From 5ad8bb5c60e9b6ecb73e464f4a6fae44be125c90 Mon Sep 17 00:00:00 2001
From: v-rusraut
Date: Wed, 13 Sep 2023 14:06:02 +0530
Subject: [PATCH 1/4] Repackaging - ExtraHop Reveal(x) (MMA to AMA Migration)

---
 .../template_ExtraHopNetworks.JSON | 2 +-
 .../template_ExtraHopReveal(x)AMA.JSON | 136 +++++
 .../Data/Solution_ExtraHop Reveal(x).json | 7 +-
 .../ExtraHop Reveal(x)/Package/3.0.0.zip | Bin 0 -> 11270 bytes
 .../Package/createUiDefinition.json | 17 +-
 .../Package/mainTemplate.json | 483 ++++++++++++++++--
 Solutions/ExtraHop Reveal(x)/ReleaseNotes.md | 5 +
 .../WorkbookMetadata/WorkbooksMetadata.json | 3 +-
 8 files changed, 593 insertions(+), 60 deletions(-)
 create mode 100644 Solutions/ExtraHop Reveal(x)/Data Connectors/template_ExtraHopReveal(x)AMA.JSON
 create mode 100644 Solutions/ExtraHop Reveal(x)/Package/3.0.0.zip
 create mode 100644 Solutions/ExtraHop Reveal(x)/ReleaseNotes.md

diff --git a/Solutions/ExtraHop Reveal(x)/Data Connectors/template_ExtraHopNetworks.JSON b/Solutions/ExtraHop Reveal(x)/Data Connectors/template_ExtraHopNetworks.JSON
index eca806d508b..c6e18aeff67 100644
--- a/Solutions/ExtraHop Reveal(x)/Data Connectors/template_ExtraHopNetworks.JSON
+++ b/Solutions/ExtraHop Reveal(x)/Data Connectors/template_ExtraHopNetworks.JSON
@@ -1,6 +1,6 @@
 {
 "id": "ExtraHopNetworks",
- "title": "ExtraHop Reveal(x)",
+ "title": "[Deprecated] ExtraHop Reveal(x) via Legacy Agent",
 "publisher": "ExtraHop Networks",
 "logo": "ExtraHopLogo.svg",
 "descriptionMarkdown": "The ExtraHop Reveal(x) data connector enables you to easily connect your Reveal(x) system with Microsoft Sentinel to view dashboards, create custom alerts, and improve investigation. This integration gives you the ability to gain insight into your organization's network and improve your security operation capabilities.",
diff --git a/Solutions/ExtraHop Reveal(x)/Data Connectors/template_ExtraHopReveal(x)AMA.JSON b/Solutions/ExtraHop Reveal(x)/Data Connectors/template_ExtraHopReveal(x)AMA.JSON
new file mode 100644
index 00000000000..1518e48b2ad
--- /dev/null
+++ b/Solutions/ExtraHop Reveal(x)/Data Connectors/template_ExtraHopReveal(x)AMA.JSON
@@ -0,0 +1,136 @@ +{ + "id": "ExtraHopNetworksAma", + "title": "[Recommended] ExtraHop Reveal(x) via AMA", + "publisher": "ExtraHop Networks", + "logo": "ExtraHopLogo.svg", + "descriptionMarkdown": "The ExtraHop Reveal(x) data connector enables you to easily connect your Reveal(x) system with Microsoft Sentinel to view dashboards, create custom alerts, and improve investigation. This integration gives you the ability to gain insight into your organization's network and improve your security operation capabilities.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "ExtraHop Networks", + "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'ExtraHop'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" + } + ], + "sampleQueries": [ + { + "description": "All logs", + "query": "\nCommonSecurityLog\n| where DeviceVendor == \"ExtraHop\"\n\n | sort by TimeGenerated" + }, + { + "description": "All detections, de-duplicated", + "query": "\nCommonSecurityLog\n| where DeviceVendor == \"ExtraHop\"\n\n | extend categories = iif(DeviceCustomString2 != \"\", split(DeviceCustomString2, \",\"),dynamic(null))\n     | extend StartTime = extract(\"start=([0-9-]+T[0-9:.]+Z)\", 1, AdditionalExtensions,typeof(datetime))\n     | extend EndTime = extract(\"end=([0-9-]+T[0-9:.]+Z)\", 1, AdditionalExtensions,typeof(datetime))\n     | project      \n     DeviceEventClassID=\"ExtraHop Detection\",\n     Title=Activity,\n     Description=Message,\n     riskScore=DeviceCustomNumber2,     \n     SourceIP,\n     DestinationIP,\n     detectionID=tostring(DeviceCustomNumber1),\n     updateTime=todatetime(ReceiptTime),\n     StartTime,\n     EndTime,\n     detectionURI=DeviceCustomString1,\n     categories,\n     Computer\n     | summarize arg_max(updateTime, *) by detectionID\n     | sort by detectionID desc" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "CommonSecurityLog\n |where 
DeviceVendor =~ 'ExtraHop'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "dataTypes": [ + { + "name": "CommonSecurityLog (‘ExtraHop’)", + "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'ExtraHop'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. 
[Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + }, + { + "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" + } + ] + }, + "instructionSteps": [ + { + "title": "", + "description": "", + "instructions": [ + { + "parameters": { + "title": "1. Kindly follow the steps to configure the data connector", + "instructionSteps": [ + { + "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", + "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine", + "instructions": [ + ] + }, + { + "title": "Step B. Forward ExtraHop Networks logs to Syslog agent", + "description": "1. Set your security solution to send Syslog messages in CEF format to the proxy machine. Make sure to send the logs to port 514 TCP on the machine IP address.\n2. Follow the directions to install the [ExtraHop Detection SIEM Connector bundle](https://aka.ms/asi-syslog-extrahop-forwarding) on your Reveal(x) system. The SIEM Connector is required for this integration.\n3. 
Enable the trigger for **ExtraHop Detection SIEM Connector - CEF**\n4. Update the trigger with the ODS syslog targets you created \n5. The Reveal(x) system formats syslog messages in Common Event Format (CEF) and then sends data to Microsoft Sentinel.", + "instructions": [ + ] + }, + { + "title": "Step C. Validate connection", + "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine", + "instructions": [ + { + "parameters": { + "label": "Run the following command to validate your connectivity:", + "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef" + }, + "type": "CopyableLabel" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + + { + "title": "2. Secure your machine ", + "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)" + } + ], + "metadata": { + "id": "3c3af19d-b178-44cd-a130-c48b366758c4", + "version": "1.0.0", + "kind": "dataConnector", + "source": { + "kind": "community" + }, + "author": { + "name": "ExtraHop Networks" + }, + "support": { + "name": "ExtraHop Networks", + "link": "https://www.extrahop.com/support/", + "tier": "developer" + } + } +} \ No newline at end of file 
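Review bot: Step C's `CopyableLabel` value fetches `Sentinel_AMA_troubleshoot.py` from the `master` branch of a raw GitHub URL and immediately runs it with `sudo`, so whatever that branch serves at the moment the user pastes the command executes as root with no integrity check; for a one-liner shipped to customers the reference should be pinned to an immutable commit (`https://raw.githubusercontent.com/Azure/Azure-Sentinel/<PINNED_COMMIT>/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py`) and the step text should ask the user to compare the download against a published checksum before running it. The same step says `python -version`, which is not a valid flag; it should read `python --version`. The `permissions.resourceProvider` block still requires `Microsoft.OperationalInsights/workspaces/sharedKeys` action rights, which nothing in the AMA instruction steps uses (collection here is set up through a DCR per Step A); if the AMA path really does not need workspace keys, dropping that entry keeps the connector's stated prerequisites to least privilege. Separately, the copy of this connector in `Package/mainTemplate.json` titles it `[Recommended] ExtraHop Reveal(x) via AMA (using Azure Functions)`, which disagrees with the `title` here and names a mechanism this connector does not use.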
diff --git a/Solutions/ExtraHop Reveal(x)/Data/Solution_ExtraHop Reveal(x).json b/Solutions/ExtraHop Reveal(x)/Data/Solution_ExtraHop Reveal(x).json
index dc3ac8c69b8..1c175cd5068 100644
--- a/Solutions/ExtraHop Reveal(x)/Data/Solution_ExtraHop Reveal(x).json
+++ b/Solutions/ExtraHop Reveal(x)/Data/Solution_ExtraHop Reveal(x).json
@@ -2,16 +2,17 @@
 "Name": "ExtraHop Reveal(x)",
 "Author": "ExtraHop",
 "Logo": "",
- "Description": "The [ExtraHop Reveal(x)](https://www.extrahop.com/products/security/) Solution for Microsoft Sentinel enables ingestion of Common Event Format (CEF) logs into Microsoft Sentinel. This solution enables you to view dashboards, create custom alerts, and improve investigation. This integration gives you the ability to gain insight into your organization's network and improve your security operation capabilities./n **Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:/na. [Agent-based log collection (CEF over Syslog) ](https://docs.microsoft.com/azure/sentinel/connect-common-event-format)",
+ "Description": "The [ExtraHop Reveal(x)](https://www.extrahop.com/products/security/) Solution for Microsoft Sentinel enables ingestion of Common Event Format (CEF) logs into Microsoft Sentinel. This solution enables you to view dashboards, create custom alerts, and improve investigation. This integration gives you the ability to gain insight into your organization's network and improve your security operation capabilities.\n\r\n1. **ExtraHop Reveal(x) via AMA** - This data connector helps in ingesting ExtraHop Reveal(x) logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. **ExtraHop Reveal(x) via Legacy Agent** - This data connector helps in ingesting ExtraHop Reveal(x) logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends installation of ExtraHop Reveal(x) via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).",
 "Data Connectors": [
- "Data Connectors/template_ExtraHopNetworks.json"
+ "Data Connectors/template_ExtraHopNetworks.json",
+ "Data Connectors/template_ExtraHopReveal(x)AMA.json",
 ],
 "Workbooks": [
 "Workbooks/ExtraHopDetectionSummary.json"
 ],
 "Metadata": "SolutionMetadata.json",
 "BasePath": "C:\\Sentinel-Repos\\19.05.22\\Azure-Sentinel\\Solutions\\ExtraHop Reveal(x)",
- "Version": "2.0.1",
+ "Version": "3.0.0",
 "TemplateSpec": true,
 "Is1PConnector": false
 }
\ No newline at end of file
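Review bot: The new `"Data Connectors"` array ends with a trailing comma after `"Data Connectors/template_ExtraHopReveal(x)AMA.json",`, which strict RFC 8259 parsers reject; the last element should be `"Data Connectors/template_ExtraHopReveal(x)AMA.json"` with no comma. Both entries also spell the extension as lowercase `.json` while the files this patch creates and edits are `template_ExtraHopNetworks.JSON` and `template_ExtraHopReveal(x)AMA.JSON`; the packaging tooling presumably runs on a case-insensitive filesystem today, but on a case-sensitive one those paths will not resolve, so matching the on-disk case is the safer choice.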
diff --git a/Solutions/ExtraHop Reveal(x)/Package/3.0.0.zip b/Solutions/ExtraHop Reveal(x)/Package/3.0.0.zip new file mode 100644 index 0000000000000000000000000000000000000000..b27b18d2854e61716650a9a4cb17a9da723d0f58 GIT binary patch literal 11270 zcmZ{~Q*b3t^r#yf6Wg}!WWpWWwrxyo+Y_5Rwv&l%+sPyo?%@3X_g3AyRp*@UhgGYq zdp)eDZ*_gj07xiIFfcGUusKI2t$tudjwc)#7%u@B7|wsEX08?{?iLz0KP@b69Btff zoE({L-JBd}w67eGIj|A00dY;Z`6iGw|3l*wnfezVui z55t@DA!kqSP6}d-hoi_}xx2om6hxjY4@a}3;|3y9bYScS1kh=+XDVI__RyuL?pYn| z)y@WC$@kQzoi(9HnD0zXSl4JV=lSgtp>X}x#YL3*xs9RO&)jj4?Mw7Qu>%K z-v-N@@(lZyoQoUDP+yzX;*_yHIpG=Yf{RFir_-VPP-vdPYFEq?i%m4lV?u7A%M4&Z zqU0BkYW$m_{;jlkqQ$@jcg1{ts^kDSyC>cH_rc33tYEn~ zb(LLVzxHwL$LnjuX7uBc*>fHGHiG4d9PTNnTa__GUE1!1pb4O9QHnKNZ#=yi!`G>m z{!gA;8>@XXFzEBB@H$_*`6Xwk7X!-+-SSR4zBj!t64_lUYHad_3s_gy&nFPfI=FH^ z?5zp7hZtfccEajXfaaWgrHC{3Lhal=me!eYSOPb~LUt>Ot=DL1jS{^>9)iLGH7m%j+JE_zGSf*TEpSQ>8x;E@XKA!Hj;Sq)ont z9Q126Q+3cfC4B%qj7HM6j5!KviTZ%gHJO=2Cj+s4;k1Zmaf$1d4cSVwnA}kPg9-xn zmM!*!(|mkf0(MY&_LRqsa;im@?=*p<)P|WHmZel2%Un8?55fX9lWEbA>X;$-Okap! 
z9qAczxeYoIioqe(f^YvRdeD)Ro)l^ZqZ;vA*Etm!CmzS*al!8@;+MOlqHAxah}OVr z2cQYhXPI$Oowk*zNY+;H85<8<XynRDcEJd20z?K!6Xl1GTA2{Ckl+T+N_5>q7s{R+}Ntj=+dgmZNdD z)vS#X!C`>Se9y<*@jl`82l6!VJc+hiC1zd}MTJ<*Njz`VqR3pmNR-E)?rOP6MlY-o zbxZqqF+Ip1H^yIgbI156m?DSllX#rn-aoUMl-yZr(NMzP<@dqDJoK9#Qnv_6r+LC2 zi1-gSkN|e&+(^dM8~LTClo&)VnJh~L5CWSr#14uk{AjbUyhr^0W+Wx%Pcj%&iqOyNL}a5^nD zh8I`tsLfRxGu8c!wTBsotmZ)puyfZz`gg|ZXAqFo*L6_GVUelw2>e=L-AyQPuy(ha zC$s^04v$^==z;sOof9K2kd$mSqMT9Z;-K@L#%X@)>DK7UYC`oHHk1~F=UgsudxO!y zponp++)z93t>ChvLg2TEKgV>86O^%K%&hxozFrK)rA=UDCis#jjFIW^7Uad%bFHbQMK;Sw%zycbC_3v)RzXq zR3^@5e^;g~i@YDSyR>`zGc3SDM%x|hpQpfml@cLZ&>WWjEm78AQ+4R$O1Z=Z6%p`+ zv4flmn%Z&#AditUpgedlA+HZcTCG3yY#d`X?oCn!4<8NH?k7%@gX|^xO0egiI%=)%s8uYi z#)_wY6R5R3}!k#dHqh63FMDCJqgBV-;}}`^0Gpi5$c- zP&aU!my06$V-3-_lYF^QjeqPJp|!b=GF!Lex=Ib1!BJcxd9&}yZA3rkx;2bu#M=4LQ0thqP^MVGIW*fU=+~vDfp}cU-|_ba-R#h8Mm0 zPLd}Mmcp=(lI(b)CMAe<*_&CLD|EJj}y*do0ObCW z9UNpZ`R$dmnNDkyQe&eT5R|>x4p(^C0JzZ_^m%us+*9LQdfOLAlv(->gBh6;_w_6$ zsO;+0?6bHA+A;DQd%@b`|GSIAVKXrV&Cr}2 zUwyjJ`Zwfuv$sC4ch=`~yF&{sW`--Jn|G3;EE8KS4<54)MLs}0%Ksm#9GNm{=>@tQ zq>zJw6(fU#q5X#{4kk8^>J|>p_WuFP{{tyELN~5kQYqgJwtFUuow~9*A((W0UukzO zDfyMA0>Xgkt66nAQdaUN7;qRcDvpGPXSUm~9pHA!b*lc0KNzGj3<;*i6nFB@PY6q2 zU*C5--!AF9?|({R_8)+2`SaynZ&7Y)S@u|xf4(0IUbe8$S&BAE?l*g9XgB-^>i)5Q zq4{3{c2;wn7cct!kHgSy0%c3tPBbl`c3z~ujq^tEJXV?gEf&t0Ue*DZ_Z^}SY5&5- z5ziYaHt$51{d6HEYLhU9!X5xQDAIXsi``m{kZvrIrbt8yj9PZ2RQ}z0bmQ# zyKCcVyn_|qoKCREMN3i{dz2VgXFChh$$J7J%%=m1|z?Qp0j3Eq`q%0?Df0| z7kWuGvJaYl?~S%5oTZ2iBnf}qSoPFOa4jFAS1=ri$)CuD&*L@>gU=pczDZgTBm*yF z_K-zS$tD^fNhsG$>47F6fq#3-#vS3$4s+XU{ay2m;HlP*M8^giP^VPx21h7x7O5Xuxd5 z^+}4iQLhmg^Wi$%Jz^1YJj21Csh|TAlI<`srpVbO>qVaj-(<}XT9t@CY=EgQGppqv zeVx4lnj$aTX$+Q@r)^SdflT8R;G~ns`#QYTu)#Mh=yTB~Og2CNxXncm@%G3}z{4fu zD3fIJl>hP95I8X%wdg~0>iIhe4cc5y=g+vUnPN`gBO`e`pcVB z)U_Y|(D&L=aw9R9PQWWDXCX?q?1n@l@h@exUlr0=E>W?Z^E>#@4hc+Jn&oV1!)6(= z<3@4T$x``LD_=3CBK}47g`bfMoreXWkr4a3ID346|r~!3|;2m zI!mZ^?iukYREfUA)Ived1J0f}aj)A_Myh*->vqn_D0;?x0fDGDORFUh?hVv1rTs7^ 
z(E(OZD}zLJecm)FjI*Qc3@ybz(cki3XxU}y3aYmh*F)XS5uz|xq&r(%aO(U4a{ zNk3(}&6U!sVp)|I*mjK;Smd96^O`Mgz}~WAA#2)ANeJ1sk=keTSozq>6dx$Sxc+?V zo4c)a?AqcAoo6P#DvLN@=in)HAPYrPRqiMao0wJ!z3_@@L8_`y@ZR#Yu!v8DLV2ZJ zT7f2g%`#7eswRG1Y)Eq)at}Te6K%@cBzrN1wya=Gt&u(spRr2@K%V_Mv!E1-ER9CT z7T|6)dOdQShAiDR81~k4;KqEHn}grE%ZR`tv>rY#B*sh^Q^kU!e3M;qtq3C!YC!zE z$+Gd~{ycqA{rY(Nw3_lVMkYyr!2BpaqpZ$8x7IT(fERiDwStra(eL}>6Z}tP+v6(n zQnAEu*U;u0kts_U08|uJLDwjz+N^`YRIYqT8chPFQ0GI6EcRm8F+k3>TLH$~)-PDU z;v?($blCSoRFSU7%Dh@0D-Y|}afvI*1Bse*juSpx>Ky2!fqrcbFW)v*8C@d2;TDqQQpvB0Uj@Sc4nqPkg8vbtUC6sV{iQL=69J^ zOiHB-3e$h>IiwOcdZj=}i@;NPk;kB+&MZ(USZKOooEXH_Tm*CCCV4XyEb4^gqLY$F z$p3IAtiCB6yxVzowYRRfjz9DKw~E}b&YrJWiSjoDrU<+QRVU01DNt45`6K)z!HJ^G zsV7Qo!?~^`8dW^VTmhH7AWmGs^$5jd{o@e!Y*` zn4p0x|6fz@%y~8|1NLWTsz6o>zvDMjGu~C)G<>Ow)`f?K@##)Kd9=_qW%Hg0Xz`MJS%}C zEP>!1P59if@FE&#%b56_t5T~m3ARs3RJYpldkeu*7)d=TD2X=?on1Fc%}Fj>T!PDl zJQ2KA)6M@2T$vl)#jAm5{W^CY_0G*|rD*w!WP` zU!d7e`|Ou%%y+=N5NImMkpkuuh0oa_QE!N5F(6LBnr%3i>4!)T*uZ8{A(W$yv3HQ! za7f!bL2dU()c1L=>!ENbl!E{HmW#iCOCb}btOTTtqrJ zea@4qQcgJ@rl2xI_DaXpGg-qH*M@aBe#tET{MF)d7WwMhl$_gih z_X7+Z31(vcsS+ySkC{4XR+<4vy)DP#!F;I*A(aI>IQdF|2G>mLFe<08pD{_q7=DC~ zJ09)G0LUxnPcDguQ_P9pW&S_N+R?S zhh))FqD#b^HmvfMVQ^KdFp_Hm610-5%MQI=8eNAS+Z&#cSM z3!z-(`|=9IX+{HR6jz=v)oZbu}}1Tx_jg%-H*2*?i%5F#%84buC)CAhx(!iozEHz19q zs;xy#+gkIQ>zp=lx-l8TQ(y;frN=t6SRvOX=B3xBh{Nuk^OF^a@2L#VthS*Zr4k&y1OknAo0A0c(%=k3dr7?VboVUx$8 zP07ZY#P4UKQ4Kg&YV`bSJ>iSI2Wj;F1ScEBt0E&4UO~^0k_PPv%ZDe!^2(09+KUZV z-N+j!Xng1!X7F3*N#*>epg=h-hv+BQ5f$sz18YrTkP8(rWtq7ckz9mkWqYQDb-xCS zCPpAN`Bn5nS2S3L6Ao_cu)bT;ELkdni?94L+^I)~rV&vGeFOWGolOz9L-~Q89G$kO zXIZYYkpo}o3NN_iQk*Z(LqDpQJHICpMRU0Fi++I=HvKTu1pid<|S3S#IUaS2! 
zn@@;IMeG9;xJJi`n}zIA(J!rtYJ`Ay?e)hE#5931zHW(*dU=IxJEoRSBIzXE|dT3C(K5=(|h^ zE`3DHv2<~r+!ic%d+leUL++)!cDGrcvS1t)5(R1z9?S(ydQGj$u`7mbIxU>Gc<#a`3LUz*s z>4|&o@n?=vE(da$gMEKgNtz~XE{4(*>Tq_BwbSd!^csXxD0<iDJcgPP8g2;HVuo!dednH!U0KQ!@hr%|l_XiNQ8C#Q>R zrNE8At2~_{)y=G$V9kdTxi=Z1putU?o-m0L;VcV^9e((D%s**})Pkop3c8CtUA@jz zOt+h4&6RAR{DXXrI`utwF@|rce#g;aESo3Tgve4(tyfJZSypdWe9sMAf_lZNz@lhk zoGNz)lR|Q8X(aDg)iKdSjwLh=@jL#2K1KmT+kXg;^9icwy4>rvy1C)2w|MdLVzj#3 zwSMWoyWQIDwq+{D)j;yje+7wp_=xTrTM2^wbU0?{m!a^JkytY~4`!n! ze5*Zmp`fH-q4HLx`E(Mz{9@0A>q!G%3USghwY0~j?27k|TMKlY?NbIh#TEU(Aw5mp zvY0FJNd1d=I<{|liZA|N%@UERNM7W@)ym0;NQo*UAqsws#{nh`0p#Ov76FSNAO#yIWZqA834q3sC%>gZO4wc zqxCEEhAFW}3r(rx*gAmQeCc63-?K6Thud?^`|FR{V^IA4fir))%O6k>Iw2eA+&Ct(m)3Hf?V!96xC* z$zOuzck;8z2YS;3)7CHrGYe3Y6eGt0^mU;`D4%TB(1>WQhSSUR42WB-&q=9&m<@Dq;{58 zb*0fY*wp|s@zWV?l&CXk0dzGtg1&1E3cA&lRVMJ#xr_0eizV+VC0(i|t{+`cmKt`N zYI5rB{zks=DqD+1x%=%o=tW(_38v`c8t_R8H92{g{+eaNlJDy0tM94>y3#K-^gC5d z8w+l)2y*Uy&5MLPZ}vhhB$dVUeyiD~H$J%crm6$ldicyT9orkPe} zT%;yoxjAmQv+DPd^`~nUc?4~6;qe`#8c59sB`fevP+J~-kg2K|yXEC2VxK)PQ-g4A za+N~e?n3$=51~eGl_Pco;f}&IM%=l1+JRzeA3V^D^vpB{d!Gfub*Jm(tqjm^7#Kzs z-gRm{Kj!&I?eY)Hz?T?D0m2SQk@$LD@m~FVs;TkFn>4QNQ@gu6Z?+9d{k=8yf;?Jq zWQE){oqYv;Dullunm8Ue<}fMCmEO6;2>jRHv@f8y48%c!(GEB`w4$0$QS?C7x|l%f#{!+kJ@@l zIL7MoRW{lw6ZhN@Efn*DYA9qS>&7z7fS)g4dFRzkV&oRc&<|cJ5IL7{@^UTxYV7Hq zp@s-8p8H5*9=0^wY;j!UKhJs^%UXynu_Zmh za^}~yyr2(ba)3vEWr!k-qNB;^6)^h5>>2e6_2NX0X| zY?(iKuF)?2%*dFvV%~MtAVDFLSC|}1*D-6Ph0s}BE-V3%l<16QfG%JFJ*}A$qbTdw z)G*jZbak{6x;|(~mGa*smWXFgGa2I&Yx^*!4 zdLM#TBY|Q8;U(ID8^**<)wDL?)0YEs&n4QUNm(6-SK z>)E~T>^xq4Fq7d)N7yH{f1WwbcePuo!DlTD)s4;x_iKcaLoDtU_MA{JmAUs8AHYL$q6{m%R{ z6w`3$x(0Xq;MLi{`uLgS)tz~|{OtIG{;RD^*0VSIy_V&`(X02w;L`Dhus7Yd$^xL& zx8J=3IQ@FxEMDzt$0lmMdv|}f2yLsh>`oA$0i-~<*B)^Grso*6@+Y{aJ<#1&_V)rFZEUG#b69rXt3j(z zNj&UqUG<^*Yhu1v{1YBTrP%U7{t0@?{=Un;wt_OB>?PF`1>`BQ&9va<47Qa_mX&m- z^kEPcYmF}ON#o_J<`yVDu5tBHG4ujs+G#sm@!JW>D?lP7931Wrv;4k%* zAHF=dAJXf=Bioes>WRSBL%zpbLTA!I-pHo@FD>0dVEvTN+R65AS6(h=$+HK~m2a*` 
zFS1pbZzj7RJuiBplwl5HO&-LJ#N6>9e97zyuZ>JX3Fi`(a!-*vVntBF#Ih@_#(w>WQW_h z%qA<`X))eED|%}v&Qpmb`gmS>UDp2 z8U=l4Pmn3KuI+bK)}oQVRi4cr!lWcJT^KHhhyR_|CGp><4R4V&x`E+%*kRI1qCt4iiFa&VmT0B!A~_+ppfk$;o+dbF1l2`#C>W z=xTR#r?l-y$sUNX2tnnDsk5z(fam{8u2<7c+?Zv=vr_KCh4~ z;o4Y!V@%M3Jn(fU#gNyZC6KBOG@nRxgWM@HBYPYJcH)-z*?afwdH+T_CR_wRhG4dv z_PwCJ%-nArBwJ4yX0Xuz`qg(3@Lg~)eCt(C?B^H3;@1s1oM~@JW$gt^jRfO$o4X&- z4z#*lA-Ue>DH2}4A`mMtvFY2n*xTX===OWL^*Y?btIdh`V=1U7%>Y6Akyw9 zD@&CI=W44ah!)KY8!3ee7|SKvV>bNPKdYnzw3bl&J)%fp%#ztw7RuTxLu>HxK>X^< zW40k0F?+0q2%7%x=M~PpeKz><1D!CYIVN1Sa<}+xlfY^Mjzm*QGsSK3%{UzU?38d$ zK29I7YnBuzx;-5bCs}M9*ej-I>KV-I=O1nk4O%BKr6{beeKzLVYy6?nKCwfVpGnIn z_#~ukkv9epoCpK3j(^ zTk(w453k2pvm0)Sv$<}6(R`BL-^v?rRY6fISn~w z6Eg68xQ;@|?XmC$`QZgRP|nN%;pJqEbq*k1m?#Ld($rAXbhNUiUR=msDW>))T8Q&g z8RZiEdB;U3i*6oZBp{(_Pe-1p;OlMqW#XW?6%gL%oiU++KWEKUFR@cxqcbGls21W@ z44LFm%%xyoaL*^L2TwKCq=7X?@Opv-=Nkp~-1(&rM=DS=y|DbN?0k=ZnCr2U1KcTG zpj^=9y7i2DJL($S(;R+PT_+o&{WoYb&5JG%8)%yF^R~R*{T&ud9g%1xH%MG4P2zX7 z<%EZJcUQc=!G{y|lTBbC8J0+cEmlg@mxV(0`F>01pbj=EQcQZb+VL9{pW^UqN*UE{ z_2QqRQ+A=&yGx>nmTuLre-FRT%&x864|>(|U{-ifDmy4meQ^1&W9-t4;V40&zcOQ@ zsYADu^j(JU^m@1mE|5)O%-}j+w>AR#k^YU-ng&JM*j$gSj@Pa!6+Ho{PG4oYx->2J z=&G-?xu(c^AUr-tZ4O&a9g4K|^cpm*7emq*3=O+9m~D6D3j}N^Ohesq7{jnsFmdYX zRl}vVlkwJYI(Ir$SdIgPcR$-|U`I0vm>Ag#2^N1awG3A*A@TVvq(L(Cz5o7m4(X7G zG9tP0SC(u6t$a;Qkq5y~U`PG8kbqWf)3ZzEZCVy>&yW+%2Z2nm<^-%vgE$}c?L>3& zgo$$HFG3h3eoey)a3N|7LEiLmq#B5*+&Mo-CveoagGkt=i%{NObAXqBY1P5?5spMW zc`o-<$JHHDjd%*}K?NtR%o{4HC#z8L{H0o~|LnieA4SGT?891udjoj^J|98Tb9d%8 zQR#AI#Z(W-+KAcC1CPVnfnvV5y8>B%&7DN2QmpPXrURnh<(f8fXamA$i7d>sCy%ngbH_*I+P^EUpra8U_K;@f9-wK zvr`f`%bTb({zaSGD-MSAzAe0G^d^1_bQ{aHu*qL>fIcHqV%w5S(OXi4dlc@TdLuKb z<}w(Gvni9LM&nYOx|$;}rCh5Y>^*x25sDya!m7p3D0R1q z%fINR#v5ws_w`xxj<(N84!2JBdyh9NzOWR=Y6tl=UK`qL52>Zn?{zpK=2H3X7^n2g z!_6t%r<(QKKQ!>=e>BImRwKD0qA)otx9-d`4+<`NO@+?pRgPSA86uia@7B7ugFusRkIa0_GZ(p>Bp86VNqeVwD%N8YQ%pH+>fTxQ z>L+$R!DmQ4A{HX{`>WHQU#)YY=Mlhe80U^@T~0VVKzJp!<`_YE!|>l$spNtF_ar&pGVHbN&X 
z+CmYS8BD4xr`Aa+q#a*w_YjxhU^PhdFB*INjP{tI`5iPA=9{;M$@H>xfgw3%^N0Fh z9MkCLbS|D`cM9Xi_8D9GGFTfv=bx1kH)`$1Ss%D^6nboKm|rksT5OtRD#BTbe;oTI z2G(yp*q414UI;PADf2*wfr;Az9D?47*3AOM=;Yk=-u-iPaT#-?8rwD0 z_eglQA+mUI%bnFEaROc~KefP!YyUNX9q;J5X_xWmsiH~I6{0VH{e@eYown*!c2H<+ znlUOqKhq*Ce3wYf%}MxbFlf!5-REColeTQYfc)_zW1Z@;LdE`cDE9D}YHxk8`X0j9 z)82jja&PX6s?&^_y7y?rbV0o#RL\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [ExtraHop Reveal(x)](https://www.extrahop.com/products/security/) Solution for Microsoft Sentinel enables ingestion of Common Event Format (CEF) logs into Microsoft Sentinel. This solution enables you to view dashboards, create custom alerts, and improve investigation. This integration gives you the ability to gain insight into your organization's network and improve your security operation capabilities.\r\n \r\n **Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs: \r\n \r\n a. 
[Agent-based log collection (CEF over Syslog) ](https://docs.microsoft.com/azure/sentinel/connect-common-event-format)\n\n**Data Connectors:** 1, **Workbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/ExtraHop%20Reveal(x)/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [ExtraHop Reveal(x)](https://www.extrahop.com/products/security/) Solution for Microsoft Sentinel enables ingestion of Common Event Format (CEF) logs into Microsoft Sentinel. This solution enables you to view dashboards, create custom alerts, and improve investigation. This integration gives you the ability to gain insight into your organization's network and improve your security operation capabilities.\n\r\n1. **ExtraHop Reveal(x) via AMA** - This data connector helps in ingesting ExtraHop Reveal(x) logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. **ExtraHop Reveal(x) via Legacy Agent** - This data connector helps in ingesting ExtraHop Reveal(x) logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends installation of ExtraHop Reveal(x) via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. 
Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Data Connectors:** 2, **Workbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", @@ -63,6 +63,7 @@ "text": "This solution installs the data connector for ingesting ExtraHop Reveal Events in the CEF format into Microsoft Sentinel. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." } }, + { "name": "dataconnectors-link2", "type": "Microsoft.Common.TextBlock", @@ -100,6 +101,20 @@ "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data" } } + }, + { + "name": "workbook1", + "type": "Microsoft.Common.Section", + "label": "ExtraHop", + "elements": [ + { + "name": "workbook1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Gain insights into ExtraHop Reveal(x) detections by analyzing traffic and activities.\nThis workbook provides an overview of security detections in your organization's network, including high-risk detections and top participants." + } + } + ] } ] } diff --git a/Solutions/ExtraHop Reveal(x)/Package/mainTemplate.json b/Solutions/ExtraHop Reveal(x)/Package/mainTemplate.json index 147e5af3af6..89f76ab95b3 100644 --- a/Solutions/ExtraHop Reveal(x)/Package/mainTemplate.json +++ b/Solutions/ExtraHop Reveal(x)/Package/mainTemplate.json 
@@ -38,52 +38,48 @@ } }, "variables": { + "_solutionName": "ExtraHop Reveal(x)", + "_solutionVersion": "3.0.0", "solutionId": "extrahop.extrahop_revealx_mss", "_solutionId": "[variables('solutionId')]", - "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", "uiConfigId1": "ExtraHopNetworks", "_uiConfigId1": "[variables('uiConfigId1')]", "dataConnectorContentId1": "ExtraHopNetworks", "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", "_dataConnectorId1": "[variables('dataConnectorId1')]", - "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1')))]", + "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", "dataConnectorVersion1": "1.0.0", + "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", + "uiConfigId2": "ExtraHopNetworksAma", + "_uiConfigId2": "[variables('uiConfigId2')]", + "dataConnectorContentId2": "ExtraHopNetworksAma", + "_dataConnectorContentId2": "[variables('dataConnectorContentId2')]", + "dataConnectorId2": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", + "_dataConnectorId2": "[variables('dataConnectorId2')]", + "dataConnectorTemplateSpecName2": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]", + "dataConnectorVersion2": "1.0.0", + "_dataConnectorcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]", "workbookVersion1": "1.0.0", "workbookContentId1": "ExtraHopDetectionSummaryWorkbook", "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]", - "workbookTemplateSpecName1": "[concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1')))]", - "_workbookContentId1": "[variables('workbookContentId1')]" + "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]", + "_workbookContentId1": "[variables('workbookContentId1')]", + "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", + "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]", + "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, "resources": [ { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('dataConnectorTemplateSpecName1')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": 
"[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "DataConnector" - }, - "properties": { - "description": "ExtraHop Reveal(x) data connector with template", - "displayName": "ExtraHop Reveal(x) template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('dataConnectorTemplateSpecName1'),'/',variables('dataConnectorVersion1'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "DataConnector" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName1'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ExtraHop Reveal(x) data connector with template version 2.0.1", + "description": "ExtraHop Reveal(x) data connector with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion1')]", @@ -99,7 +95,7 @@ "properties": { "connectorUiConfig": { "id": "[variables('_uiConfigId1')]", - "title": "ExtraHop Reveal(x)", + "title": "[Deprecated] ExtraHop Reveal(x) via Legacy Agent", "publisher": "ExtraHop Networks", "logo": "ExtraHopLogo.svg", "descriptionMarkdown": "The ExtraHop Reveal(x) data connector enables you to easily connect your Reveal(x) system with Microsoft Sentinel to view dashboards, create custom alerts, and improve investigation. This integration gives you the ability to gain insight into your organization's network and improve your security operation capabilities.", 
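Review bot: The rewritten first resource now lists `"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"` in `dependsOn`, but no `contentPackages` resource named `variables('_solutionId')` is declared in this hunk; if it is not defined elsewhere in the same template (outside this view), the deployment fails to resolve the dependency, so confirm a resource of exactly that type and name exists. The resource also moves to `"apiVersion": "2023-04-01-preview"`; preview APIs can change shape before GA, so it is worth a tracked follow-up to move the `contentTemplates` and `metadata` resources to a GA version once one is published. The `@@ -99,7 +95,7 @@` hunk on the same line is a title change only.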
@@ -242,7 +238,7 @@ }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", + "apiVersion": "2023-04-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", "properties": { "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", @@ -265,12 +261,23 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_dataConnectorContentId1')]", + "contentKind": "DataConnector", + "displayName": "[Deprecated] ExtraHop Reveal(x) via Legacy Agent", + "contentProductId": "[variables('_dataConnectorcontentProductId1')]", + "id": "[variables('_dataConnectorcontentProductId1')]", + "version": "[variables('dataConnectorVersion1')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", + "apiVersion": "2023-04-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", "dependsOn": [ "[variables('_dataConnectorId1')]" 
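Review bot: `"displayName": "[Deprecated] ExtraHop Reveal(x) via Legacy Agent"` in the new `properties` block is a third literal copy of the connector title (the `connectorUiConfig.title` values at `@@ -99,7 +95,7 @@` and `@@ -304,7 +311,7 @@` carry the same string), so a future rename has to touch all three and they can drift; a single variable such as `"_dataConnectorTitle1": "[Deprecated] ExtraHop Reveal(x) via Legacy Agent"` referenced as `[variables('_dataConnectorTitle1')]` in each place would keep them in step. The `@@ -242,7 +238,7 @@` hunk on the same line is the apiVersion bump only.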
@@ -304,7 +311,7 @@
 "kind": "GenericUI",
 "properties": {
 "connectorUiConfig": {
- "title": "ExtraHop Reveal(x)",
+ "title": "[Deprecated] ExtraHop Reveal(x) via Legacy Agent",
 "publisher": "ExtraHop Networks",
 "descriptionMarkdown": "The ExtraHop Reveal(x) data connector enables you to easily connect your Reveal(x) system with Microsoft Sentinel to view dashboards, create custom alerts, and improve investigation. This integration gives you the ability to gain insight into your organization's network and improve your security operation capabilities.",
 "graphQueries": [
@@ -430,33 +437,361 @@
 }
 },
 {
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
- "name": "[variables('workbookTemplateSpecName1')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('dataConnectorTemplateSpecName2')]",
 "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "Workbook"
- },
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
 "properties": {
- "description": "ExtraHop Reveal(x) Workbook with template",
- "displayName": "ExtraHop Reveal(x) workbook template"
+ "description": "ExtraHop Reveal(x) data connector with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('dataConnectorVersion2')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]",
+ "apiVersion": "2021-03-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "location": "[parameters('workspace-location')]",
+ "kind": "GenericUI",
+ "properties": {
+ "connectorUiConfig": {
+ "id": "[variables('_uiConfigId2')]",
+ "title": "[Recommended] ExtraHop Reveal(x) via AMA (using Azure Functions)",
+ "publisher": "ExtraHop Networks",
+ "logo": "ExtraHopLogo.svg",
+ "descriptionMarkdown": "The ExtraHop Reveal(x) data connector enables you to easily connect your Reveal(x) system with Microsoft Sentinel to view dashboards, create custom alerts, and improve investigation. 
This integration gives you the ability to gain insight into your organization's network and improve your security operation capabilities.",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "ExtraHop Networks",
+ "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'ExtraHop'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "All logs",
+ "query": "\nCommonSecurityLog\n| where DeviceVendor == \"ExtraHop\"\n\n | sort by TimeGenerated"
+ },
+ {
+ "description": "All detections, de-duplicated",
+ "query": "\nCommonSecurityLog\n| where DeviceVendor == \"ExtraHop\"\n\n | extend categories = iif(DeviceCustomString2 != \"\", split(DeviceCustomString2, \",\"),dynamic(null))\n     | extend StartTime = extract(\"start=([0-9-]+T[0-9:.]+Z)\", 1, AdditionalExtensions,typeof(datetime))\n     | extend EndTime = extract(\"end=([0-9-]+T[0-9:.]+Z)\", 1, AdditionalExtensions,typeof(datetime))\n     | project      \n     DeviceEventClassID=\"ExtraHop Detection\",\n     Title=Activity,\n     Description=Message,\n     riskScore=DeviceCustomNumber2,     \n     SourceIP,\n     DestinationIP,\n     detectionID=tostring(DeviceCustomNumber1),\n     updateTime=todatetime(ReceiptTime),\n     StartTime,\n     EndTime,\n     detectionURI=DeviceCustomString1,\n     categories,\n     Computer\n     | summarize arg_max(updateTime, *) by detectionID\n     | sort by detectionID desc"
+ }
+ ],
+ "connectivityCriterias": [
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "CommonSecurityLog\n |where DeviceVendor =~ 'ExtraHop'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
+ ]
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "CommonSecurityLog (‘ExtraHop’)",
+ "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 
'ExtraHop'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "read": true,
+ "write": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
+ },
+ {
+ "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)"
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "instructions": [
+ {
+ "parameters": {
+ "title": "1. Kindly follow the steps to configure the data connector",
+ "instructionSteps": [
+ {
+ "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector",
+ "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. 
Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine"
+
+ },
+ {
+ "title": "Step B. Forward ExtraHop Networks logs to Syslog agent",
+ "description": "1. Set your security solution to send Syslog messages in CEF format to the proxy machine. Make sure to send the logs to port 514 TCP on the machine IP address.\n2. Follow the directions to install the [ExtraHop Detection SIEM Connector bundle](https://aka.ms/asi-syslog-extrahop-forwarding) on your Reveal(x) system. The SIEM Connector is required for this integration.\n3. Enable the trigger for **ExtraHop Detection SIEM Connector - CEF**\n4. Update the trigger with the ODS syslog targets you created \n5. The Reveal(x) system formats syslog messages in Common Event Format (CEF) and then sends data to Microsoft Sentinel."
+
+ },
+ {
+ "title": "Step C. Validate connection",
+ "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. 
You must have elevated permissions (sudo) on your machine",
+ "instructions": [
+ {
+ "parameters": {
+ "label": "Run the following command to validate your connectivity:",
+ "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef"
+ },
+ "type": "CopyableLabel"
+ }
+ ]
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ },
+ {
+ "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
+ "title": "2. Secure your machine "
+ }
+ ],
+ "metadata": {
+ "id": "3c3af19d-b178-44cd-a130-c48b366758c4",
+ "version": "1.0.0",
+ "kind": "dataConnector",
+ "source": {
+ "kind": "community"
+ },
+ "author": {
+ "name": "ExtraHop Networks"
+ },
+ "support": {
+ "name": "ExtraHop Networks",
+ "link": "https://www.extrahop.com/support/",
+ "tier": "developer"
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
+ "contentId": "[variables('_dataConnectorContentId2')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorVersion2')]",
+ "source": {
+ "kind": "Solution",
+ "name": "ExtraHop Reveal(x)",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "ExtraHop"
+ },
+ "support": {
+ "name": "ExtraHop",
+ "tier": "partner",
+ "link": "https://www.extrahop.com/support/"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": 
"[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_dataConnectorContentId2')]",
+ "contentKind": "DataConnector",
+ "displayName": "[Recommended] ExtraHop Reveal(x) via AMA (using Azure Functions)",
+ "contentProductId": "[variables('_dataConnectorcontentProductId2')]",
+ "id": "[variables('_dataConnectorcontentProductId2')]",
+ "version": "[variables('dataConnectorVersion2')]"
 }
 },
 {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('workbookTemplateSpecName1'),'/',variables('workbookVersion1'))]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]",
+ "dependsOn": [
+ "[variables('_dataConnectorId2')]"
+ ],
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
+ "contentId": "[variables('_dataConnectorContentId2')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorVersion2')]",
+ "source": {
+ "kind": "Solution",
+ "name": "ExtraHop Reveal(x)",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "ExtraHop"
+ },
+ "support": {
+ "name": "ExtraHop",
+ "tier": "partner",
+ "link": "https://www.extrahop.com/support/"
+ }
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]",
+ "apiVersion": "2021-03-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "location": 
"[parameters('workspace-location')]",
+ "kind": "GenericUI",
+ "properties": {
+ "connectorUiConfig": {
+ "title": "[Recommended] ExtraHop Reveal(x) via AMA (using Azure Functions)",
+ "publisher": "ExtraHop Networks",
+ "descriptionMarkdown": "The ExtraHop Reveal(x) data connector enables you to easily connect your Reveal(x) system with Microsoft Sentinel to view dashboards, create custom alerts, and improve investigation. This integration gives you the ability to gain insight into your organization's network and improve your security operation capabilities.",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "ExtraHop Networks",
+ "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'ExtraHop'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "CommonSecurityLog (‘ExtraHop’)",
+ "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'ExtraHop'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriterias": [
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "CommonSecurityLog\n |where DeviceVendor =~ 'ExtraHop'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
+ ]
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "All logs",
+ "query": "\nCommonSecurityLog\n| where DeviceVendor == \"ExtraHop\"\n\n | sort by TimeGenerated"
+ },
+ {
+ "description": "All detections, de-duplicated",
+ "query": "\nCommonSecurityLog\n| where DeviceVendor == \"ExtraHop\"\n\n | extend categories = iif(DeviceCustomString2 != \"\", split(DeviceCustomString2, \",\"),dynamic(null))\n     | extend StartTime = extract(\"start=([0-9-]+T[0-9:.]+Z)\", 1, 
AdditionalExtensions,typeof(datetime))\n     | extend EndTime = extract(\"end=([0-9-]+T[0-9:.]+Z)\", 1, AdditionalExtensions,typeof(datetime))\n     | project      \n     DeviceEventClassID=\"ExtraHop Detection\",\n     Title=Activity,\n     Description=Message,\n     riskScore=DeviceCustomNumber2,     \n     SourceIP,\n     DestinationIP,\n     detectionID=tostring(DeviceCustomNumber1),\n     updateTime=todatetime(ReceiptTime),\n     StartTime,\n     EndTime,\n     detectionURI=DeviceCustomString1,\n     categories,\n     Computer\n     | summarize arg_max(updateTime, *) by detectionID\n     | sort by detectionID desc"
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "read": true,
+ "write": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. 
[Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
+ },
+ {
+ "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)"
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "instructions": [
+ {
+ "parameters": {
+ "title": "1. Kindly follow the steps to configure the data connector",
+ "instructionSteps": [
+ {
+ "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector",
+ "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine"
+
+ },
+ {
+ "title": "Step B. Forward ExtraHop Networks logs to Syslog agent",
+ "description": "1. Set your security solution to send Syslog messages in CEF format to the proxy machine. Make sure to send the logs to port 514 TCP on the machine IP address.\n2. Follow the directions to install the [ExtraHop Detection SIEM Connector bundle](https://aka.ms/asi-syslog-extrahop-forwarding) on your Reveal(x) system. The SIEM Connector is required for this integration.\n3. Enable the trigger for **ExtraHop Detection SIEM Connector - CEF**\n4. 
Update the trigger with the ODS syslog targets you created \n5. The Reveal(x) system formats syslog messages in Common Event Format (CEF) and then sends data to Microsoft Sentinel."
+
+ },
+ {
+ "title": "Step C. Validate connection",
+ "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine",
+ "instructions": [
+ {
+ "parameters": {
+ "label": "Run the following command to validate your connectivity:",
+ "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef"
+ },
+ "type": "CopyableLabel"
+ }
+ ]
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ },
+ {
+ "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
+ "title": "2. 
Secure your machine "
+ }
+ ],
+ "id": "[variables('_uiConfigId2')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('workbookTemplateSpecName1')]",
 "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "Workbook"
- },
 "dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('workbookTemplateSpecName1'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ExtraHopDetectionSummaryWorkbook Workbook with template version 2.0.1",
+ "description": "ExtraHopDetectionSummaryWorkbook Workbook with template version 3.0.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion1')]",
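Review bot: The new connector's `title` (in both connectorUiConfig copies) and the `displayName` of its contentTemplates resource end in "(using Azure Functions)", yet nothing in this hunk deploys a Function — Step A configures a CEF-via-AMA Data Collection Rule and the connectivity and data-type queries key on `CollectorHostName` — so the suffix misdescribes the connector in the gallery; `"title": "[Recommended] ExtraHop Reveal(x) via AMA"` (and the same `displayName`) matches what is actually installed. The `permissions.resourceProvider` entry for `Microsoft.OperationalInsights/workspaces/sharedKeys` looks carried over from the legacy-agent connector: the AMA flow documented here onboards through the DCR rather than the workspace key, so asking installers for shared-key access grants a credential the connector never uses. The two provenance records in the hunk disagree — the inline `metadata` says `"kind": "community"`, author "ExtraHop Networks", tier "developer", while the providers/metadata resources say `"kind": "Solution"`, author "ExtraHop", tier "partner" — and should be reconciled to one. Step C's CopyableLabel fetches `Sentinel_AMA_troubleshoot.py` from the `master` branch and runs it under sudo with no pinned revision or checksum, so what executes as root on the collector can change without this template changing; pinning to a fixed commit would at least make it reproducible.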
@@ -502,21 +837,56 @@
 "name": "ExtraHop",
 "tier": "partner",
 "link": "https://www.extrahop.com/support/"
+ },
+ "dependencies": {
+ "operator": "AND",
+ "criteria": [
+ {
+ "contentId": "CommonSecurityLog",
+ "kind": "DataType"
+ },
+ {
+ "contentId": "ExtraHopNetworks",
+ "kind": "DataConnector"
+ },
+ {
+ "contentId": "ExtraHopNetworksAma",
+ "kind": "DataConnector"
+ }
+ ]
 }
 }
 }
 ]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_workbookContentId1')]",
+ "contentKind": "Workbook",
+ "displayName": "[parameters('workbook1-name')]",
+ "contentProductId": "[variables('_workbookcontentProductId1')]",
+ "id": "[variables('_workbookcontentProductId1')]",
+ "version": "[variables('workbookVersion1')]"
 }
 },
 {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages",
+ "apiVersion": "2023-04-01-preview",
 "location": "[parameters('workspace-location')]",
 "properties": {
- "version": "2.0.1",
+ "version": "3.0.0",
 "kind": "Solution",
- "contentSchemaVersion": "2.0.0",
+ "contentSchemaVersion": "3.0.0",
+ "displayName": "ExtraHop Reveal(x)",
+ "publisherDisplayName": "ExtraHop",
+ "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The ExtraHop Reveal(x) Solution for Microsoft Sentinel enables ingestion of Common Event Format (CEF) logs into Microsoft Sentinel. This solution enables you to view dashboards, create custom alerts, and improve investigation. This integration gives you the ability to gain insight into your organization's network and improve your security operation capabilities.

\n
    \n
  1. ExtraHop Reveal(x) via AMA - This data connector helps in ingesting ExtraHop Reveal(x) logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent here. Microsoft recommends using this Data Connector.

    \n
  2. \n
  3. ExtraHop Reveal(x) via Legacy Agent - This data connector helps in ingesting ExtraHop Reveal(x) logs into your Log Analytics Workspace using the legacy Log Analytics agent.

    \n
  4. \n
\n

NOTE: Microsoft recommends installation of ExtraHop Reveal(x) via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024, and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.

\n

Data Connectors: 2, Workbooks: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n",
+ "contentKind": "Solution",
+ "contentProductId": "[variables('_solutioncontentProductId')]",
+ "id": "[variables('_solutioncontentProductId')]",
+ "icon": "",
 "contentId": "[variables('_solutionId')]",
 "parentId": "[variables('_solutionId')]",
 "source": {
@@ -540,6 +910,11 @@
 "contentId": "[variables('_dataConnectorContentId1')]",
 "version": "[variables('dataConnectorVersion1')]"
 },
+ {
+ "kind": "DataConnector",
+ "contentId": "[variables('_dataConnectorContentId2')]",
+ "version": "[variables('dataConnectorVersion2')]"
+ },
 {
 "kind": "Workbook",
 "contentId": "[variables('_workbookContentId1')]",
diff --git a/Solutions/ExtraHop Reveal(x)/ReleaseNotes.md b/Solutions/ExtraHop Reveal(x)/ReleaseNotes.md
new file mode 100644
index 00000000000..63be22aa8f5
--- /dev/null
+++ b/Solutions/ExtraHop Reveal(x)/ReleaseNotes.md
@@ -0,0 +1,5 @@
+| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
+|-------------|--------------------------------|--------------------------------------------------------------------|
+| 3.0.0 | 13-09-2023 | Addition of new ExtraHop Reveal(x) AMA **Data Connector** | |
+
+
diff --git a/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json b/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json
index f9d6b5bc141..0209e2a4d8a 100644
--- a/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json
+++ b/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json
@@ -764,7 +764,8 @@
 "CommonSecurityLog"
 ],
 "dataConnectorsDependencies": [
- "ExtraHopNetworks"
+ "ExtraHopNetworks",
+ "ExtraHopNetworksAma"
 ],
 "previewImagesFileNames": [
 "ExtrahopWhite.png",
From cd4f0512871bf9d2c279adb6c0ad1ef119089eb4 Mon Sep 17 00:00:00 2001
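Review bot: The workbook's new `dependencies` block joins `ExtraHopNetworks` and `ExtraHopNetworksAma` with `"operator": "AND"`, so the workbook now requires the legacy-agent connector as well as the AMA one, while the `descriptionHtml` added in the same hunk says the legacy connector should only be installed where AMA is not supported. The two connector criteria should be alternatives — keep `CommonSecurityLog` as the hard requirement and put the connectors under an `"operator": "OR"` group if the package dependency schema accepts nested groups, otherwise list only the AMA connector this version recommends. `"icon": ""` stores an empty string rather than omitting the key, which reads as a placeholder; either drop it or supply the icon. The `Aug 31, 2024` date in `descriptionHtml` is hard-coded prose that will go stale silently, so it needs an owner in the release process.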
From: v-rusraut
Date: Wed, 13 Sep 2023 15:28:57 +0530
Subject: [PATCH 2/4] update data file and zip
---
 .../Data/Solution_ExtraHop Reveal(x).json | 2 +-
 .../ExtraHop Reveal(x)/Package/3.0.0.zip | Bin 11270 -> 11270 bytes
 2 files changed, 1 insertion(+), 1 deletion(-)
diff --git a/Solutions/ExtraHop Reveal(x)/Data/Solution_ExtraHop Reveal(x).json b/Solutions/ExtraHop Reveal(x)/Data/Solution_ExtraHop Reveal(x).json
index 1c175cd5068..81a5f253e77 100644
--- a/Solutions/ExtraHop Reveal(x)/Data/Solution_ExtraHop Reveal(x).json
+++ b/Solutions/ExtraHop Reveal(x)/Data/Solution_ExtraHop Reveal(x).json
@@ -5,7 +5,7 @@
 "Description": "The [ExtraHop Reveal(x)](https://www.extrahop.com/products/security/) Solution for Microsoft Sentinel enables ingestion of Common Event Format (CEF) logs into Microsoft Sentinel. This solution enables you to view dashboards, create custom alerts, and improve investigation. This integration gives you the ability to gain insight into your organization's network and improve your security operation capabilities.\n\r\n1. **ExtraHop Reveal(x) via AMA** - This data connector helps in ingesting ExtraHop Reveal(x) logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. **ExtraHop Reveal(x) via Legacy Agent** - This data connector helps in ingesting ExtraHop Reveal(x) logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends installation of ExtraHop Reveal(x) via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).",
 "Data Connectors": [
 "Data Connectors/template_ExtraHopNetworks.json",
- "Data Connectors/template_ExtraHopReveal(x)AMA.json",
+ "Data Connectors/template_ExtraHopReveal(x)AMA.json"
 ],
 "Workbooks": [
 "Workbooks/ExtraHopDetectionSummary.json"
diff --git a/Solutions/ExtraHop Reveal(x)/Package/3.0.0.zip b/Solutions/ExtraHop Reveal(x)/Package/3.0.0.zip
index b27b18d2854e61716650a9a4cb17a9da723d0f58..53c1c0dc9594a150886d99502547518401e30f46 100644
GIT binary patch
delta 43
vcmZpRXp7(p@MdNaVPIh3U?{KL$g`4zsl0OYc8-HeKzeeOwlj#@uk8*11NaS3
delta 43
ycmZpRXp7(p@MdNaVPIh3U^t(*k!K|b)8nMg+c^#@F`dtwT&3*{
Date: Wed, 13 Sep 2023 10:24:13 +0000
Subject: [PATCH 3/4] [skip ci] Github Bot Added package to Pull Request!
---
 .../Data/system_generated_metadata.json | 30 +
 .../ExtraHop Reveal(x)/Package/3.0.0.zip | Bin 11270 -> 6576 bytes
 .../Package/createUiDefinition.json | 27 +-
 .../Package/mainTemplate.json | 748 +-----------------
 4 files changed, 35 insertions(+), 770 deletions(-)
 create mode 100644 Solutions/ExtraHop Reveal(x)/Data/system_generated_metadata.json
diff --git a/Solutions/ExtraHop Reveal(x)/Data/system_generated_metadata.json b/Solutions/ExtraHop Reveal(x)/Data/system_generated_metadata.json
new file mode 100644
index 00000000000..12725d3ae24
--- /dev/null
+++ b/Solutions/ExtraHop Reveal(x)/Data/system_generated_metadata.json
@@ -0,0 +1,30 @@ +{ + "Name": "ExtraHop Reveal(x)", + "Author": "ExtraHop", + "Logo": "", + "Description": "The [ExtraHop Reveal(x)](https://www.extrahop.com/products/security/) Solution for Microsoft Sentinel enables ingestion of Common Event Format (CEF) logs into Microsoft Sentinel. This solution enables you to view dashboards, create custom alerts, and improve investigation. This integration gives you the ability to gain insight into your organization's network and improve your security operation capabilities.\n\r\n1. **ExtraHop Reveal(x) via AMA** - This data connector helps in ingesting ExtraHop Reveal(x) logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. **ExtraHop Reveal(x) via Legacy Agent** - This data connector helps in ingesting ExtraHop Reveal(x) logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends installation of ExtraHop Reveal(x) via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. 
Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).", + "Metadata": "SolutionMetadata.json", + "BasePath": "C:\\Sentinel-Repos\\19.05.22\\Azure-Sentinel\\Solutions\\ExtraHop Reveal(x)", + "Version": "3.0.0", + "TemplateSpec": true, + "Is1PConnector": false, + "publisherId": "extrahop", + "offerId": "extrahop_revealx_mss", + "providers": [ + "ExtraHop" + ], + "categories": { + "domains": [ + "Security - Threat Protection", + "Security - Cloud Security" + ] + }, + "firstPublishDate": "2022-05-19", + "support": { + "name": "ExtraHop", + "tier": "partner", + "link": "https://www.extrahop.com/support/" + }, + "Data Connectors": "[\n \"Data Connectors/template_ExtraHopNetworks.json\",\n \"Data Connectors/template_ExtraHopReveal(x)AMA.json\"\n]", + "Workbooks": "[\n \"Workbooks/ExtraHopDetectionSummary.json\"\n]" +} 
diff --git a/Solutions/ExtraHop Reveal(x)/Package/3.0.0.zip b/Solutions/ExtraHop Reveal(x)/Package/3.0.0.zip index 53c1c0dc9594a150886d99502547518401e30f46..d91407caeac07a9aab2b530313f0718190424ebe 100644 GIT binary patch literal 6576 zcmZ{JRZtv&k}U)cPJ#z_g1ZKHcZT3Hzzh~7xZB|F7TgkKU~qQ`?(PJ4_iXO|y!ZCi zc7L4euCD&+sysmMi&0K*xAZef# z$N}UEa&%w=yErT>f0J0p^a=Wuq zSi;=N^R2i3=k8&I33z|jU=k*7V;S80PdQnlIUEE&z(Q?H5s$H;+2)=OW0r~}jvYZY zX?kbEtGHrZv!c4EaklZ^sEfHa4s+&y2PY7s`*tZsRiEtMv_cM~vDo=)pXH@=?vWyh zI6~2roY_o%wlX@p!E2|d*m})OeaayeYAOZ$qA_RRjX4p5fQc%)g=n2H&d&wvbfP|G zzoOyi9OpCC=d@*;U;RDgChtUm{)t$>>FWVMmr^?KRF=*$L9e?Rwb9oqC1#91L1#?C z{uT9CVgER(4D|Ydw7ku2S%zh{DlviH&IKgjP`9jK?;4VzO5Jbl{%oR~-1uAyM$fOO zpH2Q)Tl+7lwuuT`bgmcopr&3jG!UG;aW1rGE7&TTQP9T(z2HjJp&Qtm)_)!*JuYY7 zW?~L;B9-|4agWEP9CqTXB482vVHM4)Pd5GNt0hj;R6MK8ag(M8(VOCL2^zPJ#s2k( z%1!WG1_cfV^7BZHQMd z+xOJ1>SNZjMfYXPRp{`aTX(GzS4o)qYrNjj+0gO;E9)_XQDS8X8-Yt!6)%T{HOp1H zr3NTxoCw94Of}Gqo;$skF3nD%JjAiw8N*jZv-YvNQDZzL8$RkOuH#9 zlw8VLA^QO=UqtI!2pvktEYylhZC?g?3iKl)Jv1)UdcsiS^#2f22@4Bj;9&f*^K3<| z*h~4%>7ETg(Hu@%5Rax4PZl!~n2gKjt>&EqXV);=?BzVfa)&4xK`U+1=A3E1`ctDzG~w2vm}q61V>@W4kGC9PG30l3*4$5a zNkx)wJteEIQ;0Vyj-^2^;dmtwH6l4&cJ;3PqWG5Rr3qwYf{S+q} zZc`*lo4pSfi;3h~d0SWvXEeF=DiKCX&=}0NiNxz%a(WSY>)@CKvi+Sph>T2Qcic=x3Ydjr=+Vs0glY0-&Ve4?#M;Rqy zr#`9Bd2dDCw|&FnBb z;=!Ic>Wz`~_?4P;XpU)wc!sN;#bk!h076aM7<3-Rs6V%L9?<|q*J8p=67zYj@1k-F z$T>^;zSMnzqNw_7lWWPzH^IXRXb|<$2oW=qmc|#FTX6JX@n$& zEp@EP^#{-A=F6hdcX>{Ul~yNUgMlZgp-)%;U4Y3o6Y#^>4^of!iUpsQ18 zH%#f*!&k-vavAabZ}DJ!J>foY3cP`(rd5eui|{BAcwM15y#Vn1HYIwN*Y(Cn1mHo2 zSqo=UQ@>>}hb%!@clwKhHj5O)hCvh;r8D1@cDZ$DRF<+F%gd)n9T-$M0t(B|an28; zd94fMvw}>ibB07HeyQjxgHN*kzUsUgBUS5lA4cP5`14wn{xoesYop(3oG3MYokU^i z)+fQGzzdFTyaSd>X__79SAAH_jGVxWfTFDpj(4+i{VAb8=tupCvQ4v7B7~CW7gHpW z1jn(C9`vrg^Y4k`ehzqr*R#@t<*evhH;x$vpfU34Zb(8-pvLcvBMBpGcFLy};c{bA znjFIJs!_jWhE8oon>U>2=2WrIy5eOW)c%2nRHe>u<*b-JSF2GmCeZd#$;pP{zXshIHM0CUAedcq!ylwpj%Lwb`zSV0LT|ne~ 
z+gof9^TCUYC2VcOnWJtg?Vd`{{A-%wSRELeIg`kFFEt$Se0{#%7sY3t0@`)injM~o>=3>^knbk=R-gkPM_S^caA6!6$*k2d}!{X&CZjwM~Is3B9gJ&+C zza-pmNJoomH&NvUq-Sxode0$A(5yY!27k>I9i~B=ZIP z)gz2PBCyqS>l2v9uQ5%;X0_vykI(g!<0SX5$8=YwyBXYs=%I>Ik*mGy;p<_4IQ9RB z-lsKJuTXK};Oyk!;Qj%ey&1?s8)*N{?jOnjH?f}zgIrbwYB%=vHbD))uM9M5E%(2f zH|LsU+ZiTVYBpGxfbG*zsLdj5jiutYrpAN{xBhvL}tt}~)JIlkZ+3-9`)?Ge+ zlJxT5d<*J_-3Q$e$Ru167ADvc5Afu>5Y!bBO`D8lW4`j}`ugxJ5ubYtd#{gs;MK4w zrU{&7_v=fe^Sz*}B{_N{^qrR~z#ECxWRNVN-WFwfx34kYwUADvs32c@@J47UNq_ZMNvCt;}?mozbo@ZS@-b5olq-jYj! z^Bd$xOjRt(W4z4Ds}sG-2{X^}1Vy_nMDhCi@gdLvq#}6*SwRM#xb}jk(EjV7mlsu) ztsK^AE;JFi+qWN{jv(>}rhr!w+Fb_Oo)E%lsIDf^;UO_u6A=N5aepEl$#Jfyu-{zUJ&^_fN@Z@{y z!w*=u`mRx}8BrP8n>bV$dE`b1ODiSl7++b}I_ukg>#e5lzP2vRG8tw4x@Gu6s1P7Y zb$LE5D5z)yW0CyPdj`!;xX=GlD$>q0L|mqnUW3Y?TvssKvcRD$zbkc*A2+P4{w@WOeMZiXSNJm1c$NkD(}DLm$4d6I)fjU&0Xx~ z?|lcH&D3oyQ*B@*`s+|-l=k0HztNez8_cCh1Eh8!FW;i3h(~R(&kBj%+C)PiLc)n~ z(utOUP&ZN;0e6Hc+29`*tXy!uqg`Zfb@PziuLQX`<3cR1Wm~%#x+>#(fqFiR+Gw$$ zIm2+I#*@?Mln)k&!Ev=B?daWl*9qn+x)R12=9!_Xrx_>8Zou6=py_)lHA3mrMoX;p?#Es$>iJ6(>)TCYO6ps-t}qA=Xi|E+Ho_um ze0(Ha2w=|!Xrgy+xxHcaazZ=oGb{1qVu2i6a;GiL#Noqs3fX*EOHrg(+j0niqnIT1#3pVlcUI<$i+VY>o;_E_G=s}{T z3J*Umi6Ffifd|Nw=W@V+B=!I+cI?MW%-Cc+ap4m<=@B#8Ef&EO-o=Z_ZG8xvo*}y6 zL64?fP$gy+we7;5c^jG>D@kZ)?IyrM<@_3`R{j7y@2AT}A~q+M0C+5YGQ5+lK_qQq zGo@7I7KzQ*2a&f)2!l%k-tJbwE7AE|X=xGro)`DE_i%agxkN?*f9S|FOkF~KJ0sTU z&s$9j;=INf#51VswnGYdF%Y{f8|t2UJjgvJ?&+V`*Rg!Jrx^IX*RQjzy(ip$oQnE4 zG_vE^@kCLPwRv~6vGt@oP2o-vM@dfz!V*4Giggwy9B3Uc2g@lP{p=Q0*}K9qM-0!# zrxe&--Nb%mdM?J0po6a(QVPS{iIA^lWGpuEiu>vR=IV&zj}1QK*6kX$8~>y3`6OLP zt*V`A#Ea32*0I#FF(vA^J_UV-p_@Ba7g{^IPfux8{tP``DvAmkPI_hYQFFg*$s0(@ zd1aes@ZM2Pw&Ii9NV>dkuj;U#$o-<@t5;*o6FL2?N5?)5u)hzs+3)8{yh;nzprw`a>;q!7E>_PgP&@kE(kd%sD@22e_oaGTAgoDBf5rWf zRJq6TbHX=_t^5hU5ID>mQz5#vv^09lZfj0$X>cG3^W$}Xv^5Jw64Rv?TI{qnj-wnf z+YrKkqBVrRE_cCC74;5<^bS)#Su#C0SpzX4(_*sWOY_uJl12J#L@f!+EP%0Dh62N8 z8Th1jVRN_lK zRfqUjpDx;Mm|B09NK6d7Q%h`hS=Rxcq;WxT>A;|P&EOu0{D~)X$`B)SpT}T!O;Q6F 
z&S`|%pt)GQqcpS=2bGr@>GL-OPS)M!0UPmnG8U5v@sr8=_Fz_Jn}`shcHGJj*x426 zW~cf5W0p2lLgr6Q(IXEm*$h;DfjD+#kn5Vw-`eG8{AGx6mQVE94|Ord_}xYmyX3z3 zy@b%9GJAmWAP<5q4vX3Jq@2ZtJ_w?&wueoZ@*ry*K0rg~fJ5jb_Kg0)g8@?lVY0M1 zEIFXMB5WQ|(~nd1)dCnCZs>G>#pB!!Rr|&kY|rtn8i;V3i5ll181p&6y*987fE<-sp{%-<${Nff5 z4ndU}LcyZf(h9kaev+k6Gk37od&QhDUgC;o=aW{d!YbeEDbo^4e>~wQsJf1H!%szG zDEm^SiiJv0Pvi*{%B3?m^aq)IA1>==2=3w(O_i5BuV)~!so zi#|0U`C>!ey-;26O4;@`Lz&B;6b>RNZ6Wz^S#JeqO=Wy&psTm5AzsI2Va6j1(`nL5 zetbtaPWAA$i1)N%syu-JRhSoZ6}}n1y2JMF?gvqdyVQ?nc(1+ISJ1N^y zrZ-R?G4(ZU!>@+VR5MGH#KGfyWXik*y$EAZ-Q)5U3@(B97^RGL4@r@wgo>@Xy^_lM z!>(dFf6BOLo-n8+<#_7HY<6lTZka59_`6W!7ijisetyf#0+Jf3WSk&P$} zX0&ndmGTh$c*{@7bufFl<&uBXV?3+6ljD|8eywof?{;n4?_5`0I)D8mJM7n?l6Ti` zLY*34hVS<1OkfLuL9~*VZ6I29ej#RHX}lhfh`poSNo-92w1`%F3-5W{lENlXYnWk( zo$6@j^D~MHeN(`G3o|4PJ)>YVRN>$~YtnG}XJFIkz@}S2yy(;m8pn-}@EyWz$B0T{ z!CWDM;4fm?xymaL56_2z>5r)IbW3P8dMEU!C$Adw+yF4p<zKQLuwYHGYP87K+$t~g_f-ht<;{AS z#uLxsdib;sje`MP&!8Lx?A^lSw3%s{_08~96ttxey^{nqkadJ8=|D9-Bz3t%H65%u zY%zbo-zFfUc4y1j+lcr1)mq(hcaxADVGrS|O>q~(f9D0_^+ zp`&I4v8u5ZF{0Ebn(u5Mv<+8*68K7+Q-Y{I*Of-8?*9Ic6>~t=Tv{NEcq_0t(r9+1 zOMJaf@afx02|AvnrIrER_osbHRx0~^$NszVCB*Dhm<2Fs8T|}!vp0M2I$hC8%sDXm ziohroxkCP`Auaf|dieuP$P2pu8DQH?xl|x|*Xr;oAL6PV(lAn7P1;q`Hjea|uVYx+ zJ)cR4E^YriBV16}!FCaW!fcxNzR#JwG`E@O0jB#xl*;4#VmO{(grya^P? 
zSkFPM1nUhtcVYzGaAytyg}SU6Qh(yAn?|~?btVY)>Atey*T!_hCunEgMum`BLQvX< zW-R@}L(AE*WRGGXt`yv81;8gtiF<=9`_AX-+1XA9l!!8)vl#$-6M%kI0gxT>z+I@HUwiVF<{Q0QMXjT$9QO zmS0q_des|tJHygsT+2;i(xfD#_;N8Mst7~yPFARlCZn2}C_dsZ*<0=K8EZ5=@7yGr z2mYExX9h>NNEPf!mf?G)XO9(6CkTeDpox8p9q&P%pypUu6~a?+)+1E_YehQk0W37} z`${wV;s$Bz%|Idkg%^{FqJvAvY(={VuNriTxrXm^b;7IH==5tCKbA7o<5TKlSCX zPmZVUty%ZzI$>b956=5z!o9UkdFau$)S7J5gqojvXA#-wuZI!Pl;+_nY zcwfbim3JniKjrW-B+|~JXhOwqkz$H|>Fb_7UoWJlxYVjF5m(H$81OO2V(}VO)Tfai zn_e`0&l){)Xh^042&Ds1?*cKDBh4Eml6WJ>p_ zG9ST1Mw@6dIMfmeq{+SjIB3OCjXNNseZdwN+dO{nBg#ABpa^3!r~T-AHD72MRdUtD zQG3DqVq$-?6#13f68V9oyUS5hJn9&`1~z(KT`JN&))+D63(A~KvbNlVb7gEMbXIdo zJ<_Z|hb-$YEWcwnf8OK)6y)-A$?CO8Knkt9jC3<~^Z^z|Yn4G&96EpK4RF&LXTYV$ zWy4%S^&G;bg5jLREMh(r%9-r{WlTSZ2>Dh1QQme*IHjufB*FW|73tu|mtoQF;y>+AjT6x^6iux^W@W zhD#Ne6#`i&*qUug%N;38Gmn(GNTwc&T^?l^4#E6)i+UPgk)`=>R+SdyM(+CeI!})W zmW8_n>Nb_IS=@CAt_qI$u{U1u)s^7i;UWC*zQ{lABk%rY$Uh_?{!jH^r>Kj( literal 11270 zcmZ{~Q*2wrzB5+Z~%Hwv&!++es%Ko?zbZ|F33dP1VI-yH?e{ z*jLZ4^(X@%p)kR~z~I2Ve3-QQffYHPaA07(1Ylq||DBq-T9~+7XxRL;u(WZsakp`D zWVUs4a-7k=ay;t5`ZD@`CtAs53fq=f%A^aG&$LY`&@H-XFm3J?H1Z|}Xc>t>Z>6+Q zvc&&Aw|1g!ZX`o}ZB~m@#`ffdXS540A_1OGhwek6c?PRpF;6Tu(J+q*xq&V-fB}h; zUp%VuZ-)A}(%zBssrU>Sc3Pgn)z7Vs6J&; zc7^@g$FU!;uML~gk4I+Db?Dm&mLqbwr<`t8#te07yAy&YfTl$$)@;4;^kNKOr&jtu zd2Vg2_Q}AY&!fWYeCg(woSj|_EH8A+JL&k|^two7cd4kc$rmnQU0FY$Krrjz%K5Oj zCg2`oh>_R{t4jfzbMBQQ&e#jJbN5(YSI-mc05wWh0NA=O<#JWUaLC3G=0eCOGln6& z*eq2A&k%8MA+anzM2OJTJqEX$)3{;@+z1QVt?0Vn$CMhkIF=c#lB>hGks-BFwtzElCRw$;AF@HsYy- z`H%YDUDlR+RWg$25P6|9BYoWx-jNI-QjL-}6;ECVgWOJ){y?~p;rRzM`jL`0`5JQ2 zuhC4^LF<(C0q`&yN!K#wD5NFo13uSeW)htY#P)^LBAUe|u2(i>E6rkZL-h|T2-sV; z*bh$g@o@>*LFL&~9yiLV7FE8}1ddW0W^!1TQgJME=}@Uc~KM;7#2{SW=13kj&wA2`0 zT(P4zS82>t_cPWWW*D-X2PMGHT?gsk8K<8?KvG}VK^=!hrphDmYk_q)p}@h~-D;lD z2H-h7cIBf7?#FgcjJQBjvek%kMxBd;&UYH8`KhN{qbI8g)o0jHS`40ZxxnoWMgxN) z#;tNg?Yy^w%Zdtt-y;4T(=kp^#+EU&?w|R3F%*|JfsvWuOPVl7ro&s17k3vbyewiG z;RXt!T;Uvmb!u<~B}a1&lo^sAQwU1!9EXwODJAf4+%H1CbFdt@7>e%x7A=%l`r;Mh 
z6ABpu^=wtQ%*E#7@HgUvh5#k80HhWn+tEyMw6`y7T1-XNxC zxCH9BiH|yX0bQt6$$hSk@8=7++B>hqG*dl%G*r8vI86?+m*^|Oo_p%3wYsBLv9KB| zp88Fo5}OLVm#B=G@k34ih8bX*v(QtWSj868IfzRjpMRP-G|-Jz#8K=MrzIqE5X(T_ zz-?YGis+9uMBh&G)Crzh?^qY?lJ=JTE+vC)D>2Cz4H{i$^AN){Ljz zp?fa=0}q7-mR@ZMWluC-h4wycvqaN}0VG_^b-4EzW{+K>M&I;WBjIPe*Ug~?+vjg( zc6hj$ZzZgYm5KyE((Xu+<1<52LeI=*elk3i4yX#76aa!=cHJpqcHKizhi3o zE;8eJ*4W5hf9mDRGlhAi$gw3 z=|bz@klW4P`n=v*pU>?MEwGpwu9R-xNs6*eY_U9e%sLeL0P!gQZ>XXd=x&fg4hB|? z3=W3&AF4Q**f^?NI5^w?2Q2>|q}&MIxNb?Md^gzcnJ9MZ%Ibt*((!$z-L<6TSDFe4 z1EQ~H)#*rC$(vxnVZf+35*nV_ZohVb+a=ej`Y--qkj5}1m=;sq$vZzGEPZ`_-|c+6 zr0>4}DTUd80IucFmv_BIxv6E@V@dw`ekgd^!aipy+9bK(?46Pr zR(Nwd!5$YaNoDL&VqB5e^$@E^9-AYkWJLBD+AJE3{2F@BnpKhdzO}H|^CDd6CDq72 zX!gA~+L~~dA~KL9{BdK|Q!Bx>e28Aba3CgsA{Rc7+b|41dwlsOX+e+-yo}jH7Cj}K zXnZ80Tr;HyntTNQ?I{~~gg-mXZLjrr&6Aexr?GTBhIqSCcUVvP2;yPbCbKxzpRg38 zhM{u@K_HQ>EN2jv7RFrm4;E_X_#Oc6135xP?Hdp>#dAH$J7{0TKM9}#vk})PDc(lC zMqtc`>umRkMa1z82Y;r54oFD0!@!s#XOpZKeI9(1H9u%oBKoiarn=0mmVfkh_6BH* zylkg2SX!R8NvQ=gjZ=V=P9E>;@KVDD->{(1MVm0${QToK7d^z=BQpUHmyDxKlF3v4 z$6u2#T?M!AMi0)nlZr8>Nhc;p;UzqelD*_-BPXQfHOtKeP+C}{>`UKu7*V(ZIsWt< zbBo^Ao=44eUYwiP^Dlv>sHC3mZ8Xg$j>(!}{7 zK5?fn<{mMJHDU@32fsQgU5VbBlHVWh*U9jC($)2*2|a(61bz-)WG3k^Z%$Fye)L1% zYe&hA#9TT7ub`ZTDA}?b5{bmWl+k`wNMpG~#d6N?;6FPgFllL)v!xB2WyFpf#aSmy z?a1>wz0JS=*Ks_3bD8tCm*8-u*LlnSbjnq1L%) z#G_Cp`U+DE1vw8md*Z~sZc7=d?iH@vIU}R!8S@1MqTVd6mOQvOP{Wk=!<0k^SUs%_ z64mv2)1)xYjXE*SuM_UFukQY5l88Xa4JyV2e&Nqxg)nI{VyO&#(YqEMWjpQB(z8qnK*54hB=X@*!z736w&e4=J+Pi(SV6IoECl7;js@VEu}ZtmD&R z-wRPix*jX@YI&?YtY60^t|Sj6YR)-M_-v_jppORnwKcqa+fLw^N$yx`fHnF2woekro**td?o@xPnjWm+*Ql`beu z|F!3kO4#U?0wFB|Pvu1(gN8b@K%rov>4tG)5La^%%!!-i%}}tY6OM~cN*W>m!F`%zG5ZH-w>E0@Dfy=FgK(?Re|S^@Q(y1iZZ93D6tLa zx{_#A@gQ>rT=IfAaRJvO6c_TC>Oa}zvbn zO}#Vc*{lrMpP8uwSt1PS8>zur7DsenxrQdkV~3~y!+h@<75YH@(EH}W5YXA zl;z-EuJIyK8P~a#3FdPYz5-C>YnLb=7F?->aa*CjGF?WNSepX+s0SP{CC=Vmbc_li zYC4&;qo43M*d)Vn)?IK3BbMl{(MPU>+am@^$WQ&Csz;0Z2XF`QKp^w11dgx-f_F6G 
zbHl=mXq+u$;&ZM_t;QtSJ|$7zYRm5}1WREg^`xLA-Z*r2-6S<9xomL>E)()Z@K#MX z_mfi;^YO9_fxCV0rNtjsUSxRm`@ZwXM;q&A)3X2I00+6;aH|0A~|3Kn?;3CjyA^LL1x1tZSMrN z-5*ik=ee$j!kthG{^wgR{{Ah6Oq8+`kTQ-A-)fwGAlUhHblj2obK0Y+&oj=1K`zdg zxSrRWXbdTLBZDWL$BQVbP{kc{#SWV9#W*ZrB#OId5$r^@&r0J{60jKY6;Mp);P!__=2Fz;?UX}>_H?qwBPa&m=zw^vp3iy zb@W*E>BvAK8tLC1-=#=ag%+nAE2kDRX%8JC!Alt@gen#t4BnKY!O^1|0Ra9ES(7U%+VHwxo_!GtQ8qVB_z1-q?imYms+Yi z%QD(GU@2ZT9>rM-)e7BOvW z&1)5mEv_7CeabUcSqD_8^J^w4zaIIKrNFRuBr8!f#I3#d0%{i)o6xK+_%*mIm0H;Kt91u{USNy zndeMQIgsrsPVFflh~n>bS%lbR(XGaEKakoMT-P=@1Ez&EjP@I}xd;qr8r&YXo=xP! z;Mbc>rA~A^Q-lQFY+Fw(fbpeY!I)Cj7)e1Jwr+wv?DAZo(#(?JMwBTHdu8dZ=9g< zp>LSMZ=ENV^P7SK<+L24pIk>&tXB`LHHASgRJ@dB=3+#05t^0lnHJXl8Z4R^fz;$z z(FQz0xUIwbZb`FbsRS;*^2>0i9vPZOL>=@E>`!(!McfYM2YPaJ+Mb?exynWk ze4#TKXwM?S-TXzWemRROxi!={f^$@Dj9_wmMP2IKETpFHaZg4qnv*~M z1`>(Gp`S%0V$$Fm@zh)$p1!+G{;#7LILrF+sfpoQ?0XLSQh+dZYMpQ+AE62f-q(uY zJPUPmVMP`qXKifrw2(D>IA=^_FhIV3jFW6tX`~3}%oGma!wQl7vwNcNG9kG15iQ5k z#dUI9u-xsnpNS5+m+so#W_ikjaa2eYs6}`%7i0+s$ITS~9e4)mv-hnGIHs2zE96{u z#hu0Wp7PUuOwo@hI=NUV&CS|D5x z9{Z7*7jGYe6w%OG8cNq9L+KJpqY9pO9Zm_LEfiG@S0iTiaC;OHhcN%=PWRGgr-`c&@VKrWW1%%gCFCEYuLjT2T zx!LHA@&_x(1c`Ou^^Vlj@a^bl)`DZEph-mm(jDc)m|5e_`s8Z6**VruuOriI5K5uwg?D;`Eu-HV_Re|4rhfor+ajA6 z3mtK z@-f33C!2A9R))BjKBJe=3zLs+I*){gl+hSLdE`|%pi#m&lvBw#-x%@4B|AyRBwQH+ zQDg=?f-L`y74E6ym&OljI!hvSn_6{l3t41tOp5)`#KWCNvHGJe^;?~sF0PdVHv+Hn zbcR$nvuc7hA4=rjWQ2kSH*tExBua#{EGTyP;o~v?q#;rZp3*4jF7kBsI!`g(Zjv=u zvVrms@-^zz_uR!8zNPvdM~AU&o?sIqOF6Y(HJM~ty;<=+H*5*&6{iA=qKR>;+!;&? z$*HB0ykAwvL=QQZ&@{yF_yhVF1qf~bAw13}sGjR`uh;74hOge@#mkG)>TcKirTgx7 zxAW{eyS&*Y+v4ykwllpmf_;i9Q_0GHMoF|fO%>sX$AI8~S-vM@`ik@#No%@WjBWzf zoYlD|GhbGAqCbmwYyc&yp@Bi!Xo?_JI_h@Kv1B0gen|U?*_al==~544FMSU!dezV5 zt5UmieWM(w*y-DrsTfxS$vgiQB$An4w>W!cRtG&D=bgjh67O_SA)f zl7fZGTb1V1N$~QEJr}Mg4R|TUNz2sI9+$E!-ZyS7&~dg;8RQgK^#6wRG;zyfuEZnt zFXHLgzU3*t_~6(DRIIhp>Qq5CR+YQWD|0%87XmyIN1 zF)(l8#z0PLa9VZkKJcn;VTs_sueio;N=F^RZ=vSIe5_;u5bL4t&GNS$JKm1gugn{! 
z#2zg)rH*6k0B-Z8hwYH_nmB*z!?);E#q{b<986rCTFbcB^fW>jHF=rzm`$1E-yfzy zPpuMld`?XKwnn{g^=w=5Gah~%`9NA37X%@ z&n6$}O%F_4!xYRcKuuDN90$3dbYSr=$|vR%-o@%{fO}qt2)Py>tjjus09k_>;9-;6Sz6VVM%Q3h z1IWZrXS7kG&Y%U*)!YdBt}!U+R#R4)z)R;Y#&0f`yr-0Osg}5YbU|5a*lDWCski$Z z`NFGgEf(eOx96Z2bqyz&qKj+5CneP6tl3IS_L+p*ND}CXw@{93MfgZMS|Q%P3kTc8(F(L_ilj9W=4X#WWrSg#B9!5 z#gRV6%IF*COB3qD1smXOrS{IOL83ckc8o5=D*bRg`3ey;I=jLe#ilu$vhF@_3x>s#v^aixVBI2?(V$VHYD};*3=8~Xu**ca@TbB z74)eP{(g}6x8VDYH$vqqwlq8A`fu@+$@M8s`0DDyu0iX2(hb1D-!jFf01AK-{+h0@ zV7dOO1gxE8Tw;TRjD_6{^g-!XGtLfo4V&yI{FxwM{99k-Z&C)Le?~rP>nY(FtIJo} zXs1lvb3?RH%nPcakd>?(%P<3ezI^4KS2Kx`TOdO}c&R|-T*ArAwe+j8r+0=LBD8q! zBZ+y~(rmNEagF~x>uD@&F~UJ>i{)W0l_#T;I<)ds5f1h%&fc#qC~U@-^aRV9U)S=2 zK8(o$9{H6aiZF_fCZkut=o7PN)GO4B6E&uF1(chmG22rt!>dDDKV z(N?W&3yE`VS3_~ z(sjnMH(`@<=)7m;Gl( z6TRwYV-TDBqg^7POY26)BD*U;x}p%Ud!bO4Pp?x^qrkty`qK@S#}D6`QMj&W_qwz5 zc=5qZh9@0ipV0n!<}}~cZlwmFwJ=mSIw#z(5k?NN(06pCa15{JWE{6*f_NBQ^m%!p z^4dsf^t!g95$Bz_vbwuWLs%+Jz5)-16QAVo-tEtAOuN>=VlnZ0|4l;F+B?^?#OShB zuTDhVtL|;5H-p>IhEHZM32Zi-powU9$wWl4MsP*pM@ulI)@dYBZt~0^w$Z<$C1R-7vqJ;<;jR#om;tLhZSA z=i6VVGs-l1lgwNAO8llLH5DjLHNPeA<^UK6VW3>pPBH}o#J}u$YJYmLD`_!l-rz4 ze=6Y@#J3nKpf((2-F41e^Zbc7oXT>3p;q){(exmLQp}Tqrlu+wJ57T00vEFTpTHO6 z3r>X^zk>I{aj)5a?3qA2NZ%o%lsx%vcPKaU4n?!ss#kEp7+lh&$HP@Brd4e{oQF4^qoCH zrqsH&-&I+QM*3EHHhTz@lE`#nxEvn-cV3sof1ftIMbhX7hT~y}k>j38vkd#YhgA^- z=aJd`eIb#P8xF>Wd$2>``Um~e)K@{dPBK1rc&L%V7CQHL2V=13F|SRl@Rerk)+qNL zFrR^FT`{|f{ckKMrHSA`%$Yb$2(38_BAAl=ox5$ndJiWj=e^CXraSHD{8*u@-O-)i z?rtxyyPcixIWSIqD#?6{u)HG`&uL-S@9Y2*9pv#}flyz}AnMarSP}ZXLau~sWBH9S zK@0N0*O?SUUVoNAsy5JkBGC2kRg7z|V zzj2UkJzT-qT zdYh+6c>Rh%th~ggZ|7ofizA@h@8#C(a0{c!NUXbt1pk)hG@j> zu@)j|`n#W3IP><|;KvVi!kFfmaMjA);}abU>VBv2kFpn4YO;Ft49~xH&Xvoxqf$u(tNum}jr?herFv4q1LCEuY|%kg`SI z7(8$yR8%qHUCNImK;y=T;LI%yY*oc4(DiojeR}592hyS zM6=6#KY#-jc{M@cC(Edw{`$dr_y_5teGt}Py)4tmC2KL(t_6McZ0Vu0WA>bok(3k}ksyo=|e(Bta@pueNtf<6n&O&MTFRP!5?No`coF3Zg z@b}TBWKqMF^xmK_at7JWOIUxS0_1@vbMt5IFvnMjAS@5zi(i+b_jKhnL-2@;%d6xeg;mpUA&K+W{R@~^V?$4U-xr*MICL6_^+ 
zGwSWAYiv(*_*HeCY>4*Xpvg2Zx;$*4X~NIj@^<%kSS)o!qLJJnaiKJc-_e#69@^bq z@%jcIPSj5}fq`ULA`P}!DN$b*3f1TPEuDip*rZ4?>Dg+>Z%}-S!>=i2RJYZOe~M1o zg<9_}i5^YX z8NSo&;Uc&|Hia>R>v-MT2;@ilH%@CB6lr5~J+eApyQWn11fV*7mF4QvwAiDozRu>F zBI|+h_#Cx4Y&CT#($>>!(6C+%NnRT(N}2=d+Lo$;|iu`_DO~LmtYARB`QGjdWc@XF5}iu1y3d#ni1MQlA^c;{hQcoN`|d$v26foFQelsA z8>~jeflJ>wErkjo!A7(`Ned>BgVR#U;8CSi-zBA~oEs|zn}z<5jRilQ!LIK@o|y$u z+Oc|59L^XKjZhLQ+)?UKk`#aKWch;mkSPAO_f5}EN!%=N zqR#jiZECML7}EQ;@Sf3|_$|>WfXf}jbj7C)oZ-6k&oqMI6T zsHNZ6XU#j>J|j8YI@#|%-l+J(QW&cpb&1_t`IQ{D|BrsV~JMt z636Uw6dRA5kZ6OvaYX4zl*Mmbgu|2k-@lMx0Ny6;o#Lrjk4;Q5<+Q1LXW6Tt*!2XT zA@zt@h}iG1PJ4c}&V`m|)VAXs87;5!+x|>%VecGmFX#Yp`!ethCa_^nBh+_YdZ@BX zG$-)=_EN#KvZs%sFlHak9vm8i_O|v2z}DV3xO}W@wEZSkN+6zISti;Dov>&NMPOzy zsji$_C#8^fe7W62T!MquAkDvM?C~?&V}j;)&`_9f-Wn#;%hCmgVI)eqnp#Y zc#_>Ij2qi$Y~{;fZTOsjRz}>YwHs%B;L1_xvAJP>!Hj9KX_Bc3XC?k|?3Wl=zwuyS z_E~r##2ly0104n?ZU=A(dM8>p3lO7|bJKhG&&|bU%#CVrufs4z{8g63KC^KOGNv@q zk|9;Vyg3VVQM)Y<=1PneMDce}5K>phe9e{31Psc*PFuRGX|P16oSkXwEQ-;T>Ekb| z3%_tEQ-_Wzr)Gh3Q$@2}Ia_jkv2INePAn^T6_r4;IH2b8OSey=)w%Lc-1fzhH+`#eFH|6~<5*Jb>vOI${S4dYQc@`rt3J9$4HX;n{}B z;=wId*8q0Bqvxhw#-FE(CPi0>zWntUZee!Xs#DoPp|NSksQCO$ zi?HxrA~827;j6)*HG6iSe~C@nvH=6~$B&G4s>ccy`_rM=!(*zw^}*_U2wzWo_wmcU zxhtwpGiLUB#jrWo|9)lOnWAF|Of`VzrCt&du-U-K?jI0cMqzKU=BflF?+4pd50VMg z^k~P4cwCwu=$b}KvoL3vn_vWjximeyZ%W@#-=H9605}9D*#FzM{m)_n0|z7hpYY%M sf4H~*XOaKYgZZDQ|9_F1|3u#Z%ZgD3K*Rjc6^Q?K*niQU;eWFK1w<^!82|tP diff --git a/Solutions/ExtraHop Reveal(x)/Package/createUiDefinition.json b/Solutions/ExtraHop Reveal(x)/Package/createUiDefinition.json index 19d33723838..d3ec5116407 100644 --- a/Solutions/ExtraHop Reveal(x)/Package/createUiDefinition.json +++ b/Solutions/ExtraHop Reveal(x)/Package/createUiDefinition.json 
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/ExtraHop%20Reveal(x)/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [ExtraHop Reveal(x)](https://www.extrahop.com/products/security/) Solution for Microsoft Sentinel enables ingestion of Common Event Format (CEF) logs into Microsoft Sentinel. This solution enables you to view dashboards, create custom alerts, and improve investigation. This integration gives you the ability to gain insight into your organization's network and improve your security operation capabilities.\n\r\n1. **ExtraHop Reveal(x) via AMA** - This data connector helps in ingesting ExtraHop Reveal(x) logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. **ExtraHop Reveal(x) via Legacy Agent** - This data connector helps in ingesting ExtraHop Reveal(x) logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends installation of ExtraHop Reveal(x) via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. 
Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Data Connectors:** 2, **Workbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [ExtraHop Reveal(x)](https://www.extrahop.com/products/security/) Solution for Microsoft Sentinel enables ingestion of Common Event Format (CEF) logs into Microsoft Sentinel. This solution enables you to view dashboards, create custom alerts, and improve investigation. This integration gives you the ability to gain insight into your organization's network and improve your security operation capabilities.\n\r\n1. **ExtraHop Reveal(x) via AMA** - This data connector helps in ingesting ExtraHop Reveal(x) logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. **ExtraHop Reveal(x) via Legacy Agent** - This data connector helps in ingesting ExtraHop Reveal(x) logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends installation of ExtraHop Reveal(x) via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. 
Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Workbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
 "subscription": {
 "resourceProviders": [
 "Microsoft.OperationsManagement/solutions",
@@ -51,31 +51,6 @@
 }
 ],
 "steps": [
- {
- "name": "dataconnectors",
- "label": "Data Connectors",
- "bladeTitle": "Data Connectors",
- "elements": [
- {
- "name": "dataconnectors1-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "This solution installs the data connector for ingesting ExtraHop Reveal Events in the CEF format into Microsoft Sentinel. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
- }
- },
-
- {
- "name": "dataconnectors-link2",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "link": {
- "label": "Learn more about connecting data sources",
- "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
- }
- }
- }
- ]
- },
 {
 "name": "workbooks",
 "label": "Workbooks",
diff --git a/Solutions/ExtraHop Reveal(x)/Package/mainTemplate.json b/Solutions/ExtraHop Reveal(x)/Package/mainTemplate.json
index 89f76ab95b3..1079d152db5 100644
--- a/Solutions/ExtraHop Reveal(x)/Package/mainTemplate.json
+++ b/Solutions/ExtraHop Reveal(x)/Package/mainTemplate.json
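Review bot: The rewritten `description` still advertises two data connectors (`1. **ExtraHop Reveal(x) via AMA**`, `2. **ExtraHop Reveal(x) via Legacy Agent**`) while the same `+` line drops the `**Data Connectors:** 2` count and the second hunk (`@@ -51,31 +51,6 @@`) deletes the entire `dataconnectors` wizard step; the mainTemplate.json hunk at `@@ -38,28 +38,10 @@` likewise removes every `dataConnector*` variable. As generated, the 3.0.0 package therefore appears to deploy no connector at all, so a user following the description would find no ingestion path for ExtraHop CEF events after installing. Either the connector content should be restored to the package or the description should stop listing connectors it does not install. Since these files are bot output, the correction belongs in the packaging inputs rather than in hand edits here.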
@@ -38,28 +38,10 @@
 }
 },
 "variables": {
- "_solutionName": "ExtraHop Reveal(x)",
- "_solutionVersion": "3.0.0",
 "solutionId": "extrahop.extrahop_revealx_mss",
 "_solutionId": "[variables('solutionId')]",
- "uiConfigId1": "ExtraHopNetworks",
- "_uiConfigId1": "[variables('uiConfigId1')]",
- "dataConnectorContentId1": "ExtraHopNetworks",
- "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
- "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "_dataConnectorId1": "[variables('dataConnectorId1')]",
- "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
- "dataConnectorVersion1": "1.0.0",
- "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
- "uiConfigId2": "ExtraHopNetworksAma",
- "_uiConfigId2": "[variables('uiConfigId2')]",
- "dataConnectorContentId2": "ExtraHopNetworksAma",
- "_dataConnectorContentId2": "[variables('dataConnectorContentId2')]",
- "dataConnectorId2": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
- "_dataConnectorId2": "[variables('dataConnectorId2')]",
- "dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]",
- "dataConnectorVersion2": "1.0.0",
- "_dataConnectorcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','dc','-', 
uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]",
+ "_solutionName": "ExtraHop Reveal(x)",
+ "_solutionVersion": "3.0.0",
 "workbookVersion1": "1.0.0",
 "workbookContentId1": "ExtraHopDetectionSummaryWorkbook",
 "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]",
@@ -70,718 +52,6 @@
 "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
 },
 "resources": [
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
- "apiVersion": "2023-04-01-preview",
- "name": "[variables('dataConnectorTemplateSpecName1')]",
- "location": "[parameters('workspace-location')]",
- "dependsOn": [
- "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
- ],
- "properties": {
- "description": "ExtraHop Reveal(x) data connector with template version 3.0.0",
- "mainTemplate": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('dataConnectorVersion1')]",
- "parameters": {},
- "variables": {},
- "resources": [
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
- "properties": {
- "connectorUiConfig": {
- "id": "[variables('_uiConfigId1')]",
- "title": "[Deprecated] ExtraHop Reveal(x) via Legacy Agent",
- "publisher": "ExtraHop Networks",
- "logo": "ExtraHopLogo.svg",
- "descriptionMarkdown": "The ExtraHop Reveal(x) data connector enables you to easily connect your Reveal(x) system with Microsoft Sentinel to view dashboards, create custom alerts, and improve investigation. 
This integration gives you the ability to gain insight into your organization's network and improve your security operation capabilities.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "ExtraHop Networks", - "baseQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"ExtraHop\"\n" - } - ], - "sampleQueries": [ - { - "description": "All logs", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"ExtraHop\"\n\n | sort by TimeGenerated" - }, - { - "description": "All detections, de-duplicated", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"ExtraHop\"\n\n | extend categories = iif(DeviceCustomString2 != \"\", split(DeviceCustomString2, \",\"),dynamic(null))\n     | extend StartTime = extract(\"start=([0-9-]+T[0-9:.]+Z)\", 1, AdditionalExtensions,typeof(datetime))\n     | extend EndTime = extract(\"end=([0-9-]+T[0-9:.]+Z)\", 1, AdditionalExtensions,typeof(datetime))\n     | project      \n     DeviceEventClassID=\"ExtraHop Detection\",\n     Title=Activity,\n     Description=Message,\n     riskScore=DeviceCustomNumber2,     \n     SourceIP,\n     DestinationIP,\n     detectionID=tostring(DeviceCustomNumber1),\n     updateTime=todatetime(ReceiptTime),\n     StartTime,\n     EndTime,\n     detectionURI=DeviceCustomString1,\n     categories,\n     Computer\n     | summarize arg_max(updateTime, *) by detectionID\n     | sort by detectionID desc" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "\nCommonSecurityLog\n| where DeviceVendor == \"ExtraHop\"\n\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)" - ] - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (‘ExtraHop’)", - "lastDataReceivedQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"ExtraHop\"\n\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - 
"resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "name": "ExtraHop", - "description": "ExtraHop Discover or Command appliance with firmware version 7.8 or later with a user account that has Unlimited (administrator) privileges." - } - ] - }, - "instructionSteps": [ - { - "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", - "innerSteps": [ - { - "title": "1.1 Select or create a Linux machine", - "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." - }, - { - "title": "1.2 Install the CEF collector on the Linux machine", - "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python --version.\n\n> 2. 
You must have elevated permissions (sudo) on your machine.", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId", - "PrimaryKey" - ], - "label": "Run the following command to install and apply the CEF collector:", - "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}" - }, - "type": "CopyableLabel" - } - ] - } - ], - "title": "1. Linux Syslog agent configuration" - }, - { - "description": "1. Set your security solution to send Syslog messages in CEF format to the proxy machine. Make sure to send the logs to port 514 TCP on the machine IP address.\n2. Follow the directions to install the [ExtraHop Detection SIEM Connector bundle](https://aka.ms/asi-syslog-extrahop-forwarding) on your Reveal(x) system. The SIEM Connector is required for this integration.\n3. Enable the trigger for **ExtraHop Detection SIEM Connector - CEF**\n4. Update the trigger with the ODS syslog targets you created \n5. The Reveal(x) system formats syslog messages in Common Event Format (CEF) and then sends data to Microsoft Sentinel.", - "title": "2. Forward ExtraHop Networks logs to Syslog agent" - }, - { - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python --version\n\n>2. 
You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}" - }, - "type": "CopyableLabel" - } - ], - "title": "3. Validate connection" - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "4. Secure your machine " - } - ], - "metadata": { - "id": "3c3af19d-b178-44cd-a130-c48b366758c4", - "version": "1.0.0", - "kind": "dataConnector", - "source": { - "kind": "community" - }, - "author": { - "name": "ExtraHop Networks" - }, - "support": { - "name": "ExtraHop Networks", - "link": "https://www.extrahop.com/support/", - "tier": "developer" - } - } - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "ExtraHop Reveal(x)", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "ExtraHop" - }, - "support": { - "name": "ExtraHop", - "tier": "partner", - "link": "https://www.extrahop.com/support/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": 
"[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId1')]", - "contentKind": "DataConnector", - "displayName": "[Deprecated] ExtraHop Reveal(x) via Legacy Agent", - "contentProductId": "[variables('_dataConnectorcontentProductId1')]", - "id": "[variables('_dataConnectorcontentProductId1')]", - "version": "[variables('dataConnectorVersion1')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId1')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "ExtraHop Reveal(x)", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "ExtraHop" - }, - "support": { - "name": "ExtraHop", - "tier": "partner", - "link": "https://www.extrahop.com/support/" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "[Deprecated] ExtraHop Reveal(x) via Legacy Agent", - "publisher": "ExtraHop Networks", - 
"descriptionMarkdown": "The ExtraHop Reveal(x) data connector enables you to easily connect your Reveal(x) system with Microsoft Sentinel to view dashboards, create custom alerts, and improve investigation. This integration gives you the ability to gain insight into your organization's network and improve your security operation capabilities.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "ExtraHop Networks", - "baseQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"ExtraHop\"\n" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (‘ExtraHop’)", - "lastDataReceivedQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"ExtraHop\"\n\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "\nCommonSecurityLog\n| where DeviceVendor == \"ExtraHop\"\n\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)" - ] - } - ], - "sampleQueries": [ - { - "description": "All logs", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"ExtraHop\"\n\n | sort by TimeGenerated" - }, - { - "description": "All detections, de-duplicated", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"ExtraHop\"\n\n | extend categories = iif(DeviceCustomString2 != \"\", split(DeviceCustomString2, \",\"),dynamic(null))\n     | extend StartTime = extract(\"start=([0-9-]+T[0-9:.]+Z)\", 1, AdditionalExtensions,typeof(datetime))\n     | extend EndTime = extract(\"end=([0-9-]+T[0-9:.]+Z)\", 1, AdditionalExtensions,typeof(datetime))\n     | project      \n     DeviceEventClassID=\"ExtraHop Detection\",\n     Title=Activity,\n     Description=Message,\n     riskScore=DeviceCustomNumber2,     \n     SourceIP,\n     DestinationIP,\n     detectionID=tostring(DeviceCustomNumber1),\n     updateTime=todatetime(ReceiptTime),\n     StartTime,\n     EndTime,\n     detectionURI=DeviceCustomString1,\n     categories,\n  
   Computer\n     | summarize arg_max(updateTime, *) by detectionID\n     | sort by detectionID desc" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "name": "ExtraHop", - "description": "ExtraHop Discover or Command appliance with firmware version 7.8 or later with a user account that has Unlimited (administrator) privileges." - } - ] - }, - "instructionSteps": [ - { - "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", - "innerSteps": [ - { - "title": "1.1 Select or create a Linux machine", - "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." - }, - { - "title": "1.2 Install the CEF collector on the Linux machine", - "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. 
The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python --version.\n\n> 2. You must have elevated permissions (sudo) on your machine.", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId", - "PrimaryKey" - ], - "label": "Run the following command to install and apply the CEF collector:", - "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}" - }, - "type": "CopyableLabel" - } - ] - } - ], - "title": "1. Linux Syslog agent configuration" - }, - { - "description": "1. Set your security solution to send Syslog messages in CEF format to the proxy machine. Make sure to send the logs to port 514 TCP on the machine IP address.\n2. Follow the directions to install the [ExtraHop Detection SIEM Connector bundle](https://aka.ms/asi-syslog-extrahop-forwarding) on your Reveal(x) system. The SIEM Connector is required for this integration.\n3. Enable the trigger for **ExtraHop Detection SIEM Connector - CEF**\n4. Update the trigger with the ODS syslog targets you created \n5. The Reveal(x) system formats syslog messages in Common Event Format (CEF) and then sends data to Microsoft Sentinel.", - "title": "2. Forward ExtraHop Networks logs to Syslog agent" - }, - { - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python --version\n\n>2. 
You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}" - }, - "type": "CopyableLabel" - } - ], - "title": "3. Validate connection" - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "4. Secure your machine " - } - ], - "id": "[variables('_uiConfigId1')]" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName2')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "ExtraHop Reveal(x) data connector with template version 3.0.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion2')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId2')]", - "title": "[Recommended] ExtraHop Reveal(x) via AMA (using Azure Functions)", - "publisher": 
"ExtraHop Networks", - "logo": "ExtraHopLogo.svg", - "descriptionMarkdown": "The ExtraHop Reveal(x) data connector enables you to easily connect your Reveal(x) system with Microsoft Sentinel to view dashboards, create custom alerts, and improve investigation. This integration gives you the ability to gain insight into your organization's network and improve your security operation capabilities.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "ExtraHop Networks", - "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'ExtraHop'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" - } - ], - "sampleQueries": [ - { - "description": "All logs", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"ExtraHop\"\n\n | sort by TimeGenerated" - }, - { - "description": "All detections, de-duplicated", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"ExtraHop\"\n\n | extend categories = iif(DeviceCustomString2 != \"\", split(DeviceCustomString2, \",\"),dynamic(null))\n     | extend StartTime = extract(\"start=([0-9-]+T[0-9:.]+Z)\", 1, AdditionalExtensions,typeof(datetime))\n     | extend EndTime = extract(\"end=([0-9-]+T[0-9:.]+Z)\", 1, AdditionalExtensions,typeof(datetime))\n     | project      \n     DeviceEventClassID=\"ExtraHop Detection\",\n     Title=Activity,\n     Description=Message,\n     riskScore=DeviceCustomNumber2,     \n     SourceIP,\n     DestinationIP,\n     detectionID=tostring(DeviceCustomNumber1),\n     updateTime=todatetime(ReceiptTime),\n     StartTime,\n     EndTime,\n     detectionURI=DeviceCustomString1,\n     categories,\n     Computer\n     | summarize arg_max(updateTime, *) by detectionID\n     | sort by detectionID desc" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "CommonSecurityLog\n |where DeviceVendor =~ 'ExtraHop'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where 
isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (‘ExtraHop’)", - "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'ExtraHop'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" - }, - { - "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" - } - ] - }, - "instructionSteps": [ - { - "instructions": [ - { - "parameters": { - "title": "1. 
Kindly follow the steps to configure the data connector", - "instructionSteps": [ - { - "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", - "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine" - - }, - { - "title": "Step B. Forward ExtraHop Networks logs to Syslog agent", - "description": "1. Set your security solution to send Syslog messages in CEF format to the proxy machine. Make sure to send the logs to port 514 TCP on the machine IP address.\n2. Follow the directions to install the [ExtraHop Detection SIEM Connector bundle](https://aka.ms/asi-syslog-extrahop-forwarding) on your Reveal(x) system. The SIEM Connector is required for this integration.\n3. Enable the trigger for **ExtraHop Detection SIEM Connector - CEF**\n4. Update the trigger with the ODS syslog targets you created \n5. The Reveal(x) system formats syslog messages in Common Event Format (CEF) and then sends data to Microsoft Sentinel." - - }, - { - "title": "Step C. 
Validate connection", - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef" - }, - "type": "CopyableLabel" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ] - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "2. 
Secure your machine " - } - ], - "metadata": { - "id": "3c3af19d-b178-44cd-a130-c48b366758c4", - "version": "1.0.0", - "kind": "dataConnector", - "source": { - "kind": "community" - }, - "author": { - "name": "ExtraHop Networks" - }, - "support": { - "name": "ExtraHop Networks", - "link": "https://www.extrahop.com/support/", - "tier": "developer" - } - } - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", - "contentId": "[variables('_dataConnectorContentId2')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion2')]", - "source": { - "kind": "Solution", - "name": "ExtraHop Reveal(x)", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "ExtraHop" - }, - "support": { - "name": "ExtraHop", - "tier": "partner", - "link": "https://www.extrahop.com/support/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId2')]", - "contentKind": "DataConnector", - "displayName": "[Recommended] ExtraHop Reveal(x) via AMA (using Azure Functions)", - "contentProductId": "[variables('_dataConnectorcontentProductId2')]", - "id": "[variables('_dataConnectorcontentProductId2')]", - "version": "[variables('dataConnectorVersion2')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId2')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", - "contentId": "[variables('_dataConnectorContentId2')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion2')]", - "source": { - "kind": "Solution", - "name": "ExtraHop Reveal(x)", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "ExtraHop" - }, - "support": { - "name": "ExtraHop", - "tier": "partner", - "link": "https://www.extrahop.com/support/" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "[Recommended] ExtraHop Reveal(x) via AMA (using Azure Functions)", - "publisher": "ExtraHop Networks", - "descriptionMarkdown": "The ExtraHop Reveal(x) data connector enables you to easily connect your Reveal(x) system with Microsoft Sentinel to view dashboards, create custom alerts, and improve investigation. 
This integration gives you the ability to gain insight into your organization's network and improve your security operation capabilities.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "ExtraHop Networks", - "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'ExtraHop'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (‘ExtraHop’)", - "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'ExtraHop'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "CommonSecurityLog\n |where DeviceVendor =~ 'ExtraHop'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "sampleQueries": [ - { - "description": "All logs", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"ExtraHop\"\n\n | sort by TimeGenerated" - }, - { - "description": "All detections, de-duplicated", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"ExtraHop\"\n\n | extend categories = iif(DeviceCustomString2 != \"\", split(DeviceCustomString2, \",\"),dynamic(null))\n     | extend StartTime = extract(\"start=([0-9-]+T[0-9:.]+Z)\", 1, AdditionalExtensions,typeof(datetime))\n     | extend EndTime = extract(\"end=([0-9-]+T[0-9:.]+Z)\", 1, AdditionalExtensions,typeof(datetime))\n     | project      \n     DeviceEventClassID=\"ExtraHop Detection\",\n     Title=Activity,\n     Description=Message,\n     riskScore=DeviceCustomNumber2,     \n     SourceIP,\n     DestinationIP,\n     detectionID=tostring(DeviceCustomNumber1),\n     updateTime=todatetime(ReceiptTime),\n     StartTime,\n     
EndTime,\n     detectionURI=DeviceCustomString1,\n     categories,\n     Computer\n     | summarize arg_max(updateTime, *) by detectionID\n     | sort by detectionID desc" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" - }, - { - "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" - } - ] - }, - "instructionSteps": [ - { - "instructions": [ - { - "parameters": { - "title": "1. Kindly follow the steps to configure the data connector", - "instructionSteps": [ - { - "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", - "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. 
Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine" - - }, - { - "title": "Step B. Forward ExtraHop Networks logs to Syslog agent", - "description": "1. Set your security solution to send Syslog messages in CEF format to the proxy machine. Make sure to send the logs to port 514 TCP on the machine IP address.\n2. Follow the directions to install the [ExtraHop Detection SIEM Connector bundle](https://aka.ms/asi-syslog-extrahop-forwarding) on your Reveal(x) system. The SIEM Connector is required for this integration.\n3. Enable the trigger for **ExtraHop Detection SIEM Connector - CEF**\n4. Update the trigger with the ODS syslog targets you created \n5. The Reveal(x) system formats syslog messages in Common Event Format (CEF) and then sends data to Microsoft Sentinel." - - }, - { - "title": "Step C. Validate connection", - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. 
You must have elevated permissions (sudo) on your machine",
- "instructions": [
- {
- "parameters": {
- "label": "Run the following command to validate your connectivity:",
- "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef"
- },
- "type": "CopyableLabel"
- }
- ]
- }
- ]
- },
- "type": "InstructionStepsGroup"
- }
- ]
- },
- {
- "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
- "title": "2. Secure your machine "
- }
- ],
- "id": "[variables('_uiConfigId2')]"
- }
- }
- },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview", 
@@ -809,7 +79,7 @@ }, "properties": { "displayName": "[parameters('workbook1-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## ExtraHop Detections\\n---\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"2b036d8d-8429-40a5-a5f4-8f7473738749\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"query_times\",\"label\":\"Time Interval\",\"type\":4,\"description\":\"Time range for detection Start Times\",\"isRequired\":true,\"value\":{\"durationMs\":86400000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\n| where DeviceVendor == \\\"ExtraHop\\\"\\n| extend DeviceCustomNumber1 = coalesce(column_ifexists(\\\"FieldDeviceCustomNumber1\\\", long(null)),DeviceCustomNumber1)\\n| extend detectionID = DeviceCustomNumber1\\n| extend StartTime = coalesce(\\n column_ifexists(\\\"StartTime\\\", datetime(null)),\\n extract(\\\"start=([0-9-]+T[0-9:.]+Z)\\\", 1, AdditionalExtensions,typeof(datetime)),\\n datetime(null)\\n )\\n| summarize arg_min(todatetime(ReceiptTime), *) by detectionID\\n| summarize count(detectionID) by Activity, bin(make_datetime(ReceiptTime), 1h)\\n\",\"size\":0,\"title\":\"Detections by Recently 
Updated\",\"timeContextFromParameter\":\"query_times\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"categoricalbar\",\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"Activity\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"count_detectionID\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"name\":\"detections_by_time\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let category_map = dynamic(\\n{\\n \\\"sec.action\\\" : \\\"Actions on Objective\\\",\\n \\\"sec.caution\\\": \\\"Caution\\\",\\n \\\"sec.command\\\": \\\"Command and Control\\\",\\n \\\"sec.exploit\\\": \\\"Exploitation\\\",\\n \\\"sec.lateral\\\": \\\"Lateral Movement\\\",\\n \\\"sec.recon\\\": \\\"Reconnaissance\\\"\\n }\\n);\\nCommonSecurityLog\\n| where DeviceVendor == \\\"ExtraHop\\\"\\n| extend DeviceCustomNumber1 = coalesce(column_ifexists(\\\"FieldDeviceCustomNumber1\\\", long(null)),DeviceCustomNumber1)\\n| extend categories = iif(DeviceCustomString2 != \\\"\\\", split(DeviceCustomString2, \\\",\\\"),dynamic(null))\\n| extend detectionID = DeviceCustomNumber1\\n| project detectionID, updateTime=todatetime(ReceiptTime), categories\\n| summarize arg_max(updateTime, *) by detectionID\\n| sort by detectionID desc \\n| where isnotnull(categories)\\n| mv-expand cat=categories to typeof(string)\\n| extend cat = coalesce(column_ifexists(\\\"DeviceEventCategory\\\",\\\"\\\"),cat) \\n| summarize count() by cat\\n| project Category=tostring(category_map[cat]), Count=count_\\n| where Category != \\\"\\\"\",\"size\":0,\"title\":\"Detections by Category\",\"timeContextFromParameter\":\"query_times\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"30\",\"name\":\"total-detections-pie\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let 
ExtraHopDetections = materialize(CommonSecurityLog\\n | where DeviceVendor == \\\"ExtraHop\\\"\\n | extend DeviceCustomNumber1 = coalesce(column_ifexists(\\\"FieldDeviceCustomNumber1\\\", long(null)),DeviceCustomNumber1)\\n | extend detectionID = DeviceCustomNumber1\\n | extend StartTime = coalesce(\\n column_ifexists(\\\"StartTime\\\", datetime(null)),\\n extract(\\\"start=([0-9-]+T[0-9:.]+Z)\\\", 1, AdditionalExtensions,typeof(datetime)),\\n datetime(null)\\n )\\n | project SourceIP, DestinationIP, detectionID, StartTime\\n | summarize arg_max(todatetime(StartTime), *) by detectionID\\n | sort by detectionID desc);\\nlet t1 = ExtraHopDetections | where SourceIP != \\\"\\\" | summarize dcount=dcount(detectionID) by SourceIP | project IPAddress=SourceIP, dcount;\\nlet t2 = ExtraHopDetections | where DestinationIP != \\\"\\\" | summarize dcount=dcount(detectionID) by DestinationIP | project IPAddress=DestinationIP, dcount;\\nt1 | union t2 | summarize Count=sum(dcount) by [\\\"IP Address\\\"]=IPAddress | top 10 by Count desc\",\"size\":0,\"title\":\"Top Participants\",\"timeContextFromParameter\":\"query_times\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"35\",\"name\":\"top-participants\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\n | where DeviceVendor == \\\"ExtraHop\\\"\\n | extend DeviceCustomNumber1 = coalesce(column_ifexists(\\\"FieldDeviceCustomNumber1\\\", long(null)),DeviceCustomNumber1)\\n | extend StartTime = coalesce(\\n column_ifexists(\\\"StartTime\\\", datetime(null)),\\n extract(\\\"start=([0-9-]+T[0-9:.]+Z)\\\", 1, AdditionalExtensions,typeof(datetime)),\\n datetime(null)\\n )\\n | extend detectionID = DeviceCustomNumber1\\n | summarize arg_max(todatetime(StartTime), *) by detectionID\\n | summarize Count=count() by Activity\\n | sort by Count desc, Activity asc\\n | project-rename [\\\"Detection Title\\\"]=Activity\",\"size\":0,\"title\":\"Top Detections 
by Title\",\"timeContextFromParameter\":\"query_times\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"35\",\"name\":\"detections-by-title\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\n| where DeviceVendor == \\\"ExtraHop\\\"\\n| extend DeviceCustomNumber1 = coalesce(column_ifexists(\\\"FieldDeviceCustomNumber1\\\", long(null)),DeviceCustomNumber1),\\n DeviceCustomNumber2 = coalesce(column_ifexists(\\\"FieldDeviceCustomNumber2\\\", long(null)),DeviceCustomNumber2)\\n| summarize arg_max(ReceiptTime, *) by DeviceCustomNumber1 // detection ID\\n| sort by DeviceCustomNumber2 // risk score\\n| project [\\\"Risk Score\\\"] = DeviceCustomNumber2,\\nTitle=Activity, \\nSourceIP,\\nDestinationIP,\\n[\\\"Last Updated\\\"]=format_datetime(make_datetime(ReceiptTime), 'M/d/yyyy HH:mm:ss'),\\nID=DeviceCustomNumber1,\\nURI=DeviceCustomString1\\n| take 10\\n\",\"size\":0,\"title\":\"Top Ten Detections by Highest Risk Score\",\"timeContextFromParameter\":\"query_times\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"top-ten-by-risk\"}],\"fromTemplateId\":\"sentinel-ExtraHop\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## ExtraHop Detections\\n---\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"2b036d8d-8429-40a5-a5f4-8f7473738749\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"query_times\",\"label\":\"Time Interval\",\"type\":4,\"description\":\"Time range for detection Start 
Times\",\"isRequired\":true,\"value\":{\"durationMs\":86400000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\n| where DeviceVendor == \\\"ExtraHop\\\"\\n| extend DeviceCustomNumber1 = coalesce(column_ifexists(\\\"FieldDeviceCustomNumber1\\\", long(null)),DeviceCustomNumber1)\\n| extend detectionID = DeviceCustomNumber1\\n| extend StartTime = coalesce(\\n column_ifexists(\\\"StartTime\\\", datetime(null)),\\n extract(\\\"start=([0-9-]+T[0-9:.]+Z)\\\", 1, AdditionalExtensions,typeof(datetime)),\\n datetime(null)\\n )\\n| summarize arg_min(todatetime(ReceiptTime), *) by detectionID\\n| summarize count(detectionID) by Activity, bin(make_datetime(ReceiptTime), 1h)\\n\",\"size\":0,\"title\":\"Detections by Recently Updated\",\"timeContextFromParameter\":\"query_times\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"categoricalbar\",\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"Activity\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"count_detectionID\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"name\":\"detections_by_time\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let category_map = dynamic(\\n{\\n \\\"sec.action\\\" : \\\"Actions on Objective\\\",\\n \\\"sec.caution\\\": 
\\\"Caution\\\",\\n \\\"sec.command\\\": \\\"Command and Control\\\",\\n \\\"sec.exploit\\\": \\\"Exploitation\\\",\\n \\\"sec.lateral\\\": \\\"Lateral Movement\\\",\\n \\\"sec.recon\\\": \\\"Reconnaissance\\\"\\n }\\n);\\nCommonSecurityLog\\n| where DeviceVendor == \\\"ExtraHop\\\"\\n| extend DeviceCustomNumber1 = coalesce(column_ifexists(\\\"FieldDeviceCustomNumber1\\\", long(null)),DeviceCustomNumber1)\\n| extend categories = iif(DeviceCustomString2 != \\\"\\\", split(DeviceCustomString2, \\\",\\\"),dynamic(null))\\n| extend detectionID = DeviceCustomNumber1\\n| project detectionID, updateTime=todatetime(ReceiptTime), categories\\n| summarize arg_max(updateTime, *) by detectionID\\n| sort by detectionID desc \\n| where isnotnull(categories)\\n| mv-expand cat=categories to typeof(string)\\n| extend cat = coalesce(column_ifexists(\\\"DeviceEventCategory\\\",\\\"\\\"),cat) \\n| summarize count() by cat\\n| project Category=tostring(category_map[cat]), Count=count_\\n| where Category != \\\"\\\"\",\"size\":0,\"title\":\"Detections by Category\",\"timeContextFromParameter\":\"query_times\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"30\",\"name\":\"total-detections-pie\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExtraHopDetections = materialize(CommonSecurityLog\\n | where DeviceVendor == \\\"ExtraHop\\\"\\n | extend DeviceCustomNumber1 = coalesce(column_ifexists(\\\"FieldDeviceCustomNumber1\\\", long(null)),DeviceCustomNumber1)\\n | extend detectionID = DeviceCustomNumber1\\n | extend StartTime = coalesce(\\n column_ifexists(\\\"StartTime\\\", datetime(null)),\\n extract(\\\"start=([0-9-]+T[0-9:.]+Z)\\\", 1, AdditionalExtensions,typeof(datetime)),\\n datetime(null)\\n )\\n | project SourceIP, DestinationIP, detectionID, StartTime\\n | summarize arg_max(todatetime(StartTime), *) by detectionID\\n | sort by detectionID desc);\\nlet t1 = ExtraHopDetections | 
where SourceIP != \\\"\\\" | summarize dcount=dcount(detectionID) by SourceIP | project IPAddress=SourceIP, dcount;\\nlet t2 = ExtraHopDetections | where DestinationIP != \\\"\\\" | summarize dcount=dcount(detectionID) by DestinationIP | project IPAddress=DestinationIP, dcount;\\nt1 | union t2 | summarize Count=sum(dcount) by [\\\"IP Address\\\"]=IPAddress | top 10 by Count desc\",\"size\":0,\"title\":\"Top Participants\",\"timeContextFromParameter\":\"query_times\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"35\",\"name\":\"top-participants\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\n | where DeviceVendor == \\\"ExtraHop\\\"\\n | extend DeviceCustomNumber1 = coalesce(column_ifexists(\\\"FieldDeviceCustomNumber1\\\", long(null)),DeviceCustomNumber1)\\n | extend StartTime = coalesce(\\n column_ifexists(\\\"StartTime\\\", datetime(null)),\\n extract(\\\"start=([0-9-]+T[0-9:.]+Z)\\\", 1, AdditionalExtensions,typeof(datetime)),\\n datetime(null)\\n )\\n | extend detectionID = DeviceCustomNumber1\\n | summarize arg_max(todatetime(StartTime), *) by detectionID\\n | summarize Count=count() by Activity\\n | sort by Count desc, Activity asc\\n | project-rename [\\\"Detection Title\\\"]=Activity\",\"size\":0,\"title\":\"Top Detections by Title\",\"timeContextFromParameter\":\"query_times\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"35\",\"name\":\"detections-by-title\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\n| where DeviceVendor == \\\"ExtraHop\\\"\\n| extend DeviceCustomNumber1 = coalesce(column_ifexists(\\\"FieldDeviceCustomNumber1\\\", long(null)),DeviceCustomNumber1),\\n DeviceCustomNumber2 = coalesce(column_ifexists(\\\"FieldDeviceCustomNumber2\\\", long(null)),DeviceCustomNumber2)\\n| summarize arg_max(ReceiptTime, *) by DeviceCustomNumber1 // detection ID\\n| sort by 
DeviceCustomNumber2 // risk score\\n| project [\\\"Risk Score\\\"] = DeviceCustomNumber2,\\nTitle=Activity, \\nSourceIP,\\nDestinationIP,\\n[\\\"Last Updated\\\"]=format_datetime(make_datetime(ReceiptTime), 'M/d/yyyy HH:mm:ss'),\\nID=DeviceCustomNumber1,\\nURI=DeviceCustomString1\\n| take 10\\n\",\"size\":0,\"title\":\"Top Ten Detections by Highest Risk Score\",\"timeContextFromParameter\":\"query_times\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"top-ten-by-risk\"}],\"fromTemplateId\":\"sentinel-ExtraHop\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n",
 "version": "1.0",
 "sourceId": "[variables('workspaceResourceId')]",
 "category": "sentinel"
@@ -882,7 +152,7 @@
 "contentSchemaVersion": "3.0.0",
 "displayName": "ExtraHop Reveal(x)",
 "publisherDisplayName": "ExtraHop",
- "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The ExtraHop Reveal(x) Solution for Microsoft Sentinel enables ingestion of Common Event Format (CEF) logs into Microsoft Sentinel. This solution enables you to view dashboards, create custom alerts, and improve investigation. This integration gives you the ability to gain insight into your organization's network and improve your security operation capabilities.

\n
    \n
  1. ExtraHop Reveal(x) via AMA - This data connector helps in ingesting ExtraHop Reveal(x) logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent here. Microsoft recommends using this Data Connector.

    \n
  2. \n
  3. ExtraHop Reveal(x) via Legacy Agent - This data connector helps in ingesting ExtraHop Reveal(x) logs into your Log Analytics Workspace using the legacy Log Analytics agent.

    \n
  4. \n
\n

NOTE: Microsoft recommends installation of ExtraHop Reveal(x) via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024, and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.

\n

Data Connectors: 2, Workbooks: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The ExtraHop Reveal(x) Solution for Microsoft Sentinel enables ingestion of Common Event Format (CEF) logs into Microsoft Sentinel. This solution enables you to view dashboards, create custom alerts, and improve investigation. This integration gives you the ability to gain insight into your organization's network and improve your security operation capabilities.

\n
    \n
  1. ExtraHop Reveal(x) via AMA - This data connector helps in ingesting ExtraHop Reveal(x) logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent here. Microsoft recommends using this Data Connector.

    \n
  2. \n
  3. ExtraHop Reveal(x) via Legacy Agent - This data connector helps in ingesting ExtraHop Reveal(x) logs into your Log Analytics Workspace using the legacy Log Analytics agent.

    \n
  4. \n
\n

NOTE: Microsoft recommends installation of ExtraHop Reveal(x) via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024, and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.

\n

Workbooks: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -905,16 +175,6 @@ "dependencies": { "operator": "AND", "criteria": [ - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId1')]", - "version": "[variables('dataConnectorVersion1')]" - }, - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId2')]", - "version": "[variables('dataConnectorVersion2')]" - }, { "kind": "Workbook", "contentId": "[variables('_workbookContentId1')]", From 2c6bede39bfe4f17d5afa8f335e32deee2fbcfb2 Mon Sep 17 00:00:00 2001 From: v-rusraut Date: Thu, 14 Sep 2023 11:06:09 +0530 Subject: [PATCH 4/4] update zip 3.0.0 --- .../ExtraHop Reveal(x)/Package/3.0.0.zip | Bin 6576 -> 11067 bytes .../Package/mainTemplate.json | 748 +++++++++++++++++- 2 files changed, 744 insertions(+), 4 deletions(-) 
diff --git a/Solutions/ExtraHop Reveal(x)/Package/3.0.0.zip b/Solutions/ExtraHop Reveal(x)/Package/3.0.0.zip index d91407caeac07a9aab2b530313f0718190424ebe..34fe4d186162c354c01f0d05a4242196aa656dba 100644 GIT binary patch literal 11067 zcmZ{~Wl$VU@a~HfJh;2NyCpa*?(UG_L4q!B!QI{6-2*J{8enmk#of>QzqjhvtvcsS zf9RU7p04@yJTp~4RRAm;4ipsB7brq)Hl3cYf9~24p`d*6prG*ot6I2NnYmeM*+^Mg z+c?^|**H0}*}6J8_UPI4M)q6JaVv0vVp&sX%~q<}>U);h8^NGAP7fB$RyTs$kvS-ZL?!MoJ>cWQU= z+R)~onr$W^|3+04_?+tdV+LDKmO@bylY6n5A>j!b-hwh;FzT{daEq~J;kF$uOL5tN zw?vQGk%J5_2 zj8>JmPD{Cc57m=R3i35nu{;s-(-*y%WT)}5SqJH_^+Zq=V)&xDxP*hjjc)z8cX9t4 z%*8$9KrOEVJRGZr0);zmJEN{L!JeH_NA7xDuXS58zRx7%F7AO*4CTr*(X!Q0A*UNz z)KvBnP{DXDc<77B_Y;6UJqcMS1x8LAnUJ83$lERV{zH7cj}yPu zL01-liCOmC5i6%{^?@hkfh|Jc=drawPQPvnlXrzJ$vF&WS&F2zpqdsYMNDRz*8Ux8 zhOH{u*N@MFUD@Q#7r}uML)9-~Afr}uz^wo%Xpb}8lv9^jOsI>$#%YjJ!naM(aM|Ni z>nscWgK((VjHS6G0Lv3EnJhb-B{H2@smWE_^Nk(Ic(zoaYw&kwkPnlgVq6SEQf-pi z=Zg%~uUtSSzWEv`45oAWWm7$1`WWJ#Ou4tqcM4;y%KT&8&&q<$;heNBzJISajz%aK zp~-lrd8u=Y$LAa;%@nG6c(PZ+W#4vU(tP{Tj;8y>AR>usIe&md3vk^YG$&EpJ|%M$#REz{>I+la#Q9SDQ0{65_(N1 z*q62AN|KW}xW%psk9i%=bs>#=!j@0I&*tdICSAms4^?dn(J{vr&lU*N22}7x0nT7Y zWAN{0p6AA72KDKmyugx{&IC*8?Xw#hrc8#43rIh#hk5;1OYEheE*DwDh?Bz5F}ejS z5te_6X*m+kNxZUN7zaWWa4IGS0J1QjoI*JsR*!U;bj-HX45x0r`Lh;sxgHlLDPKo+`pJJC zt(N)Ruzr=)^LWa4mFwD#X2@0GdJ#O_O-PhYno9b3Xn*}N1M0N~(`=qO(~;`!*LN)T zUKhoY6K}mPasZnW8ccu!Us})cQN;4Pifs;&s-0JGIBB0QRqMIjO;qomBy)cB?teRD zFxPs%<_n&7r9Sul>@fMr7w*JHFwk?6I^YmIIl8_&-rlbLZ1DJ(L;gTuuVBRs0l&&y zZ)P0@gJXD>L;IS12mfASG+z;}F@-%ogkJX7JZ%`?e6M?a?`$!ftqKmbIuHN#tue3i z&*7hDcey*UA@a8m4AuY7>wR_DbeNbcc*3Zlpmflnp)mjRdIvKbM@=h-U-thw{{Q3h z=c4B>V41|vI@>KX;v z$41k75hTg*5eNlqia?%hIl-5(Aq8XY?d|}2w`$#R*$#X@K z-+R9)dDtR8q$}IRyPaJi__>%8m{UxH<+GMOf0cO0~@U7&CvVhAjZnq*H zcVrPrejnZ<0*VR(&;FA`neM73ugCqQL-aAp#NL1Ur6=Ym$uxDiA9?8Q>aev=tV`tp zlale@$ehtEr0iwmFrVHTD;5s9TP1Rj^X9)-Vf<#M+u{s?yH_RFPaDA*Pld&a`D;+2*0ziF< z6($llz-aej9#>4dOtVS;gh9Tqp7Ncq$SEPdX6znM7ad_;*I#KQT2x}dD;bn%vA+fa 
zHOeU_Fvt7;^25^eJl8<<*T1whY-(WZt8;S9U7iu;KZwl8=%|@X-Wt7@gZjfI=!qFS zW^DQz1#&gl1rVvZ>uezCx z%TsYHzyY{bK_Bz6B0l>XTBkEK{N4Mv`U^i}l^bdbhg-R65m+sQCGq>z;CPXK7(EZ_ zflPaavxc1snJ(}6hFmN}UmJTfn4()c+Q<=(HlJqCtG@IVBU!Yg{wgRy)_X1vk|`Vv zhtd^`e(0F4B`qyX5-KjpaP~xk`6CNU^Jqs|8-5{^{NA41==xYj7?ZBK_Ca|^ppw|0 zHg4LzNm&V3M*b~CSSrv(F~@74HVQ`yof)o3ah%7i6#ovVl3EE@sn|g@R}GP{wa!*( z5F&Ke6FFAnaq4YQYfr?G&@-bOHBR~KC5k-_M-s8i~wO^!Wx9nyz_Sl3V1RF$Y+|nU2foEtY8FZ<-ueE zKZrWW(hs~<+5g>BYu#1hJ8&alfsPo~f)(a!>HfP@WT9w#RiWrlinZX@!knygQrz?J zl5=cWa-DS6E%XMK`cf&Au)0ErL1Z&!8p8VB3AM@%U5oMFnB!w;eC$^~gb}|tSi~Zb zI*GKdEAVc!lTVS}TCE?R$GGjeq_qm~n$`76dc9H_=S>Z9lCA8wmwwuOPw3W8#U$-l z*j2N9-|ZZQj%qSAPi*MBqp|u@ATp+IQ25GZO;1;5FEEcrH+jUG=jye!xHx)mt>$^s z&n9w#qUe+w1E8{88vTbEpFPXB{XhgMBTDrg^u&d#ZY#lZ?} z*+LB&wAmgOhbPoqc~!Z@kP~apLGe+HLJu5A8*lyO$s%OIq)7EV#nVs}Z2QgX#D%1u zE0B1%KMtVNlRHafXB<1{Biybyhj+=ju}B1CoRz=|mR#i~RB&ni(uYcn8}}XcSM0ax zwE-!LUEcOp8k+oYt5nkN>5AvhLx!P6IyW!?>mw<38A@vHiyERqtV#snf9=34n)s{0 z5_wI}glF>6b;uDHM}Ic0{5=ML2h`!vs_l{JvY*?!t=-I%P#R(X8%# z3$R{%4`+2T^rpSoO^>I9E2gb_bS#e0^NxTfxG!L<>-u12)^LtU*4=Fyi zEsXwKq250Zn_EHe-V$UVrrByCZPTsp9p^KtB zqm8j$ci*C+Tje1MK2{*^=V7k=s*yDR#y7`%@-2A!mqXJY+uu#^X&H{k_o*qfEC0`l z&pC9z>=m`31d}8zXbotC4V-bL6k16&hHmHe4wuy-JWsHH&kPyrbEuHrRpitplz6O7W#l=`3 zR}u7K7^A&KmZovQS9yjYXe+~)tgw$;LN@eTUbnQf=4&F}yXfoO3XAdVu*;y})7g*b z`yEF;)0Z&E3;`mdfVY{$?YfL77HdlCOAn5^xhH$uKJe(5S;{TP!deYETR7^)!ujNU zt}f_7N)oK$+}C{2-+&bW;nx!y^5KE461KJ&YiV!BSUNO|20s3Bi>4t@vk@dHZ&ngm zRpE9X!J;NT2&*Q7+9Be5WPC1`4~gTt2R|AB_UzX?uVmdJ+-T3D&={I-M78A}x&Nn= ze4qc@yFXvm8*Mrtg7ZPQ(*Oz=dm0DYy&Wk0dY1xJT^wIIms%El`0TcoRC?0&I+02C9p6$`g0;ue5&%!RY7b7` z*SxNZWbd#ThWI|tFvDd1vgz=_;6Kco-=u7Qt}x5}fsuw*?)Z?bkJE=CZW|!out~WAr;0%WO1U0jy3<7&2G-FMV%0V>)Ps z_?L@C)%8Mpf!TC~M+DgS3YBG%t}PYspm-7W=UiY%L@t2)JVX(a{zme&xhRQmKImR% zyd6mI0Bhh7lm%T&5Jvs&v8Ch(ia}6E_*^!*9i3ZiGQAoF>2UxkjFne?+zk4AJbrG) zG5oDZ2oiE+A@++O5$xUtjF~XY4GA1FLvzC?XH(`N?Mkf*oQ9PbYyCbUx|ONSA&8yz!`r@s-8N!S$@w7#PEEVl_8l_g7=ed3<&aW zgR-U7Nk#~jGs#?th$==gHHWC7AFn`TiQ;@4fRen_kO&5_Bf~DP)%VC+MahM8@Z?{F 
zyS7PCRiYZ8tYQ4IG|%SvRj{umMWgEJRgt1<_Jc=g7XjYAKx8v#p0-cHszTu(Ml|s; zhAws>mA$g6bs>DlPOn-@mS(!8qE6dIhM*{;+V?k{rhkk)1nFqM>-r>>A54%4As%B1 zzR))y&ejZ2@JmN!97M z>#2e=&aRnmII7^^qLEJ$Nn-Bp*%y1xY7lVI!h@7eatD z#w-L^_USf{5GF_ou-CWs@@?}`d=aZdA>o=HtpyU^1W(4*V+vPyVeK}3#R;Oh;(Xw4 z3aV5K#lvpR?t)T}xpq|%O}0aPH2bM)6EUW|qa8HVjiQXu4mBEdw2m35opF#PB&lT! zgUmOufTfL5$RJUXP~s;Hl(zpDO6rX|j)L>gm5yNjJ9Jq#Gm)0S)dbk3J%fZ?OqhyM zJaJCsmv82|83d(EIL5~vqQ{w)FD;GSP0IrP#iA4~>L}ju8h;oHmhBPU{3u0SIfT%` zV~pGVbnHr*%1HzP923*`-s*>ir~UzU3h!4=dz&mQ7UU42hBbb3`=$6)EoUxEaq)(l z9e+&eNllP>w6r${8BfIsq8SAvw^Lxk`_!ZVi89x^w_S`Cnc_M*`Uv%@zI zXftSy0IK1~lVDaD;$knDGdKf=xQP%cWabbo-6xw?4%Cy$@bBf}@YO*a@|wzk@GhaVu4OGQ<7c-A;768wvG{ zLnHGvMoeER% zbgS>C|FM42$2;QkbnKqKyT8wbi#u6#Yv1d|M-Sq3tPPW0njW2TU%Ekt9YfQ)%d^|? z@*7;S0%Hl38sa3Z$g<6dx}LAwyPAPuS^0tPH89NaATc=OdGs*|1w!q0b$ZIgn!3+e z0o*pGWxsKS#_wh&=k8tO$UC$;(b|ztkfV(>q&MO|c$o(pSh|-PIWqjyx|`OSGUXD< z9dNv&p|B9EW zvMsOaJWW0VU_rv4t>9?UBn2u)$nIO5mcpBE!){|tfk3{Yv}@%VYaDfp(RERQ32R%q zZ-@X{(|dl!sEI>I^R@z%`106!W|nwtkMct&36F`jl~nIaCl8_$lbNnXe6s8`QL3K#|HSDF96AfKtWmt z@1)I@>^82s7zKd7T}hXb#C)q;F_Vj-Kkl#PZZXm$q6)U@vW__4c$GLkp*ri|%>+WPMaoeO66j91B8GBlFh`q^jV_26sKkxK}obrD;bo^rXKKV)^eNfxWJJGQG+ z`y6+b;}&Y3pjCSHg%kUjtSw-NNU1bJ##o9tzraQvExfzHb!nJpgt};s_d%p%6;tyK z#joR2QGlsAuq}rq!yL{ZB|{x@(GPVIqLCht#^eqA?K(TSF|qWEkHV{QP6B-?TTt^k z@A%<2J`dDD4q=gricpw>DKB)Y#Ic_YSeW}&z*&yND2_tpot9?n-D+BQ78PZ9)ro>5 zyeIsvfOI%KmgbaL>!|>UqKFqug75E~@*rgdWk<82v!<{EiwBG|jJ*R5))gi6qlIDH zFkIuUU3L(skVZS_bP4b#(`1ur3N-vvIU7>ZPn?J95u)(WX(=9VC3@7Fg-F~)LHdKe zpV1eDmC$I9RgfMqF$i@MQ5o^0j&m+0RK5?G7PMrtZMYbn-cAAVLVS8M%~#t{JiW|TTRsPQ9R68$B${v4XDogC6P z-44=f0yoicfOq3q{0fA(OZ1u zXF*DzE-T(5U01>2GZQH-*PS;7OfBe6-Aby|9z1&}LYjOV8LOj5QO19!g( zQXeKIPMTB8i^Q7_YM4|`8`Z?m*rs}m;;|rqR-M^^TQb*6ZeiTvGAq|6J0(hIjR&qx zJewHM4=+)vrJiYV9WxQ$Szgx`VpC-2KC-KL%H5V zpuFLTih~h?(or(WH*p_ZQ_Y9ETyytDjTK~H49z8@VJ32Fh0;M(SfUt}r%U%EpN2lCkM5-jK~dwQ?_cbyKz)3CH)! 
z2U>e38y%L`%9j@cEfbIT$Oqv}n)N~jvWVM=I{&^RsW;t>Wv!|`23hL7UEAlbE}p#7 zyPf9e`5MP^C!#$heJqBbTw!xUcIejaAKYW2G+;#0c`jZ7U@R;`-F`pzOH zEm;RGbzfd}BV2VsLzDke>(K;g*_%(<(;nCK#v=Y8MrF+ggx)?qdxULk+wl-dYtz7pYvLk6+aY}Y|ujeD49ML=2 zB0I<%eNT~Y+}AaPg)B0Q#tHOBK})FH84>Ho3;NR6?~|;#{F>z?=kbgsbLwZ++yVi`qgiQcQee+$j!LE=eqr34Cp4Dsc0M+of#`qgrb`B%XP%sd($6R zvumr3mwFF9x1?wN&+j>};Kw%d^)0VaC>|nO>70Y$?49rKlVTj78NOzMXyE~Va35^1 zbcZdl;!N3jys;2d#noOBD=NRcDRpB3AiE!{`|E5RDFm%Ud`f;l@@gM*`lH`N*x(8H z)q;EhjyjanY5a4Z**49jzK=!+eW3N&1o%07)%*GP%IsBGBQA$@FfHdia0kFwht>QF zi;WQMgQ0ZQ3tr>AKgDPz%Ty(Y+{I8V%<*hp+>=AndpG+0KZUQ)akQs~d+=4XzfQad z_QWNH&OAFEK8qcp4oA>u54CQ4*p!2+cJ%QK(YW)5nO}L}cP8PGrS6Q4rP}PIc<8xN zzdw{@3u+|@@oFZPZU0!-v_!XYQPD-tL&IArARaOlgM6$P^;VsPZwY}gf*VHDPLHt+ z7W-H=F`x^4h6RZ9ep(^5GY6nQHcU>**B?wv{()Sbz0^^2jUQl39X_th)G?r5_$zE=;Td<2mM634!Z z8qtebY90nkbALDWakfW9&+7d73H{Oa>{$*Ne@FfAhpcECc2`eFoSvkWgt@+!KDO^x z^1Do4yNru6C$VlS+R_)*CSFR*;l(-BJFV+v}n@<`3Gu zQTqG&sPf1SE zgFKYpPCcPO75=^8!=3?NA!E0hOPs@i*k(Ag10@1xsak&)Fx4loI{JR$+CXy@7|!60Y~8tZ$WqKJ#GAZ6`KL6v@_eR8LwX-W&8vZSItQ* zy}xZ8glCe6&8cSf>b1{k`LEfwmom@-Qp3!J>QmI9+5@RvL;ZX(4*E!7a|ie&OMFaOD0-vi`G|En{7Q=iUU8ee zeSaL0g6@0OvXm3C&KM}y-Gxov}V3R%A*$c-dyICEe4QGw`>=uSlmXyI{K%|LbAXoC^~%{DzN6)774p`j9d@tzPFX zJU+lf=Marg#@F0}6}l0>)qN9Jp=T>xJ1xR}JQDrweA})Zqd>3x%T&Z1K`n6_4RWw( zhNv$Vy&6GuUZeLRz34TumqeM0itZgE^SVs3NW&OS;ZfJ>rh0O~C|Y{*%oEj@IvDm? 
zJ+cFh2jZPRv6EGm1~OFkx39k$s--mMt0k?)S}a&V!et2z4mktIN4maL$jSv4kMbC^ zKJ!_kqzD}FEX6EEI*kk5(+__*`CUc7)%~YX#h^b{`L^Rb2Qm2ps0aX0y|#{TNw~KS ztdXU3Nn3{*sqc7f#P30DD7YwiFHcTeK9#@ntdHoJMz~X(pA^@Dw9g?g+^vsT0BHLX z=u}pyK^_x~7a1nFl2gn}sBMp8lIsC)KO>2>Zidasq!}M1nG+SbO52umnzRUxCMx!8-T(`iA5>|rB!8KSiox{*!-Epet?$b% z{#Y^J=Hp-oU_XjPNt0@noZEJNQC`4^1_$c@ zj;Q`eu0TOUQT$K(Z~b3@)&KvH{}cQ2KS%%HA&~#**Z+-#Q3b#w{7(zae-ZLuE@1kf G-Twjur+D)K literal 6576 zcmZ{JRZtv&k}U)cPJ#z_g1ZKHcZT3Hzzh~7xZB|F7TgkKU~qQ`?(PJ4_iXO|y!ZCi zc7L4euCD&+sysmMi&0K*xAZef# z$N}UEa&%w=yErT>f0J0p^a=Wuq zSi;=N^R2i3=k8&I33z|jU=k*7V;S80PdQnlIUEE&z(Q?H5s$H;+2)=OW0r~}jvYZY zX?kbEtGHrZv!c4EaklZ^sEfHa4s+&y2PY7s`*tZsRiEtMv_cM~vDo=)pXH@=?vWyh zI6~2roY_o%wlX@p!E2|d*m})OeaayeYAOZ$qA_RRjX4p5fQc%)g=n2H&d&wvbfP|G zzoOyi9OpCC=d@*;U;RDgChtUm{)t$>>FWVMmr^?KRF=*$L9e?Rwb9oqC1#91L1#?C z{uT9CVgER(4D|Ydw7ku2S%zh{DlviH&IKgjP`9jK?;4VzO5Jbl{%oR~-1uAyM$fOO zpH2Q)Tl+7lwuuT`bgmcopr&3jG!UG;aW1rGE7&TTQP9T(z2HjJp&Qtm)_)!*JuYY7 zW?~L;B9-|4agWEP9CqTXB482vVHM4)Pd5GNt0hj;R6MK8ag(M8(VOCL2^zPJ#s2k( z%1!WG1_cfV^7BZHQMd z+xOJ1>SNZjMfYXPRp{`aTX(GzS4o)qYrNjj+0gO;E9)_XQDS8X8-Yt!6)%T{HOp1H zr3NTxoCw94Of}Gqo;$skF3nD%JjAiw8N*jZv-YvNQDZzL8$RkOuH#9 zlw8VLA^QO=UqtI!2pvktEYylhZC?g?3iKl)Jv1)UdcsiS^#2f22@4Bj;9&f*^K3<| z*h~4%>7ETg(Hu@%5Rax4PZl!~n2gKjt>&EqXV);=?BzVfa)&4xK`U+1=A3E1`ctDzG~w2vm}q61V>@W4kGC9PG30l3*4$5a zNkx)wJteEIQ;0Vyj-^2^;dmtwH6l4&cJ;3PqWG5Rr3qwYf{S+q} zZc`*lo4pSfi;3h~d0SWvXEeF=DiKCX&=}0NiNxz%a(WSY>)@CKvi+Sph>T2Qcic=x3Ydjr=+Vs0glY0-&Ve4?#M;Rqy zr#`9Bd2dDCw|&FnBb z;=!Ic>Wz`~_?4P;XpU)wc!sN;#bk!h076aM7<3-Rs6V%L9?<|q*J8p=67zYj@1k-F z$T>^;zSMnzqNw_7lWWPzH^IXRXb|<$2oW=qmc|#FTX6JX@n$& zEp@EP^#{-A=F6hdcX>{Ul~yNUgMlZgp-)%;U4Y3o6Y#^>4^of!iUpsQ18 zH%#f*!&k-vavAabZ}DJ!J>foY3cP`(rd5eui|{BAcwM15y#Vn1HYIwN*Y(Cn1mHo2 zSqo=UQ@>>}hb%!@clwKhHj5O)hCvh;r8D1@cDZ$DRF<+F%gd)n9T-$M0t(B|an28; zd94fMvw}>ibB07HeyQjxgHN*kzUsUgBUS5lA4cP5`14wn{xoesYop(3oG3MYokU^i z)+fQGzzdFTyaSd>X__79SAAH_jGVxWfTFDpj(4+i{VAb8=tupCvQ4v7B7~CW7gHpW 
z1jn(C9`vrg^Y4k`ehzqr*R#@t<*evhH;x$vpfU34Zb(8-pvLcvBMBpGcFLy};c{bA znjFIJs!_jWhE8oon>U>2=2WrIy5eOW)c%2nRHe>u<*b-JSF2GmCeZd#$;pP{zXshIHM0CUAedcq!ylwpj%Lwb`zSV0LT|ne~ z+gof9^TCUYC2VcOnWJtg?Vd`{{A-%wSRELeIg`kFFEt$Se0{#%7sY3t0@`)injM~o>=3>^knbk=R-gkPM_S^caA6!6$*k2d}!{X&CZjwM~Is3B9gJ&+C zza-pmNJoomH&NvUq-Sxode0$A(5yY!27k>I9i~B=ZIP z)gz2PBCyqS>l2v9uQ5%;X0_vykI(g!<0SX5$8=YwyBXYs=%I>Ik*mGy;p<_4IQ9RB z-lsKJuTXK};Oyk!;Qj%ey&1?s8)*N{?jOnjH?f}zgIrbwYB%=vHbD))uM9M5E%(2f zH|LsU+ZiTVYBpGxfbG*zsLdj5jiutYrpAN{xBhvL}tt}~)JIlkZ+3-9`)?Ge+ zlJxT5d<*J_-3Q$e$Ru167ADvc5Afu>5Y!bBO`D8lW4`j}`ugxJ5ubYtd#{gs;MK4w zrU{&7_v=fe^Sz*}B{_N{^qrR~z#ECxWRNVN-WFwfx34kYwUADvs32c@@J47UNq_ZMNvCt;}?mozbo@ZS@-b5olq-jYj! z^Bd$xOjRt(W4z4Ds}sG-2{X^}1Vy_nMDhCi@gdLvq#}6*SwRM#xb}jk(EjV7mlsu) ztsK^AE;JFi+qWN{jv(>}rhr!w+Fb_Oo)E%lsIDf^;UO_u6A=N5aepEl$#Jfyu-{zUJ&^_fN@Z@{y z!w*=u`mRx}8BrP8n>bV$dE`b1ODiSl7++b}I_ukg>#e5lzP2vRG8tw4x@Gu6s1P7Y zb$LE5D5z)yW0CyPdj`!;xX=GlD$>q0L|mqnUW3Y?TvssKvcRD$zbkc*A2+P4{w@WOeMZiXSNJm1c$NkD(}DLm$4d6I)fjU&0Xx~ z?|lcH&D3oyQ*B@*`s+|-l=k0HztNez8_cCh1Eh8!FW;i3h(~R(&kBj%+C)PiLc)n~ z(utOUP&ZN;0e6Hc+29`*tXy!uqg`Zfb@PziuLQX`<3cR1Wm~%#x+>#(fqFiR+Gw$$ zIm2+I#*@?Mln)k&!Ev=B?daWl*9qn+x)R12=9!_Xrx_>8Zou6=py_)lHA3mrMoX;p?#Es$>iJ6(>)TCYO6ps-t}qA=Xi|E+Ho_um ze0(Ha2w=|!Xrgy+xxHcaazZ=oGb{1qVu2i6a;GiL#Noqs3fX*EOHrg(+j0niqnIT1#3pVlcUI<$i+VY>o;_E_G=s}{T z3J*Umi6Ffifd|Nw=W@V+B=!I+cI?MW%-Cc+ap4m<=@B#8Ef&EO-o=Z_ZG8xvo*}y6 zL64?fP$gy+we7;5c^jG>D@kZ)?IyrM<@_3`R{j7y@2AT}A~q+M0C+5YGQ5+lK_qQq zGo@7I7KzQ*2a&f)2!l%k-tJbwE7AE|X=xGro)`DE_i%agxkN?*f9S|FOkF~KJ0sTU z&s$9j;=INf#51VswnGYdF%Y{f8|t2UJjgvJ?&+V`*Rg!Jrx^IX*RQjzy(ip$oQnE4 zG_vE^@kCLPwRv~6vGt@oP2o-vM@dfz!V*4Giggwy9B3Uc2g@lP{p=Q0*}K9qM-0!# zrxe&--Nb%mdM?J0po6a(QVPS{iIA^lWGpuEiu>vR=IV&zj}1QK*6kX$8~>y3`6OLP zt*V`A#Ea32*0I#FF(vA^J_UV-p_@Ba7g{^IPfux8{tP``DvAmkPI_hYQFFg*$s0(@ zd1aes@ZM2Pw&Ii9NV>dkuj;U#$o-<@t5;*o6FL2?N5?)5u)hzs+3)8{yh;nzprw`a>;q!7E>_PgP&@kE(kd%sD@22e_oaGTAgoDBf5rWf zRJq6TbHX=_t^5hU5ID>mQz5#vv^09lZfj0$X>cG3^W$}Xv^5Jw64Rv?TI{qnj-wnf 
z+YrKkqBVrRE_cCC74;5<^bS)#Su#C0SpzX4(_*sWOY_uJl12J#L@f!+EP%0Dh62N8 z8Th1jVRN_lK zRfqUjpDx;Mm|B09NK6d7Q%h`hS=Rxcq;WxT>A;|P&EOu0{D~)X$`B)SpT}T!O;Q6F z&S`|%pt)GQqcpS=2bGr@>GL-OPS)M!0UPmnG8U5v@sr8=_Fz_Jn}`shcHGJj*x426 zW~cf5W0p2lLgr6Q(IXEm*$h;DfjD+#kn5Vw-`eG8{AGx6mQVE94|Ord_}xYmyX3z3 zy@b%9GJAmWAP<5q4vX3Jq@2ZtJ_w?&wueoZ@*ry*K0rg~fJ5jb_Kg0)g8@?lVY0M1 zEIFXMB5WQ|(~nd1)dCnCZs>G>#pB!!Rr|&kY|rtn8i;V3i5ll181p&6y*987fE<-sp{%-<${Nff5 z4ndU}LcyZf(h9kaev+k6Gk37od&QhDUgC;o=aW{d!YbeEDbo^4e>~wQsJf1H!%szG zDEm^SiiJv0Pvi*{%B3?m^aq)IA1>==2=3w(O_i5BuV)~!so zi#|0U`C>!ey-;26O4;@`Lz&B;6b>RNZ6Wz^S#JeqO=Wy&psTm5AzsI2Va6j1(`nL5 zetbtaPWAA$i1)N%syu-JRhSoZ6}}n1y2JMF?gvqdyVQ?nc(1+ISJ1N^y zrZ-R?G4(ZU!>@+VR5MGH#KGfyWXik*y$EAZ-Q)5U3@(B97^RGL4@r@wgo>@Xy^_lM z!>(dFf6BOLo-n8+<#_7HY<6lTZka59_`6W!7ijisetyf#0+Jf3WSk&P$} zX0&ndmGTh$c*{@7bufFl<&uBXV?3+6ljD|8eywof?{;n4?_5`0I)D8mJM7n?l6Ti` zLY*34hVS<1OkfLuL9~*VZ6I29ej#RHX}lhfh`poSNo-92w1`%F3-5W{lENlXYnWk( zo$6@j^D~MHeN(`G3o|4PJ)>YVRN>$~YtnG}XJFIkz@}S2yy(;m8pn-}@EyWz$B0T{ z!CWDM;4fm?xymaL56_2z>5r)IbW3P8dMEU!C$Adw+yF4p<zKQLuwYHGYP87K+$t~g_f-ht<;{AS z#uLxsdib;sje`MP&!8Lx?A^lSw3%s{_08~96ttxey^{nqkadJ8=|D9-Bz3t%H65%u zY%zbo-zFfUc4y1j+lcr1)mq(hcaxADVGrS|O>q~(f9D0_^+ zp`&I4v8u5ZF{0Ebn(u5Mv<+8*68K7+Q-Y{I*Of-8?*9Ic6>~t=Tv{NEcq_0t(r9+1 zOMJaf@afx02|AvnrIrER_osbHRx0~^$NszVCB*Dhm<2Fs8T|}!vp0M2I$hC8%sDXm ziohroxkCP`Auaf|dieuP$P2pu8DQH?xl|x|*Xr;oAL6PV(lAn7P1;q`Hjea|uVYx+ zJ)cR4E^YriBV16}!FCaW!fcxNzR#JwG`E@O0jB#xl*;4#VmO{(grya^P? 
zSkFPM1nUhtcVYzGaAytyg}SU6Qh(yAn?|~?btVY)>Atey*T!_hCunEgMum`BLQvX< zW-R@}L(AE*WRGGXt`yv81;8gtiF<=9`_AX-+1XA9l!!8)vl#$-6M%kI0gxT>z+I@HUwiVF<{Q0QMXjT$9QO zmS0q_des|tJHygsT+2;i(xfD#_;N8Mst7~yPFARlCZn2}C_dsZ*<0=K8EZ5=@7yGr z2mYExX9h>NNEPf!mf?G)XO9(6CkTeDpox8p9q&P%pypUu6~a?+)+1E_YehQk0W37} z`${wV;s$Bz%|Idkg%^{FqJvAvY(={VuNriTxrXm^b;7IH==5tCKbA7o<5TKlSCX zPmZVUty%ZzI$>b956=5z!o9UkdFau$)S7J5gqojvXA#-wuZI!Pl;+_nY zcwfbim3JniKjrW-B+|~JXhOwqkz$H|>Fb_7UoWJlxYVjF5m(H$81OO2V(}VO)Tfai zn_e`0&l){)Xh^042&Ds1?*cKDBh4Eml6WJ>p_ zG9ST1Mw@6dIMfmeq{+SjIB3OCjXNNseZdwN+dO{nBg#ABpa^3!r~T-AHD72MRdUtD zQG3DqVq$-?6#13f68V9oyUS5hJn9&`1~z(KT`JN&))+D63(A~KvbNlVb7gEMbXIdo zJ<_Z|hb-$YEWcwnf8OK)6y)-A$?CO8Knkt9jC3<~^Z^z|Yn4G&96EpK4RF&LXTYV$ zWy4%S^&G;bg5jLREMh(r%9-r{WlTSZ2>Dh1QQme*IHjufB*FW|73tu|mtoQF;y>+AjT6x^6iux^W@W zhD#Ne6#`i&*qUug%N;38Gmn(GNTwc&T^?l^4#E6)i+UPgk)`=>R+SdyM(+CeI!})W zmW8_n>Nb_IS=@CAt_qI$u{U1u)s^7i;UWC*zQ{lABk%rY$Uh_?{!jH^r>Kj( diff --git a/Solutions/ExtraHop Reveal(x)/Package/mainTemplate.json b/Solutions/ExtraHop Reveal(x)/Package/mainTemplate.json index 1079d152db5..5a4d1123212 100644 --- a/Solutions/ExtraHop Reveal(x)/Package/mainTemplate.json +++ b/Solutions/ExtraHop Reveal(x)/Package/mainTemplate.json 
@@ -38,10 +38,28 @@
 }
 },
 "variables": {
- "solutionId": "extrahop.extrahop_revealx_mss",
- "_solutionId": "[variables('solutionId')]",
 "_solutionName": "ExtraHop Reveal(x)",
 "_solutionVersion": "3.0.0",
+ "solutionId": "extrahop.extrahop_revealx_mss",
+ "_solutionId": "[variables('solutionId')]",
+ "uiConfigId1": "ExtraHopNetworks",
+ "_uiConfigId1": "[variables('uiConfigId1')]",
+ "dataConnectorContentId1": "ExtraHopNetworks",
+ "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
+ "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
+ "_dataConnectorId1": "[variables('dataConnectorId1')]",
+ "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
+ "dataConnectorVersion1": "1.0.0",
+ "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
+ "uiConfigId2": "ExtraHopNetworksAma",
+ "_uiConfigId2": "[variables('uiConfigId2')]",
+ "dataConnectorContentId2": "ExtraHopNetworksAma",
+ "_dataConnectorContentId2": "[variables('dataConnectorContentId2')]",
+ "dataConnectorId2": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
+ "_dataConnectorId2": "[variables('dataConnectorId2')]",
+ "dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]",
+ "dataConnectorVersion2": "1.0.0",
+ "_dataConnectorcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]",
 "workbookVersion1": "1.0.0",
 "workbookContentId1": "ExtraHopDetectionSummaryWorkbook",
 "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]",
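Review bot: `dataConnectorTemplateSpecName1` and `dataConnectorTemplateSpecName2` spell the hash function `uniquestring(...)` while the two `_dataConnectorcontentProductId` variables added in the same hunk spell it `uniqueString(...)`; ARM resolves template function names case-insensitively, so this is not a defect, but the mixed spelling reads as if the lines came from two different generator versions and is worth normalising to `uniqueString`. The literal `"ExtraHopNetworks"` and `"ExtraHopNetworksAma"` are each hard-coded twice (once in `uiConfigId` and again in `dataConnectorContentId`), so a future rename of either connector id has to be applied in two places; deriving one from the other, e.g. `"dataConnectorContentId1": "[variables('uiConfigId1')]"`, would keep them from drifting. Since this mainTemplate appears to be emitted by the solution packaging tool (a `Package/3.0.0.zip` is added in the same commit), both are presumably changes to make on the generator side rather than by hand-editing the output.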
@@ -52,6 +70,718 @@ "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('dataConnectorTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "ExtraHop Reveal(x) data connector with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorVersion1')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "id": "[variables('_uiConfigId1')]", + "title": "[Deprecated] ExtraHop Reveal(x) via Legacy Agent", + "publisher": "ExtraHop Networks", + "logo": "ExtraHopLogo.svg", + "descriptionMarkdown": "The ExtraHop Reveal(x) data connector enables you to easily connect your Reveal(x) system with Microsoft Sentinel to view dashboards, create custom alerts, and improve investigation. 
This integration gives you the ability to gain insight into your organization's network and improve your security operation capabilities.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "ExtraHop Networks", + "baseQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"ExtraHop\"\n" + } + ], + "sampleQueries": [ + { + "description": "All logs", + "query": "\nCommonSecurityLog\n| where DeviceVendor == \"ExtraHop\"\n\n | sort by TimeGenerated" + }, + { + "description": "All detections, de-duplicated", + "query": "\nCommonSecurityLog\n| where DeviceVendor == \"ExtraHop\"\n\n | extend categories = iif(DeviceCustomString2 != \"\", split(DeviceCustomString2, \",\"),dynamic(null))\n     | extend StartTime = extract(\"start=([0-9-]+T[0-9:.]+Z)\", 1, AdditionalExtensions,typeof(datetime))\n     | extend EndTime = extract(\"end=([0-9-]+T[0-9:.]+Z)\", 1, AdditionalExtensions,typeof(datetime))\n     | project      \n     DeviceEventClassID=\"ExtraHop Detection\",\n     Title=Activity,\n     Description=Message,\n     riskScore=DeviceCustomNumber2,     \n     SourceIP,\n     DestinationIP,\n     detectionID=tostring(DeviceCustomNumber1),\n     updateTime=todatetime(ReceiptTime),\n     StartTime,\n     EndTime,\n     detectionURI=DeviceCustomString1,\n     categories,\n     Computer\n     | summarize arg_max(updateTime, *) by detectionID\n     | sort by detectionID desc" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "\nCommonSecurityLog\n| where DeviceVendor == \"ExtraHop\"\n\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)" + ] + } + ], + "dataTypes": [ + { + "name": "CommonSecurityLog (‘ExtraHop’)", + "lastDataReceivedQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"ExtraHop\"\n\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + 
"resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "ExtraHop", + "description": "ExtraHop Discover or Command appliance with firmware version 7.8 or later with a user account that has Unlimited (administrator) privileges." + } + ] + }, + "instructionSteps": [ + { + "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", + "innerSteps": [ + { + "title": "1.1 Select or create a Linux machine", + "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." + }, + { + "title": "1.2 Install the CEF collector on the Linux machine", + "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python --version.\n\n> 2. 
You must have elevated permissions (sudo) on your machine.", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId", + "PrimaryKey" + ], + "label": "Run the following command to install and apply the CEF collector:", + "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}" + }, + "type": "CopyableLabel" + } + ] + } + ], + "title": "1. Linux Syslog agent configuration" + }, + { + "description": "1. Set your security solution to send Syslog messages in CEF format to the proxy machine. Make sure to send the logs to port 514 TCP on the machine IP address.\n2. Follow the directions to install the [ExtraHop Detection SIEM Connector bundle](https://aka.ms/asi-syslog-extrahop-forwarding) on your Reveal(x) system. The SIEM Connector is required for this integration.\n3. Enable the trigger for **ExtraHop Detection SIEM Connector - CEF**\n4. Update the trigger with the ODS syslog targets you created \n5. The Reveal(x) system formats syslog messages in Common Event Format (CEF) and then sends data to Microsoft Sentinel.", + "title": "2. Forward ExtraHop Networks logs to Syslog agent" + }, + { + "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python --version\n\n>2. 
You must have elevated permissions (sudo) on your machine", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Run the following command to validate your connectivity:", + "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}" + }, + "type": "CopyableLabel" + } + ], + "title": "3. Validate connection" + }, + { + "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", + "title": "4. Secure your machine " + } + ], + "metadata": { + "id": "3c3af19d-b178-44cd-a130-c48b366758c4", + "version": "1.0.0", + "kind": "dataConnector", + "source": { + "kind": "community" + }, + "author": { + "name": "ExtraHop Networks" + }, + "support": { + "name": "ExtraHop Networks", + "link": "https://www.extrahop.com/support/", + "tier": "developer" + } + } + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "contentId": "[variables('_dataConnectorContentId1')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion1')]", + "source": { + "kind": "Solution", + "name": "ExtraHop Reveal(x)", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "ExtraHop" + }, + "support": { + "name": "ExtraHop", + "tier": "partner", + "link": "https://www.extrahop.com/support/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": 
"[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_dataConnectorContentId1')]", + "contentKind": "DataConnector", + "displayName": "[Deprecated] ExtraHop Reveal(x) via Legacy Agent", + "contentProductId": "[variables('_dataConnectorcontentProductId1')]", + "id": "[variables('_dataConnectorcontentProductId1')]", + "version": "[variables('dataConnectorVersion1')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", + "dependsOn": [ + "[variables('_dataConnectorId1')]" + ], + "location": "[parameters('workspace-location')]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "contentId": "[variables('_dataConnectorContentId1')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion1')]", + "source": { + "kind": "Solution", + "name": "ExtraHop Reveal(x)", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "ExtraHop" + }, + "support": { + "name": "ExtraHop", + "tier": "partner", + "link": "https://www.extrahop.com/support/" + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "title": "[Deprecated] ExtraHop Reveal(x) via Legacy Agent", + "publisher": "ExtraHop Networks", + 
"descriptionMarkdown": "The ExtraHop Reveal(x) data connector enables you to easily connect your Reveal(x) system with Microsoft Sentinel to view dashboards, create custom alerts, and improve investigation. This integration gives you the ability to gain insight into your organization's network and improve your security operation capabilities.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "ExtraHop Networks", + "baseQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"ExtraHop\"\n" + } + ], + "dataTypes": [ + { + "name": "CommonSecurityLog (‘ExtraHop’)", + "lastDataReceivedQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"ExtraHop\"\n\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "\nCommonSecurityLog\n| where DeviceVendor == \"ExtraHop\"\n\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)" + ] + } + ], + "sampleQueries": [ + { + "description": "All logs", + "query": "\nCommonSecurityLog\n| where DeviceVendor == \"ExtraHop\"\n\n | sort by TimeGenerated" + }, + { + "description": "All detections, de-duplicated", + "query": "\nCommonSecurityLog\n| where DeviceVendor == \"ExtraHop\"\n\n | extend categories = iif(DeviceCustomString2 != \"\", split(DeviceCustomString2, \",\"),dynamic(null))\n     | extend StartTime = extract(\"start=([0-9-]+T[0-9:.]+Z)\", 1, AdditionalExtensions,typeof(datetime))\n     | extend EndTime = extract(\"end=([0-9-]+T[0-9:.]+Z)\", 1, AdditionalExtensions,typeof(datetime))\n     | project      \n     DeviceEventClassID=\"ExtraHop Detection\",\n     Title=Activity,\n     Description=Message,\n     riskScore=DeviceCustomNumber2,     \n     SourceIP,\n     DestinationIP,\n     detectionID=tostring(DeviceCustomNumber1),\n     updateTime=todatetime(ReceiptTime),\n     StartTime,\n     EndTime,\n     detectionURI=DeviceCustomString1,\n     categories,\n  
   Computer\n     | summarize arg_max(updateTime, *) by detectionID\n     | sort by detectionID desc" + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "ExtraHop", + "description": "ExtraHop Discover or Command appliance with firmware version 7.8 or later with a user account that has Unlimited (administrator) privileges." + } + ] + }, + "instructionSteps": [ + { + "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", + "innerSteps": [ + { + "title": "1.1 Select or create a Linux machine", + "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." + }, + { + "title": "1.2 Install the CEF collector on the Linux machine", + "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. 
The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python --version.\n\n> 2. You must have elevated permissions (sudo) on your machine.", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId", + "PrimaryKey" + ], + "label": "Run the following command to install and apply the CEF collector:", + "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}" + }, + "type": "CopyableLabel" + } + ] + } + ], + "title": "1. Linux Syslog agent configuration" + }, + { + "description": "1. Set your security solution to send Syslog messages in CEF format to the proxy machine. Make sure to send the logs to port 514 TCP on the machine IP address.\n2. Follow the directions to install the [ExtraHop Detection SIEM Connector bundle](https://aka.ms/asi-syslog-extrahop-forwarding) on your Reveal(x) system. The SIEM Connector is required for this integration.\n3. Enable the trigger for **ExtraHop Detection SIEM Connector - CEF**\n4. Update the trigger with the ODS syslog targets you created \n5. The Reveal(x) system formats syslog messages in Common Event Format (CEF) and then sends data to Microsoft Sentinel.", + "title": "2. Forward ExtraHop Networks logs to Syslog agent" + }, + { + "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python --version\n\n>2. 
You must have elevated permissions (sudo) on your machine", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Run the following command to validate your connectivity:", + "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}" + }, + "type": "CopyableLabel" + } + ], + "title": "3. Validate connection" + }, + { + "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", + "title": "4. Secure your machine " + } + ], + "id": "[variables('_uiConfigId1')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('dataConnectorTemplateSpecName2')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "ExtraHop Reveal(x) data connector with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorVersion2')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "id": "[variables('_uiConfigId2')]", + "title": "[Recommended] ExtraHop Reveal(x) via AMA", + "publisher": "ExtraHop Networks", + "logo": 
"ExtraHopLogo.svg", + "descriptionMarkdown": "The ExtraHop Reveal(x) data connector enables you to easily connect your Reveal(x) system with Microsoft Sentinel to view dashboards, create custom alerts, and improve investigation. This integration gives you the ability to gain insight into your organization's network and improve your security operation capabilities.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "ExtraHop Networks", + "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'ExtraHop'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" + } + ], + "sampleQueries": [ + { + "description": "All logs", + "query": "\nCommonSecurityLog\n| where DeviceVendor == \"ExtraHop\"\n\n | sort by TimeGenerated" + }, + { + "description": "All detections, de-duplicated", + "query": "\nCommonSecurityLog\n| where DeviceVendor == \"ExtraHop\"\n\n | extend categories = iif(DeviceCustomString2 != \"\", split(DeviceCustomString2, \",\"),dynamic(null))\n     | extend StartTime = extract(\"start=([0-9-]+T[0-9:.]+Z)\", 1, AdditionalExtensions,typeof(datetime))\n     | extend EndTime = extract(\"end=([0-9-]+T[0-9:.]+Z)\", 1, AdditionalExtensions,typeof(datetime))\n     | project      \n     DeviceEventClassID=\"ExtraHop Detection\",\n     Title=Activity,\n     Description=Message,\n     riskScore=DeviceCustomNumber2,     \n     SourceIP,\n     DestinationIP,\n     detectionID=tostring(DeviceCustomNumber1),\n     updateTime=todatetime(ReceiptTime),\n     StartTime,\n     EndTime,\n     detectionURI=DeviceCustomString1,\n     categories,\n     Computer\n     | summarize arg_max(updateTime, *) by detectionID\n     | sort by detectionID desc" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "CommonSecurityLog\n |where DeviceVendor =~ 'ExtraHop'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = 
max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "dataTypes": [ + { + "name": "CommonSecurityLog (‘ExtraHop’)", + "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'ExtraHop'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + }, + { + "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" + } + ] + }, + "instructionSteps": [ + { + "instructions": [ + { + "parameters": { + "title": "1. Kindly follow the steps to configure the data connector", + "instructionSteps": [ + { + "title": "Step A. 
Configure the Common Event Format (CEF) via AMA data connector", + "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine" + + }, + { + "title": "Step B. Forward ExtraHop Networks logs to Syslog agent", + "description": "1. Set your security solution to send Syslog messages in CEF format to the proxy machine. Make sure to send the logs to port 514 TCP on the machine IP address.\n2. Follow the directions to install the [ExtraHop Detection SIEM Connector bundle](https://aka.ms/asi-syslog-extrahop-forwarding) on your Reveal(x) system. The SIEM Connector is required for this integration.\n3. Enable the trigger for **ExtraHop Detection SIEM Connector - CEF**\n4. Update the trigger with the ODS syslog targets you created \n5. The Reveal(x) system formats syslog messages in Common Event Format (CEF) and then sends data to Microsoft Sentinel." + + }, + { + "title": "Step C. Validate connection", + "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. 
Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine", + "instructions": [ + { + "parameters": { + "label": "Run the following command to validate your connectivity:", + "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef" + }, + "type": "CopyableLabel" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", + "title": "2. Secure your machine " + } + ], + "metadata": { + "id": "3c3af19d-b178-44cd-a130-c48b366758c4", + "version": "1.0.0", + "kind": "dataConnector", + "source": { + "kind": "community" + }, + "author": { + "name": "ExtraHop Networks" + }, + "support": { + "name": "ExtraHop Networks", + "link": "https://www.extrahop.com/support/", + "tier": "developer" + } + } + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", + "contentId": "[variables('_dataConnectorContentId2')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion2')]", + "source": { + "kind": "Solution", + "name": "ExtraHop Reveal(x)", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "ExtraHop" + }, + "support": { + "name": "ExtraHop", + "tier": "partner", + "link": 
"https://www.extrahop.com/support/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_dataConnectorContentId2')]", + "contentKind": "DataConnector", + "displayName": "[Recommended] ExtraHop Reveal(x) via AMA", + "contentProductId": "[variables('_dataConnectorcontentProductId2')]", + "id": "[variables('_dataConnectorcontentProductId2')]", + "version": "[variables('dataConnectorVersion2')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", + "dependsOn": [ + "[variables('_dataConnectorId2')]" + ], + "location": "[parameters('workspace-location')]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", + "contentId": "[variables('_dataConnectorContentId2')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion2')]", + "source": { + "kind": "Solution", + "name": "ExtraHop Reveal(x)", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "ExtraHop" + }, + "support": { + "name": "ExtraHop", + "tier": "partner", + "link": "https://www.extrahop.com/support/" + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "title": 
"[Recommended] ExtraHop Reveal(x) via AMA", + "publisher": "ExtraHop Networks", + "descriptionMarkdown": "The ExtraHop Reveal(x) data connector enables you to easily connect your Reveal(x) system with Microsoft Sentinel to view dashboards, create custom alerts, and improve investigation. This integration gives you the ability to gain insight into your organization's network and improve your security operation capabilities.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "ExtraHop Networks", + "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'ExtraHop'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" + } + ], + "dataTypes": [ + { + "name": "CommonSecurityLog (‘ExtraHop’)", + "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'ExtraHop'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "CommonSecurityLog\n |where DeviceVendor =~ 'ExtraHop'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "sampleQueries": [ + { + "description": "All logs", + "query": "\nCommonSecurityLog\n| where DeviceVendor == \"ExtraHop\"\n\n | sort by TimeGenerated" + }, + { + "description": "All detections, de-duplicated", + "query": "\nCommonSecurityLog\n| where DeviceVendor == \"ExtraHop\"\n\n | extend categories = iif(DeviceCustomString2 != \"\", split(DeviceCustomString2, \",\"),dynamic(null))\n     | extend StartTime = extract(\"start=([0-9-]+T[0-9:.]+Z)\", 1, AdditionalExtensions,typeof(datetime))\n     | extend EndTime = extract(\"end=([0-9-]+T[0-9:.]+Z)\", 1, AdditionalExtensions,typeof(datetime))\n     | project      \n    
 DeviceEventClassID=\"ExtraHop Detection\",\n     Title=Activity,\n     Description=Message,\n     riskScore=DeviceCustomNumber2,     \n     SourceIP,\n     DestinationIP,\n     detectionID=tostring(DeviceCustomNumber1),\n     updateTime=todatetime(ReceiptTime),\n     StartTime,\n     EndTime,\n     detectionURI=DeviceCustomString1,\n     categories,\n     Computer\n     | summarize arg_max(updateTime, *) by detectionID\n     | sort by detectionID desc"
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "read": true,
+ "write": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
+ },
+ {
+ "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)"
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "instructions": [
+ {
+ "parameters": {
+ "title": "1. 
Kindly follow the steps to configure the data connector",
+ "instructionSteps": [
+ {
+ "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector",
+ "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine"
+
+ },
+ {
+ "title": "Step B. Forward ExtraHop Networks logs to Syslog agent",
+ "description": "1. Set your security solution to send Syslog messages in CEF format to the proxy machine. Make sure to send the logs to port 514 TCP on the machine IP address.\n2. Follow the directions to install the [ExtraHop Detection SIEM Connector bundle](https://aka.ms/asi-syslog-extrahop-forwarding) on your Reveal(x) system. The SIEM Connector is required for this integration.\n3. Enable the trigger for **ExtraHop Detection SIEM Connector - CEF**\n4. Update the trigger with the ODS syslog targets you created \n5. The Reveal(x) system formats syslog messages in Common Event Format (CEF) and then sends data to Microsoft Sentinel."
+
+ },
+ {
+ "title": "Step C. 
Validate connection",
+ "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine",
+ "instructions": [
+ {
+ "parameters": {
+ "label": "Run the following command to validate your connectivity:",
+ "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef"
+ },
+ "type": "CopyableLabel"
+ }
+ ]
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ },
+ {
+ "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
+ "title": "2. Secure your machine "
+ }
+ ],
+ "id": "[variables('_uiConfigId2')]"
+ }
+ }
+ },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
@@ -79,7 +809,7 @@
 },
 "properties": {
 "displayName": "[parameters('workbook1-name')]",
- "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## ExtraHop Detections\\n---\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"2b036d8d-8429-40a5-a5f4-8f7473738749\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"query_times\",\"label\":\"Time Interval\",\"type\":4,\"description\":\"Time range for detection Start Times\",\"isRequired\":true,\"value\":{\"durationMs\":86400000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\n| where DeviceVendor == \\\"ExtraHop\\\"\\n| extend DeviceCustomNumber1 = coalesce(column_ifexists(\\\"FieldDeviceCustomNumber1\\\", long(null)),DeviceCustomNumber1)\\n| extend detectionID = DeviceCustomNumber1\\n| extend StartTime = coalesce(\\n column_ifexists(\\\"StartTime\\\", datetime(null)),\\n extract(\\\"start=([0-9-]+T[0-9:.]+Z)\\\", 1, AdditionalExtensions,typeof(datetime)),\\n datetime(null)\\n )\\n| summarize arg_min(todatetime(ReceiptTime), *) by detectionID\\n| summarize count(detectionID) by Activity, bin(make_datetime(ReceiptTime), 1h)\\n\",\"size\":0,\"title\":\"Detections by Recently 
Updated\",\"timeContextFromParameter\":\"query_times\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"categoricalbar\",\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"Activity\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"count_detectionID\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"name\":\"detections_by_time\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let category_map = dynamic(\\n{\\n \\\"sec.action\\\" : \\\"Actions on Objective\\\",\\n \\\"sec.caution\\\": \\\"Caution\\\",\\n \\\"sec.command\\\": \\\"Command and Control\\\",\\n \\\"sec.exploit\\\": \\\"Exploitation\\\",\\n \\\"sec.lateral\\\": \\\"Lateral Movement\\\",\\n \\\"sec.recon\\\": \\\"Reconnaissance\\\"\\n }\\n);\\nCommonSecurityLog\\n| where DeviceVendor == \\\"ExtraHop\\\"\\n| extend DeviceCustomNumber1 = coalesce(column_ifexists(\\\"FieldDeviceCustomNumber1\\\", long(null)),DeviceCustomNumber1)\\n| extend categories = iif(DeviceCustomString2 != \\\"\\\", split(DeviceCustomString2, \\\",\\\"),dynamic(null))\\n| extend detectionID = DeviceCustomNumber1\\n| project detectionID, updateTime=todatetime(ReceiptTime), categories\\n| summarize arg_max(updateTime, *) by detectionID\\n| sort by detectionID desc \\n| where isnotnull(categories)\\n| mv-expand cat=categories to typeof(string)\\n| extend cat = coalesce(column_ifexists(\\\"DeviceEventCategory\\\",\\\"\\\"),cat) \\n| summarize count() by cat\\n| project Category=tostring(category_map[cat]), Count=count_\\n| where Category != \\\"\\\"\",\"size\":0,\"title\":\"Detections by Category\",\"timeContextFromParameter\":\"query_times\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"30\",\"name\":\"total-detections-pie\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let 
ExtraHopDetections = materialize(CommonSecurityLog\\n | where DeviceVendor == \\\"ExtraHop\\\"\\n | extend DeviceCustomNumber1 = coalesce(column_ifexists(\\\"FieldDeviceCustomNumber1\\\", long(null)),DeviceCustomNumber1)\\n | extend detectionID = DeviceCustomNumber1\\n | extend StartTime = coalesce(\\n column_ifexists(\\\"StartTime\\\", datetime(null)),\\n extract(\\\"start=([0-9-]+T[0-9:.]+Z)\\\", 1, AdditionalExtensions,typeof(datetime)),\\n datetime(null)\\n )\\n | project SourceIP, DestinationIP, detectionID, StartTime\\n | summarize arg_max(todatetime(StartTime), *) by detectionID\\n | sort by detectionID desc);\\nlet t1 = ExtraHopDetections | where SourceIP != \\\"\\\" | summarize dcount=dcount(detectionID) by SourceIP | project IPAddress=SourceIP, dcount;\\nlet t2 = ExtraHopDetections | where DestinationIP != \\\"\\\" | summarize dcount=dcount(detectionID) by DestinationIP | project IPAddress=DestinationIP, dcount;\\nt1 | union t2 | summarize Count=sum(dcount) by [\\\"IP Address\\\"]=IPAddress | top 10 by Count desc\",\"size\":0,\"title\":\"Top Participants\",\"timeContextFromParameter\":\"query_times\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"35\",\"name\":\"top-participants\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\n | where DeviceVendor == \\\"ExtraHop\\\"\\n | extend DeviceCustomNumber1 = coalesce(column_ifexists(\\\"FieldDeviceCustomNumber1\\\", long(null)),DeviceCustomNumber1)\\n | extend StartTime = coalesce(\\n column_ifexists(\\\"StartTime\\\", datetime(null)),\\n extract(\\\"start=([0-9-]+T[0-9:.]+Z)\\\", 1, AdditionalExtensions,typeof(datetime)),\\n datetime(null)\\n )\\n | extend detectionID = DeviceCustomNumber1\\n | summarize arg_max(todatetime(StartTime), *) by detectionID\\n | summarize Count=count() by Activity\\n | sort by Count desc, Activity asc\\n | project-rename [\\\"Detection Title\\\"]=Activity\",\"size\":0,\"title\":\"Top Detections 
by Title\",\"timeContextFromParameter\":\"query_times\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"35\",\"name\":\"detections-by-title\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\n| where DeviceVendor == \\\"ExtraHop\\\"\\n| extend DeviceCustomNumber1 = coalesce(column_ifexists(\\\"FieldDeviceCustomNumber1\\\", long(null)),DeviceCustomNumber1),\\n DeviceCustomNumber2 = coalesce(column_ifexists(\\\"FieldDeviceCustomNumber2\\\", long(null)),DeviceCustomNumber2)\\n| summarize arg_max(ReceiptTime, *) by DeviceCustomNumber1 // detection ID\\n| sort by DeviceCustomNumber2 // risk score\\n| project [\\\"Risk Score\\\"] = DeviceCustomNumber2,\\nTitle=Activity, \\nSourceIP,\\nDestinationIP,\\n[\\\"Last Updated\\\"]=format_datetime(make_datetime(ReceiptTime), 'M/d/yyyy HH:mm:ss'),\\nID=DeviceCustomNumber1,\\nURI=DeviceCustomString1\\n| take 10\\n\",\"size\":0,\"title\":\"Top Ten Detections by Highest Risk Score\",\"timeContextFromParameter\":\"query_times\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"top-ten-by-risk\"}],\"fromTemplateId\":\"sentinel-ExtraHop\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n",
+ "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## ExtraHop Detections\\n---\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"2b036d8d-8429-40a5-a5f4-8f7473738749\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"query_times\",\"label\":\"Time Interval\",\"type\":4,\"description\":\"Time range for detection Start 
Times\",\"isRequired\":true,\"value\":{\"durationMs\":86400000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\n| where DeviceVendor == \\\"ExtraHop\\\"\\n| extend DeviceCustomNumber1 = coalesce(column_ifexists(\\\"FieldDeviceCustomNumber1\\\", long(null)),DeviceCustomNumber1)\\n| extend detectionID = DeviceCustomNumber1\\n| extend StartTime = coalesce(\\n column_ifexists(\\\"StartTime\\\", datetime(null)),\\n extract(\\\"start=([0-9-]+T[0-9:.]+Z)\\\", 1, AdditionalExtensions,typeof(datetime)),\\n datetime(null)\\n )\\n| summarize arg_min(todatetime(ReceiptTime), *) by detectionID\\n| summarize count(detectionID) by Activity, bin(make_datetime(ReceiptTime), 1h)\\n\",\"size\":0,\"title\":\"Detections by Recently Updated\",\"timeContextFromParameter\":\"query_times\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"categoricalbar\",\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"Activity\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"count_detectionID\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"name\":\"detections_by_time\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let category_map = dynamic(\\n{\\n \\\"sec.action\\\" : \\\"Actions on Objective\\\",\\n \\\"sec.caution\\\": 
\\\"Caution\\\",\\n \\\"sec.command\\\": \\\"Command and Control\\\",\\n \\\"sec.exploit\\\": \\\"Exploitation\\\",\\n \\\"sec.lateral\\\": \\\"Lateral Movement\\\",\\n \\\"sec.recon\\\": \\\"Reconnaissance\\\"\\n }\\n);\\nCommonSecurityLog\\n| where DeviceVendor == \\\"ExtraHop\\\"\\n| extend DeviceCustomNumber1 = coalesce(column_ifexists(\\\"FieldDeviceCustomNumber1\\\", long(null)),DeviceCustomNumber1)\\n| extend categories = iif(DeviceCustomString2 != \\\"\\\", split(DeviceCustomString2, \\\",\\\"),dynamic(null))\\n| extend detectionID = DeviceCustomNumber1\\n| project detectionID, updateTime=todatetime(ReceiptTime), categories\\n| summarize arg_max(updateTime, *) by detectionID\\n| sort by detectionID desc \\n| where isnotnull(categories)\\n| mv-expand cat=categories to typeof(string)\\n| extend cat = coalesce(column_ifexists(\\\"DeviceEventCategory\\\",\\\"\\\"),cat) \\n| summarize count() by cat\\n| project Category=tostring(category_map[cat]), Count=count_\\n| where Category != \\\"\\\"\",\"size\":0,\"title\":\"Detections by Category\",\"timeContextFromParameter\":\"query_times\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"30\",\"name\":\"total-detections-pie\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExtraHopDetections = materialize(CommonSecurityLog\\n | where DeviceVendor == \\\"ExtraHop\\\"\\n | extend DeviceCustomNumber1 = coalesce(column_ifexists(\\\"FieldDeviceCustomNumber1\\\", long(null)),DeviceCustomNumber1)\\n | extend detectionID = DeviceCustomNumber1\\n | extend StartTime = coalesce(\\n column_ifexists(\\\"StartTime\\\", datetime(null)),\\n extract(\\\"start=([0-9-]+T[0-9:.]+Z)\\\", 1, AdditionalExtensions,typeof(datetime)),\\n datetime(null)\\n )\\n | project SourceIP, DestinationIP, detectionID, StartTime\\n | summarize arg_max(todatetime(StartTime), *) by detectionID\\n | sort by detectionID desc);\\nlet t1 = ExtraHopDetections | 
where SourceIP != \\\"\\\" | summarize dcount=dcount(detectionID) by SourceIP | project IPAddress=SourceIP, dcount;\\nlet t2 = ExtraHopDetections | where DestinationIP != \\\"\\\" | summarize dcount=dcount(detectionID) by DestinationIP | project IPAddress=DestinationIP, dcount;\\nt1 | union t2 | summarize Count=sum(dcount) by [\\\"IP Address\\\"]=IPAddress | top 10 by Count desc\",\"size\":0,\"title\":\"Top Participants\",\"timeContextFromParameter\":\"query_times\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"35\",\"name\":\"top-participants\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\n | where DeviceVendor == \\\"ExtraHop\\\"\\n | extend DeviceCustomNumber1 = coalesce(column_ifexists(\\\"FieldDeviceCustomNumber1\\\", long(null)),DeviceCustomNumber1)\\n | extend StartTime = coalesce(\\n column_ifexists(\\\"StartTime\\\", datetime(null)),\\n extract(\\\"start=([0-9-]+T[0-9:.]+Z)\\\", 1, AdditionalExtensions,typeof(datetime)),\\n datetime(null)\\n )\\n | extend detectionID = DeviceCustomNumber1\\n | summarize arg_max(todatetime(StartTime), *) by detectionID\\n | summarize Count=count() by Activity\\n | sort by Count desc, Activity asc\\n | project-rename [\\\"Detection Title\\\"]=Activity\",\"size\":0,\"title\":\"Top Detections by Title\",\"timeContextFromParameter\":\"query_times\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"35\",\"name\":\"detections-by-title\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\n| where DeviceVendor == \\\"ExtraHop\\\"\\n| extend DeviceCustomNumber1 = coalesce(column_ifexists(\\\"FieldDeviceCustomNumber1\\\", long(null)),DeviceCustomNumber1),\\n DeviceCustomNumber2 = coalesce(column_ifexists(\\\"FieldDeviceCustomNumber2\\\", long(null)),DeviceCustomNumber2)\\n| summarize arg_max(ReceiptTime, *) by DeviceCustomNumber1 // detection ID\\n| sort by 
DeviceCustomNumber2 // risk score\\n| project [\\\"Risk Score\\\"] = DeviceCustomNumber2,\\nTitle=Activity, \\nSourceIP,\\nDestinationIP,\\n[\\\"Last Updated\\\"]=format_datetime(make_datetime(ReceiptTime), 'M/d/yyyy HH:mm:ss'),\\nID=DeviceCustomNumber1,\\nURI=DeviceCustomString1\\n| take 10\\n\",\"size\":0,\"title\":\"Top Ten Detections by Highest Risk Score\",\"timeContextFromParameter\":\"query_times\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"top-ten-by-risk\"}],\"fromTemplateId\":\"sentinel-ExtraHop\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n",
 "version": "1.0",
 "sourceId": "[variables('workspaceResourceId')]",
 "category": "sentinel"
@@ -152,7 +882,7 @@
 "contentSchemaVersion": "3.0.0",
 "displayName": "ExtraHop Reveal(x)",
 "publisherDisplayName": "ExtraHop",
- "descriptionHtml": "
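Review bot: The only change in this hunk is the trailing `\n` of the `serializedData` string becoming `\r\n`, which embeds a carriage return inside the serialized workbook payload rather than in the file's line endings. That looks like a packaging artifact from a Windows checkout of the workbook JSON, and it will drift the template away from the workbook source on every repackage. Workbook parsers tolerate the stray `\r`, so this is a hygiene point rather than a functional defect; restoring `...workbook.json\"}\n"` or normalizing line endings in the packaging step before serializing would keep the diff clean.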

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The ExtraHop Reveal(x) Solution for Microsoft Sentinel enables ingestion of Common Event Format (CEF) logs into Microsoft Sentinel. This solution enables you to view dashboards, create custom alerts, and improve investigation. This integration gives you the ability to gain insight into your organization's network and improve your security operation capabilities.

\n
    \n
  1. ExtraHop Reveal(x) via AMA - This data connector helps in ingesting ExtraHop Reveal(x) logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent here. Microsoft recommends using this Data Connector.

    \n
  2. \n
  3. ExtraHop Reveal(x) via Legacy Agent - This data connector helps in ingesting ExtraHop Reveal(x) logs into your Log Analytics Workspace using the legacy Log Analytics agent.

    \n
  4. \n
\n

NOTE: Microsoft recommends installation of ExtraHop Reveal(x) via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024, and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.

\n

Workbooks: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The ExtraHop Reveal(x) Solution for Microsoft Sentinel enables ingestion of Common Event Format (CEF) logs into Microsoft Sentinel. This solution enables you to view dashboards, create custom alerts, and improve investigation. This integration gives you the ability to gain insight into your organization's network and improve your security operation capabilities.

\n
    \n
  1. ExtraHop Reveal(x) via AMA - This data connector helps in ingesting ExtraHop Reveal(x) logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent here. Microsoft recommends using this Data Connector.

    \n
  2. \n
  3. ExtraHop Reveal(x) via Legacy Agent - This data connector helps in ingesting ExtraHop Reveal(x) logs into your Log Analytics Workspace using the legacy Log Analytics agent.

    \n
  4. \n
\n

NOTE: Microsoft recommends installation of ExtraHop Reveal(x) via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024, and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.

\n

Data Connectors: 2, Workbooks: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -175,6 +905,16 @@ "dependencies": { "operator": "AND", "criteria": [ + { + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentId1')]", + "version": "[variables('dataConnectorVersion1')]" + }, + { + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentId2')]", + "version": "[variables('dataConnectorVersion2')]" + }, { "kind": "Workbook", "contentId": "[variables('_workbookContentId1')]",