diff --git a/Solutions/CiscoMeraki/Package/3.0.3.zip b/Solutions/CiscoMeraki/Package/3.0.3.zip
new file mode 100644
index 00000000000..a3189442e27
Binary files /dev/null and b/Solutions/CiscoMeraki/Package/3.0.3.zip differ
diff --git a/Solutions/CiscoMeraki/Package/createUiDefinition.json b/Solutions/CiscoMeraki/Package/createUiDefinition.json
index a47cdbb82af..5f1a93a04a8 100644
--- a/Solutions/CiscoMeraki/Package/createUiDefinition.json
+++ b/Solutions/CiscoMeraki/Package/createUiDefinition.json
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/CiscoMeraki/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Cisco Meraki solution allows you to easily connect your Cisco Meraki (MX/MR/MS) logs with Microsoft Sentinel. This gives you more insight into your organization's network and improves your security operation capabilities.\n\n This solution is dependent on the Custom logs via AMA connector to collect the logs. The Custom logs solution will be installed as part of this solution installation.\n\n **NOTE**: Microsoft recommends installation of Custom logs via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Custom Azure Logic Apps Connectors:** 1, **Playbooks:** 5\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/CiscoMeraki/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Cisco Meraki solution allows you to easily connect your Cisco Meraki (MX/MR/MS) logs with Microsoft Sentinel. 
This gives you more insight into your organization's network and improves your security operation capabilities.\n\n This solution is dependent on the Custom logs via AMA connector to collect the logs. The Custom logs solution will be installed as part of this solution installation.\n\n **NOTE**: Microsoft recommends installation of Custom logs via AMA Connector. Legacy connector uses the Log Analytics agent which were deprecated on **Aug 31, 2024.** Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Parsers:** 1, **Workbooks:** 1, **Custom Azure Logic Apps Connectors:** 1, **Playbooks:** 5\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", 
@@ -51,37 +51,6 @@
 }
 ],
 "steps": [
- {
- "name": "dataconnectors",
- "label": "Data Connectors",
- "bladeTitle": "Data Connectors",
- "elements": [
- {
- "name": "dataconnectors1-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "This Solution installs the data connector for CiscoMeraki. You can get CiscoMeraki custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
- }
- },
- {
- "name": "dataconnectors-parser-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel."
- }
- },
- {
- "name": "dataconnectors-link2",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "link": {
- "label": "Learn more about connecting data sources",
- "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
- }
- }
- }
- ]
- },
 {
 "name": "workbooks",
 "label": "Workbooks",
diff --git a/Solutions/CiscoMeraki/Package/mainTemplate.json b/Solutions/CiscoMeraki/Package/mainTemplate.json
index 05606511780..af838991bd4 100644
--- a/Solutions/CiscoMeraki/Package/mainTemplate.json
+++ b/Solutions/CiscoMeraki/Package/mainTemplate.json
@@ -41,7 +41,7 @@
 "email": "support@microsoft.com",
 "_email": "[variables('email')]",
 "_solutionName": "CiscoMeraki",
- "_solutionVersion": "3.0.2",
+ "_solutionVersion": "3.0.3",
 "solutionId": "azuresentinel.azure-sentinel-solution-ciscomeraki",
 "_solutionId": "[variables('solutionId')]",
 "workbookVersion1": "1.0.0",
@@ -51,15 +51,6 @@
 "_workbookContentId1": "[variables('workbookContentId1')]",
 "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
 "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]",
- "uiConfigId1": "CiscoMeraki",
- "_uiConfigId1": "[variables('uiConfigId1')]",
- "dataConnectorContentId1": "CiscoMeraki",
- "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
- "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "_dataConnectorId1": "[variables('dataConnectorId1')]",
- "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
- "dataConnectorVersion1": "1.0.0",
- "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
 "parserObject1": {
 "_parserName1": "[concat(parameters('workspace'),'/','Cisco Meraki Data Parser')]",
 "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Cisco Meraki Data Parser')]",
@@ -128,7 +119,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CiscoMerakiWorkbook Workbook with template version 3.0.2",
+ "description": "CiscoMerakiWorkbook Workbook with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion1')]",
@@ -223,359 +214,6 @@ "version": "[variables('workbookVersion1')]" } }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "CiscoMeraki data connector with template version 3.0.2", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion1')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId1')]", - "title": "[Deprecated] Cisco Meraki", - "publisher": "Cisco", - "descriptionMarkdown": "The [Cisco Meraki](https://meraki.cisco.com/) connector allows you to easily connect your Cisco Meraki (MX/MR/MS) logs with Microsoft Sentinel. 
This gives you more insight into your organization's network and improves your security operation capabilities.", - "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "CiscoMeraki", - "baseQuery": "CiscoMeraki" - } - ], - "sampleQueries": [ - { - "description": "Total Events by Log Type", - "query": "CiscoMeraki \n | summarize count() by LogType" - }, - { - "description": "Top 10 Blocked Connections", - "query": "CiscoMeraki \n | where LogType == \"security_event\" \n | where Action == \"block\" \n | summarize count() by SrcIpAddr, DstIpAddr, Action, Disposition \n | top 10 by count_" - } - ], - "dataTypes": [ - { - "name": "meraki_CL", - "lastDataReceivedQuery": "CiscoMeraki \n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "CiscoMeraki \n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)" - ] - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "write permission is required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "delete": true - } - } - ], - "customs": [ - { - "name": "Cisco Meraki", - "description": "must be configured to export logs via Syslog" - } - ] - }, - "instructionSteps": [ - { - "description": "**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. 
To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias CiscoMeraki and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoMeraki/Parsers/CiscoMeraki.txt). The function usually takes 10-15 minutes to activate after solution installation/update." - }, - { - "description": "Typically, you should install the agent on a different computer from the one on which the logs are generated.\n\n> Syslog logs are collected only from **Linux** agents.", - "instructions": [ - { - "parameters": { - "title": "Choose where to install the agent:", - "instructionSteps": [ - { - "title": "Install agent on Azure Linux Virtual Machine", - "description": "Select the machine to install the agent on and then click **Connect**.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnLinuxVirtualMachine" - }, - "type": "InstallAgent" - } - ] - }, - { - "title": "Install agent on a non-Azure Linux Machine", - "description": "Download the agent on the relevant machine and follow the instructions.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnLinuxNonAzure" - }, - "type": "InstallAgent" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ], - "title": "1. Install and onboard the agent for Linux" - }, - { - "description": "Follow the configuration steps below to get Cisco Meraki device logs into Microsoft Sentinel. Refer to the [Azure Monitor Documentation](https://docs.microsoft.com/azure/azure-monitor/agents/data-sources-json) for more details on these steps.\n For Cisco Meraki logs, we have issues while parsing the data by OMS agent data using default settings. \nSo we advice to capture the logs into custom table **meraki_CL** using below instructions. \n1. Login to the server where you have installed OMS agent.\n2. 
Download config file [meraki.conf](https://aka.ms/sentinel-ciscomerakioms-conf) \n\t\twget -v https://aka.ms/sentinel-ciscomerakioms-conf -O meraki.conf \n3. Copy meraki.conf to the /etc/opt/microsoft/omsagent/**workspace_id**/conf/omsagent.d/ folder. \n\t\tcp meraki.conf /etc/opt/microsoft/omsagent/<>/conf/omsagent.d/\n4. Edit meraki.conf as follows:\n\n\t a. meraki.conf uses the port **22033** by default. Ensure this port is not being used by any other source on your server\n\n\t b. If you would like to change the default port for **meraki.conf** make sure that you dont use default Azure monitoring /log analytic agent ports I.e.(For example CEF uses TCP port **25226** or **25224**) \n\n\t c. replace **workspace_id** with real value of your Workspace ID (lines 14,15,16,19)\n5. Save changes and restart the Azure Log Analytics agent for Linux service with the following command:\n\t\tsudo /opt/microsoft/omsagent/bin/service_control restart\n6. Modify /etc/rsyslog.conf file - add below template preferably at the beginning / before directives section \n\t\t$template meraki,\"%timestamp% %hostname% %msg%\\n\" \n7. 
Create a custom conf file in /etc/rsyslog.d/ for example 10-meraki.conf and add following filter conditions.\n\n\t With an added statement you will need to create a filter which will specify the logs coming from the Cisco Meraki to be forwarded to the custom table.\n\n\t reference: [Filter Conditions — rsyslog 8.18.0.master documentation](https://rsyslog.readthedocs.io/en/latest/configuration/filters.html)\n\n\t Here is an example of filtering that can be defined, this is not complete and will require additional testing for each installation.\n\t\t if $rawmsg contains \"flows\" then @@127.0.0.1:22033;meraki\n\t\t & stop\n\t\t if $rawmsg contains \"firewall\" then @@127.0.0.1:22033;meraki\n\t\t & stop\n\t\t if $rawmsg contains \"urls\" then @@127.0.0.1:22033;meraki\n\t\t & stop\n\t\t if $rawmsg contains \"ids-alerts\" then @@127.0.0.1:22033;meraki\n\t\t & stop\n\t\t if $rawmsg contains \"events\" then @@127.0.0.1:22033;meraki\n\t\t & stop\n\t\t if $rawmsg contains \"ip_flow_start\" then @@127.0.0.1:22033;meraki\n\t\t & stop\n\t\t if $rawmsg contains \"ip_flow_end\" then @@127.0.0.1:22033;meraki\n\t\t & stop \n8. Restart rsyslog\n\t\t systemctl restart rsyslog", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Workspace ID" - }, - "type": "CopyableLabel" - } - ], - "title": "2. Configure the logs to be collected" - }, - { - "description": "[Follow these instructions](https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Meraki_Device_Reporting_-_Syslog%2C_SNMP_and_API) to configure the Cisco Meraki device(s) to forward syslog. Use the IP address or hostname for the Linux device with the Linux agent installed as the Destination IP address.", - "title": "3. 
Configure and connect the Cisco Meraki device(s)" - } - ] - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "CiscoMeraki", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId1')]", - "contentKind": "DataConnector", - "displayName": "[Deprecated] Cisco Meraki", - "contentProductId": "[variables('_dataConnectorcontentProductId1')]", - "id": "[variables('_dataConnectorcontentProductId1')]", - "version": "[variables('dataConnectorVersion1')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId1')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - 
"parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "CiscoMeraki", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "[Deprecated] Cisco Meraki", - "publisher": "Cisco", - "descriptionMarkdown": "The [Cisco Meraki](https://meraki.cisco.com/) connector allows you to easily connect your Cisco Meraki (MX/MR/MS) logs with Microsoft Sentinel. 
This gives you more insight into your organization's network and improves your security operation capabilities.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "CiscoMeraki", - "baseQuery": "CiscoMeraki" - } - ], - "dataTypes": [ - { - "name": "meraki_CL", - "lastDataReceivedQuery": "CiscoMeraki \n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "CiscoMeraki \n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)" - ] - } - ], - "sampleQueries": [ - { - "description": "Total Events by Log Type", - "query": "CiscoMeraki \n | summarize count() by LogType" - }, - { - "description": "Top 10 Blocked Connections", - "query": "CiscoMeraki \n | where LogType == \"security_event\" \n | where Action == \"block\" \n | summarize count() by SrcIpAddr, DstIpAddr, Action, Disposition \n | top 10 by count_" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "write permission is required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "delete": true - } - } - ], - "customs": [ - { - "name": "Cisco Meraki", - "description": "must be configured to export logs via Syslog" - } - ] - }, - "instructionSteps": [ - { - "description": "**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias CiscoMeraki and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoMeraki/Parsers/CiscoMeraki.txt). 
The function usually takes 10-15 minutes to activate after solution installation/update." - }, - { - "description": "Typically, you should install the agent on a different computer from the one on which the logs are generated.\n\n> Syslog logs are collected only from **Linux** agents.", - "instructions": [ - { - "parameters": { - "title": "Choose where to install the agent:", - "instructionSteps": [ - { - "title": "Install agent on Azure Linux Virtual Machine", - "description": "Select the machine to install the agent on and then click **Connect**.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnLinuxVirtualMachine" - }, - "type": "InstallAgent" - } - ] - }, - { - "title": "Install agent on a non-Azure Linux Machine", - "description": "Download the agent on the relevant machine and follow the instructions.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnLinuxNonAzure" - }, - "type": "InstallAgent" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ], - "title": "1. Install and onboard the agent for Linux" - }, - { - "description": "Follow the configuration steps below to get Cisco Meraki device logs into Microsoft Sentinel. Refer to the [Azure Monitor Documentation](https://docs.microsoft.com/azure/azure-monitor/agents/data-sources-json) for more details on these steps.\n For Cisco Meraki logs, we have issues while parsing the data by OMS agent data using default settings. \nSo we advice to capture the logs into custom table **meraki_CL** using below instructions. \n1. Login to the server where you have installed OMS agent.\n2. Download config file [meraki.conf](https://aka.ms/sentinel-ciscomerakioms-conf) \n\t\twget -v https://aka.ms/sentinel-ciscomerakioms-conf -O meraki.conf \n3. Copy meraki.conf to the /etc/opt/microsoft/omsagent/**workspace_id**/conf/omsagent.d/ folder. \n\t\tcp meraki.conf /etc/opt/microsoft/omsagent/<>/conf/omsagent.d/\n4. Edit meraki.conf as follows:\n\n\t a. 
meraki.conf uses the port **22033** by default. Ensure this port is not being used by any other source on your server\n\n\t b. If you would like to change the default port for **meraki.conf** make sure that you dont use default Azure monitoring /log analytic agent ports I.e.(For example CEF uses TCP port **25226** or **25224**) \n\n\t c. replace **workspace_id** with real value of your Workspace ID (lines 14,15,16,19)\n5. Save changes and restart the Azure Log Analytics agent for Linux service with the following command:\n\t\tsudo /opt/microsoft/omsagent/bin/service_control restart\n6. Modify /etc/rsyslog.conf file - add below template preferably at the beginning / before directives section \n\t\t$template meraki,\"%timestamp% %hostname% %msg%\\n\" \n7. Create a custom conf file in /etc/rsyslog.d/ for example 10-meraki.conf and add following filter conditions.\n\n\t With an added statement you will need to create a filter which will specify the logs coming from the Cisco Meraki to be forwarded to the custom table.\n\n\t reference: [Filter Conditions — rsyslog 8.18.0.master documentation](https://rsyslog.readthedocs.io/en/latest/configuration/filters.html)\n\n\t Here is an example of filtering that can be defined, this is not complete and will require additional testing for each installation.\n\t\t if $rawmsg contains \"flows\" then @@127.0.0.1:22033;meraki\n\t\t & stop\n\t\t if $rawmsg contains \"firewall\" then @@127.0.0.1:22033;meraki\n\t\t & stop\n\t\t if $rawmsg contains \"urls\" then @@127.0.0.1:22033;meraki\n\t\t & stop\n\t\t if $rawmsg contains \"ids-alerts\" then @@127.0.0.1:22033;meraki\n\t\t & stop\n\t\t if $rawmsg contains \"events\" then @@127.0.0.1:22033;meraki\n\t\t & stop\n\t\t if $rawmsg contains \"ip_flow_start\" then @@127.0.0.1:22033;meraki\n\t\t & stop\n\t\t if $rawmsg contains \"ip_flow_end\" then @@127.0.0.1:22033;meraki\n\t\t & stop \n8. 
Restart rsyslog\n\t\t systemctl restart rsyslog",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId"
- ],
- "label": "Workspace ID"
- },
- "type": "CopyableLabel"
- }
- ],
- "title": "2. Configure the logs to be collected"
- },
- {
- "description": "[Follow these instructions](https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Meraki_Device_Reporting_-_Syslog%2C_SNMP_and_API) to configure the Cisco Meraki device(s) to forward syslog. Use the IP address or hostname for the Linux device with the Linux agent installed as the Destination IP address.",
- "title": "3. Configure and connect the Cisco Meraki device(s)"
- }
- ],
- "id": "[variables('_uiConfigId1')]",
- "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution."
- }
- }
- },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
@@ -585,7 +223,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CiscoMeraki Data Parser with template version 3.0.2",
+ "description": "CiscoMeraki Data Parser with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('parserObject1').parserVersion1]",
@@ -717,7 +355,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "MerakiConnector Playbook with template version 3.0.2",
+ "description": "MerakiConnector Playbook with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion1')]",
@@ -3200,7 +2838,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Block-Device-Client-Meraki Playbook with template version 3.0.2",
+ "description": "Block-Device-Client-Meraki Playbook with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion2')]",
@@ -4267,7 +3905,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Block-IP-Address-Meraki Playbook with template version 3.0.2",
+ "description": "Block-IP-Address-Meraki Playbook with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion3')]",
@@ -5335,7 +4973,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Block-URL-Meraki Playbook with template version 3.0.2",
+ "description": "Block-URL-Meraki Playbook with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion4')]",
@@ -6164,7 +5802,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "IP-Enrichment-Meraki Playbook with template version 3.0.2",
+ "description": "IP-Enrichment-Meraki Playbook with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion5')]",
@@ -7011,7 +6649,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "URL-Enrichment-Meraki Playbook with template version 3.0.2",
+ "description": "URL-Enrichment-Meraki Playbook with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion6')]",
@@ -7661,12 +7299,12 @@
 "apiVersion": "2023-04-01-preview",
 "location": "[parameters('workspace-location')]",
 "properties": {
- "version": "3.0.2",
+ "version": "3.0.3",
 "kind": "Solution",
 "contentSchemaVersion": "3.0.0",
 "displayName": "CiscoMeraki",
 "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation",
- "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Cisco Meraki solution allows you to easily connect your Cisco Meraki (MX/MR/MS) logs with Microsoft Sentinel. This gives you more insight into your organization's network and improves your security operation capabilities.

\n

This solution is dependent on the Custom logs via AMA connector to collect the logs. The Custom logs solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of Custom logs via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.

\n

Data Connectors: 1, Parsers: 1, Workbooks: 1, Custom Azure Logic Apps Connectors: 1, Playbooks: 5

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Cisco Meraki solution allows you to easily connect your Cisco Meraki (MX/MR/MS) logs with Microsoft Sentinel. This gives you more insight into your organization's network and improves your security operation capabilities.

\n

This solution is dependent on the Custom logs via AMA connector to collect the logs. The Custom logs solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of Custom logs via AMA Connector. Legacy connector uses the Log Analytics agent which were deprecated on Aug 31, 2024. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.

\n

Parsers: 1, Workbooks: 1, Custom Azure Logic Apps Connectors: 1, Playbooks: 5

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n",
 "contentKind": "Solution",
 "contentProductId": "[variables('_solutioncontentProductId')]",
 "id": "[variables('_solutioncontentProductId')]",
@@ -7695,11 +7333,6 @@
 "contentId": "[variables('_workbookContentId1')]",
 "version": "[variables('workbookVersion1')]"
 },
- {
- "kind": "DataConnector",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "version": "[variables('dataConnectorVersion1')]"
- },
 {
 "kind": "Parser",
 "contentId": "[variables('parserObject1').parserContentId1]",
diff --git a/Solutions/CiscoMeraki/ReleaseNotes.md b/Solutions/CiscoMeraki/ReleaseNotes.md
index 6438c2415c0..821139d8d51 100644
--- a/Solutions/CiscoMeraki/ReleaseNotes.md
+++ b/Solutions/CiscoMeraki/ReleaseNotes.md
@@ -1,4 +1,5 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|-------------------------------------------------------------|
+| 3.0.3 | 02012-2024 | Removed Deprecated **Data Connectors** |
 | 3.0.2 | 12-08-2024 | Deprecating data connector |
 | 3.0.1 | 26-07-2023 | Updated **Workbook** template to remove unused variables. |
diff --git a/Solutions/CiscoMeraki/data/Solution_CiscoMeraki.json b/Solutions/CiscoMeraki/data/Solution_CiscoMeraki.json
index 64c91dd4dbd..873baebe2ad 100644
--- a/Solutions/CiscoMeraki/data/Solution_CiscoMeraki.json
+++ b/Solutions/CiscoMeraki/data/Solution_CiscoMeraki.json
@@ -2,13 +2,10 @@
 "Name": "CiscoMeraki",
 "Author": "Microsoft - support@microsoft.com",
 "Logo": "",
- "Description": "The Cisco Meraki solution allows you to easily connect your Cisco Meraki (MX/MR/MS) logs with Microsoft Sentinel. This gives you more insight into your organization's network and improves your security operation capabilities.\n\n This solution is dependent on the Custom logs via AMA connector to collect the logs. The Custom logs solution will be installed as part of this solution installation.\n\n **NOTE**: Microsoft recommends installation of Custom logs via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).",
+ "Description": "The Cisco Meraki solution allows you to easily connect your Cisco Meraki (MX/MR/MS) logs with Microsoft Sentinel. This gives you more insight into your organization's network and improves your security operation capabilities.\n\n This solution is dependent on the Custom logs via AMA connector to collect the logs. The Custom logs solution will be installed as part of this solution installation.\n\n **NOTE**: Microsoft recommends installation of Custom logs via AMA Connector. Legacy connector uses the Log Analytics agent which were deprecated on **Aug 31, 2024.** Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).",
 "Workbooks": [
 "Workbooks/CiscoMerakiWorkbook.json"
 ],
- "Data Connectors": [
- "Data Connectors/Connector_Syslog_CiscoMeraki.json"
- ],
 "Parsers": [
 "Parsers/CiscoMeraki.yaml"
 ],
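Review bot: The new Description line says `Legacy connector uses the Log Analytics agent which were deprecated on **Aug 31, 2024.**`, which has a number-agreement slip and pulls the sentence's period inside the bold span; suggest `Legacy connector uses the Log Analytics agent, which was deprecated on **Aug 31, 2024**.` The identical sentence is added on the new side of Solutions/VMWareESXi/Data/Solution_VMWareESXi.json and Solutions/VMWareESXi/Package/createUiDefinition.json, so all copies should be corrected together (the Package copies are presumably regenerated from the Data file by the packaging tool). The description still states that the solution depends on the Custom logs via AMA connector and that the Custom logs solution is installed with it, but with the `Data Connectors` array dropped nothing in this hunk carries that dependency, so it is worth confirming it is still declared where the packaging tool reads it. Relatedly, the 3.0.3 row added to ReleaseNotes.md carries the date `02012-2024`, which does not fit the table's DD-MM-YYYY column.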
@@ -25,7 +22,7 @@
 ],
 "Metadata": "SolutionMetadata.json",
 "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\CiscoMeraki",
- "Version": "3.0.2",
+ "Version": "3.0.3",
 "TemplateSpec": true,
 "Is1Pconnector": false
 }
\ No newline at end of file
diff --git a/Solutions/VMWareESXi/Analytic Rules/ESXiDormantVMStarted.yaml b/Solutions/VMWareESXi/Analytic Rules/ESXiDormantVMStarted.yaml
index ae3ffa5db01..11c34d1682c 100755
--- a/Solutions/VMWareESXi/Analytic Rules/ESXiDormantVMStarted.yaml
+++ b/Solutions/VMWareESXi/Analytic Rules/ESXiDormantVMStarted.yaml
@@ -4,9 +4,6 @@ description: |
 'Detects when dormant VM was started.'
 severity: Medium
 requiredDataConnectors:
- - connectorId: VMwareESXi
- dataTypes:
- - VMwareESXi
 - connectorId: SyslogAma
 datatypes:
 - Syslog
@@ -56,5 +53,5 @@ entityMappings:
 columnName: HostName
 - identifier: NTDomain
 columnName: NTDomain
-version: 1.0.2
+version: 1.0.3
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/VMWareESXi/Analytic Rules/ESXiLowPatchDiskSpace.yaml b/Solutions/VMWareESXi/Analytic Rules/ESXiLowPatchDiskSpace.yaml
index 378398fe1d6..746e635428c 100755
--- a/Solutions/VMWareESXi/Analytic Rules/ESXiLowPatchDiskSpace.yaml
+++ b/Solutions/VMWareESXi/Analytic Rules/ESXiLowPatchDiskSpace.yaml
@@ -5,9 +5,6 @@ description: |
 severity: Medium
 status: Available
 requiredDataConnectors:
- - connectorId: VMwareESXi
- dataTypes:
- - VMwareESXi
 - connectorId: SyslogAma
 datatypes:
 - Syslog
@@ -32,5 +29,5 @@ entityMappings:
 fieldMappings:
 - identifier: FullName
 columnName: HostCustomEntity
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled
diff --git a/Solutions/VMWareESXi/Analytic Rules/ESXiLowTempDirSpace.yaml b/Solutions/VMWareESXi/Analytic Rules/ESXiLowTempDirSpace.yaml
index 97945fe4c51..1311148dc16 100755
--- a/Solutions/VMWareESXi/Analytic Rules/ESXiLowTempDirSpace.yaml
+++ b/Solutions/VMWareESXi/Analytic Rules/ESXiLowTempDirSpace.yaml
@@ -5,9 +5,6 @@ description: |
 severity: Medium
 status: Available
 requiredDataConnectors:
- - connectorId: VMwareESXi
- dataTypes:
- - VMwareESXi
 - connectorId: SyslogAma
 datatypes:
 - Syslog
@@ -32,5 +29,5 @@ entityMappings:
 fieldMappings:
 - identifier: FullName
 columnName: HostCustomEntity
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/VMWareESXi/Analytic Rules/ESXiMultipleNewVM.yaml b/Solutions/VMWareESXi/Analytic Rules/ESXiMultipleNewVM.yaml
index 5c2aa676a86..4e1450bb107 100755
--- a/Solutions/VMWareESXi/Analytic Rules/ESXiMultipleNewVM.yaml
+++ b/Solutions/VMWareESXi/Analytic Rules/ESXiMultipleNewVM.yaml
@@ -5,9 +5,6 @@ description: |
 severity: Medium
 status: Available
 requiredDataConnectors:
- - connectorId: VMwareESXi
- dataTypes:
- - VMwareESXi
 - connectorId: SyslogAma
 datatypes:
 - Syslog
@@ -45,5 +42,5 @@ entityMappings:
 columnName: HostName
 - identifier: NTDomain
 columnName: NTDomain
-version: 1.0.2
+version: 1.0.3
 kind: Scheduled
diff --git a/Solutions/VMWareESXi/Analytic Rules/ESXiMultipleVMStopped.yaml b/Solutions/VMWareESXi/Analytic Rules/ESXiMultipleVMStopped.yaml
index 36af4b83d07..6e8e4fea818 100755
--- a/Solutions/VMWareESXi/Analytic Rules/ESXiMultipleVMStopped.yaml
+++ b/Solutions/VMWareESXi/Analytic Rules/ESXiMultipleVMStopped.yaml
@@ -5,9 +5,6 @@ description: |
 severity: Medium
 status: Available
 requiredDataConnectors:
- - connectorId: VMwareESXi
- dataTypes:
- - VMwareESXi
 - connectorId: SyslogAma
 datatypes:
 - Syslog
@@ -42,5 +39,5 @@ entityMappings:
 columnName: HostName
 - identifier: NTDomain
 columnName: NTDomain
-version: 1.0.2
+version: 1.0.3
 kind: Scheduled
diff --git a/Solutions/VMWareESXi/Analytic Rules/ESXiNewVM.yaml b/Solutions/VMWareESXi/Analytic Rules/ESXiNewVM.yaml
index db02be7d53d..dbdfacb1159 100755
--- a/Solutions/VMWareESXi/Analytic Rules/ESXiNewVM.yaml
+++ b/Solutions/VMWareESXi/Analytic Rules/ESXiNewVM.yaml
@@ -5,9 +5,6 @@ description: |
 severity: Medium
 status: Available
 requiredDataConnectors:
- - connectorId: VMwareESXi
- dataTypes:
- - VMwareESXi
 - connectorId: SyslogAma
 datatypes:
 - Syslog
@@ -38,5 +35,5 @@ entityMappings:
 fieldMappings:
 - identifier: FullName
 columnName: HostCustomEntity
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled
diff --git a/Solutions/VMWareESXi/Analytic Rules/ESXiRootImpersonation.yaml b/Solutions/VMWareESXi/Analytic Rules/ESXiRootImpersonation.yaml
index 8f567ce5b1a..85be2eae6a0 100755
--- a/Solutions/VMWareESXi/Analytic Rules/ESXiRootImpersonation.yaml
+++ b/Solutions/VMWareESXi/Analytic Rules/ESXiRootImpersonation.yaml
@@ -5,9 +5,6 @@ description: |
 severity: Medium
 status: Available
 requiredDataConnectors:
- - connectorId: VMwareESXi
- dataTypes:
- - VMwareESXi
 - connectorId: SyslogAma
 datatypes:
 - Syslog
@@ -29,5 +26,5 @@ entityMappings:
 fieldMappings:
 - identifier: Name
 columnName: AccountCustomEntity
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled
diff --git a/Solutions/VMWareESXi/Analytic Rules/ESXiRootLogin.yaml b/Solutions/VMWareESXi/Analytic Rules/ESXiRootLogin.yaml
index 412e8bd1c1a..2fd7f12c3ff 100755
--- a/Solutions/VMWareESXi/Analytic Rules/ESXiRootLogin.yaml
+++ b/Solutions/VMWareESXi/Analytic Rules/ESXiRootLogin.yaml
@@ -5,9 +5,6 @@ description: |
 severity: High
 status: Available
 requiredDataConnectors:
- - connectorId: VMwareESXi
- dataTypes:
- - VMwareESXi
 - connectorId: SyslogAma
 datatypes:
 - Syslog
@@ -39,5 +36,5 @@ entityMappings:
 fieldMappings:
 - identifier: Address
 columnName: IPCustomEntity
-version: 1.0.2
+version: 1.0.3
 kind: Scheduled
diff --git a/Solutions/VMWareESXi/Analytic Rules/ESXiSharedOrStolenRootAccount.yaml b/Solutions/VMWareESXi/Analytic Rules/ESXiSharedOrStolenRootAccount.yaml
index 9f734afee94..6ddcb5ccba2 100755
--- a/Solutions/VMWareESXi/Analytic Rules/ESXiSharedOrStolenRootAccount.yaml
+++ b/Solutions/VMWareESXi/Analytic Rules/ESXiSharedOrStolenRootAccount.yaml
@@ -5,9 +5,6 @@ description: |
 severity: High
 status: Available
 requiredDataConnectors:
- - connectorId: VMwareESXi
- dataTypes:
- - VMwareESXi
 - connectorId: SyslogAma
 datatypes:
 - Syslog
@@ -32,5 +29,5 @@ entityMappings:
 fieldMappings:
 - identifier: Address
 columnName: IPCustomEntity
-version: 1.0.2
+version: 1.0.3
 kind: Scheduled
diff --git a/Solutions/VMWareESXi/Analytic Rules/ESXiUnexpectedDiskImage.yaml b/Solutions/VMWareESXi/Analytic Rules/ESXiUnexpectedDiskImage.yaml
index 048eaeae5ae..c44aee5e301 100755
--- a/Solutions/VMWareESXi/Analytic Rules/ESXiUnexpectedDiskImage.yaml
+++ b/Solutions/VMWareESXi/Analytic Rules/ESXiUnexpectedDiskImage.yaml
@@ -5,9 +5,6 @@ description: |
 severity: Medium
 status: Available
 requiredDataConnectors:
- - connectorId: VMwareESXi
- dataTypes:
- - VMwareESXi
 - connectorId: SyslogAma
 datatypes:
 - Syslog
@@ -38,5 +35,5 @@ entityMappings:
 fieldMappings:
 - identifier: FullName
 columnName: HostCustomEntity
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled
diff --git a/Solutions/VMWareESXi/Analytic Rules/ESXiVMStopped.yaml b/Solutions/VMWareESXi/Analytic Rules/ESXiVMStopped.yaml
index 8beda5c7cd9..e8e6ae8c120 100755
--- a/Solutions/VMWareESXi/Analytic Rules/ESXiVMStopped.yaml
+++ b/Solutions/VMWareESXi/Analytic Rules/ESXiVMStopped.yaml
@@ -5,9 +5,6 @@ description: |
 severity: Medium
 status: Available
 requiredDataConnectors:
- - connectorId: VMwareESXi
- dataTypes:
- - VMwareESXi
 - connectorId: SyslogAma
 datatypes:
 - Syslog
@@ -34,5 +31,5 @@ entityMappings:
 fieldMappings:
 - identifier: Name
 columnName: AccountCustomEntity
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled
diff --git a/Solutions/VMWareESXi/Data/Solution_VMWareESXi.json b/Solutions/VMWareESXi/Data/Solution_VMWareESXi.json
index f3f6814336c..9160db40291 100644
--- a/Solutions/VMWareESXi/Data/Solution_VMWareESXi.json
+++ b/Solutions/VMWareESXi/Data/Solution_VMWareESXi.json
@@ -2,7 +2,7 @@
 "Name": "VMWareESXi",
 "Author": "Microsoft - support@microsoft.com",
 "Logo": "",
- "Description": "The [VMware ESXi](https://www.vmware.com/in/products/esxi-and-esx.html) solution for Microsoft Sentinel enables you to ingest VMWare ESXi logs into Microsoft Sentinel.\n\n This solution is dependent on the Syslog solution containing the Syslog via AMA connector to collect the logs. The Syslog solution will be installed as part of this solution installation. \n\n **NOTE**: Microsoft recommends installation of Syslog via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024**. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).",
+ "Description": "The [VMware ESXi](https://www.vmware.com/in/products/esxi-and-esx.html) solution for Microsoft Sentinel enables you to ingest VMWare ESXi logs into Microsoft Sentinel.\n\n This solution is dependent on the Syslog solution containing the Syslog via AMA connector to collect the logs. The Syslog solution will be installed as part of this solution installation. \n\n **NOTE**: Microsoft recommends installation of Syslog via AMA Connector. Legacy connector uses the Log Analytics agent which were deprecated on **Aug 31, 2024.** Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).",
 "Workbooks": [
 "Workbooks/VMwareESXi.json"
 ],
@@ -21,9 +21,6 @@
 "Hunting Queries/ESXiVMPoweredOn.yaml",
 "Hunting Queries/ESXiVirtualImagesList.yaml"
 ],
- "Data Connectors": [
- "Data Connectors/Connector_Syslog_VMwareESXi.json"
- ],
 "Analytic Rules": [
 "Analytic Rules/ESXiDormantVMStarted.yaml",
 "Analytic Rules/ESXiLowPatchDiskSpace.yaml",
@@ -42,6 +39,6 @@
 ],
 "Metadata": "SolutionMetadata.json",
 "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\VMWareESXi",
- "Version": "3.0.2",
+ "Version": "3.0.3",
 "TemplateSpec": true
 }
\ No newline at end of file
diff --git a/Solutions/VMWareESXi/Hunting Queries/ESXiDormantUsers.yaml b/Solutions/VMWareESXi/Hunting Queries/ESXiDormantUsers.yaml
index dbdb98c6007..f7ff7fef7ab 100755
--- a/Solutions/VMWareESXi/Hunting Queries/ESXiDormantUsers.yaml
+++ b/Solutions/VMWareESXi/Hunting Queries/ESXiDormantUsers.yaml
@@ -4,9 +4,9 @@ description: |
 'Query searches for dormant user dormant.'
 severity: Low
 requiredDataConnectors:
- - connectorId: VMwareESXi
- dataTypes:
- - VMwareESXi
+ - connectorId: SyslogAma
+ datatypes:
+ - Syslog
 tactics:
 - InitialAccess
 relevantTechniques:
diff --git a/Solutions/VMWareESXi/Hunting Queries/ESXiDownloadErrors.yaml b/Solutions/VMWareESXi/Hunting Queries/ESXiDownloadErrors.yaml
index 3af4d9d1f77..f219cda57d7 100755
--- a/Solutions/VMWareESXi/Hunting Queries/ESXiDownloadErrors.yaml
+++ b/Solutions/VMWareESXi/Hunting Queries/ESXiDownloadErrors.yaml
@@ -4,9 +4,9 @@ description: |
 'Query searches for download errors.'
 severity: Medium
 requiredDataConnectors:
- - connectorId: VMwareESXi
- dataTypes:
- - VMwareESXi
+ - connectorId: SyslogAma
+ datatypes:
+ - Syslog
 tactics:
 - InitialAccess
 relevantTechniques:
diff --git a/Solutions/VMWareESXi/Hunting Queries/ESXiNFCDownloadActivities.yaml b/Solutions/VMWareESXi/Hunting Queries/ESXiNFCDownloadActivities.yaml
index a00446a8c28..a01a46cc35b 100755
--- a/Solutions/VMWareESXi/Hunting Queries/ESXiNFCDownloadActivities.yaml
+++ b/Solutions/VMWareESXi/Hunting Queries/ESXiNFCDownloadActivities.yaml
@@ -4,9 +4,9 @@ description: |
 'Query searches for download activities.'
 severity: Low
 requiredDataConnectors:
- - connectorId: VMwareESXi
- dataTypes:
- - VMwareESXi
+ - connectorId: SyslogAma
+ datatypes:
+ - Syslog
 tactics:
 - InitialAccess
 relevantTechniques:
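Review bot: The added SyslogAma entry in ESXiDormantUsers.yaml spells the key `datatypes:` while the entry it replaces used `dataTypes:`, leaving the solution with two spellings of one schema field; the generated createUiDefinition text (`depends on SyslogAma data connector (Syslog Parser or Table)`) shows the packaging tool still picked the value up, so this is a consistency point rather than a breakage, but I would settle on `dataTypes:` unless the repo's YAML validation says otherwise. The same `+ datatypes:` line is added in the other nine hunting-query hunks (ESXiDownloadErrors, ESXiNFCDownloadActivities, ESXiRootLoginFailure, ESXiRootLogins, ESXiUnusedVMs, ESXiVMHighLoad, ESXiVMPoweredOff, ESXiVMPoweredOn, ESXiVirtualImagesList), and the analytic-rule hunks leave the lowercase key on their pre-existing SyslogAma entries. The query body of each hunting query is outside its hunk, so I cannot tell from here whether the queries still reach their data through the VMwareESXi parser function or directly through the Syslog table.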
diff --git a/Solutions/VMWareESXi/Hunting Queries/ESXiRootLoginFailure.yaml b/Solutions/VMWareESXi/Hunting Queries/ESXiRootLoginFailure.yaml
index 28f518820af..624395dbe7a 100755
--- a/Solutions/VMWareESXi/Hunting Queries/ESXiRootLoginFailure.yaml
+++ b/Solutions/VMWareESXi/Hunting Queries/ESXiRootLoginFailure.yaml
@@ -4,9 +4,9 @@ description: |
 'Query searches for failed root logins.'
 severity: Medium
 requiredDataConnectors:
- - connectorId: VMwareESXi
- dataTypes:
- - VMwareESXi
+ - connectorId: SyslogAma
+ datatypes:
+ - Syslog
 tactics:
 - InitialAccess
 - PrivilegeEscalation
diff --git a/Solutions/VMWareESXi/Hunting Queries/ESXiRootLogins.yaml b/Solutions/VMWareESXi/Hunting Queries/ESXiRootLogins.yaml
index da6decb3daa..b711b638030 100755
--- a/Solutions/VMWareESXi/Hunting Queries/ESXiRootLogins.yaml
+++ b/Solutions/VMWareESXi/Hunting Queries/ESXiRootLogins.yaml
@@ -4,9 +4,9 @@ description: |
 'Query searches for root logins.'
 severity: Medium
 requiredDataConnectors:
- - connectorId: VMwareESXi
- dataTypes:
- - VMwareESXi
+ - connectorId: SyslogAma
+ datatypes:
+ - Syslog
 tactics:
 - InitialAccess
 - PrivilegeEscalation
diff --git a/Solutions/VMWareESXi/Hunting Queries/ESXiUnusedVMs.yaml b/Solutions/VMWareESXi/Hunting Queries/ESXiUnusedVMs.yaml
index 17d459eb0ac..ffe11e2fa9d 100755
--- a/Solutions/VMWareESXi/Hunting Queries/ESXiUnusedVMs.yaml
+++ b/Solutions/VMWareESXi/Hunting Queries/ESXiUnusedVMs.yaml
@@ -4,9 +4,9 @@ description: |
 'Query searches for unused VMs.'
 severity: Low
 requiredDataConnectors:
- - connectorId: VMwareESXi
- dataTypes:
- - VMwareESXi
+ - connectorId: SyslogAma
+ datatypes:
+ - Syslog
 tactics:
 - InitialAccess
 relevantTechniques:
diff --git a/Solutions/VMWareESXi/Hunting Queries/ESXiVMHighLoad.yaml b/Solutions/VMWareESXi/Hunting Queries/ESXiVMHighLoad.yaml
index 51033e1a678..ebb0df181fb 100755
--- a/Solutions/VMWareESXi/Hunting Queries/ESXiVMHighLoad.yaml
+++ b/Solutions/VMWareESXi/Hunting Queries/ESXiVMHighLoad.yaml
@@ -4,9 +4,9 @@ description: |
 'Query searches for VMs with high resource consumption.'
 severity: Medium
 requiredDataConnectors:
- - connectorId: VMwareESXi
- dataTypes:
- - VMwareESXi
+ - connectorId: SyslogAma
+ datatypes:
+ - Syslog
 tactics:
 - Impact
 relevantTechniques:
diff --git a/Solutions/VMWareESXi/Hunting Queries/ESXiVMPoweredOff.yaml b/Solutions/VMWareESXi/Hunting Queries/ESXiVMPoweredOff.yaml
index 6b1de2c6a2b..b55db56d492 100755
--- a/Solutions/VMWareESXi/Hunting Queries/ESXiVMPoweredOff.yaml
+++ b/Solutions/VMWareESXi/Hunting Queries/ESXiVMPoweredOff.yaml
@@ -4,9 +4,9 @@ description: |
 'Query searches for powered off VMs.'
 severity: Medium
 requiredDataConnectors:
- - connectorId: VMwareESXi
- dataTypes:
- - VMwareESXi
+ - connectorId: SyslogAma
+ datatypes:
+ - Syslog
 tactics:
 - Impact
 relevantTechniques:
diff --git a/Solutions/VMWareESXi/Hunting Queries/ESXiVMPoweredOn.yaml b/Solutions/VMWareESXi/Hunting Queries/ESXiVMPoweredOn.yaml
index e5ead94dea8..352578ad2d4 100755
--- a/Solutions/VMWareESXi/Hunting Queries/ESXiVMPoweredOn.yaml
+++ b/Solutions/VMWareESXi/Hunting Queries/ESXiVMPoweredOn.yaml
@@ -4,9 +4,9 @@ description: |
 'Query searches for powered on VMs.'
 severity: Low
 requiredDataConnectors:
- - connectorId: VMwareESXi
- dataTypes:
- - VMwareESXi
+ - connectorId: SyslogAma
+ datatypes:
+ - Syslog
 tactics:
 - InitialAccess
 relevantTechniques:
diff --git a/Solutions/VMWareESXi/Hunting Queries/ESXiVirtualImagesList.yaml b/Solutions/VMWareESXi/Hunting Queries/ESXiVirtualImagesList.yaml
index 1fbaecc8db1..8e5f38860ea 100755
--- a/Solutions/VMWareESXi/Hunting Queries/ESXiVirtualImagesList.yaml
+++ b/Solutions/VMWareESXi/Hunting Queries/ESXiVirtualImagesList.yaml
@@ -4,9 +4,9 @@ description: |
 'Query searches for virtual disks (images) seen for VM.'
 severity: Low
 requiredDataConnectors:
- - connectorId: VMwareESXi
- dataTypes:
- - VMwareESXi
+ - connectorId: SyslogAma
+ datatypes:
+ - Syslog
 tactics:
 - Impact
 relevantTechniques:
diff --git a/Solutions/VMWareESXi/Package/3.0.3.zip b/Solutions/VMWareESXi/Package/3.0.3.zip
new file mode 100644
index 00000000000..eb0032f524d
Binary files /dev/null and b/Solutions/VMWareESXi/Package/3.0.3.zip differ
diff --git a/Solutions/VMWareESXi/Package/createUiDefinition.json b/Solutions/VMWareESXi/Package/createUiDefinition.json
index 9af952eb1d6..9c1c704ae7e 100644
--- a/Solutions/VMWareESXi/Package/createUiDefinition.json
+++ b/Solutions/VMWareESXi/Package/createUiDefinition.json
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/VMWareESXi/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [VMware ESXi](https://www.vmware.com/in/products/esxi-and-esx.html) solution for Microsoft Sentinel enables you to ingest VMWare ESXi logs into Microsoft Sentinel.\n\n This solution is dependent on the Syslog solution containing the Syslog via AMA connector to collect the logs. The Syslog solution will be installed as part of this solution installation. \n\n **NOTE**: Microsoft recommends installation of Syslog via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024**. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 11, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/VMWareESXi/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [VMware ESXi](https://www.vmware.com/in/products/esxi-and-esx.html) solution for Microsoft Sentinel enables you to ingest VMWare ESXi logs into Microsoft Sentinel.\n\n This solution is dependent on the Syslog solution 
containing the Syslog via AMA connector to collect the logs. The Syslog solution will be installed as part of this solution installation. \n\n **NOTE**: Microsoft recommends installation of Syslog via AMA Connector. Legacy connector uses the Log Analytics agent which were deprecated on **Aug 31, 2024.** Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 11, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", 
@@ -51,37 +51,6 @@ } ], "steps": [ - { - "name": "dataconnectors", - "label": "Data Connectors", - "bladeTitle": "Data Connectors", - "elements": [ - { - "name": "dataconnectors1-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This Solution installs the data connector for VMWareESXi. You can get VMWareESXi Syslog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." - } - }, - { - "name": "dataconnectors-parser-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel." - } - }, - { - "name": "dataconnectors-link2", - "type": "Microsoft.Common.TextBlock", - "options": { - "link": { - "label": "Learn more about connecting data sources", - "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources" - } - } - } - ] - }, { "name": "workbooks", "label": "Workbooks", @@ -337,7 +306,7 @@ "name": "huntingquery1-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query searches for dormant user dormant. This hunting query depends on VMwareESXi data connector (VMwareESXi Parser or Table)" + "text": "Query searches for dormant user dormant. This hunting query depends on SyslogAma data connector (Syslog Parser or Table)" } } ] 
@@ -351,7 +320,7 @@ "name": "huntingquery2-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query searches for download errors. This hunting query depends on VMwareESXi data connector (VMwareESXi Parser or Table)" + "text": "Query searches for download errors. This hunting query depends on SyslogAma data connector (Syslog Parser or Table)" } } ] @@ -365,7 +334,7 @@ "name": "huntingquery3-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query searches for download activities. This hunting query depends on VMwareESXi data connector (VMwareESXi Parser or Table)" + "text": "Query searches for download activities. This hunting query depends on SyslogAma data connector (Syslog Parser or Table)" } } ] @@ -379,7 +348,7 @@ "name": "huntingquery4-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query searches for failed root logins. This hunting query depends on VMwareESXi data connector (VMwareESXi Parser or Table)" + "text": "Query searches for failed root logins. This hunting query depends on SyslogAma data connector (Syslog Parser or Table)" } } ] @@ -393,7 +362,7 @@ "name": "huntingquery5-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query searches for root logins. This hunting query depends on VMwareESXi data connector (VMwareESXi Parser or Table)" + "text": "Query searches for root logins. This hunting query depends on SyslogAma data connector (Syslog Parser or Table)" } } ] @@ -407,7 +376,7 @@ "name": "huntingquery6-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query searches for unused VMs. This hunting query depends on VMwareESXi data connector (VMwareESXi Parser or Table)" + "text": "Query searches for unused VMs. This hunting query depends on SyslogAma data connector (Syslog Parser or Table)" } } ] 
@@ -421,7 +390,7 @@ "name": "huntingquery7-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query searches for VMs with high resource consumption. This hunting query depends on VMwareESXi data connector (VMwareESXi Parser or Table)" + "text": "Query searches for VMs with high resource consumption. This hunting query depends on SyslogAma data connector (Syslog Parser or Table)" } } ] @@ -435,7 +404,7 @@ "name": "huntingquery8-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query searches for powered off VMs. This hunting query depends on VMwareESXi data connector (VMwareESXi Parser or Table)" + "text": "Query searches for powered off VMs. This hunting query depends on SyslogAma data connector (Syslog Parser or Table)" } } ] @@ -449,7 +418,7 @@ "name": "huntingquery9-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query searches for powered on VMs. This hunting query depends on VMwareESXi data connector (VMwareESXi Parser or Table)" + "text": "Query searches for powered on VMs. This hunting query depends on SyslogAma data connector (Syslog Parser or Table)" } } ] @@ -463,7 +432,7 @@ "name": "huntingquery10-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query searches for virtual disks (images) seen for VM. This hunting query depends on VMwareESXi data connector (VMwareESXi Parser or Table)" + "text": "Query searches for virtual disks (images) seen for VM. This hunting query depends on SyslogAma data connector (Syslog Parser or Table)" } } ] diff --git a/Solutions/VMWareESXi/Package/mainTemplate.json b/Solutions/VMWareESXi/Package/mainTemplate.json index b9fd8351593..4862bd8bbf9 100644 --- a/Solutions/VMWareESXi/Package/mainTemplate.json +++ b/Solutions/VMWareESXi/Package/mainTemplate.json 
@@ -41,7 +41,7 @@ "email": "support@microsoft.com", "_email": "[variables('email')]", "_solutionName": "VMWareESXi", - "_solutionVersion": "3.0.2", + "_solutionVersion": "3.0.3", "solutionId": "azuresentinel.azure-sentinel-solution-vmwareesxi", "_solutionId": "[variables('solutionId')]", "workbookVersion1": "1.0.0", @@ -52,8 +52,8 @@ "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]", "parserObject1": { - "_parserName1": "[concat(parameters('workspace'),'/','VMware ESXi Data Parser')]", - "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'VMware ESXi Data Parser')]", + "_parserName1": "[concat(parameters('workspace'),'/','VMwareESXi')]", + "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'VMwareESXi')]", "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('VMwareESXi-Parser')))]", "parserVersion1": "1.1.1", "parserContentId1": "VMwareESXi-Parser" 
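Review bot: In the second hunk the parser's savedSearches resource name changes from `VMware ESXi Data Parser` to `VMwareESXi` in both `_parserName1` and `_parserId1`, while `parserVersion1` stays at `1.1.1` on the context line below. ARM deployments into an existing workspace are incremental, so a workspace upgrading from 3.0.2 would presumably receive a second saved search named VMwareESXi next to the old one rather than a replacement; it is worth checking that the parser's function alias is unchanged and that the stale saved search is either removed by the template or called out in the release notes. No hunk for the parser YAML itself is visible in this diff, so I cannot tell whether the rename comes from the parser source or from a packaging-tool change; if the parser content changed, its version would normally be bumped alongside the solution version. The variables block continues outside the hunk.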
@@ -108,91 +108,82 @@ "_huntingQuerycontentId10": "9a90ccdd-2091-447f-bea2-e8a5125c8dde", "huntingQueryTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('9a90ccdd-2091-447f-bea2-e8a5125c8dde')))]" }, - "uiConfigId1": "VMwareESXi", - "_uiConfigId1": "[variables('uiConfigId1')]", - "dataConnectorContentId1": "VMwareESXi", - "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", - "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "_dataConnectorId1": "[variables('dataConnectorId1')]", - "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", - "dataConnectorVersion1": "1.0.0", - "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", "analyticRuleObject1": { - "analyticRuleVersion1": "1.0.2", + "analyticRuleVersion1": "1.0.3", "_analyticRulecontentId1": "4cdcd5d8-89df-4076-a917-bc50abb9f2ab", "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '4cdcd5d8-89df-4076-a917-bc50abb9f2ab')]", "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('4cdcd5d8-89df-4076-a917-bc50abb9f2ab')))]", - "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4cdcd5d8-89df-4076-a917-bc50abb9f2ab','-', '1.0.2')))]" + "_analyticRulecontentProductId1": 
"[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4cdcd5d8-89df-4076-a917-bc50abb9f2ab','-', '1.0.3')))]" }, "analyticRuleObject2": { - "analyticRuleVersion2": "1.0.1", + "analyticRuleVersion2": "1.0.2", "_analyticRulecontentId2": "48d992ba-d404-4159-a8c6-46f51d1325c7", "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '48d992ba-d404-4159-a8c6-46f51d1325c7')]", "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('48d992ba-d404-4159-a8c6-46f51d1325c7')))]", - "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','48d992ba-d404-4159-a8c6-46f51d1325c7','-', '1.0.1')))]" + "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','48d992ba-d404-4159-a8c6-46f51d1325c7','-', '1.0.2')))]" }, "analyticRuleObject3": { - "analyticRuleVersion3": "1.0.1", + "analyticRuleVersion3": "1.0.2", "_analyticRulecontentId3": "2ee727f7-b7c2-4034-b6c9-d245d5a29343", "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '2ee727f7-b7c2-4034-b6c9-d245d5a29343')]", "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('2ee727f7-b7c2-4034-b6c9-d245d5a29343')))]", - "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','2ee727f7-b7c2-4034-b6c9-d245d5a29343','-', '1.0.1')))]" + "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', 
uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','2ee727f7-b7c2-4034-b6c9-d245d5a29343','-', '1.0.2')))]" }, "analyticRuleObject4": { - "analyticRuleVersion4": "1.0.2", + "analyticRuleVersion4": "1.0.3", "_analyticRulecontentId4": "bdea247f-7d17-498c-ac0e-c7e764cbdbbe", "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'bdea247f-7d17-498c-ac0e-c7e764cbdbbe')]", "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('bdea247f-7d17-498c-ac0e-c7e764cbdbbe')))]", - "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','bdea247f-7d17-498c-ac0e-c7e764cbdbbe','-', '1.0.2')))]" + "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','bdea247f-7d17-498c-ac0e-c7e764cbdbbe','-', '1.0.3')))]" }, "analyticRuleObject5": { - "analyticRuleVersion5": "1.0.2", + "analyticRuleVersion5": "1.0.3", "_analyticRulecontentId5": "5fe1af14-cd40-48ff-b581-3a12a1f90785", "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '5fe1af14-cd40-48ff-b581-3a12a1f90785')]", "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('5fe1af14-cd40-48ff-b581-3a12a1f90785')))]", - "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','5fe1af14-cd40-48ff-b581-3a12a1f90785','-', '1.0.2')))]" + "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','5fe1af14-cd40-48ff-b581-3a12a1f90785','-', '1.0.3')))]" }, "analyticRuleObject6": { - 
"analyticRuleVersion6": "1.0.1", + "analyticRuleVersion6": "1.0.2", "_analyticRulecontentId6": "0f4a80de-344f-47c0-bc19-cb120c59b6f0", "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '0f4a80de-344f-47c0-bc19-cb120c59b6f0')]", "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('0f4a80de-344f-47c0-bc19-cb120c59b6f0')))]", - "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','0f4a80de-344f-47c0-bc19-cb120c59b6f0','-', '1.0.1')))]" + "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','0f4a80de-344f-47c0-bc19-cb120c59b6f0','-', '1.0.2')))]" }, "analyticRuleObject7": { - "analyticRuleVersion7": "1.0.1", + "analyticRuleVersion7": "1.0.2", "_analyticRulecontentId7": "23a3cf72-9497-408e-8144-87958a60d31a", "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '23a3cf72-9497-408e-8144-87958a60d31a')]", "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('23a3cf72-9497-408e-8144-87958a60d31a')))]", - "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','23a3cf72-9497-408e-8144-87958a60d31a','-', '1.0.1')))]" + "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','23a3cf72-9497-408e-8144-87958a60d31a','-', '1.0.2')))]" }, "analyticRuleObject8": { - "analyticRuleVersion8": "1.0.2", + "analyticRuleVersion8": "1.0.3", "_analyticRulecontentId8": "deb448a8-6a9d-4f8c-8a95-679a0a2cd62c", "analyticRuleId8": 
"[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'deb448a8-6a9d-4f8c-8a95-679a0a2cd62c')]", "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('deb448a8-6a9d-4f8c-8a95-679a0a2cd62c')))]", - "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','deb448a8-6a9d-4f8c-8a95-679a0a2cd62c','-', '1.0.2')))]" + "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','deb448a8-6a9d-4f8c-8a95-679a0a2cd62c','-', '1.0.3')))]" }, "analyticRuleObject9": { - "analyticRuleVersion9": "1.0.2", + "analyticRuleVersion9": "1.0.3", "_analyticRulecontentId9": "9c496d6c-42a3-4896-9b6c-00254386928f", "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9c496d6c-42a3-4896-9b6c-00254386928f')]", "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('9c496d6c-42a3-4896-9b6c-00254386928f')))]", - "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','9c496d6c-42a3-4896-9b6c-00254386928f','-', '1.0.2')))]" + "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','9c496d6c-42a3-4896-9b6c-00254386928f','-', '1.0.3')))]" }, "analyticRuleObject10": { - "analyticRuleVersion10": "1.0.1", + "analyticRuleVersion10": "1.0.2", "_analyticRulecontentId10": "395c5560-ddc2-45b2-aafe-2e3f64528d3d", "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '395c5560-ddc2-45b2-aafe-2e3f64528d3d')]", "analyticRuleTemplateSpecName10": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('395c5560-ddc2-45b2-aafe-2e3f64528d3d')))]", - "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','395c5560-ddc2-45b2-aafe-2e3f64528d3d','-', '1.0.1')))]" + "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','395c5560-ddc2-45b2-aafe-2e3f64528d3d','-', '1.0.2')))]" }, "analyticRuleObject11": { - "analyticRuleVersion11": "1.0.1", + "analyticRuleVersion11": "1.0.2", "_analyticRulecontentId11": "43889f30-7bce-4d8a-93bb-29c9615ca8dd", "analyticRuleId11": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '43889f30-7bce-4d8a-93bb-29c9615ca8dd')]", "analyticRuleTemplateSpecName11": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('43889f30-7bce-4d8a-93bb-29c9615ca8dd')))]", - "_analyticRulecontentProductId11": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','43889f30-7bce-4d8a-93bb-29c9615ca8dd','-', '1.0.1')))]" + "_analyticRulecontentProductId11": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','43889f30-7bce-4d8a-93bb-29c9615ca8dd','-', '1.0.2')))]" }, "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, 
@@ -206,7 +197,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "VMwareESXi Workbook with template version 3.0.2",
+ "description": "VMwareESXi Workbook with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion1')]",
@@ -265,6 +256,10 @@
 {
 "contentId": "VMwareESXi",
 "kind": "DataConnector"
+ },
+ {
+ "contentId": "SyslogAma",
+ "kind": "DataConnector"
 }
 ]
 }
@@ -294,7 +289,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "VMwareESXi Data Parser with template version 3.0.2",
+ "description": "VMwareESXi Data Parser with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('parserObject1').parserVersion1]",
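Review bot: The dependencies array at @@ -265 keeps the `"contentId": "VMwareESXi"` DataConnector entry next to the new `SyslogAma` entry, but the hunk at @@ -1267 deletes the VMwareESXi connector template from this package, so on a fresh install that dependency can no longer be satisfied by the solution itself. Whether this matters depends on the `criteria` of the enclosing dependencies object, which starts outside this hunk: with `AllOf` the workbook's dependency check would never pass, with `AnyOf` the stale entry is harmless but misleading. Unless the legacy entry is deliberately retained for workspaces that still have the old connector installed, drop it so the list holds `{ "contentId": "SyslogAma", "kind": "DataConnector" }` alone; if it is retained, a ReleaseNotes line should say why.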
@@ -308,7 +303,7 @@ "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", - "displayName": "VMware ESXi Data Parser", + "displayName": "Parser for VMwareESXi", "category": "Microsoft Sentinel Parser", "functionAlias": "VMwareESXi", "query": "let datasource = union isfuzzy=true (datatable(Source: string)[]), (_GetWatchlist('ASimSourceType') | where SearchKey == 'VMwareESXi' | project Source);\nlet forwarder_host_names = dynamic(['ESXiserver1', 'ESXiserver2']); // ESXiserver1 and ESXiserver2 are examples, replace this list with your ESXi devices\nlet likely_vmware_hosts = Syslog | where ProcessName has_any (\"vpxd-main\", \"vmkwarning\", \"hostd-probe\") | distinct Computer;\nSyslog\n| where CollectorHostName in (likely_vmware_hosts) or Computer in (likely_vmware_hosts) or CollectorHostName in (forwarder_host_names) or Computer in (forwarder_host_names) or CollectorHostName in (datasource) or Computer in (datasource) \n| extend Parser = extract_all(@\"^(\\w+)?\\s?(\\w+)\\[(\\w+)\\]\\s([\\s\\S]+)\", dynamic([1,2,3,4]), SyslogMessage)[0]\n| extend Substring = iif(isnotempty(Parser), tostring(Parser[3]),\"\")\n| extend Sub = iif(Substring has (\"sub=\"), extract(@\"sub=([\\w\\d\\(\\)\\-\\.]+)\\]?\",1, Substring), dynamic(\"\")),\n\t OpId = iif(Substring has (\"opID=\"), extract(@\"opID=([\\w\\d\\(\\)\\-@]+)\\s?\\]?\",1, Substring), dynamic(\"\")),\n UserName = iif(Substring has(\"suser=\"), extract(@\"\\suser=([\\w\\d\\(\\)\\-]+)\\]\",1, Substring), dynamic (\"\"))\n| extend Message = iif(isnotempty(Substring), extract(@\"\\[([\\S\\s]+)\\]\\s([\\S\\s]+)\",2, Substring), \"\")\n| extend Message = iif(isempty(Message),SyslogMessage,Message)\n| extend Message = trim(@\"^-- \", Message)\n| project-away Substring, Parser\n", 
@@ -330,7 +325,7 @@
 "[variables('parserObject1')._parserId1]"
 ],
 "properties": {
- "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'VMware ESXi Data Parser')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'VMwareESXi')]",
 "contentId": "[variables('parserObject1').parserContentId1]",
 "kind": "Parser",
 "version": "[variables('parserObject1').parserVersion1]",
@@ -360,7 +355,7 @@
 "contentSchemaVersion": "3.0.0",
 "contentId": "[variables('parserObject1').parserContentId1]",
 "contentKind": "Parser",
- "displayName": "VMware ESXi Data Parser",
+ "displayName": "Parser for VMwareESXi",
 "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.1.1')))]",
 "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.1.1')))]",
 "version": "[variables('parserObject1').parserVersion1]"
@@ -373,7 +368,7 @@ "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", - "displayName": "VMware ESXi Data Parser", + "displayName": "Parser for VMwareESXi", "category": "Microsoft Sentinel Parser", "functionAlias": "VMwareESXi", "query": "let datasource = union isfuzzy=true (datatable(Source: string)[]), (_GetWatchlist('ASimSourceType') | where SearchKey == 'VMwareESXi' | project Source);\nlet forwarder_host_names = dynamic(['ESXiserver1', 'ESXiserver2']); // ESXiserver1 and ESXiserver2 are examples, replace this list with your ESXi devices\nlet likely_vmware_hosts = Syslog | where ProcessName has_any (\"vpxd-main\", \"vmkwarning\", \"hostd-probe\") | distinct Computer;\nSyslog\n| where CollectorHostName in (likely_vmware_hosts) or Computer in (likely_vmware_hosts) or CollectorHostName in (forwarder_host_names) or Computer in (forwarder_host_names) or CollectorHostName in (datasource) or Computer in (datasource) \n| extend Parser = extract_all(@\"^(\\w+)?\\s?(\\w+)\\[(\\w+)\\]\\s([\\s\\S]+)\", dynamic([1,2,3,4]), SyslogMessage)[0]\n| extend Substring = iif(isnotempty(Parser), tostring(Parser[3]),\"\")\n| extend Sub = iif(Substring has (\"sub=\"), extract(@\"sub=([\\w\\d\\(\\)\\-\\.]+)\\]?\",1, Substring), dynamic(\"\")),\n\t OpId = iif(Substring has (\"opID=\"), extract(@\"opID=([\\w\\d\\(\\)\\-@]+)\\s?\\]?\",1, Substring), dynamic(\"\")),\n UserName = iif(Substring has(\"suser=\"), extract(@\"\\suser=([\\w\\d\\(\\)\\-]+)\\]\",1, Substring), dynamic (\"\"))\n| extend Message = iif(isnotempty(Substring), extract(@\"\\[([\\S\\s]+)\\]\\s([\\S\\s]+)\",2, Substring), \"\")\n| extend Message = iif(isempty(Message),SyslogMessage,Message)\n| extend Message = trim(@\"^-- \", Message)\n| project-away Substring, Parser\n", 
@@ -396,7 +391,7 @@
 "[variables('parserObject1')._parserId1]"
 ],
 "properties": {
- "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'VMware ESXi Data Parser')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'VMwareESXi')]",
 "contentId": "[variables('parserObject1').parserContentId1]",
 "kind": "Parser",
 "version": "[variables('parserObject1').parserVersion1]",
@@ -426,7 +421,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ESXiDormantUsers_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "ESXiDormantUsers_HuntingQueries Hunting Query with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]",
@@ -511,7 +506,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ESXiDownloadErrors_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "ESXiDownloadErrors_HuntingQueries Hunting Query with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]",
@@ -596,7 +591,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ESXiNFCDownloadActivities_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "ESXiNFCDownloadActivities_HuntingQueries Hunting Query with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]",
@@ -681,7 +676,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ESXiRootLoginFailure_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "ESXiRootLoginFailure_HuntingQueries Hunting Query with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]",
@@ -766,7 +761,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ESXiRootLogins_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "ESXiRootLogins_HuntingQueries Hunting Query with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]",
@@ -851,7 +846,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ESXiUnusedVMs_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "ESXiUnusedVMs_HuntingQueries Hunting Query with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]",
@@ -936,7 +931,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ESXiVMHighLoad_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "ESXiVMHighLoad_HuntingQueries Hunting Query with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]",
@@ -1021,7 +1016,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ESXiVMPoweredOff_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "ESXiVMPoweredOff_HuntingQueries Hunting Query with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject8').huntingQueryVersion8]",
@@ -1106,7 +1101,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ESXiVMPoweredOn_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "ESXiVMPoweredOn_HuntingQueries Hunting Query with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject9').huntingQueryVersion9]",
@@ -1191,7 +1186,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ESXiVirtualImagesList_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "ESXiVirtualImagesList_HuntingQueries Hunting Query with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject10').huntingQueryVersion10]",
@@ -1267,353 +1262,6 @@ "version": "1.0.0" } }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "VMWareESXi data connector with template version 3.0.2", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion1')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId1')]", - "title": "[Deprecated] VMware ESXi", - "publisher": "VMWare", - "descriptionMarkdown": "The [VMware ESXi](https://www.vmware.com/products/esxi-and-esx.html) connector allows you to easily connect your VMWare ESXi logs with Microsoft Sentinel This gives you more insight into your organization's ESXi servers and improves your security operation capabilities.", - "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "VMwareESXi", - "baseQuery": "VMwareESXi" - } - ], - "sampleQueries": [ - { - "description": "Total Events by Log Type", - "query": "VMwareESXi \n| summarize count() by ProcessName" - }, - { - "description": "Top 10 ESXi 
Hosts Generating Events", - "query": "VMwareESXi \n | summarize count() by HostName \n | top 10 by count_" - } - ], - "dataTypes": [ - { - "name": "Syslog (VMwareESXi)", - "lastDataReceivedQuery": "VMwareESXi \n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "VMwareESXi \n | where TimeGenerated > ago(3d)\n |take 1\n | project IsConnected = true" - ] - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "write permission is required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "delete": true - } - } - ], - "customs": [ - { - "name": "VMwareESXi", - "description": "must be configured to export logs via Syslog" - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias VMwareESXi and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMWareESXi/Parsers/VMwareESXi.yaml), on the second line of the query, enter the hostname(s) of your VMwareESXi device(s) and any other unique identifiers for the logstream. The function usually takes 10-15 minutes to activate after solution installation/update." 
- }, - { - "description": "Typically, you should install the agent on a different computer from the one on which the logs are generated.\n\n> Syslog logs are collected only from **Linux** agents.", - "instructions": [ - { - "parameters": { - "title": "Choose where to install the agent:", - "instructionSteps": [ - { - "title": "Install agent on Azure Linux Virtual Machine", - "description": "Select the machine to install the agent on and then click **Connect**.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnLinuxVirtualMachine" - }, - "type": "InstallAgent" - } - ] - }, - { - "title": "Install agent on a non-Azure Linux Machine", - "description": "Download the agent on the relevant machine and follow the instructions.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnLinuxNonAzure" - }, - "type": "InstallAgent" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ], - "title": "1. Install and onboard the agent for Linux" - }, - { - "description": "Configure the facilities you want to collect and their severities.\n 1. Under workspace advanced settings **Configuration**, select **Data** and then **Syslog**.\n 2. Select **Apply below configuration to my machines** and select the facilities and severities.\n 3. Click **Save**.", - "instructions": [ - { - "parameters": { - "linkType": "OpenSyslogSettings" - }, - "type": "InstallAgent" - } - ], - "title": "2. Configure the logs to be collected" - }, - { - "description": "1. Follow these instructions to configure the VMWare ESXi to forward syslog: \n - [VMware ESXi 3.5 and 4.x](https://kb.vmware.com/s/article/1016621) \n - [VMware ESXi 5.0+](https://docs.vmware.com/en/VMware-vSphere/5.5/com.vmware.vsphere.monitoring.doc/GUID-9F67DB52-F469-451F-B6C8-DAE8D95976E7.html)\n2. Use the IP address or hostname for the Linux device with the Linux agent installed as the Destination IP address.", - "title": "3. 
Configure and connect the VMware ESXi" - } - ] - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "VMWareESXi", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId1')]", - "contentKind": "DataConnector", - "displayName": "[Deprecated] VMware ESXi", - "contentProductId": "[variables('_dataConnectorcontentProductId1')]", - "id": "[variables('_dataConnectorcontentProductId1')]", - "version": "[variables('dataConnectorVersion1')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId1')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - "parentId": 
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "VMWareESXi", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "[Deprecated] VMware ESXi", - "publisher": "VMWare", - "descriptionMarkdown": "The [VMware ESXi](https://www.vmware.com/products/esxi-and-esx.html) connector allows you to easily connect your VMWare ESXi logs with Microsoft Sentinel This gives you more insight into your organization's ESXi servers and improves your security operation capabilities.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "VMwareESXi", - "baseQuery": "VMwareESXi" - } - ], - "dataTypes": [ - { - "name": "Syslog (VMwareESXi)", - "lastDataReceivedQuery": "VMwareESXi \n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "VMwareESXi \n | where TimeGenerated > ago(3d)\n |take 1\n | project IsConnected = true" - ] - } - ], - "sampleQueries": [ - { - "description": "Total Events by Log Type", - "query": "VMwareESXi \n| summarize count() by 
ProcessName" - }, - { - "description": "Top 10 ESXi Hosts Generating Events", - "query": "VMwareESXi \n | summarize count() by HostName \n | top 10 by count_" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "write permission is required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "delete": true - } - } - ], - "customs": [ - { - "name": "VMwareESXi", - "description": "must be configured to export logs via Syslog" - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias VMwareESXi and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMWareESXi/Parsers/VMwareESXi.yaml), on the second line of the query, enter the hostname(s) of your VMwareESXi device(s) and any other unique identifiers for the logstream. The function usually takes 10-15 minutes to activate after solution installation/update." 
- }, - { - "description": "Typically, you should install the agent on a different computer from the one on which the logs are generated.\n\n> Syslog logs are collected only from **Linux** agents.", - "instructions": [ - { - "parameters": { - "title": "Choose where to install the agent:", - "instructionSteps": [ - { - "title": "Install agent on Azure Linux Virtual Machine", - "description": "Select the machine to install the agent on and then click **Connect**.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnLinuxVirtualMachine" - }, - "type": "InstallAgent" - } - ] - }, - { - "title": "Install agent on a non-Azure Linux Machine", - "description": "Download the agent on the relevant machine and follow the instructions.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnLinuxNonAzure" - }, - "type": "InstallAgent" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ], - "title": "1. Install and onboard the agent for Linux" - }, - { - "description": "Configure the facilities you want to collect and their severities.\n 1. Under workspace advanced settings **Configuration**, select **Data** and then **Syslog**.\n 2. Select **Apply below configuration to my machines** and select the facilities and severities.\n 3. Click **Save**.", - "instructions": [ - { - "parameters": { - "linkType": "OpenSyslogSettings" - }, - "type": "InstallAgent" - } - ], - "title": "2. Configure the logs to be collected" - }, - { - "description": "1. Follow these instructions to configure the VMWare ESXi to forward syslog: \n - [VMware ESXi 3.5 and 4.x](https://kb.vmware.com/s/article/1016621) \n - [VMware ESXi 5.0+](https://docs.vmware.com/en/VMware-vSphere/5.5/com.vmware.vsphere.monitoring.doc/GUID-9F67DB52-F469-451F-B6C8-DAE8D95976E7.html)\n2. Use the IP address or hostname for the Linux device with the Linux agent installed as the Destination IP address.", - "title": "3. 
Configure and connect the VMware ESXi"
- }
- ],
- "id": "[variables('_uiConfigId1')]",
- "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution."
- }
- }
- },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
@@ -1623,7 +1271,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ESXiDormantVMStarted_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "ESXiDormantVMStarted_AnalyticalRules Analytics Rule with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@@ -1650,12 +1298,6 @@
 "triggerThreshold": 0,
 "status": "Available",
 "requiredDataConnectors": [
- {
- "connectorId": "VMwareESXi",
- "dataTypes": [
- "VMwareESXi"
- ]
- },
 {
 "connectorId": "SyslogAma",
 "datatypes": [
@@ -1674,12 +1316,12 @@
 "entityType": "Host",
 "fieldMappings": [
 {
- "columnName": "HostName",
- "identifier": "HostName"
+ "identifier": "HostName",
+ "columnName": "HostName"
 },
 {
- "columnName": "NTDomain",
- "identifier": "NTDomain"
+ "identifier": "NTDomain",
+ "columnName": "NTDomain"
 }
 ]
 }
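Review bot: With the VMwareESXi entry removed, the only item left in this rule's `requiredDataConnectors` is the SyslogAma one, and its key is spelled `datatypes` while the deleted entry used `dataTypes`; if the consumer reads that key case-sensitively, the rule now declares no data-type dependency at all. The same pattern is in the matching hunks of the other ten rules (-1764, -1874, -1984, -2098, -2225, -2335, -2445, -2556, -2667, -2777). Since this is the version that drops the correctly-cased fallback entry, it is the natural place to normalise the surviving line to `"dataTypes": [`. The enclosing mainTemplate object starts and ends outside the hunk.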
@@ -1737,7 +1379,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ESXiLowPatchDiskSpace_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "ESXiLowPatchDiskSpace_AnalyticalRules Analytics Rule with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
@@ -1764,12 +1406,6 @@
 "triggerThreshold": 0,
 "status": "Available",
 "requiredDataConnectors": [
- {
- "connectorId": "VMwareESXi",
- "dataTypes": [
- "VMwareESXi"
- ]
- },
 {
 "connectorId": "SyslogAma",
 "datatypes": [
@@ -1788,8 +1424,8 @@
 "entityType": "Host",
 "fieldMappings": [
 {
- "columnName": "HostCustomEntity",
- "identifier": "FullName"
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
 }
 ]
 }
@@ -1847,7 +1483,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ESXiLowTempDirSpace_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "ESXiLowTempDirSpace_AnalyticalRules Analytics Rule with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]",
@@ -1874,12 +1510,6 @@
 "triggerThreshold": 0,
 "status": "Available",
 "requiredDataConnectors": [
- {
- "connectorId": "VMwareESXi",
- "dataTypes": [
- "VMwareESXi"
- ]
- },
 {
 "connectorId": "SyslogAma",
 "datatypes": [
@@ -1898,8 +1528,8 @@
 "entityType": "Host",
 "fieldMappings": [
 {
- "columnName": "HostCustomEntity",
- "identifier": "FullName"
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
 }
 ]
 }
@@ -1957,7 +1587,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ESXiMultipleNewVM_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "ESXiMultipleNewVM_AnalyticalRules Analytics Rule with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]",
@@ -1984,12 +1614,6 @@
 "triggerThreshold": 0,
 "status": "Available",
 "requiredDataConnectors": [
- {
- "connectorId": "VMwareESXi",
- "dataTypes": [
- "VMwareESXi"
- ]
- },
 {
 "connectorId": "SyslogAma",
 "datatypes": [
@@ -2008,12 +1632,12 @@
 "entityType": "Host",
 "fieldMappings": [
 {
- "columnName": "HostName",
- "identifier": "HostName"
+ "identifier": "HostName",
+ "columnName": "HostName"
 },
 {
- "columnName": "NTDomain",
- "identifier": "NTDomain"
+ "identifier": "NTDomain",
+ "columnName": "NTDomain"
 }
 ]
 }
@@ -2071,7 +1695,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ESXiMultipleVMStopped_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "ESXiMultipleVMStopped_AnalyticalRules Analytics Rule with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]",
@@ -2098,12 +1722,6 @@
 "triggerThreshold": 0,
 "status": "Available",
 "requiredDataConnectors": [
- {
- "connectorId": "VMwareESXi",
- "dataTypes": [
- "VMwareESXi"
- ]
- },
 {
 "connectorId": "SyslogAma",
 "datatypes": [
@@ -2122,12 +1740,12 @@
 "entityType": "Account",
 "fieldMappings": [
 {
- "columnName": "Name",
- "identifier": "Name"
+ "identifier": "Name",
+ "columnName": "Name"
 },
 {
- "columnName": "DnsDomain",
- "identifier": "DnsDomain"
+ "identifier": "DnsDomain",
+ "columnName": "DnsDomain"
 }
 ]
 },
@@ -2135,12 +1753,12 @@
 "entityType": "Host",
 "fieldMappings": [
 {
- "columnName": "HostName",
- "identifier": "HostName"
+ "identifier": "HostName",
+ "columnName": "HostName"
 },
 {
- "columnName": "NTDomain",
- "identifier": "NTDomain"
+ "identifier": "NTDomain",
+ "columnName": "NTDomain"
 }
 ]
 }
@@ -2198,7 +1816,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ESXiNewVM_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "ESXiNewVM_AnalyticalRules Analytics Rule with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]",
@@ -2225,12 +1843,6 @@
 "triggerThreshold": 0,
 "status": "Available",
 "requiredDataConnectors": [
- {
- "connectorId": "VMwareESXi",
- "dataTypes": [
- "VMwareESXi"
- ]
- },
 {
 "connectorId": "SyslogAma",
 "datatypes": [
@@ -2249,8 +1861,8 @@
 "entityType": "Host",
 "fieldMappings": [
 {
- "columnName": "HostCustomEntity",
- "identifier": "FullName"
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
 }
 ]
 }
@@ -2308,7 +1920,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ESXiRootImpersonation_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "ESXiRootImpersonation_AnalyticalRules Analytics Rule with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]",
@@ -2335,12 +1947,6 @@
 "triggerThreshold": 0,
 "status": "Available",
 "requiredDataConnectors": [
- {
- "connectorId": "VMwareESXi",
- "dataTypes": [
- "VMwareESXi"
- ]
- },
 {
 "connectorId": "SyslogAma",
 "datatypes": [
@@ -2359,8 +1965,8 @@
 "entityType": "Account",
 "fieldMappings": [
 {
- "columnName": "AccountCustomEntity",
- "identifier": "Name"
+ "identifier": "Name",
+ "columnName": "AccountCustomEntity"
 }
 ]
 }
@@ -2418,7 +2024,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ESXiRootLogin_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "ESXiRootLogin_AnalyticalRules Analytics Rule with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]",
@@ -2445,12 +2051,6 @@
 "triggerThreshold": 0,
 "status": "Available",
 "requiredDataConnectors": [
- {
- "connectorId": "VMwareESXi",
- "dataTypes": [
- "VMwareESXi"
- ]
- },
 {
 "connectorId": "SyslogAma",
 "datatypes": [
@@ -2470,8 +2070,8 @@
 "entityType": "IP",
 "fieldMappings": [
 {
- "columnName": "IPCustomEntity",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
 }
 ]
 }
@@ -2529,7 +2129,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ESXiSharedOrStolenRootAccount_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "ESXiSharedOrStolenRootAccount_AnalyticalRules Analytics Rule with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]",
@@ -2556,12 +2156,6 @@
 "triggerThreshold": 1,
 "status": "Available",
 "requiredDataConnectors": [
- {
- "connectorId": "VMwareESXi",
- "dataTypes": [
- "VMwareESXi"
- ]
- },
 {
 "connectorId": "SyslogAma",
 "datatypes": [
@@ -2581,8 +2175,8 @@
 "entityType": "IP",
 "fieldMappings": [
 {
- "columnName": "IPCustomEntity",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
 }
 ]
 }
@@ -2640,7 +2234,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ESXiUnexpectedDiskImage_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "ESXiUnexpectedDiskImage_AnalyticalRules Analytics Rule with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]",
@@ -2667,12 +2261,6 @@
 "triggerThreshold": 0,
 "status": "Available",
 "requiredDataConnectors": [
- {
- "connectorId": "VMwareESXi",
- "dataTypes": [
- "VMwareESXi"
- ]
- },
 {
 "connectorId": "SyslogAma",
 "datatypes": [
@@ -2691,8 +2279,8 @@
 "entityType": "Host",
 "fieldMappings": [
 {
- "columnName": "HostCustomEntity",
- "identifier": "FullName"
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
 }
 ]
 }
@@ -2750,7 +2338,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ESXiVMStopped_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "ESXiVMStopped_AnalyticalRules Analytics Rule with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject11').analyticRuleVersion11]",
@@ -2777,12 +2365,6 @@
 "triggerThreshold": 0,
 "status": "Available",
 "requiredDataConnectors": [
- {
- "connectorId": "VMwareESXi",
- "dataTypes": [
- "VMwareESXi"
- ]
- },
 {
 "connectorId": "SyslogAma",
 "datatypes": [
@@ -2801,8 +2383,8 @@
 "entityType": "Host",
 "fieldMappings": [
 {
- "columnName": "HostCustomEntity",
- "identifier": "FullName"
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
 }
 ]
 },
@@ -2810,8 +2392,8 @@
 "entityType": "Account",
 "fieldMappings": [
 {
- "columnName": "AccountCustomEntity",
- "identifier": "Name"
+ "identifier": "Name",
+ "columnName": "AccountCustomEntity"
 }
 ]
 }
@@ -2865,12 +2447,12 @@
 "apiVersion": "2023-04-01-preview",
 "location": "[parameters('workspace-location')]",
 "properties": {
- "version": "3.0.2",
+ "version": "3.0.3",
 "kind": "Solution",
 "contentSchemaVersion": "3.0.0",
 "displayName": "VMWareESXi",
 "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation",
- "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The VMware ESXi solution for Microsoft Sentinel enables you to ingest VMWare ESXi logs into Microsoft Sentinel.

\n

This solution is dependent on the Syslog solution containing the Syslog via AMA connector to collect the logs. The Syslog solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of Syslog via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.

\n

Data Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 11, Hunting Queries: 10

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The VMware ESXi solution for Microsoft Sentinel enables you to ingest VMWare ESXi logs into Microsoft Sentinel.

\n

This solution is dependent on the Syslog solution containing the Syslog via AMA connector to collect the logs. The Syslog solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of Syslog via AMA Connector. Legacy connector uses the Log Analytics agent which were deprecated on Aug 31, 2024. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.

\n

Parsers: 1, Workbooks: 1, Analytic Rules: 11, Hunting Queries: 10

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -2954,11 +2536,6 @@ "contentId": "[variables('huntingQueryObject10')._huntingQuerycontentId10]", "version": "[variables('huntingQueryObject10').huntingQueryVersion10]" }, - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId1')]", - "version": "[variables('dataConnectorVersion1')]" - }, { "kind": "AnalyticsRule", "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", diff --git a/Solutions/VMWareESXi/ReleaseNotes.md b/Solutions/VMWareESXi/ReleaseNotes.md index 8cfa2aebf5e..b937486e135 100644 --- a/Solutions/VMWareESXi/ReleaseNotes.md +++ b/Solutions/VMWareESXi/ReleaseNotes.md @@ -1,6 +1,7 @@ -| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | -|-------------|--------------------------------|-----------------------------------------------------------| -| 3.0.2 | 01-08-2024 |Update **Parser** as part of Syslog migration | -| | |Deprecating data connectors | -| 3.0.1 | 30-04-2024 | Repackaged for parser name issue | -| 3.0.0 | 15-04-2024 | Updated **Parser** VMwareESXi.yaml to automatic update applicable logs | +| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | +|-------------|--------------------------------|------------------------------------------------------------------------| +| 3.0.3 | 02-12-2024 | Removed Deprecated **Data connectors** | +| 3.0.2 | 01-08-2024 | Update **Parser** as part of Syslog migration | +| | | Deprecating data connectors | +| 3.0.1 | 30-04-2024 | Repackaged for parser name issue | +| 3.0.0 | 15-04-2024 | Updated **Parser** VMwareESXi.yaml to automatic update applicable logs | diff --git a/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json b/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json index f47334bec0a..2f07a917805 100644 
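Review bot: The reworded NOTE sentence in the new `descriptionHtml` has a number-agreement error: `Legacy connector uses the Log Analytics agent which were deprecated on Aug 31, 2024` should read `... which was deprecated on Aug 31, 2024`. The same sentence still recommends Syslog via AMA over a legacy connector that this very version removes from the package, so the recommendation now reads as stale; something like `This solution collects logs through the Syslog via AMA connector; the legacy Log Analytics agent was deprecated on Aug 31, 2024.` would match the updated content list, which correctly drops the `Data Connectors: 1` count. If the solution's createUiDefinition.json carries the same paragraph, it presumably needs the same fix. The descriptionHtml value spans many physical lines in this hunk, which begins on the `apiVersion` context line.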
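Review bot: Removing the `DataConnector` entry from the package dependency list, together with the connector resources deleted earlier in the file, presumably leaves `_dataConnectorContentId1`, `dataConnectorVersion1`, `_dataConnectorId1`, `_uiConfigId1` and `_dataConnectorcontentProductId1` unreferenced; the variables block is outside this chunk, so confirm they were dropped as well rather than left as dead template state. If, as I would expect for an incremental ARM deployment, upgrading does not delete a legacy connector instance already deployed in a workspace, the 3.0.3 release-notes line could say whether operators should remove it manually so the deprecated connector does not linger in existing installs. The enclosing dependency array starts before the hunk.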
--- a/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json
+++ b/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json
@@ -3253,7 +3253,7 @@
 "Syslog"
 ],
 "dataConnectorsDependencies": [
- "VMwareESXi"
+ "SyslogAma"
 ],
 "previewImagesFileNames": [
 "VMWareESXiBlack.png",
diff --git a/Workbooks/WorkbooksMetadata.json b/Workbooks/WorkbooksMetadata.json
index 0cc38478933..da2b89e10d4 100644
--- a/Workbooks/WorkbooksMetadata.json
+++ b/Workbooks/WorkbooksMetadata.json
@@ -4053,7 +4053,6 @@
 "Syslog"
 ],
 "dataConnectorsDependencies": [
- "VMwareESXi",
 "SyslogAma"
 ],
 "previewImagesFileNames": [