diff --git a/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-HighThreatLevelQueryNotBlockedDetected.yaml b/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-HighThreatLevelQueryNotBlockedDetected.yaml
index 61639766c0f..710ff06ab9c 100644
--- a/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-HighThreatLevelQueryNotBlockedDetected.yaml
+++ b/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-HighThreatLevelQueryNotBlockedDetected.yaml
@@ -1,7 +1,7 @@
id: dc7af829-d716-4774-9d6f-03d9aa7c27a4
name: Infoblox - High Threat Level Query Not Blocked Detected
description: |
- 'At least 1 high threat level query generated by single host in 1 hour that is not blocked or redirected. Customize query count, scheduling, responses and more. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Infoblox%20Cloud%20Data%20Connector/Parsers/InfobloxCDC.txt).'
+ 'At least 1 high threat level query generated by single host in 1 hour that is not blocked or redirected. Customize query count, scheduling, responses and more. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://aka.ms/sentinel-InfobloxCloudDataConnector-parser).'
severity: Medium
status: Available
requiredDataConnectors:
@@ -63,5 +63,5 @@ eventGroupingSettings:
aggregationKind: SingleAlert
incidentConfiguration:
createIncident: true
-version: 1.0.0
+version: 1.0.1
kind: Scheduled
diff --git a/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-ManyHighThreatLevelSingleQueryDetected.yaml b/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-ManyHighThreatLevelSingleQueryDetected.yaml
index 5fef11bdd9a..c56f9679f86 100644
--- a/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-ManyHighThreatLevelSingleQueryDetected.yaml
+++ b/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-ManyHighThreatLevelSingleQueryDetected.yaml
@@ -1,7 +1,7 @@
id: 99278700-79ca-4b0f-b416-bf57ec699e1a
name: Infoblox - Many High Threat Level Single Query Detected
description: |
- 'Single high threat level domain queried at least 200 times in 1 hour regardless of source. Customize query count, scheduling, responses and more. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Infoblox%20Cloud%20Data%20Connector/Parsers/InfobloxCDC.txt).'
+ 'Single high threat level domain queried at least 200 times in 1 hour regardless of source. Customize query count, scheduling, responses and more. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://aka.ms/sentinel-InfobloxCloudDataConnector-parser).'
severity: Medium
status: Available
requiredDataConnectors:
@@ -47,5 +47,5 @@ eventGroupingSettings:
aggregationKind: SingleAlert
incidentConfiguration:
createIncident: true
-version: 1.0.0
+version: 1.0.1
kind: Scheduled
diff --git a/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-TI-InfobloxCDCMatchFound-LookalikeDomains.yaml b/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-TI-InfobloxCDCMatchFound-LookalikeDomains.yaml
index fd8489eb3ce..c49af07ada3 100644
--- a/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-TI-InfobloxCDCMatchFound-LookalikeDomains.yaml
+++ b/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-TI-InfobloxCDCMatchFound-LookalikeDomains.yaml
@@ -1,7 +1,7 @@
id: 568730be-b39d-45e3-a392-941e00837d52
name: Infoblox - TI - InfobloxCDC Match Found - Lookalike Domains
description: |
- 'InfobloxCDC Lookalike Domain match found in your Infoblox TIDE Threat Intelligence. Customize query count, scheduling, responses and more. Modify data sources, types and threat properties as desired. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Infoblox%20Cloud%20Data%20Connector/Parsers/InfobloxCDC.txt).'
+ 'InfobloxCDC Lookalike Domain match found in your Infoblox TIDE Threat Intelligence. Customize query count, scheduling, responses and more. Modify data sources, types and threat properties as desired. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://aka.ms/sentinel-InfobloxCloudDataConnector-parser).'
severity: Medium
status: Available
requiredDataConnectors:
@@ -75,5 +75,5 @@ eventGroupingSettings:
aggregationKind: SingleAlert
incidentConfiguration:
createIncident: true
-version: 1.0.0
+version: 1.0.1
kind: Scheduled
diff --git a/Solutions/Infoblox Cloud Data Connector/Data Connectors/InfobloxCloudDataConnector.json b/Solutions/Infoblox Cloud Data Connector/Data Connectors/InfobloxCloudDataConnector.json
index aa6effa62c0..b769a0cf022 100644
--- a/Solutions/Infoblox Cloud Data Connector/Data Connectors/InfobloxCloudDataConnector.json
+++ b/Solutions/Infoblox Cloud Data Connector/Data Connectors/InfobloxCloudDataConnector.json
@@ -123,7 +123,7 @@
},
{
"title": "2. Configure Infoblox BloxOne to send Syslog data to the Infoblox Cloud Data Connector to forward to the Syslog agent",
- "description": "Follow the steps below to configure the Infoblox CDC to send BloxOne data to Microsoft Sentinel via the Linux Syslog agent.\n2. Navigate to **Manage > Data Connector**.\n3. Click the **Destination Configuration** tab at the top.\n4. Click **Create > Syslog**. \n - **Name**: Give the new Destination a meaningful **name**, such as **Azure-Sentinel-Destination**.\n - **Description**: Optionally give it a meaningful **description**.\n - **State**: Set the state to **Enabled**.\n - **Format**: Set the format to **CEF**.\n - **FQDN/IP**: Enter the IP address of the Linux device on which the Linux agent is installed.\n - **Port**: Leave the port number at **514**.\n - **Protocol**: Select desired protocol and CA certificate if applicable.\n - Click **Save & Close**.\n5. Click the **Traffic Flow Configuration** tab at the top.\n6. Click **Create**.\n - **Name**: Give the new Traffic Flow a meaningful **name**, such as **Azure-Sentinel-Flow**.\n - **Description**: Optionally give it a meaningful **description**. \n - **State**: Set the state to **Enabled**. \n - Expand the **CDC Enabled Host** section. \n - **On-Prem Host**: Select your desired on-prem host for which the Data Connector service is enabled. \n - Expand the **Source Configuration** section. \n - **Source**: Select **BloxOne Cloud Source**. \n - Select all desired **log types** you wish to collect. Currently supported log types are:\n - Threat Defense Query/Response Log\n - Threat Defense Threat Feeds Hits Log\n - DDI Query/Response Log\n - DDI DHCP Lease Log\n - Expand the **Destination Configuration** section. \n - Select the **Destination** you just created. \n - Click **Save & Close**. \n7. Allow the configuration some time to activate."
+ "description": "Follow the steps below to configure the Infoblox CDC to send BloxOne data to Microsoft Sentinel via the Linux Syslog agent.\n1. Navigate to **Manage > Data Connector**.\n2. Click the **Destination Configuration** tab at the top.\n3. Click **Create > Syslog**. \n - **Name**: Give the new Destination a meaningful **name**, such as **Microsoft-Sentinel-Destination**.\n - **Description**: Optionally give it a meaningful **description**.\n - **State**: Set the state to **Enabled**.\n - **Format**: Set the format to **CEF**.\n - **FQDN/IP**: Enter the IP address of the Linux device on which the Linux agent is installed.\n - **Port**: Leave the port number at **514**.\n - **Protocol**: Select desired protocol and CA certificate if applicable.\n - Click **Save & Close**.\n4. Click the **Traffic Flow Configuration** tab at the top.\n5. Click **Create**.\n - **Name**: Give the new Traffic Flow a meaningful **name**, such as **Microsoft-Sentinel-Flow**.\n - **Description**: Optionally give it a meaningful **description**. \n - **State**: Set the state to **Enabled**. \n - Expand the **Service Instance** section. \n - **Service Instance**: Select your desired Service Instance for which the Data Connector service is enabled. \n - Expand the **Source Configuration** section. \n - **Source**: Select **BloxOne Cloud Source**. \n - Select all desired **log types** you wish to collect. Currently supported log types are:\n - Threat Defense Query/Response Log\n - Threat Defense Threat Feeds Hits Log\n - DDI Query/Response Log\n - DDI DHCP Lease Log\n - Expand the **Destination Configuration** section. \n - Select the **Destination** you just created. \n - Click **Save & Close**. \n6. Allow the configuration some time to activate."
},
{
"title": "3. Validate connection",
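Review bot: The rewritten step 3 still leaves the transport unspecified (`- **Protocol**: Select desired protocol and CA certificate if applicable.`) while telling the reader to keep port 514 and to target the agent by bare IP, and the flow it configures forwards DNS query/response, Threat Feed hit and DHCP lease logs that identify internal hosts; over plain UDP/TCP syslog that data crosses the network in cleartext and can be spoofed into the collector. I would make the recommendation explicit, e.g. `- **Protocol**: Prefer **TLS** and upload the CA certificate that issued the Syslog agent's server certificate; use unencrypted UDP/TCP only on a trusted network segment.` Which protocols BloxOne offers and whether the agent listener on 514 is TLS-enabled are not visible in this hunk (the agent setup is step 1, outside it), so the text should also point the reader to matching the agent's listener configuration. The renumbering to start at step 1 and the CDC Enabled Host → Service Instance wording are fine as written.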
diff --git a/Solutions/Infoblox Cloud Data Connector/Package/3.0.0.zip b/Solutions/Infoblox Cloud Data Connector/Package/3.0.0.zip
index fa819f766a6..f354f27d0c5 100644
Binary files a/Solutions/Infoblox Cloud Data Connector/Package/3.0.0.zip and b/Solutions/Infoblox Cloud Data Connector/Package/3.0.0.zip differ
diff --git a/Solutions/Infoblox Cloud Data Connector/Package/createUiDefinition.json b/Solutions/Infoblox Cloud Data Connector/Package/createUiDefinition.json
index d062e6418eb..a46f3200f1f 100644
--- a/Solutions/Infoblox Cloud Data Connector/Package/createUiDefinition.json
+++ b/Solutions/Infoblox Cloud Data Connector/Package/createUiDefinition.json
@@ -1,302 +1,302 @@
-{
- "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
- "handler": "Microsoft.Azure.CreateUIDef",
- "version": "0.1.2-preview",
- "parameters": {
- "config": {
- "isWizard": false,
- "basics": {
- "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Infoblox%20Cloud%20Data%20Connector/ReleaseNotes.md)\r \n There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Infoblox](https://www.infoblox.com/) Cloud solution allows you to easily connect your Infoblox BloxOne data with Microsoft Sentinel. By connecting your logs to Microsoft Sentinel, you can take advantage of search & correlation, alerting, and threat intelligence enrichment for each log.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n \r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n \r\n a. [Agent based logs collection from Windows and Linux machines ](https://docs.microsoft.com/azure/azure-monitor/agents/data-sources-custom-logs)\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 8, **Playbooks:** 11\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
- "subscription": {
- "resourceProviders": [
- "Microsoft.OperationsManagement/solutions",
- "Microsoft.OperationalInsights/workspaces/providers/alertRules",
- "Microsoft.Insights/workbooks",
- "Microsoft.Logic/workflows"
- ]
- },
- "location": {
- "metadata": {
- "hidden": "Hiding location, we get it from the log analytics workspace"
+ {
+ "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+ "handler": "Microsoft.Azure.CreateUIDef",
+ "version": "0.1.2-preview",
+ "parameters": {
+ "config": {
+ "isWizard": false,
+ "basics": {
+ "description": "\n\n **Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Infoblox%20Cloud%20Data%20Connector/ReleaseNotes.md). \r \n • Review the TIDE Threat Intelligence playbooks and their installation [here](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Infoblox%20Cloud%20Data%20Connector/Playbooks). \r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution. \n\nThe [Infoblox](https://www.infoblox.com/) Cloud solution allows you to easily connect your Infoblox BloxOne data with Microsoft Sentinel. By connecting your logs to Microsoft Sentinel, you can take advantage of search & correlation, alerting, and threat intelligence enrichment for each log.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n \r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n \r\n a. [Agent based logs collection from Windows and Linux machines ](https://docs.microsoft.com/azure/azure-monitor/agents/data-sources-custom-logs)\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 8, **Playbooks:** 11\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "subscription": {
+ "resourceProviders": [
+ "Microsoft.OperationsManagement/solutions",
+ "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "Microsoft.Insights/workbooks",
+ "Microsoft.Logic/workflows"
+ ]
},
- "visible": false
- },
- "resourceGroup": {
- "allowExisting": true
- }
- }
- },
- "basics": [
- {
- "name": "getLAWorkspace",
- "type": "Microsoft.Solutions.ArmApiControl",
- "toolTip": "This filters by workspaces that exist in the Resource Group selected",
- "condition": "[greater(length(resourceGroup().name),0)]",
- "request": {
- "method": "GET",
- "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
+ "location": {
+ "metadata": {
+ "hidden": "Hiding location, we get it from the log analytics workspace"
+ },
+ "visible": false
+ },
+ "resourceGroup": {
+ "allowExisting": true
+ }
}
},
- {
- "name": "workspace",
- "type": "Microsoft.Common.DropDown",
- "label": "Workspace",
- "placeholder": "Select a workspace",
- "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
- "constraints": {
- "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
- "required": true
+ "basics": [
+ {
+ "name": "getLAWorkspace",
+ "type": "Microsoft.Solutions.ArmApiControl",
+ "toolTip": "This filters by workspaces that exist in the Resource Group selected",
+ "condition": "[greater(length(resourceGroup().name),0)]",
+ "request": {
+ "method": "GET",
+ "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
+ }
},
- "visible": true
- }
- ],
- "steps": [
- {
- "name": "dataconnectors",
- "label": "Data Connectors",
- "bladeTitle": "Data Connectors",
- "elements": [
- {
- "name": "dataconnectors1-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "This Solution installs the data connector for Infoblox Cloud Data Connector. You can get Infoblox Cloud Data Connector CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
- }
- },
- {
- "name": "dataconnectors-parser-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel."
- }
+ {
+ "name": "workspace",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Workspace",
+ "placeholder": "Select a workspace",
+ "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
+ "constraints": {
+ "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
+ "required": true
},
- {
- "name": "dataconnectors-link2",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "link": {
- "label": "Learn more about connecting data sources",
- "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
+ "visible": true
+ }
+ ],
+ "steps": [
+ {
+ "name": "dataconnectors",
+ "label": "Data Connectors",
+ "bladeTitle": "Data Connectors",
+ "elements": [
+ {
+ "name": "dataconnectors1-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This Solution installs the data connector for Infoblox Cloud Data Connector. You can get Infoblox Cloud Data Connector CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+ }
+ },
+ {
+ "name": "dataconnectors-parser-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel."
+ }
+ },
+ {
+ "name": "dataconnectors-link2",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "link": {
+ "label": "Learn more about connecting data sources",
+ "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
+ }
}
}
- }
- ]
- },
- {
- "name": "workbooks",
- "label": "Workbooks",
- "subLabel": {
- "preValidation": "Configure the workbooks",
- "postValidation": "Done"
+ ]
},
- "bladeTitle": "Workbooks",
- "elements": [
- {
- "name": "workbooks-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "This solution installs workbook(s) to help you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view."
- }
+ {
+ "name": "workbooks",
+ "label": "Workbooks",
+ "subLabel": {
+ "preValidation": "Configure the workbooks",
+ "postValidation": "Done"
},
- {
- "name": "workbooks-link",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "link": {
- "label": "Learn more",
- "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data"
+ "bladeTitle": "Workbooks",
+ "elements": [
+ {
+ "name": "workbooks-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This solution installs workbook(s) to help you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view."
}
- }
- },
- {
- "name": "workbook1",
- "type": "Microsoft.Common.Section",
- "label": "Infoblox Cloud Data Connector",
- "elements": [
- {
- "name": "workbook1-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "Sets the time name for analysis"
+ },
+ {
+ "name": "workbooks-link",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "link": {
+ "label": "Learn more",
+ "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data"
}
}
- ]
- }
- ]
- },
- {
- "name": "analytics",
- "label": "Analytics",
- "subLabel": {
- "preValidation": "Configure the analytics",
- "postValidation": "Done"
- },
- "bladeTitle": "Analytics",
- "elements": [
- {
- "name": "analytics-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view."
+ },
+ {
+ "name": "workbook1",
+ "type": "Microsoft.Common.Section",
+ "label": "Infoblox Cloud Data Connector Workbook",
+ "elements": [
+ {
+ "name": "workbook1-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Get a closer look at your BloxOne DNS Query/Response logs, DHCP logs and Threat Defense security event data. This workbook is intended to help visualize BloxOne query data as part of the Infoblox Cloud solution. Drilldown your data and visualize events, trends, and anomalous changes over time."
+ }
+ }
+ ]
}
+ ]
+ },
+ {
+ "name": "analytics",
+ "label": "Analytics",
+ "subLabel": {
+ "preValidation": "Configure the analytics",
+ "postValidation": "Done"
},
- {
- "name": "analytics-link",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "link": {
- "label": "Learn more",
- "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
+ "bladeTitle": "Analytics",
+ "elements": [
+ {
+ "name": "analytics-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view."
}
- }
- },
- {
- "name": "analytic1",
- "type": "Microsoft.Common.Section",
- "label": "Infoblox - Data Exfiltration Attack",
- "elements": [
- {
- "name": "analytic1-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "Data exfiltration attack detected by Infoblox Threat Insight. Customize query count, scheduling, responses and more. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://aka.ms/sentinel-InfobloxCloudDataConnector-parser)."
+ },
+ {
+ "name": "analytics-link",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "link": {
+ "label": "Learn more",
+ "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
}
}
- ]
- },
- {
- "name": "analytic2",
- "type": "Microsoft.Common.Section",
- "label": "Infoblox - High Threat Level Query Not Blocked Detected",
- "elements": [
- {
- "name": "analytic2-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "At least 1 high threat level query generated by single host in 1 hour that is not blocked or redirected. Customize query count, scheduling, responses and more. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Infoblox%20Cloud%20Data%20Connector/Parsers/InfobloxCDC.txt)."
+ },
+ {
+ "name": "analytic1",
+ "type": "Microsoft.Common.Section",
+ "label": "Infoblox - Data Exfiltration Attack",
+ "elements": [
+ {
+ "name": "analytic1-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Data exfiltration attack detected by Infoblox Threat Insight. Customize query count, scheduling, responses and more."
+ }
}
- }
- ]
- },
- {
- "name": "analytic3",
- "type": "Microsoft.Common.Section",
- "label": "Infoblox - Many High Threat Level Queries From Single Host Detected",
- "elements": [
- {
- "name": "analytic3-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "At least 200 high threat level queries generated by single host in 1 hour. Queries do not need to be the same. Customize query count, scheduling, responses and more. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://aka.ms/sentinel-InfobloxCloudDataConnector-parser)."
+ ]
+ },
+ {
+ "name": "analytic2",
+ "type": "Microsoft.Common.Section",
+ "label": "Infoblox - High Threat Level Query Not Blocked Detected",
+ "elements": [
+ {
+ "name": "analytic2-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "At least 1 high threat level query generated by single host in 1 hour that is not blocked or redirected. Customize query count, scheduling, responses and more."
+ }
}
- }
- ]
- },
- {
- "name": "analytic4",
- "type": "Microsoft.Common.Section",
- "label": "Infoblox - Many High Threat Level Single Query Detected",
- "elements": [
- {
- "name": "analytic4-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "Single high threat level domain queried at least 200 times in 1 hour regardless of source. Customize query count, scheduling, responses and more. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Infoblox%20Cloud%20Data%20Connector/Parsers/InfobloxCDC.txt)."
+ ]
+ },
+ {
+ "name": "analytic3",
+ "type": "Microsoft.Common.Section",
+ "label": "Infoblox - Many High Threat Level Queries From Single Host Detected",
+ "elements": [
+ {
+ "name": "analytic3-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "At least 200 high threat level queries generated by single host in 1 hour. Queries do not need to be the same. Customize query count, scheduling, responses and more."
+ }
}
- }
- ]
- },
- {
- "name": "analytic5",
- "type": "Microsoft.Common.Section",
- "label": "Infoblox - Many NXDOMAIN DNS Responses Detected",
- "elements": [
- {
- "name": "analytic5-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "Detected at least 200 DNS responses for non-existent domains in 1 hour generated by single host. Queries do not need to be the same. Customize query count, scheduling, responses and more. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://aka.ms/sentinel-InfobloxCloudDataConnector-parser)."
+ ]
+ },
+ {
+ "name": "analytic4",
+ "type": "Microsoft.Common.Section",
+ "label": "Infoblox - Many High Threat Level Single Query Detected",
+ "elements": [
+ {
+ "name": "analytic4-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Single high threat level domain queried at least 200 times in 1 hour regardless of source. Customize query count, scheduling, responses and more."
+ }
}
- }
- ]
- },
- {
- "name": "analytic6",
- "type": "Microsoft.Common.Section",
- "label": "Infoblox - TI - CommonSecurityLog Match Found - MalwareC2",
- "elements": [
- {
- "name": "analytic6-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "CommonSecurityLog (CEF) MalwareC2/MalwareC2DGA match found in your Infoblox TIDE Threat Intelligence. Customize query count, scheduling, responses and more. Modify data sources, types and threat properties as desired."
+ ]
+ },
+ {
+ "name": "analytic5",
+ "type": "Microsoft.Common.Section",
+ "label": "Infoblox - Many NXDOMAIN DNS Responses Detected",
+ "elements": [
+ {
+ "name": "analytic5-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Detected at least 200 DNS responses for non-existent domains in 1 hour generated by single host. Queries do not need to be the same. Customize query count, scheduling, responses and more."
+ }
}
- }
- ]
- },
- {
- "name": "analytic7",
- "type": "Microsoft.Common.Section",
- "label": "Infoblox - TI - InfobloxCDC Match Found - Lookalike Domains",
- "elements": [
- {
- "name": "analytic7-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "InfobloxCDC Lookalike Domain match found in your Infoblox TIDE Threat Intelligence. Customize query count, scheduling, responses and more. Modify data sources, types and threat properties as desired. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Infoblox%20Cloud%20Data%20Connector/Parsers/InfobloxCDC.txt)."
+ ]
+ },
+ {
+ "name": "analytic6",
+ "type": "Microsoft.Common.Section",
+ "label": "Infoblox - TI - CommonSecurityLog Match Found - MalwareC2",
+ "elements": [
+ {
+ "name": "analytic6-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "CommonSecurityLog (CEF) MalwareC2/MalwareC2DGA match found in your Infoblox TIDE Threat Intelligence. Customize query count, scheduling, responses and more. Modify data sources, types and threat properties as desired."
+ }
}
- }
- ]
- },
- {
- "name": "analytic8",
- "type": "Microsoft.Common.Section",
- "label": "Infoblox - TI - Syslog Match Found - URL",
- "elements": [
- {
- "name": "analytic8-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "Syslog URL match found in your Infoblox TIDE Threat Intelligence. Customize query count, scheduling, responses and more. Modify data sources, types and threat properties as desired."
+ ]
+ },
+ {
+ "name": "analytic7",
+ "type": "Microsoft.Common.Section",
+ "label": "Infoblox - TI - InfobloxCDC Match Found - Lookalike Domains",
+ "elements": [
+ {
+ "name": "analytic7-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "InfobloxCDC Lookalike Domain match found in your Infoblox TIDE Threat Intelligence. Customize query count, scheduling, responses and more. Modify data sources, types and threat properties as desired."
+ }
}
- }
- ]
- }
- ]
- },
- {
- "name": "playbooks",
- "label": "Playbooks",
- "subLabel": {
- "preValidation": "Configure the playbooks",
- "postValidation": "Done"
- },
- "bladeTitle": "Playbooks",
- "elements": [
- {
- "name": "playbooks-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "This solution installs the Playbook templates to help implement your Security Orchestration, Automation and Response (SOAR) operations. After installing the solution, these will be deployed under Playbook Templates in the Automation blade in Microsoft Sentinel. They can be configured and managed from the Manage solution view in Content Hub."
+ ]
+ },
+ {
+ "name": "analytic8",
+ "type": "Microsoft.Common.Section",
+ "label": "Infoblox - TI - Syslog Match Found - URL",
+ "elements": [
+ {
+ "name": "analytic8-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Syslog URL match found in your Infoblox TIDE Threat Intelligence. Customize query count, scheduling, responses and more. Modify data sources, types and threat properties as desired."
+ }
+ }
+ ]
}
+ ]
+ },
+ {
+ "name": "playbooks",
+ "label": "Playbooks",
+ "subLabel": {
+ "preValidation": "Configure the playbooks",
+ "postValidation": "Done"
},
- {
- "name": "playbooks-link",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "link": {
- "label": "Learn more",
- "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
+ "bladeTitle": "Playbooks",
+ "elements": [
+ {
+ "name": "playbooks-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This solution installs the Playbook templates to help implement your Security Orchestration, Automation and Response (SOAR) operations. After installing the solution, these will be deployed under Playbook Templates in the Automation blade in Microsoft Sentinel. They can be configured and managed from the Manage solution view in Content Hub."
+ }
+ },
+ {
+ "name": "playbooks-link",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "link": {
+ "label": "Learn more",
+ "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
+ }
}
}
- }
- ]
+ ]
+ }
+ ],
+ "outputs": {
+ "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
+ "location": "[location()]",
+ "workspace": "[basics('workspace')]"
}
- ],
- "outputs": {
- "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
- "location": "[location()]",
- "workspace": "[basics('workspace')]"
}
}
-}
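Review bot: The analytic-rule blurbs in the new file (analytic2 through analytic7, e.g. `"text": "At least 1 high threat level query generated by single host in 1 hour that is not blocked or redirected. Customize query count, scheduling, responses and more."`) drop the sentence stating that the rule depends on the InfobloxCDC Kusto parser, while the rule YAMLs changed in this same commit keep it (`This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://aka.ms/sentinel-InfobloxCloudDataConnector-parser).`); someone enabling the rules from the install wizard is no longer told that they silently return nothing until the parser is deployed, so I would keep that sentence in the wizard text or add one line under `analytics-text` saying the rules require the InfobloxCDC parser installed by this solution. Separately, nearly all 302 lines of this hunk change only because the whole document was re-indented by two spaces, which buries the handful of substantive edits (the release-notes bullets, the workbook description, the rule blurbs); if this file is produced by the packaging tool, regenerating it with the previous indentation would keep the diff to the real changes and make them reviewable.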
diff --git a/Solutions/Infoblox Cloud Data Connector/Package/mainTemplate.json b/Solutions/Infoblox Cloud Data Connector/Package/mainTemplate.json
index 77bf8454296..862fb88f735 100644
--- a/Solutions/Infoblox Cloud Data Connector/Package/mainTemplate.json
+++ b/Solutions/Infoblox Cloud Data Connector/Package/mainTemplate.json
@@ -57,7 +57,7 @@
"analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId1'))]",
"analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1'))))]",
"_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId1'),'-', variables('analyticRuleVersion1'))))]",
- "analyticRuleVersion2": "1.0.0",
+ "analyticRuleVersion2": "1.0.1",
"analyticRulecontentId2": "dc7af829-d716-4774-9d6f-03d9aa7c27a4",
"_analyticRulecontentId2": "[variables('analyticRulecontentId2')]",
"analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId2'))]",
@@ -69,7 +69,7 @@
"analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId3'))]",
"analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId3'))))]",
"_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId3'),'-', variables('analyticRuleVersion3'))))]",
- "analyticRuleVersion4": "1.0.0",
+ "analyticRuleVersion4": "1.0.1",
"analyticRulecontentId4": "99278700-79ca-4b0f-b416-bf57ec699e1a",
"_analyticRulecontentId4": "[variables('analyticRulecontentId4')]",
"analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId4'))]",
@@ -87,7 +87,7 @@
"analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId6'))]",
"analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId6'))))]",
"_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId6'),'-', variables('analyticRuleVersion6'))))]",
- "analyticRuleVersion7": "1.0.0",
+ "analyticRuleVersion7": "1.0.1",
"analyticRulecontentId7": "568730be-b39d-45e3-a392-941e00837d52",
"_analyticRulecontentId7": "[variables('analyticRulecontentId7')]",
"analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId7'))]",
@@ -233,7 +233,7 @@
"kind": "shared",
"apiVersion": "2021-08-01",
"metadata": {
- "description": "Sets the time name for analysis"
+ "description": "Get a closer look at your BloxOne DNS Query/Response logs, DHCP logs and Threat Defense security event data. This workbook is intended to help visualize BloxOne query data as part of the Infoblox Cloud solution. Drilldown your data and visualize events, trends, and anomalous changes over time."
},
"properties": {
"displayName": "[parameters('workbook1-name')]",
@@ -248,7 +248,7 @@
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]",
"properties": {
- "description": "@{workbookKey=InfobloxCDCB1TDWorkbook; logoFileName=infoblox_logo.svg; description=Sets the time name for analysis; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=Infoblox Cloud Data Connector; templateRelativePath=InfobloxCDCB1TDWorkbook.json; subtitle=; provider=InfoBlox}.description",
+ "description": "@{workbookKey=InfobloxCDCB1TDWorkbook; logoFileName=infoblox_logo.svg; description=Get a closer look at your BloxOne DNS Query/Response logs, DHCP logs and Threat Defense security event data. This workbook is intended to help visualize BloxOne query data as part of the Infoblox Cloud solution. Drilldown your data and visualize events, trends, and anomalous changes over time.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=Infoblox Cloud Data Connector; templateRelativePath=InfobloxCDCB1TDWorkbook.json; subtitle=; provider=InfoBlox}.description",
"parentId": "[variables('workbookId1')]",
"contentId": "[variables('_workbookContentId1')]",
"kind": "Workbook",
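Review bot: The new "description" value on the `+` line is still a stringified PowerShell hashtable (`@{workbookKey=InfobloxCDCB1TDWorkbook; ... dataTypesDependencies=System.Object[]; ...}.description`) rather than the description text, so the reworded sentence is only embedded inside a serialization artifact and the `System.Object[]` placeholders and trailing `.description` will surface wherever this metadata is displayed. The hunk above (@@ -233) already carries the plain-text version, and the mismatch between the two looks like the package generator reading `.description` off a string instead of an object — worth confirming in the generator rather than hand-editing here. The expected value for this line is the plain string: `"description": "Get a closer look at your BloxOne DNS Query/Response logs, DHCP logs and Threat Defense security event data. This workbook is intended to help visualize BloxOne query data as part of the Infoblox Cloud solution. Drilldown your data and visualize events, trends, and anomalous changes over time.",`. The enclosing "properties" object continues outside the hunk.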
@@ -473,7 +473,7 @@
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
- "description": "At least 1 high threat level query generated by single host in 1 hour that is not blocked or redirected. Customize query count, scheduling, responses and more. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Infoblox%20Cloud%20Data%20Connector/Parsers/InfobloxCDC.txt).",
+ "description": "At least 1 high threat level query generated by single host in 1 hour that is not blocked or redirected. Customize query count, scheduling, responses and more. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://aka.ms/sentinel-InfobloxCloudDataConnector-parser).",
"displayName": "Infoblox - High Threat Level Query Not Blocked Detected",
"enabled": false,
"query": "let threshold = 1;\nInfobloxCDC\n| where DeviceEventClassID has_cs \"RPZ\"\n| where ThreatLevel_Score >=80\n| where InfobloxB1PolicyAction == \"Log\" or SimplifiedDeviceAction == \"PASSTHRU\"\n| summarize count() by SourceIP\n| where count_ > threshold\n| join kind=inner (InfobloxCDC\n | where DeviceEventClassID has_cs \"RPZ\"\n | where ThreatLevel_Score >=80\n | where InfobloxB1PolicyAction == \"Log\" or SimplifiedDeviceAction == \"PASSTHRU\"\n ) on SourceIP\n",
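Review bot: The rewritten description still says "At least 1 high threat level query generated by single host", but the query on the following context line keeps `let threshold = 1;` with `| where count_ > threshold`, which only fires once a SourceIP has two or more such queries, so the rule's documented and actual sensitivity disagree. Either the text should read "more than 1" or the comparison should become `| where count_ >= threshold` (in both the outer filter and nowhere else — the inner join branch has no count). The same mismatch exists in the next hunk (@@ -759): "queried at least 200 times" against `let threshold = 200;` and `count_ > threshold`. Since this template appears to be generated from the analytic-rule YAML files touched earlier in the commit, the fix presumably belongs in those source files and a repackaging. The "properties" object continues outside the hunk.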
@@ -759,7 +759,7 @@
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
- "description": "Single high threat level domain queried at least 200 times in 1 hour regardless of source. Customize query count, scheduling, responses and more. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Infoblox%20Cloud%20Data%20Connector/Parsers/InfobloxCDC.txt).",
+ "description": "Single high threat level domain queried at least 200 times in 1 hour regardless of source. Customize query count, scheduling, responses and more. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://aka.ms/sentinel-InfobloxCloudDataConnector-parser).",
"displayName": "Infoblox - Many High Threat Level Single Query Detected",
"enabled": false,
"query": "let threshold = 200;\nInfobloxCDC\n| where DeviceEventClassID has_cs \"RPZ\"\n| where ThreatLevel_Score >= 80\n| summarize count() by DestinationDnsDomain\n| where count_ > threshold\n| join kind=inner (InfobloxCDC\n | where DeviceEventClassID has_cs \"RPZ\"\n | where ThreatLevel_Score >= 80\n ) on DestinationDnsDomain\n",
@@ -1158,7 +1158,7 @@
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
- "description": "InfobloxCDC Lookalike Domain match found in your Infoblox TIDE Threat Intelligence. Customize query count, scheduling, responses and more. Modify data sources, types and threat properties as desired. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Infoblox%20Cloud%20Data%20Connector/Parsers/InfobloxCDC.txt).",
+ "description": "InfobloxCDC Lookalike Domain match found in your Infoblox TIDE Threat Intelligence. Customize query count, scheduling, responses and more. Modify data sources, types and threat properties as desired. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://aka.ms/sentinel-InfobloxCloudDataConnector-parser).",
"displayName": "Infoblox - TI - InfobloxCDC Match Found - Lookalike Domains",
"enabled": false,
"query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet TI = ThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now() \n| where Description == \"Infoblox - HOST - Policy\"\n| where Tags has_cs \"Property: Policy_LookalikeDomains\" \n| where isnotempty(DomainName)\n;\nlet Data = InfobloxCDC\n| extend HitTime = TimeGenerated\n| where TimeGenerated >= ago(dt_lookBack)\n| where isnotempty(DestinationDnsDomain)\n//Remove trailing period at end of domain\n| extend DestinationDnsDomain = trim_end(@\"\\.$\", DestinationDnsDomain)\n;\nTI | join kind=innerunique Data on $left.DomainName == $right.DestinationDnsDomain\n| where HitTime >= TimeGenerated and HitTime < ExpirationDateTime\n| project LatestIndicatorTime, HitTime, DeviceEventClassID, ThreatLevel, ThreatLevel_Score, ThreatConfidence, DestinationDnsDomain, InfobloxB1FeedName, ThreatClass, ThreatProperty, InfobloxB1PolicyAction, DeviceAction, InfobloxB1PolicyName, SourceIP, DeviceName, SourceMACAddress, SourceUserName, InfobloxB1SrcOSVersion, InfobloxB1ConnectionType, InfobloxB1Network, AdditionalExtensionsParsedNested, \nAdditionalInformation, Description, ThreatType, TrafficLightProtocolLevel, Type, ConfidenceScore, ExpirationDateTime, SourceSystem, Action, IndicatorId, ExternalIndicatorId, Tags\n",
@@ -1583,7 +1583,7 @@
"title": "1. Linux Syslog agent configuration"
},
{
- "description": "Follow the steps below to configure the Infoblox CDC to send BloxOne data to Microsoft Sentinel via the Linux Syslog agent.\n2. Navigate to **Manage > Data Connector**.\n3. Click the **Destination Configuration** tab at the top.\n4. Click **Create > Syslog**. \n - **Name**: Give the new Destination a meaningful **name**, such as **Azure-Sentinel-Destination**.\n - **Description**: Optionally give it a meaningful **description**.\n - **State**: Set the state to **Enabled**.\n - **Format**: Set the format to **CEF**.\n - **FQDN/IP**: Enter the IP address of the Linux device on which the Linux agent is installed.\n - **Port**: Leave the port number at **514**.\n - **Protocol**: Select desired protocol and CA certificate if applicable.\n - Click **Save & Close**.\n5. Click the **Traffic Flow Configuration** tab at the top.\n6. Click **Create**.\n - **Name**: Give the new Traffic Flow a meaningful **name**, such as **Azure-Sentinel-Flow**.\n - **Description**: Optionally give it a meaningful **description**. \n - **State**: Set the state to **Enabled**. \n - Expand the **CDC Enabled Host** section. \n - **On-Prem Host**: Select your desired on-prem host for which the Data Connector service is enabled. \n - Expand the **Source Configuration** section. \n - **Source**: Select **BloxOne Cloud Source**. \n - Select all desired **log types** you wish to collect. Currently supported log types are:\n - Threat Defense Query/Response Log\n - Threat Defense Threat Feeds Hits Log\n - DDI Query/Response Log\n - DDI DHCP Lease Log\n - Expand the **Destination Configuration** section. \n - Select the **Destination** you just created. \n - Click **Save & Close**. \n7. Allow the configuration some time to activate.",
+ "description": "Follow the steps below to configure the Infoblox CDC to send BloxOne data to Microsoft Sentinel via the Linux Syslog agent.\n1. Navigate to **Manage > Data Connector**.\n2. Click the **Destination Configuration** tab at the top.\n3. Click **Create > Syslog**. \n - **Name**: Give the new Destination a meaningful **name**, such as **Microsoft-Sentinel-Destination**.\n - **Description**: Optionally give it a meaningful **description**.\n - **State**: Set the state to **Enabled**.\n - **Format**: Set the format to **CEF**.\n - **FQDN/IP**: Enter the IP address of the Linux device on which the Linux agent is installed.\n - **Port**: Leave the port number at **514**.\n - **Protocol**: Select desired protocol and CA certificate if applicable.\n - Click **Save & Close**.\n4. Click the **Traffic Flow Configuration** tab at the top.\n5. Click **Create**.\n - **Name**: Give the new Traffic Flow a meaningful **name**, such as **Microsoft-Sentinel-Flow**.\n - **Description**: Optionally give it a meaningful **description**. \n - **State**: Set the state to **Enabled**. \n - Expand the **Service Instance** section. \n - **Service Instance**: Select your desired Service Instance for which the Data Connector service is enabled. \n - Expand the **Source Configuration** section. \n - **Source**: Select **BloxOne Cloud Source**. \n - Select all desired **log types** you wish to collect. Currently supported log types are:\n - Threat Defense Query/Response Log\n - Threat Defense Threat Feeds Hits Log\n - DDI Query/Response Log\n - DDI DHCP Lease Log\n - Expand the **Destination Configuration** section. \n - Select the **Destination** you just created. \n - Click **Save & Close**. \n6. Allow the configuration some time to activate.",
"title": "2. Configure Infoblox BloxOne to send Syslog data to the Infoblox Cloud Data Connector to forward to the Syslog agent"
},
{
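Review bot: The rewritten instruction string on the `+` line is repeated byte-for-byte in the second connector definition below (hunk @@ -1804), so the renumbering and the "Service Instance" wording had to be applied twice and any future edit must be too; if the packaging tool allows it, a single source for this string would prevent the two copies drifting. On the content itself, the steps `**Port**: Leave the port number at **514**` and `**Protocol**: Select desired protocol and CA certificate if applicable` leave the transport choice to the reader even though CEF over plain UDP/TCP syslog carries the DNS, DHCP and threat-feed data to the agent unencrypted and unauthenticated; a short steer would help, e.g. `- **Protocol**: Prefer the TLS option with the CA certificate where the agent supports it; plain UDP/TCP syslog sends the CEF data in clear text.` The enclosing instruction-steps array continues outside the hunk.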
@@ -1804,7 +1804,7 @@
"title": "1. Linux Syslog agent configuration"
},
{
- "description": "Follow the steps below to configure the Infoblox CDC to send BloxOne data to Microsoft Sentinel via the Linux Syslog agent.\n2. Navigate to **Manage > Data Connector**.\n3. Click the **Destination Configuration** tab at the top.\n4. Click **Create > Syslog**. \n - **Name**: Give the new Destination a meaningful **name**, such as **Azure-Sentinel-Destination**.\n - **Description**: Optionally give it a meaningful **description**.\n - **State**: Set the state to **Enabled**.\n - **Format**: Set the format to **CEF**.\n - **FQDN/IP**: Enter the IP address of the Linux device on which the Linux agent is installed.\n - **Port**: Leave the port number at **514**.\n - **Protocol**: Select desired protocol and CA certificate if applicable.\n - Click **Save & Close**.\n5. Click the **Traffic Flow Configuration** tab at the top.\n6. Click **Create**.\n - **Name**: Give the new Traffic Flow a meaningful **name**, such as **Azure-Sentinel-Flow**.\n - **Description**: Optionally give it a meaningful **description**. \n - **State**: Set the state to **Enabled**. \n - Expand the **CDC Enabled Host** section. \n - **On-Prem Host**: Select your desired on-prem host for which the Data Connector service is enabled. \n - Expand the **Source Configuration** section. \n - **Source**: Select **BloxOne Cloud Source**. \n - Select all desired **log types** you wish to collect. Currently supported log types are:\n - Threat Defense Query/Response Log\n - Threat Defense Threat Feeds Hits Log\n - DDI Query/Response Log\n - DDI DHCP Lease Log\n - Expand the **Destination Configuration** section. \n - Select the **Destination** you just created. \n - Click **Save & Close**. \n7. Allow the configuration some time to activate.",
+ "description": "Follow the steps below to configure the Infoblox CDC to send BloxOne data to Microsoft Sentinel via the Linux Syslog agent.\n1. Navigate to **Manage > Data Connector**.\n2. Click the **Destination Configuration** tab at the top.\n3. Click **Create > Syslog**. \n - **Name**: Give the new Destination a meaningful **name**, such as **Microsoft-Sentinel-Destination**.\n - **Description**: Optionally give it a meaningful **description**.\n - **State**: Set the state to **Enabled**.\n - **Format**: Set the format to **CEF**.\n - **FQDN/IP**: Enter the IP address of the Linux device on which the Linux agent is installed.\n - **Port**: Leave the port number at **514**.\n - **Protocol**: Select desired protocol and CA certificate if applicable.\n - Click **Save & Close**.\n4. Click the **Traffic Flow Configuration** tab at the top.\n5. Click **Create**.\n - **Name**: Give the new Traffic Flow a meaningful **name**, such as **Microsoft-Sentinel-Flow**.\n - **Description**: Optionally give it a meaningful **description**. \n - **State**: Set the state to **Enabled**. \n - Expand the **Service Instance** section. \n - **Service Instance**: Select your desired Service Instance for which the Data Connector service is enabled. \n - Expand the **Source Configuration** section. \n - **Source**: Select **BloxOne Cloud Source**. \n - Select all desired **log types** you wish to collect. Currently supported log types are:\n - Threat Defense Query/Response Log\n - Threat Defense Threat Feeds Hits Log\n - DDI Query/Response Log\n - DDI DHCP Lease Log\n - Expand the **Destination Configuration** section. \n - Select the **Destination** you just created. \n - Click **Save & Close**. \n6. Allow the configuration some time to activate.",
"title": "2. Configure Infoblox BloxOne to send Syslog data to the Infoblox Cloud Data Connector to forward to the Syslog agent"
},
{