -89,4 +89,4 @@ "workspace": "[basics('workspace')]" } } -} +} \ No newline at end of file diff --git a/Solutions/Juniper SRX/Package/mainTemplate.json b/Solutions/Juniper SRX/Package/mainTemplate.json index e00c66ea97d..8be1856f1ea 100644 --- a/Solutions/Juniper SRX/Package/mainTemplate.json +++ b/Solutions/Juniper SRX/Package/mainTemplate.json 
@@ -30,57 +30,43 @@ } }, "variables": { - "solutionId": "azuresentinel.azure-sentinel-solution-junipersrx", - "_solutionId": "[variables('solutionId')]", "email": "support@microsoft.com", "_email": "[variables('email')]", - "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", + "_solutionName": "Juniper SRX", + "_solutionVersion": "3.0.0", + "solutionId": "azuresentinel.azure-sentinel-solution-junipersrx", + "_solutionId": "[variables('solutionId')]", "uiConfigId1": "JuniperSRX", "_uiConfigId1": "[variables('uiConfigId1')]", "dataConnectorContentId1": "JuniperSRX", "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", "_dataConnectorId1": "[variables('dataConnectorId1')]", - "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1')))]", + "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", "dataConnectorVersion1": "1.0.0", - "parserVersion1": "1.0.0", - "parserContentId1": "JuniperSRX-Parser", - "_parserContentId1": "[variables('parserContentId1')]", + "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", "parserName1": "JuniperSRX", "_parserName1": "[concat(parameters('workspace'),'/',variables('parserName1'))]", "parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]", "_parserId1": "[variables('parserId1')]", - 
"parserTemplateSpecName1": "[concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId1')))]" + "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId1'))))]", + "parserVersion1": "1.0.0", + "parserContentId1": "JuniperSRX-Parser", + "_parserContentId1": "[variables('parserContentId1')]", + "_parsercontentProductId1": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('_parserContentId1'),'-', variables('parserVersion1'))))]", + "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, "resources": [ { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('dataConnectorTemplateSpecName1')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "DataConnector" - }, - "properties": { - "description": "Juniper SRX data connector with template", - "displayName": "Juniper SRX template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('dataConnectorTemplateSpecName1'),'/',variables('dataConnectorVersion1'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "DataConnector" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName1'))]" + 
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Juniper SRX data connector with template version 2.0.3", + "description": "Juniper SRX data connector with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion1')]", @@ -219,7 +205,7 @@ }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", + "apiVersion": "2023-04-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", "properties": { "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", @@ -244,12 +230,23 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_dataConnectorContentId1')]", + "contentKind": "DataConnector", + "displayName": "Juniper SRX", + "contentProductId": "[variables('_dataConnectorcontentProductId1')]", + "id": "[variables('_dataConnectorcontentProductId1')]", + "version": "[variables('dataConnectorVersion1')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", + "apiVersion": "2023-04-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", "dependsOn": [ "[variables('_dataConnectorId1')]" 
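Review bot: The template version is hard-coded again in the description near the end of the hunk, `"description": "Juniper SRX data connector with template version 3.0.0"`, even though the same hunk introduces `_solutionVersion` for exactly this value; `"description": "[concat('Juniper SRX data connector with template version ', variables('_solutionVersion'))]"` keeps the two from drifting on the next bump, and the parser contentTemplate hunk at @@ -408 has the same hard-coded string. Two things here depend on content outside the hunk: `workspaceResourceId` is removed from `variables`, so any remaining `variables('workspaceResourceId')` reference elsewhere in the template would fail validation (the removed templateSpecs `tags` were the only users visible in the diff), and the new `dependsOn` targets a `Microsoft.SecurityInsights/contentPackages` resource named by `_solutionId` that does not appear in the diff, so it must be declared in this template for the dependency to resolve. The `resources` entry that begins in this hunk continues past its end.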
@@ -408,33 +405,15 @@ } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('parserTemplateSpecName1')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Parser" - }, - "properties": { - "description": "JuniperSRX Data Parser with template", - "displayName": "JuniperSRX Data Parser template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('parserTemplateSpecName1'),'/',variables('parserVersion1'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Parser" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('parserTemplateSpecName1'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "JuniperSRX Data Parser with template version 2.0.3", + "description": "JuniperSRX Data Parser with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserVersion1')]", @@ -443,7 +422,7 @@ "resources": [ { "name": "[variables('_parserName1')]", - "apiVersion": "2020-08-01", + "apiVersion": "2022-10-01", "type": "Microsoft.OperationalInsights/workspaces/savedSearches", "location": "[parameters('workspace-location')]", "properties": { 
@@ -451,7 +430,8 @@ "displayName": "JuniperSRX", "category": "Samples", "functionAlias": "JuniperSRX", - "query": "\n\r\nlet LogHeader = Syslog\r\n| extend Parser = extract_all(@\"(\\w+)\\:?\\s([\\S\\s]+)\", dynamic([1,2]),SyslogMessage)\r\n| mv-expand Parser\r\n| extend EventTimestamp = EventTime,\r\n DvcHostname = HostName,\r\n EventType = ProcessName,\r\n ProcessId = ProcessID,\r\n Message = trim(\"- \",tostring(Parser[1]))\r\n| project-away Parser;\r\nlet SshEvents = LogHeader\r\n| where EventType =~ \"sshd\"\r\n| extend Parser = extract_all(@\"password\\sfor\\s(\\w+)\\sfrom\\s([0-9.]+)\\sport\\s(\\d+)\",dynamic([1,2,3]), Message)\r\n| mv-expand Parser\r\n| extend UserName = tostring(Parser[0]),\r\n SrcIpAddr = tostring(Parser[1]),\r\n DstIpAddr = \"\",\r\n SrcPortNumber = toint(Parser[2]),\r\n DstPortNumber = toint(\"\"),\r\n ZoneName = \"\",\r\n InterfaceName = \"\",\r\n Action = \"\"\r\n| extend EventName = extract(@\"^(\\w+\\s?\\w+?)\\s(for|from)\",1, Message)\r\n| extend EventName = extract(@\"([\\w\\s]+\\!)\",1, Message)\r\n| extend UserName = iif(isempty(UserName), extract(@\"for\\suser\\s\\'(\\w+)\\'\\sfrom\\shost\\s\\'([0-9\\.]+)\\'\",1, Message), UserName)\r\n| extend UserName = iif(isempty(UserName), extract(@\"PAM_USER\\:\\s(\\w+)\",1, Message), UserName)\r\n| extend UserName = iif(isempty(UserName), extract(@\"user:\\s(\\w+)\",1, Message), UserName)\r\n| extend SrcIpAddr = iif(isempty(SrcIpAddr), extract(@\"from\\s(host)?\\s?\\'?([0-9.]+)\\'?\",2, Message), SrcIpAddr)\r\n| extend SrcIpAddr = iif(isempty(SrcIpAddr), extract(@\"source\\:\\s([0-9.]+)\\:\",1, Message), SrcIpAddr)\r\n| extend SrcIpAddr = iif(isempty(SrcIpAddr), extract(@\"closed\\sby\\s([0-9.]+)\\s\",1, Message), SrcIpAddr)\r\n| extend DstIpAddr = iif(isempty(DstIpAddr), extract(@\"destination\\:\\s([0-9.]+)\\:[0-9]+\",1, Message), DstIpAddr)\r\n| extend DstPortNumber = iif(isempty(DstPortNumber), toint(extract(@\"destination\\:\\s[0-9.]+\\:([0-9]+)\",1, Message)), DstPortNumber)\r\n| 
extend SrcPortNumber = iif(isempty(SrcPortNumber), toint(extract(@\"closed\\sby\\s([0-9.]+)\\sport\\s([0-9]+)\",2, Message)), SrcPortNumber)\r\n| extend SrcPortNumber = iif(isempty(SrcPortNumber), toint(extract(@\"source\\:\\s[0-9.]+\\:([0-9]+)\",1, Message)), SrcPortNumber)\r\n| extend ZoneName = iif(isempty(ZoneName), extract(@\"zone\\sname\\:\\s([\\w]+)\\,\\s\",1, Message), ZoneName)\r\n| extend InterfaceName = iif(isempty(InterfaceName), extract(@\"interface\\sname\\:\\s([\\w\\-\\.\\/]+)\\,\\s\",1, Message), InterfaceName)\r\n| extend Action = iif(isempty(Action), extract(@\"action\\:\\s([\\w]+)\",1, Message), Action)\r\n| project-away Parser;\r\nlet IdsEvents = LogHeader\r\n| where EventType == \"RT_IDS\"\r\n| extend SrcIpAddr = extract(@\"source\\:\\s([0-9.]+)\\,?\\:?(\\d+)?\",1, Message),\r\n SrcPortNumber = toint(extract(@\"source\\:\\s([0-9.]+)\\,?\\:?(\\d+)?\",2, Message)),\r\n DstIpAddr = extract(@\"destination\\:\\s([0-9.]+)\\,?\",1, Message),\r\n DstPortNumber = toint(extract(@\"destination\\:\\s([0-9.]+)\\,?\\:?(\\d+)?\",2, Message)),\r\n ProtocolId = toint(extract(@\"protocol-id\\:\\s([0-9.]+)\\,\",1, Message)),\r\n ZoneName = extract(@\"zone\\sname\\:\\s([\\w]+)\\,\",1, Message),\r\n InterfaceName = extract(@\"interface\\sname\\:\\s([\\w\\.]+)\\,\",1, Message),\r\n Action = extract(@\"action\\:\\s([\\w\\-\\.]+)\",1, Message);\r\nlet FlowEvents = LogHeader\r\n| where EventType == \"RT_FLOW\"\r\n| extend FlowEventName = extract(@\"^([\\w\\s]+)\\s(\\d.*)\",1, Message);\r\nlet FlowDenyEvents = FlowEvents\r\n| where FlowEventName =~ 'session denied'\r\n| extend Parser = extract_all(@\"^([\\w\\s\\-]+)(\\s|\\:)\\s?([\\d\\.]+)\\/(\\d+)\\-\\>([\\d\\.]+)\\/(\\d+)\\s(\\w+)?\\s?([\\w\\-]+)\\s([\\S\\s]+)\",dynamic([1,2,3,4,5,6,7,8,9]), Message)\r\n| mv-expand Parser\r\n| extend EventName = tostring(Parser[0]),\r\n SrcIpAddr = tostring(Parser[2]),\r\n SrcPortNumber = toint(Parser[3]),\r\n DstIpAddr = tostring(Parser[4]),\r\n DstPortNumber = toint(Parser[5]),\r\n 
ServiceName = tostring(Parser[7]),\r\n Substring = tostring(Parser[8])\r\n| project-away Parser, Substring;\r\nlet FlowNotDenyEvents = FlowEvents\r\n| where FlowEventName !~ 'session denied'\r\n| extend Parser = extract_all(@\"^([\\w\\s\\-]+)(\\s|\\:)\\s?([\\d\\.]+)\\/(\\d+)\\-\\>([\\d\\.]+)\\/(\\d+)\\s(\\w+)?\\s?([\\w\\-]+)\\s([\\d\\.]+)\\/(\\d+)\\-\\>([\\d\\.]+)\\/(\\d+)\\s([\\S\\s]+)\",dynamic([1,2,3,4,5,6,7,8,9,10,11,12,13]), Message)\r\n| mv-expand Parser\r\n| extend EventName = tostring(Parser[0]),\r\n SrcIpAddr = tostring(Parser[2]),\r\n SrcPortNumber = toint(Parser[3]),\r\n DstIpAddr = tostring(Parser[4]),\r\n DstPortNumber = toint(Parser[5]),\r\n ServiceName = tostring(Parser[7]),\r\n SrcNatIpAddr = tostring(Parser[8]),\r\n SrcNatPortNumber = toint(Parser[9]),\r\n DstNatIpAddr = tostring(Parser[10]),\r\n DstNatPortNumber = toint(Parser[11]),\r\n Substring = tostring(Parser[12])\r\n| extend Parser2 = extract_all(@\"(0x0/s)?([\\S]+)\\s([\\S]+)\\s([\\S]+)\\s([\\S]+)\\s(\\d+)\\s([\\S]+)\\s([\\S]+)\\s([\\S]+)\\s(\\d+)\",dynamic([1,2,3,4,5,6,7,8,9,10]), Substring)\r\n| mvexpand Parser2\r\n| extend ProtocolId = toint(Parser2[5]),\r\n PolicyName = tostring(Parser2[6]),\r\n SrcNatRuleName = tostring(Parser2[7]),\r\n DstNatRuleName = tostring(Parser2[8]),\r\n SessionId = toint(Parser2[9])\r\n| project-away Parser, Parser2, Substring;\r\nlet AllOtherEvents = LogHeader\r\n| where EventType !in (\"sshd\",\"RT_IDS\",\"RT_FLOW\")\r\n| extend EventName = extract(@\"^([\\w\\s]+)\\s(0)\",1, Message);\r\nunion SshEvents, IdsEvents, AllOtherEvents, FlowNotDenyEvents, FlowDenyEvents\r\n| extend EventName = iif(isempty(EventName), extract(@\"^([\\w\\s]+)\\s(\\d.*)\",1, Message), EventName)", + "query": "\n\r\nlet LogHeader = Syslog\r\n| extend Parser = extract_all(@\"(\\w+)\\:?\\s([\\S\\s]+)\", dynamic([1,2]),SyslogMessage)\r\n| mv-expand Parser\r\n| extend EventTimestamp = EventTime,\r\n DvcHostname = HostName,\r\n EventType = ProcessName,\r\n ProcessId = ProcessID,\r\n 
Message = trim(\"- \",tostring(Parser[1]))\r\n| project-away Parser;\r\nlet SshEvents = LogHeader\r\n| where EventType =~ \"sshd\"\r\n| extend Parser = extract_all(@\"password\\sfor\\s(\\w+)\\sfrom\\s([0-9.]+)\\sport\\s(\\d+)\",dynamic([1,2,3]), Message)\r\n| mv-expand Parser\r\n| extend UserName = tostring(Parser[0]),\r\n SrcIpAddr = tostring(Parser[1]),\r\n DstIpAddr = \"\",\r\n SrcPortNumber = toint(Parser[2]),\r\n DstPortNumber = toint(\"\"),\r\n ZoneName = \"\",\r\n InterfaceName = \"\",\r\n Action = \"\"\r\n| extend EventName = extract(@\"^(\\w+\\s?\\w+?)\\s(for|from)\",1, Message)\r\n| extend EventName = extract(@\"([\\w\\s]+\\!)\",1, Message)\r\n| extend UserName = iif(isempty(UserName), extract(@\"for\\suser\\s\\'(\\w+)\\'\\sfrom\\shost\\s\\'([0-9\\.]+)\\'\",1, Message), UserName)\r\n| extend UserName = iif(isempty(UserName), extract(@\"PAM_USER\\:\\s(\\w+)\",1, Message), UserName)\r\n| extend UserName = iif(isempty(UserName), extract(@\"user:\\s(\\w+)\",1, Message), UserName)\r\n| extend SrcIpAddr = iif(isempty(SrcIpAddr), extract(@\"from\\s(host)?\\s?\\'?([0-9.]+)\\'?\",2, Message), SrcIpAddr)\r\n| extend SrcIpAddr = iif(isempty(SrcIpAddr), extract(@\"source\\:\\s([0-9.]+)\\:\",1, Message), SrcIpAddr)\r\n| extend SrcIpAddr = iif(isempty(SrcIpAddr), extract(@\"closed\\sby\\s([0-9.]+)\\s\",1, Message), SrcIpAddr)\r\n| extend DstIpAddr = iif(isempty(DstIpAddr), extract(@\"destination\\:\\s([0-9.]+)\\:[0-9]+\",1, Message), DstIpAddr)\r\n| extend DstPortNumber = iif(isempty(DstPortNumber), toint(extract(@\"destination\\:\\s[0-9.]+\\:([0-9]+)\",1, Message)), DstPortNumber)\r\n| extend SrcPortNumber = iif(isempty(SrcPortNumber), toint(extract(@\"closed\\sby\\s([0-9.]+)\\sport\\s([0-9]+)\",2, Message)), SrcPortNumber)\r\n| extend SrcPortNumber = iif(isempty(SrcPortNumber), toint(extract(@\"source\\:\\s[0-9.]+\\:([0-9]+)\",1, Message)), SrcPortNumber)\r\n| extend ZoneName = iif(isempty(ZoneName), extract(@\"zone\\sname\\:\\s([\\w]+)\\,\\s\",1, Message), 
ZoneName)\r\n| extend InterfaceName = iif(isempty(InterfaceName), extract(@\"interface\\sname\\:\\s([\\w\\-\\.\\/]+)\\,\\s\",1, Message), InterfaceName)\r\n| extend Action = iif(isempty(Action), extract(@\"action\\:\\s([\\w]+)\",1, Message), Action)\r\n| project-away Parser;\r\nlet IdsEvents = LogHeader\r\n| where EventType == \"RT_IDS\"\r\n| extend SrcIpAddr = extract(@\"source\\:\\s([0-9.]+)\\,?\\:?(\\d+)?\",1, Message),\r\n SrcPortNumber = toint(extract(@\"source\\:\\s([0-9.]+)\\,?\\:?(\\d+)?\",2, Message)),\r\n DstIpAddr = extract(@\"destination\\:\\s([0-9.]+)\\,?\",1, Message),\r\n DstPortNumber = toint(extract(@\"destination\\:\\s([0-9.]+)\\,?\\:?(\\d+)?\",2, Message)),\r\n ProtocolId = toint(extract(@\"protocol-id\\:\\s([0-9.]+)\\,\",1, Message)),\r\n ZoneName = extract(@\"zone\\sname\\:\\s([\\w]+)\\,\",1, Message),\r\n InterfaceName = extract(@\"interface\\sname\\:\\s([\\w\\.]+)\\,\",1, Message),\r\n Action = extract(@\"action\\:\\s([\\w\\-\\.]+)\",1, Message);\r\nlet FlowEvents = LogHeader\r\n| where EventType == \"RT_FLOW\"\r\n| extend FlowEventName = extract(@\"^([\\w\\s]+)\\s(\\d.*)\",1, Message);\r\nlet FlowDenyEvents = FlowEvents\r\n| where FlowEventName =~ 'session denied'\r\n| extend Parser = extract_all(@\"^([\\w\\s\\-]+)(\\s|\\:)\\s?([\\d\\.]+)\\/(\\d+)\\-\\>([\\d\\.]+)\\/(\\d+)\\s(\\w+)?\\s?([\\w\\-]+)\\s([\\S\\s]+)\",dynamic([1,2,3,4,5,6,7,8,9]), Message)\r\n| mv-expand Parser\r\n| extend EventName = tostring(Parser[0]),\r\n SrcIpAddr = tostring(Parser[2]),\r\n SrcPortNumber = toint(Parser[3]),\r\n DstIpAddr = tostring(Parser[4]),\r\n DstPortNumber = toint(Parser[5]),\r\n ServiceName = tostring(Parser[7]),\r\n Substring = tostring(Parser[8])\r\n| project-away Parser, Substring;\r\nlet FlowNotDenyEvents = FlowEvents\r\n| where FlowEventName !~ 'session denied'\r\n| extend Parser = 
extract_all(@\"^([\\w\\s\\-]+)(\\s|\\:)\\s?([\\d\\.]+)\\/(\\d+)\\-\\>([\\d\\.]+)\\/(\\d+)\\s(\\w+)?\\s?([\\w\\-]+)\\s([\\d\\.]+)\\/(\\d+)\\-\\>([\\d\\.]+)\\/(\\d+)\\s([\\S\\s]+)\",dynamic([1,2,3,4,5,6,7,8,9,10,11,12,13]), Message)\r\n| mv-expand Parser\r\n| extend EventName = tostring(Parser[0]),\r\n SrcIpAddr = tostring(Parser[2]),\r\n SrcPortNumber = toint(Parser[3]),\r\n DstIpAddr = tostring(Parser[4]),\r\n DstPortNumber = toint(Parser[5]),\r\n ServiceName = tostring(Parser[7]),\r\n SrcNatIpAddr = tostring(Parser[8]),\r\n SrcNatPortNumber = toint(Parser[9]),\r\n DstNatIpAddr = tostring(Parser[10]),\r\n DstNatPortNumber = toint(Parser[11]),\r\n Substring = tostring(Parser[12])\r\n| extend Parser2 = extract_all(@\"(0x0/s)?([\\S]+)\\s([\\S]+)\\s([\\S]+)\\s([\\S]+)\\s(\\d+)\\s([\\S]+)\\s([\\S]+)\\s([\\S]+)\\s(\\d+)\",dynamic([1,2,3,4,5,6,7,8,9,10]), Substring)\r\n| mvexpand Parser2\r\n| extend SrcNatRuleName = tostring(Parser2[2]),\r\n DstNatRuleName = tostring(Parser2[4]),\r\n ProtocolId = toint(Parser2[5]),\r\n PolicyName = tostring(Parser2[6]),\r\n SourceZoneName = tostring(Parser2[7]),\r\n DestinationZoneName = tostring(Parser2[8]),\r\n SessionId = toint(Parser2[9])\r\n| project-away Parser, Parser2, Substring;\r\nlet AllOtherEvents = LogHeader\r\n| where EventType !in (\"sshd\",\"RT_IDS\",\"RT_FLOW\")\r\n| extend EventName = extract(@\"^([\\w\\s]+)\\s(0)\",1, Message);\r\nunion SshEvents, IdsEvents, AllOtherEvents, FlowNotDenyEvents, FlowDenyEvents\r\n| extend EventName = iif(isempty(EventName), extract(@\"^([\\w\\s]+)\\s(\\d.*)\",1, Message), EventName)", + "functionParameters": "", "version": 1, "tags": [ { 
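Review bot: In the rewritten `SshEvents` branch of the query (KQL shown unescaped), `| extend EventName = extract(@"([\w\s]+\!)",1, Message)` unconditionally overwrites the `EventName` computed on the pipe before it, so the `(for|from)` form is never kept; guarding it the way the `UserName` fallbacks are guarded, `| extend EventName = iif(isempty(EventName), extract(@"([\w\s]+\!)",1, Message), EventName)`, preserves the first match. This is pre-existing, but the hunk replaces the whole string and any analytic rule keyed on `EventName` inherits it. The new `FlowNotDenyEvents` columns `SourceZoneName`/`DestinationZoneName` sit beside the `ZoneName` that `SshEvents` and `IdsEvents` emit, so the final `union` exposes three zone columns and a consumer filtering on `ZoneName` will not see flow-session zones — presumably intended for the two-zone RT_FLOW format, but it deserves a line in the parser documentation. `(0x0/s)?` at the head of the `Parser2` regex looks like it was meant to be `(0x0\s)?`; as written the literal `/s` never matches, which is harmless only because the group is optional and its capture is unused. The same query string is updated a second time in the savedSearches copy at @@ -504 and the two must stay byte-identical.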
@@ -491,7 +471,18 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_parserContentId1')]", + "contentKind": "Parser", + "displayName": "JuniperSRX", + "contentProductId": "[variables('_parsercontentProductId1')]", + "id": "[variables('_parsercontentProductId1')]", + "version": "[variables('parserVersion1')]" } }, { 
@@ -504,8 +495,15 @@ "displayName": "JuniperSRX", "category": "Samples", "functionAlias": "JuniperSRX", - "query": "\n\r\nlet LogHeader = Syslog\r\n| extend Parser = extract_all(@\"(\\w+)\\:?\\s([\\S\\s]+)\", dynamic([1,2]),SyslogMessage)\r\n| mv-expand Parser\r\n| extend EventTimestamp = EventTime,\r\n DvcHostname = HostName,\r\n EventType = ProcessName,\r\n ProcessId = ProcessID,\r\n Message = trim(\"- \",tostring(Parser[1]))\r\n| project-away Parser;\r\nlet SshEvents = LogHeader\r\n| where EventType =~ \"sshd\"\r\n| extend Parser = extract_all(@\"password\\sfor\\s(\\w+)\\sfrom\\s([0-9.]+)\\sport\\s(\\d+)\",dynamic([1,2,3]), Message)\r\n| mv-expand Parser\r\n| extend UserName = tostring(Parser[0]),\r\n SrcIpAddr = tostring(Parser[1]),\r\n DstIpAddr = \"\",\r\n SrcPortNumber = toint(Parser[2]),\r\n DstPortNumber = toint(\"\"),\r\n ZoneName = \"\",\r\n InterfaceName = \"\",\r\n Action = \"\"\r\n| extend EventName = extract(@\"^(\\w+\\s?\\w+?)\\s(for|from)\",1, Message)\r\n| extend EventName = extract(@\"([\\w\\s]+\\!)\",1, Message)\r\n| extend UserName = iif(isempty(UserName), extract(@\"for\\suser\\s\\'(\\w+)\\'\\sfrom\\shost\\s\\'([0-9\\.]+)\\'\",1, Message), UserName)\r\n| extend UserName = iif(isempty(UserName), extract(@\"PAM_USER\\:\\s(\\w+)\",1, Message), UserName)\r\n| extend UserName = iif(isempty(UserName), extract(@\"user:\\s(\\w+)\",1, Message), UserName)\r\n| extend SrcIpAddr = iif(isempty(SrcIpAddr), extract(@\"from\\s(host)?\\s?\\'?([0-9.]+)\\'?\",2, Message), SrcIpAddr)\r\n| extend SrcIpAddr = iif(isempty(SrcIpAddr), extract(@\"source\\:\\s([0-9.]+)\\:\",1, Message), SrcIpAddr)\r\n| extend SrcIpAddr = iif(isempty(SrcIpAddr), extract(@\"closed\\sby\\s([0-9.]+)\\s\",1, Message), SrcIpAddr)\r\n| extend DstIpAddr = iif(isempty(DstIpAddr), extract(@\"destination\\:\\s([0-9.]+)\\:[0-9]+\",1, Message), DstIpAddr)\r\n| extend DstPortNumber = iif(isempty(DstPortNumber), toint(extract(@\"destination\\:\\s[0-9.]+\\:([0-9]+)\",1, Message)), DstPortNumber)\r\n| 
extend SrcPortNumber = iif(isempty(SrcPortNumber), toint(extract(@\"closed\\sby\\s([0-9.]+)\\sport\\s([0-9]+)\",2, Message)), SrcPortNumber)\r\n| extend SrcPortNumber = iif(isempty(SrcPortNumber), toint(extract(@\"source\\:\\s[0-9.]+\\:([0-9]+)\",1, Message)), SrcPortNumber)\r\n| extend ZoneName = iif(isempty(ZoneName), extract(@\"zone\\sname\\:\\s([\\w]+)\\,\\s\",1, Message), ZoneName)\r\n| extend InterfaceName = iif(isempty(InterfaceName), extract(@\"interface\\sname\\:\\s([\\w\\-\\.\\/]+)\\,\\s\",1, Message), InterfaceName)\r\n| extend Action = iif(isempty(Action), extract(@\"action\\:\\s([\\w]+)\",1, Message), Action)\r\n| project-away Parser;\r\nlet IdsEvents = LogHeader\r\n| where EventType == \"RT_IDS\"\r\n| extend SrcIpAddr = extract(@\"source\\:\\s([0-9.]+)\\,?\\:?(\\d+)?\",1, Message),\r\n SrcPortNumber = toint(extract(@\"source\\:\\s([0-9.]+)\\,?\\:?(\\d+)?\",2, Message)),\r\n DstIpAddr = extract(@\"destination\\:\\s([0-9.]+)\\,?\",1, Message),\r\n DstPortNumber = toint(extract(@\"destination\\:\\s([0-9.]+)\\,?\\:?(\\d+)?\",2, Message)),\r\n ProtocolId = toint(extract(@\"protocol-id\\:\\s([0-9.]+)\\,\",1, Message)),\r\n ZoneName = extract(@\"zone\\sname\\:\\s([\\w]+)\\,\",1, Message),\r\n InterfaceName = extract(@\"interface\\sname\\:\\s([\\w\\.]+)\\,\",1, Message),\r\n Action = extract(@\"action\\:\\s([\\w\\-\\.]+)\",1, Message);\r\nlet FlowEvents = LogHeader\r\n| where EventType == \"RT_FLOW\"\r\n| extend FlowEventName = extract(@\"^([\\w\\s]+)\\s(\\d.*)\",1, Message);\r\nlet FlowDenyEvents = FlowEvents\r\n| where FlowEventName =~ 'session denied'\r\n| extend Parser = extract_all(@\"^([\\w\\s\\-]+)(\\s|\\:)\\s?([\\d\\.]+)\\/(\\d+)\\-\\>([\\d\\.]+)\\/(\\d+)\\s(\\w+)?\\s?([\\w\\-]+)\\s([\\S\\s]+)\",dynamic([1,2,3,4,5,6,7,8,9]), Message)\r\n| mv-expand Parser\r\n| extend EventName = tostring(Parser[0]),\r\n SrcIpAddr = tostring(Parser[2]),\r\n SrcPortNumber = toint(Parser[3]),\r\n DstIpAddr = tostring(Parser[4]),\r\n DstPortNumber = toint(Parser[5]),\r\n 
ServiceName = tostring(Parser[7]),\r\n Substring = tostring(Parser[8])\r\n| project-away Parser, Substring;\r\nlet FlowNotDenyEvents = FlowEvents\r\n| where FlowEventName !~ 'session denied'\r\n| extend Parser = extract_all(@\"^([\\w\\s\\-]+)(\\s|\\:)\\s?([\\d\\.]+)\\/(\\d+)\\-\\>([\\d\\.]+)\\/(\\d+)\\s(\\w+)?\\s?([\\w\\-]+)\\s([\\d\\.]+)\\/(\\d+)\\-\\>([\\d\\.]+)\\/(\\d+)\\s([\\S\\s]+)\",dynamic([1,2,3,4,5,6,7,8,9,10,11,12,13]), Message)\r\n| mv-expand Parser\r\n| extend EventName = tostring(Parser[0]),\r\n SrcIpAddr = tostring(Parser[2]),\r\n SrcPortNumber = toint(Parser[3]),\r\n DstIpAddr = tostring(Parser[4]),\r\n DstPortNumber = toint(Parser[5]),\r\n ServiceName = tostring(Parser[7]),\r\n SrcNatIpAddr = tostring(Parser[8]),\r\n SrcNatPortNumber = toint(Parser[9]),\r\n DstNatIpAddr = tostring(Parser[10]),\r\n DstNatPortNumber = toint(Parser[11]),\r\n Substring = tostring(Parser[12])\r\n| extend Parser2 = extract_all(@\"(0x0/s)?([\\S]+)\\s([\\S]+)\\s([\\S]+)\\s([\\S]+)\\s(\\d+)\\s([\\S]+)\\s([\\S]+)\\s([\\S]+)\\s(\\d+)\",dynamic([1,2,3,4,5,6,7,8,9,10]), Substring)\r\n| mvexpand Parser2\r\n| extend ProtocolId = toint(Parser2[5]),\r\n PolicyName = tostring(Parser2[6]),\r\n SrcNatRuleName = tostring(Parser2[7]),\r\n DstNatRuleName = tostring(Parser2[8]),\r\n SessionId = toint(Parser2[9])\r\n| project-away Parser, Parser2, Substring;\r\nlet AllOtherEvents = LogHeader\r\n| where EventType !in (\"sshd\",\"RT_IDS\",\"RT_FLOW\")\r\n| extend EventName = extract(@\"^([\\w\\s]+)\\s(0)\",1, Message);\r\nunion SshEvents, IdsEvents, AllOtherEvents, FlowNotDenyEvents, FlowDenyEvents\r\n| extend EventName = iif(isempty(EventName), extract(@\"^([\\w\\s]+)\\s(\\d.*)\",1, Message), EventName)", - "version": 1 + "query": "\n\r\nlet LogHeader = Syslog\r\n| extend Parser = extract_all(@\"(\\w+)\\:?\\s([\\S\\s]+)\", dynamic([1,2]),SyslogMessage)\r\n| mv-expand Parser\r\n| extend EventTimestamp = EventTime,\r\n DvcHostname = HostName,\r\n EventType = ProcessName,\r\n ProcessId = 
ProcessID,\r\n Message = trim(\"- \",tostring(Parser[1]))\r\n| project-away Parser;\r\nlet SshEvents = LogHeader\r\n| where EventType =~ \"sshd\"\r\n| extend Parser = extract_all(@\"password\\sfor\\s(\\w+)\\sfrom\\s([0-9.]+)\\sport\\s(\\d+)\",dynamic([1,2,3]), Message)\r\n| mv-expand Parser\r\n| extend UserName = tostring(Parser[0]),\r\n SrcIpAddr = tostring(Parser[1]),\r\n DstIpAddr = \"\",\r\n SrcPortNumber = toint(Parser[2]),\r\n DstPortNumber = toint(\"\"),\r\n ZoneName = \"\",\r\n InterfaceName = \"\",\r\n Action = \"\"\r\n| extend EventName = extract(@\"^(\\w+\\s?\\w+?)\\s(for|from)\",1, Message)\r\n| extend EventName = extract(@\"([\\w\\s]+\\!)\",1, Message)\r\n| extend UserName = iif(isempty(UserName), extract(@\"for\\suser\\s\\'(\\w+)\\'\\sfrom\\shost\\s\\'([0-9\\.]+)\\'\",1, Message), UserName)\r\n| extend UserName = iif(isempty(UserName), extract(@\"PAM_USER\\:\\s(\\w+)\",1, Message), UserName)\r\n| extend UserName = iif(isempty(UserName), extract(@\"user:\\s(\\w+)\",1, Message), UserName)\r\n| extend SrcIpAddr = iif(isempty(SrcIpAddr), extract(@\"from\\s(host)?\\s?\\'?([0-9.]+)\\'?\",2, Message), SrcIpAddr)\r\n| extend SrcIpAddr = iif(isempty(SrcIpAddr), extract(@\"source\\:\\s([0-9.]+)\\:\",1, Message), SrcIpAddr)\r\n| extend SrcIpAddr = iif(isempty(SrcIpAddr), extract(@\"closed\\sby\\s([0-9.]+)\\s\",1, Message), SrcIpAddr)\r\n| extend DstIpAddr = iif(isempty(DstIpAddr), extract(@\"destination\\:\\s([0-9.]+)\\:[0-9]+\",1, Message), DstIpAddr)\r\n| extend DstPortNumber = iif(isempty(DstPortNumber), toint(extract(@\"destination\\:\\s[0-9.]+\\:([0-9]+)\",1, Message)), DstPortNumber)\r\n| extend SrcPortNumber = iif(isempty(SrcPortNumber), toint(extract(@\"closed\\sby\\s([0-9.]+)\\sport\\s([0-9]+)\",2, Message)), SrcPortNumber)\r\n| extend SrcPortNumber = iif(isempty(SrcPortNumber), toint(extract(@\"source\\:\\s[0-9.]+\\:([0-9]+)\",1, Message)), SrcPortNumber)\r\n| extend ZoneName = iif(isempty(ZoneName), extract(@\"zone\\sname\\:\\s([\\w]+)\\,\\s\",1, 
Message), ZoneName)\r\n| extend InterfaceName = iif(isempty(InterfaceName), extract(@\"interface\\sname\\:\\s([\\w\\-\\.\\/]+)\\,\\s\",1, Message), InterfaceName)\r\n| extend Action = iif(isempty(Action), extract(@\"action\\:\\s([\\w]+)\",1, Message), Action)\r\n| project-away Parser;\r\nlet IdsEvents = LogHeader\r\n| where EventType == \"RT_IDS\"\r\n| extend SrcIpAddr = extract(@\"source\\:\\s([0-9.]+)\\,?\\:?(\\d+)?\",1, Message),\r\n SrcPortNumber = toint(extract(@\"source\\:\\s([0-9.]+)\\,?\\:?(\\d+)?\",2, Message)),\r\n DstIpAddr = extract(@\"destination\\:\\s([0-9.]+)\\,?\",1, Message),\r\n DstPortNumber = toint(extract(@\"destination\\:\\s([0-9.]+)\\,?\\:?(\\d+)?\",2, Message)),\r\n ProtocolId = toint(extract(@\"protocol-id\\:\\s([0-9.]+)\\,\",1, Message)),\r\n ZoneName = extract(@\"zone\\sname\\:\\s([\\w]+)\\,\",1, Message),\r\n InterfaceName = extract(@\"interface\\sname\\:\\s([\\w\\.]+)\\,\",1, Message),\r\n Action = extract(@\"action\\:\\s([\\w\\-\\.]+)\",1, Message);\r\nlet FlowEvents = LogHeader\r\n| where EventType == \"RT_FLOW\"\r\n| extend FlowEventName = extract(@\"^([\\w\\s]+)\\s(\\d.*)\",1, Message);\r\nlet FlowDenyEvents = FlowEvents\r\n| where FlowEventName =~ 'session denied'\r\n| extend Parser = extract_all(@\"^([\\w\\s\\-]+)(\\s|\\:)\\s?([\\d\\.]+)\\/(\\d+)\\-\\>([\\d\\.]+)\\/(\\d+)\\s(\\w+)?\\s?([\\w\\-]+)\\s([\\S\\s]+)\",dynamic([1,2,3,4,5,6,7,8,9]), Message)\r\n| mv-expand Parser\r\n| extend EventName = tostring(Parser[0]),\r\n SrcIpAddr = tostring(Parser[2]),\r\n SrcPortNumber = toint(Parser[3]),\r\n DstIpAddr = tostring(Parser[4]),\r\n DstPortNumber = toint(Parser[5]),\r\n ServiceName = tostring(Parser[7]),\r\n Substring = tostring(Parser[8])\r\n| project-away Parser, Substring;\r\nlet FlowNotDenyEvents = FlowEvents\r\n| where FlowEventName !~ 'session denied'\r\n| extend Parser = 
extract_all(@\"^([\\w\\s\\-]+)(\\s|\\:)\\s?([\\d\\.]+)\\/(\\d+)\\-\\>([\\d\\.]+)\\/(\\d+)\\s(\\w+)?\\s?([\\w\\-]+)\\s([\\d\\.]+)\\/(\\d+)\\-\\>([\\d\\.]+)\\/(\\d+)\\s([\\S\\s]+)\",dynamic([1,2,3,4,5,6,7,8,9,10,11,12,13]), Message)\r\n| mv-expand Parser\r\n| extend EventName = tostring(Parser[0]),\r\n SrcIpAddr = tostring(Parser[2]),\r\n SrcPortNumber = toint(Parser[3]),\r\n DstIpAddr = tostring(Parser[4]),\r\n DstPortNumber = toint(Parser[5]),\r\n ServiceName = tostring(Parser[7]),\r\n SrcNatIpAddr = tostring(Parser[8]),\r\n SrcNatPortNumber = toint(Parser[9]),\r\n DstNatIpAddr = tostring(Parser[10]),\r\n DstNatPortNumber = toint(Parser[11]),\r\n Substring = tostring(Parser[12])\r\n| extend Parser2 = extract_all(@\"(0x0/s)?([\\S]+)\\s([\\S]+)\\s([\\S]+)\\s([\\S]+)\\s(\\d+)\\s([\\S]+)\\s([\\S]+)\\s([\\S]+)\\s(\\d+)\",dynamic([1,2,3,4,5,6,7,8,9,10]), Substring)\r\n| mvexpand Parser2\r\n| extend SrcNatRuleName = tostring(Parser2[2]),\r\n DstNatRuleName = tostring(Parser2[4]),\r\n ProtocolId = toint(Parser2[5]),\r\n PolicyName = tostring(Parser2[6]),\r\n SourceZoneName = tostring(Parser2[7]),\r\n DestinationZoneName = tostring(Parser2[8]),\r\n SessionId = toint(Parser2[9])\r\n| project-away Parser, Parser2, Substring;\r\nlet AllOtherEvents = LogHeader\r\n| where EventType !in (\"sshd\",\"RT_IDS\",\"RT_FLOW\")\r\n| extend EventName = extract(@\"^([\\w\\s]+)\\s(0)\",1, Message);\r\nunion SshEvents, IdsEvents, AllOtherEvents, FlowNotDenyEvents, FlowDenyEvents\r\n| extend EventName = iif(isempty(EventName), extract(@\"^([\\w\\s]+)\\s(\\d.*)\",1, Message), EventName)", + "functionParameters": "", + "version": 1, + "tags": [ + { + "name": "description", + "value": "JuniperSRX" + } + ] } }, { 
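Review bot: Denied sessions still leave this query with no PolicyName, SourceZoneName or DestinationZoneName: in the new query the FlowDenyEvents branch captures the rest of the message as `Substring = tostring(Parser[8])` and then does `| project-away Parser, Substring` without a second extract_all, so the zone columns this commit adds for FlowNotDenyEvents are empty on exactly the rows a deny-traffic detection would filter on. As far as I recall, Juniper's session-denied messages carry the policy name and both zone names after the service field, in a different layout from session-created (no NAT fields), so that branch needs its own pattern over Substring with `PolicyName = tostring(...)`, `SourceZoneName = tostring(...)`, `DestinationZoneName = tostring(...)` set before the project-away; confirm the field order against sample RT_FLOW_SESSION_DENY lines before wiring it in. The same gap applies to the parser source in Parsers/JuniperSRX.yaml in this commit and to the earlier copy of this query in this file; the query text is duplicated verbatim across those resources, so whichever fix lands should land in all of them. The resource object this query belongs to starts before the hunk.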
@@ -539,13 +537,20 @@ } }, { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", + "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "2.0.3", + "version": "3.0.0", "kind": "Solution", - "contentSchemaVersion": "2.0.0", + "contentSchemaVersion": "3.0.0", + "displayName": "Juniper SRX", + "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", + "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Juniper SRX solution for Microsoft Sentinel enables you to ingest Juniper SRX traffic and system logs into Microsoft Sentinel.

\n

Underlying Microsoft Technologies used:

\n

This solution is dependent on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Agent-based log collection (Syslog)
  2. \n
\n

Data Connectors: 1, Parsers: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n",
+ "contentKind": "Solution",
+ "contentProductId": "[variables('_solutioncontentProductId')]",
+ "id": "[variables('_solutioncontentProductId')]",
+ "icon": "",
 "contentId": "[variables('_solutionId')]",
 "parentId": "[variables('_solutionId')]",
 "source": {
diff --git a/Solutions/Juniper SRX/Parsers/JuniperSRX.yaml b/Solutions/Juniper SRX/Parsers/JuniperSRX.yaml
index e5726f7e6e0..e7a58eec6a9 100644
--- a/Solutions/Juniper SRX/Parsers/JuniperSRX.yaml
+++ b/Solutions/Juniper SRX/Parsers/JuniperSRX.yaml
@@ -86,10 +86,12 @@ FunctionQuery: |
 Substring = tostring(Parser[12])
 | extend Parser2 = extract_all(@"(0x0/s)?([\S]+)\s([\S]+)\s([\S]+)\s([\S]+)\s(\d+)\s([\S]+)\s([\S]+)\s([\S]+)\s(\d+)",dynamic([1,2,3,4,5,6,7,8,9,10]), Substring)
 | mvexpand Parser2
- | extend ProtocolId = toint(Parser2[5]),
+ | extend SrcNatRuleName = tostring(Parser2[2]),
+ DstNatRuleName = tostring(Parser2[4]),
+ ProtocolId = toint(Parser2[5]),
 PolicyName = tostring(Parser2[6]),
- SrcNatRuleName = tostring(Parser2[7]),
- DstNatRuleName = tostring(Parser2[8]),
+ SourceZoneName = tostring(Parser2[7]),
+ DestinationZoneName = tostring(Parser2[8]),
 SessionId = toint(Parser2[9])
 | project-away Parser, Parser2, Substring;
 let AllOtherEvents = LogHeader
diff --git a/Solutions/Juniper SRX/ReleaseNotes.md b/Solutions/Juniper SRX/ReleaseNotes.md
new file mode 100644
index 00000000000..5fcb57a2206
--- /dev/null
+++ b/Solutions/Juniper SRX/ReleaseNotes.md
@@ -0,0 +1,4 @@
+| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
+|-------------|--------------------------------|--------------------------------------------------|
+| 3.0.0 | 29-08-2023 | Modified the **Parser** to process Zone Details |
+
diff --git a/Solutions/SAP/template/systemconfig.json b/Solutions/SAP/template/systemconfig.json
new file mode 100644
index 00000000000..f73988496fe
--- /dev/null
+++ b/Solutions/SAP/template/systemconfig.json
@@ -0,0 +1,96 @@
+{
+ "": {
+ "signature": {
+ "timestamp": 1684233253361,
+ "turned_on": true
+ },
+ "secrets_source": {
+ "secrets": "",
+ "keyvault": "",
+ "intprefix": ""
+ },
+ "abap_central_instance": {
+ "ashost": "",
+ "sysnr": "",
+ "user": "",
+ "sysid": "",
+ "client": ""
+ },
+ "azure_credentials": {
+ "loganalyticswsid": "",
+ "publickey": ""
+ },
+ "file_extraction_abap": {
+ "osuser": "",
+ "ospasswd": "",
+ "appserver": "",
+ "instance": "",
+ "x509pkicert": "",
+ "abapseverity": "",
+ "abaptz": ""
+ },
+ "file_extraction_java": {
+ "javaosuser": "",
+ "javaospasswd": "",
+ "javaappserver": "",
+ "javainstance": "",
+ "javax509pkicert": "",
+ "javaseverity": "",
+ "javatz": ""
+ },
+ "logs_activation_status": {
+ "abapauditlog": "True",
+ "abapjoblog": "True",
+ "abapspoollog": "True",
+ "abapspooloutputlog": "True",
+ "abapchangedocslog": "True",
+ "abapapplog": "True",
+ "abapworkflowlog": "True",
+ "abapcrlog": "True",
+ "abaptabledatalog": "False",
+ "abapfileslogs": "False",
+ "syslog": "False",
+ "icm": "False",
+ "wp": "False",
+ "gw": "False",
+ "javafileslogs": "False"
+ },
+ "connector_configuration": {
+ "extractuseremail": "True",
+ "apiretry": "False",
+ "auditlogforcexal": "False",
+ "auditlogforcelegacyfiles": "False",
+ "timechunk": "5"
+ },
+ "abap_table_selector": {
+ "agr_tcodes_full": "True",
+ "usr01_full": "True",
+ "usr02_full": "True",
+ "usr02_incremental": "True",
+ "agr_1251_full": "True",
+ "agr_users_full": "True",
+ "agr_users_incremental": "True",
+ "agr_prof_full": "True",
+ "ust04_full": "True",
+ "usr21_full": "True",
+ "adr6_full": "True",
+ "adcp_full": "True",
+ "usr05_full": "True",
+ "usgrp_user_full": "True",
+ "user_addr_full": "True",
+ "devaccess_full": "True",
+ "agr_define_full": "True",
+ "agr_define_incremental": "True",
+ "pahi_full": "True",
+ "pahi_incremental": "True",
+ "agr_agrs_full": "True",
+ "usrstamp_full": "True",
+ "usrstamp_incremental": "True",
+ "agr_flags_full": "True",
+ "agr_flags_incremental": "True",
+ "sncsysacl_full": "False",
+ "usracl_full": "False",
+ "#selector_config": "[{\n\"log_id\": \"USR02_FULL\",\n\"blocked_cols\": [\"BCODE\", \"OCOD1\", \"OCOD2\", \"OCOD3\", \"OCOD4\", \"OCOD5\", \"PASSCODE\", \"PWDSALTEDHASH\"],\n\"interval_sub_type\": \"days\",\n\"interval_value\": 1,\n\"bulk_size\":10000\n},\n{\n\"log_id\": \"AGR_AGRS_FULL\",\n\"interval_sub_type\": \"days\",\n\"interval_value\": 7,\n\"bulk_size\":10000\n}]"
+ }
+ }
+}
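Review bot: The `blocked_cols` list that keeps the USR02 password-hash columns (BCODE, OCOD1–OCOD5, PASSCODE, PWDSALTEDHASH) out of the extraction lives only under the `"#selector_config"` key, whose `#` prefix suggests the connector treats it as disabled, while `"usr02_full"` and `"usr02_incremental"` are both `"True"`. If the connector does not apply an equivalent default block list for USR02, a deployment that keeps this template as shipped would copy SAP credential hashes into the workspace; confirm that default, or activate the key as `"selector_config"` with the USR02_FULL entry in place. The template also invites `"ospasswd"`, `"javaospasswd"` and `"publickey"` to be filled inline even though `"secrets_source"` offers a `"keyvault"` option, and JSON has nowhere to say so; a line in the accompanying README stating that these should stay empty and be sourced from Key Vault would keep credentials out of this file. Minor: the `"True"`/`"False"` strings and `"timechunk": "5"` would be cleaner as JSON booleans and a number if the loader accepts them.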