diff --git a/Solutions/ISC Bind/Data Connectors/Connector_Syslog_ISCBind.json b/Solutions/ISC Bind/Data Connectors/Connector_Syslog_ISCBind.json
index d7e6f99813d..5ff9587054c 100644
--- a/Solutions/ISC Bind/Data Connectors/Connector_Syslog_ISCBind.json
+++ b/Solutions/ISC Bind/Data Connectors/Connector_Syslog_ISCBind.json
@@ -62,7 +62,7 @@
 "instructionSteps": [
 {
 "title": "",
- "description":"**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias ISCBind and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ISC%20Bind/Parsers/ISCBind.txt).The function usually takes 10-15 minutes to activate after solution installation/update." ,
+ "description":"**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias ISCBind and load the function code or click [here](https://aka.ms/sentinel-iscbind-parser).The function usually takes 10-15 minutes to activate after solution installation/update." ,
 "instructions": [
 ]
 },
diff --git a/Solutions/ISC Bind/Data/Solution_ISC Bind.json b/Solutions/ISC Bind/Data/Solution_ISC Bind.json
index 17c3788d095..c324e724db2 100644
--- a/Solutions/ISC Bind/Data/Solution_ISC Bind.json
+++ b/Solutions/ISC Bind/Data/Solution_ISC Bind.json
@@ -2,12 +2,12 @@
 "Name": "ISC Bind",
 "Author": "Microsoft - support@microsoft.com",
 "Logo": "",
- "Description": "The [ISC Bind](https://www.isc.org/bind/) solution for Microsoft sentinel allows you to ingest ISC Bind logs to get better insights into your organization's network traffic data, DNS query data, traffic statistics and improves your security operation capabilities.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs\n\n a. [Agent-based log collection (Syslog)](https://learn.microsoft.com/azure/sentinel/connect-syslog)",
+ "Description": "The [ISC Bind](https://www.isc.org/bind/) solution for Microsoft Sentinel allows you to ingest ISC Bind logs to get better insights into your organization's network traffic data, DNS query data, traffic statistics and improves your security operation capabilities.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs\n\n a. [Agent-based log collection (Syslog)](https://learn.microsoft.com/azure/sentinel/connect-syslog)",
 "Data Connectors": [
 "Solutions/ISC Bind/Data Connectors/Connector_Syslog_ISCBind.json"
 ],
 "Parsers": [
- "Solutions/ISC Bind/Parsers/ISCBind.txt"
+ "Solutions/ISC Bind/Parsers/ISCBind.yaml"
 ],
 "BasePath": "C:\\GitHub\\Azure-Sentinel",
 "Version": "2.0.1",
diff --git a/Solutions/ISC Bind/Data/system_generated_metadata.json b/Solutions/ISC Bind/Data/system_generated_metadata.json
new file mode 100644
index 00000000000..9418200408f
--- /dev/null
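Review bot: The `Parsers` entry now points at `Solutions/ISC Bind/Parsers/ISCBind.yaml`, but this diff only shows `Parsers/ISCBind.txt` being deleted and no yaml being added, so unless the yaml was committed separately the packaging tool has no parser source to build from — confirm it exists before merging. The context line `"Version": "2.0.1",` is also left untouched while the generated metadata and package in this same change say 3.0.0; if the tool reads the version from this file, the next rebuild would regress the package version, so it should read `"Version": "3.0.0",`. The enclosing JSON object continues past the end of the hunk.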
+++ b/Solutions/ISC Bind/Data/system_generated_metadata.json
@@ -0,0 +1,31 @@
+{
+ "Name": "ISC Bind",
+ "Author": "Microsoft - support@microsoft.com",
+ "Logo": "",
+ "Description": "The [ISC Bind](https://www.isc.org/bind/) solution for Microsoft Sentinel allows you to ingest ISC Bind logs to get better insights into your organization's network traffic data, DNS query data, traffic statistics and improves your security operation capabilities.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs\n\n a. [Agent-based log collection (Syslog)](https://learn.microsoft.com/azure/sentinel/connect-syslog)",
+ "BasePath": "C:\\GitHub\\Azure-Sentinel",
+ "Metadata": "SolutionMetadata.json",
+ "TemplateSpec": true,
+ "Is1PConnector": false,
+ "Version": "3.0.0",
+ "publisherId": "azuresentinel",
+ "offerId": "azure-sentinel-solution-iscbind",
+ "providers": [
+ "ISC"
+ ],
+ "categories": {
+ "domains": [
+ "Networking"
+ ],
+ "verticals": []
+ },
+ "firstPublishDate": "2022-09-20",
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com/"
+ },
+ "Data Connectors": "[\n \"Connector_Syslog_ISCBind.json\"\n]",
+ "Parsers": "[\n \"ISCBind.yaml\"\n]"
+}
diff --git a/Solutions/ISC Bind/Package/3.0.0.zip b/Solutions/ISC Bind/Package/3.0.0.zip
new file mode 100644
index 00000000000..0f167715fa2
Binary files /dev/null and b/Solutions/ISC Bind/Package/3.0.0.zip differ
diff --git a/Solutions/ISC Bind/Package/createUiDefinition.json b/Solutions/ISC Bind/Package/createUiDefinition.json
index a0c9b07ee85..5f5020aa23f 100644
--- a/Solutions/ISC Bind/Package/createUiDefinition.json
+++ b/Solutions/ISC Bind/Package/createUiDefinition.json
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [ISC Bind](https://www.isc.org/bind/) solution for Microsoft sentinel allows you to ingest ISC Bind logs to get better insights into your organization's network traffic data, DNS query data, traffic statistics and improves your security operation capabilities.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs\n\n a. [Agent-based log collection (Syslog)](https://learn.microsoft.com/azure/sentinel/connect-syslog)\n\n**Data Connectors:** 1, **Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/ISCBind/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [ISC Bind](https://www.isc.org/bind/) solution for Microsoft Sentinel allows you to ingest ISC Bind logs to get better insights into your organization's network traffic data, DNS query data, traffic statistics and improves your security operation capabilities.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or 
might result in additional ingestion or operational costs:\n\n a. [Agent-based log collection (Syslog)](https://learn.microsoft.com/azure/sentinel/connect-syslog)\n\n**Data Connectors:** 1, **Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", diff --git a/Solutions/ISC Bind/Package/mainTemplate.json b/Solutions/ISC Bind/Package/mainTemplate.json index a756498cee4..a2deb61d28c 100644 --- a/Solutions/ISC Bind/Package/mainTemplate.json +++ b/Solutions/ISC Bind/Package/mainTemplate.json 
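Review bot: The new Release Notes link in `basics.description` points at `https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/ISCBind/ReleaseNotes.md`, but the file this change adds lives at `Solutions/ISC Bind/ReleaseNotes.md` (with a space), so the page users are told to review before installing resolves to a 404. It should be `https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/ISC%20Bind/ReleaseNotes.md`, and the same path is worth re-checking in the `descriptionHtml` of the contentPackages resource in mainTemplate.json, whose extracted text here no longer shows its links. Since createUiDefinition.json is produced by the packaging tool, the correction presumably has to go into the tool's input rather than be hand-edited here, otherwise the next regeneration reintroduces it.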
@@ -34,53 +34,39 @@ "_solutionId": "[variables('solutionId')]", "email": "support@microsoft.com", "_email": "[variables('email')]", - "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", + "_solutionName": "ISC Bind", + "_solutionVersion": "3.0.0", "uiConfigId1": "ISCBind", "_uiConfigId1": "[variables('uiConfigId1')]", "dataConnectorContentId1": "ISCBind", "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", "_dataConnectorId1": "[variables('dataConnectorId1')]", - "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1')))]", + "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", "dataConnectorVersion1": "1.0", - "parserVersion1": "1.0.0", - "parserContentId1": "ISCBind-Parser", - "_parserContentId1": "[variables('parserContentId1')]", + "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", "parserName1": "ISCBind", "_parserName1": "[concat(parameters('workspace'),'/',variables('parserName1'))]", "parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]", "_parserId1": "[variables('parserId1')]", - "parserTemplateSpecName1": "[concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId1')))]" + "parserTemplateSpecName1": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId1'))))]", + "parserVersion1": "1.0.0", + "parserContentId1": "ISCBind-Parser", + "_parserContentId1": "[variables('parserContentId1')]", + "_parsercontentProductId1": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('_parserContentId1'),'-', variables('parserVersion1'))))]", + "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, "resources": [ { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('dataConnectorTemplateSpecName1')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "DataConnector" - }, - "properties": { - "description": "ISC Bind data connector with template", - "displayName": "ISC Bind template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('dataConnectorTemplateSpecName1'),'/',variables('dataConnectorVersion1'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "DataConnector" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName1'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - 
"description": "ISC Bind data connector with template version 2.0.1", + "description": "ISC Bind data connector with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion1')]", @@ -157,7 +143,7 @@ }, "instructionSteps": [ { - "description": "**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias ISCBind and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ISC%20Bind/Parsers/ISCBind.txt).The function usually takes 10-15 minutes to activate after solution installation/update." + "description": "**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias ISCBind and load the function code or click [here](https://aka.ms/sentinel-iscbind-parser).The function usually takes 10-15 minutes to activate after solution installation/update." }, { "description": "Typically, you should install the agent on a different computer from the one on which the logs are generated.\n\n> Syslog logs are collected only from **Linux** agents.", @@ -226,8 +212,8 @@ "name": "Microsoft" }, "support": { - "tier": "microsoft", - "name": "Microsoft", + "tier": "Microsoft", + "name": "Microsoft Corporation", "email": "support@microsoft.com" } } 
@@ -236,7 +222,7 @@
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
+ "apiVersion": "2023-04-01-preview",
 "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
 "properties": {
 "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
@@ -261,12 +247,23 @@
 }
 }
 ]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_dataConnectorContentId1')]",
+ "contentKind": "DataConnector",
+ "displayName": "ISC Bind",
+ "contentProductId": "[variables('_dataConnectorcontentProductId1')]",
+ "id": "[variables('_dataConnectorcontentProductId1')]",
+ "version": "[variables('dataConnectorVersion1')]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
+ "apiVersion": "2023-04-01-preview",
 "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
 "dependsOn": [
 "[variables('_dataConnectorId1')]"
@@ -362,7 +359,7 @@
 },
 "instructionSteps": [
 {
- "description": "**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias ISCBind and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ISC%20Bind/Parsers/ISCBind.txt).The function usually takes 10-15 minutes to activate after solution installation/update."
+ "description": "**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias ISCBind and load the function code or click [here](https://aka.ms/sentinel-iscbind-parser).The function usually takes 10-15 minutes to activate after solution installation/update."
 },
 {
 "description": "Typically, you should install the agent on a different computer from the one on which the logs are generated.\n\n> Syslog logs are collected only from **Linux** agents.",
@@ -425,33 +422,15 @@
 }
 },
 {
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
 "name": "[variables('parserTemplateSpecName1')]",
 "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "Parser"
- },
- "properties": {
- "description": "ISCBind Data Parser with template",
- "displayName": "ISCBind Data Parser template"
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('parserTemplateSpecName1'),'/',variables('parserVersion1'))]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "Parser"
- },
 "dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('parserTemplateSpecName1'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ISCBind Data Parser with template version 2.0.1",
+ "description": "ISCBind Data Parser with template version 3.0.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('parserVersion1')]",
@@ -460,20 +439,21 @@ "resources": [ { "name": "[variables('_parserName1')]", - "apiVersion": "2020-08-01", + "apiVersion": "2022-10-01", "type": "Microsoft.OperationalInsights/workspaces/savedSearches", "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", "displayName": "ISCBind", - "category": "Samples", + "category": "Microsoft Sentinel Parser", "functionAlias": "ISCBind", - "query": "\n\r\nlet request = Syslog \r\n| where SyslogMessage has_all (\"client\", \"query:\") and SyslogMessage !has \"response:\"\r\n| parse SyslogMessage with\r\n * \"client \" * \" \"\r\n SrcIpAddr:string \"#\" \r\n SrcPortNumber:string \" \" *\r\n \"query: \"\r\n DnsQuery:string \" \"\r\n DnsQueryClassName:string \" \"\r\n DnsQueryTypeName:string \" \"\r\n DnsFlags:string\r\n| extend ServerIPAddressIndex= indexof(DnsFlags, \" \")\r\n| extend ServerIPAddress = iif(ServerIPAddressIndex != \"-1\", substring(DnsFlags, ServerIPAddressIndex),\"\")\r\n| extend ServerIPAddress = replace_regex(ServerIPAddress,@\"[()]\",\"\")\r\n| extend DnsFlags =iif(ServerIPAddressIndex != \"-1\", substring(DnsFlags, 0, ServerIPAddressIndex), DnsFlags)\r\n| extend SrcPortNumber = replace_regex(SrcPortNumber,@\"[^\\d]\",\"\")\r\n| extend EventSubType = \"request\",DnsResponseCodeName = \"NA\"\r\n| project-away SyslogMessage,ProcessName,ProcessID,Facility,SeverityLevel,HostName,ServerIPAddressIndex;\r\nlet requestcache = Syslog \r\n| where SyslogMessage has_all (\"client\", \"query (cache)\") and SyslogMessage !has \"response:\"\r\n| parse SyslogMessage with\r\n * \"client \" * \" \"\r\n SrcIpAddr:string \"#\" \r\n SrcPortNumber:string \" \" *\r\n \"query (cache) '\"\r\n DnsQuery:string \"/\"\r\n DnsQueryTypeName:string \"/\"\r\n DnsQueryClassName:string \"' \"\r\n Action\r\n| extend EventSubType = \"requestcache\",DnsResponseCodeName = \"NA\"\r\n| project-away SyslogMessage,ProcessName,ProcessID,Facility,SeverityLevel,HostName;\r\nlet response =Syslog \r\n| where SyslogMessage has_all 
(\"client\", \"query:\", \"response:\")\r\n| parse SyslogMessage with\r\n * \"client \" * \" \"\r\n SrcIpAddr:string \"#\" \r\n SrcPortNumber:string \" \" * \"view \" * \": \"\r\n NetworkProtocol:string \": query: \"\r\n DnsQuery:string \" \"\r\n DnsQueryClassName:string \" \"\r\n DnsQueryTypeName:string \" \"\r\n \"response: \" DnsResponseCodeName: string\r\n \" \" DnsFlags: string\r\n| extend DNSResourceRecordIndex= indexof(DnsFlags, \" \")\r\n| extend DnsResponseName =iif(DNSResourceRecordIndex != \"-1\", substring(DnsFlags, DNSResourceRecordIndex), \"\")\r\n| extend DnsFlags =iif(DNSResourceRecordIndex != \"-1\", substring(DnsFlags, 0, DNSResourceRecordIndex), DnsFlags)\r\n| extend EventSubType = \"response\"\r\n| project-away SyslogMessage,ProcessName,ProcessID,Facility,SeverityLevel,HostName,DNSResourceRecordIndex;\r\nunion request,requestcache,response", - "version": 1, + "query": "//request events\nlet request = Syslog \n| where SyslogMessage has_all (\"client\", \"query:\") and SyslogMessage !has \"response:\"\n| parse SyslogMessage with\n * \"client \" * \" \"\n SrcIpAddr:string \"#\" \n SrcPortNumber:string \" \" *\n \"query: \"\n DnsQuery:string \" \"\n DnsQueryClassName:string \" \"\n DnsQueryTypeName:string \" \"\n DnsFlags:string\n| extend ServerIPAddressIndex= indexof(DnsFlags, \" \")\n| extend ServerIPAddress = iif(ServerIPAddressIndex != \"-1\", substring(DnsFlags, ServerIPAddressIndex),\"\")\n| extend ServerIPAddress = replace_regex(ServerIPAddress,@\"[()]\",\"\")\n| extend DnsFlags =iif(ServerIPAddressIndex != \"-1\", substring(DnsFlags, 0, ServerIPAddressIndex), DnsFlags)\n| extend SrcPortNumber = replace_regex(SrcPortNumber,@\"[^\\d]\",\"\")\n| extend EventSubType = \"request\",DnsResponseCodeName = \"NA\"\n| project-away SyslogMessage,ProcessName,ProcessID,Facility,SeverityLevel,HostName,ServerIPAddressIndex;\n//request (cache) events\nlet requestcache = Syslog \n| where SyslogMessage has_all (\"client\", \"query (cache)\") and SyslogMessage 
!has \"response:\"\n| parse SyslogMessage with\n * \"client \" * \" \"\n SrcIpAddr:string \"#\" \n SrcPortNumber:string \" \" *\n \"query (cache) '\"\n DnsQuery:string \"/\"\n DnsQueryTypeName:string \"/\"\n DnsQueryClassName:string \"' \"\n Action\n| extend EventSubType = \"requestcache\",DnsResponseCodeName = \"NA\"\n| project-away SyslogMessage,ProcessName,ProcessID,Facility,SeverityLevel,HostName;\n// response events\nlet response =Syslog \n| where SyslogMessage has_all (\"client\", \"query:\", \"response:\")\n| parse SyslogMessage with\n * \"client \" * \" \"\n SrcIpAddr:string \"#\" \n SrcPortNumber:string \" \" * \"view \" * \": \"\n NetworkProtocol:string \": query: \"\n DnsQuery:string \" \"\n DnsQueryClassName:string \" \"\n DnsQueryTypeName:string \" \"\n \"response: \" DnsResponseCodeName: string\n \" \" DnsFlags: string\n| extend DNSResourceRecordIndex= indexof(DnsFlags, \" \")\n| extend DnsResponseName =iif(DNSResourceRecordIndex != \"-1\", substring(DnsFlags, DNSResourceRecordIndex), \"\")\n| extend DnsFlags =iif(DNSResourceRecordIndex != \"-1\", substring(DnsFlags, 0, DNSResourceRecordIndex), DnsFlags)\n| extend EventSubType = \"response\"\n| project-away SyslogMessage,ProcessName,ProcessID,Facility,SeverityLevel,HostName,DNSResourceRecordIndex;\nunion request,requestcache,response\n", + "functionParameters": "", + "version": 2, "tags": [ { "name": "description", - "value": "ISCBind" + "value": "" } ] } @@ -483,7 +463,7 @@ "apiVersion": "2022-01-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]", "dependsOn": [ - "[variables('_parserName1')]" + "[variables('_parserId1')]" ], "properties": { "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]", 
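Review bot: Each of the three branches in the regenerated `ISCBind` query selects from the whole `Syslog` table using only message text (`has_all ("client", "query:")` and friends), with no `ProcessName` or `Facility` constraint, and the trailing `project-away` then drops `ProcessName` and `HostName`, so any Linux daemon whose messages happen to contain "client" and "query:" is emitted as a BIND DNS event and an analyst cannot tell from the parsed row where it came from. Adding a process filter to each branch ahead of the `parse`, e.g. `| where ProcessName == "named"` (BIND's default syslog identifier — adjust if the deployment tags differently), narrows the scan and removes the false attribution. The text-only filter also looks like it lets the `request` branch match the `query (cache)` lines that `requestcache` handles, since `has` is term-based, which is worth confirming to avoid double-counting in the final `union`. This file is generated from the solution's parser source, so the fix belongs in `Parsers/ISCBind.yaml`, which is not part of this diff.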
@@ -508,21 +488,39 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_parserContentId1')]", + "contentKind": "Parser", + "displayName": "ISCBind", + "contentProductId": "[variables('_parsercontentProductId1')]", + "id": "[variables('_parsercontentProductId1')]", + "version": "[variables('parserVersion1')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "apiVersion": "2021-06-01", + "apiVersion": "2022-10-01", "name": "[variables('_parserName1')]", "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", "displayName": "ISCBind", - "category": "Samples", + "category": "Microsoft Sentinel Parser", "functionAlias": "ISCBind", - "query": "\n\r\nlet request = Syslog \r\n| where SyslogMessage has_all (\"client\", \"query:\") and SyslogMessage !has \"response:\"\r\n| parse SyslogMessage with\r\n * \"client \" * \" \"\r\n SrcIpAddr:string \"#\" \r\n SrcPortNumber:string \" \" *\r\n \"query: \"\r\n DnsQuery:string \" \"\r\n DnsQueryClassName:string \" \"\r\n DnsQueryTypeName:string \" \"\r\n DnsFlags:string\r\n| extend ServerIPAddressIndex= indexof(DnsFlags, \" \")\r\n| extend ServerIPAddress = iif(ServerIPAddressIndex != \"-1\", substring(DnsFlags, ServerIPAddressIndex),\"\")\r\n| extend ServerIPAddress = replace_regex(ServerIPAddress,@\"[()]\",\"\")\r\n| extend DnsFlags =iif(ServerIPAddressIndex != \"-1\", substring(DnsFlags, 0, ServerIPAddressIndex), DnsFlags)\r\n| extend SrcPortNumber = replace_regex(SrcPortNumber,@\"[^\\d]\",\"\")\r\n| extend EventSubType = \"request\",DnsResponseCodeName = \"NA\"\r\n| project-away SyslogMessage,ProcessName,ProcessID,Facility,SeverityLevel,HostName,ServerIPAddressIndex;\r\nlet requestcache = Syslog \r\n| where SyslogMessage has_all (\"client\", \"query (cache)\") and SyslogMessage 
!has \"response:\"\r\n| parse SyslogMessage with\r\n * \"client \" * \" \"\r\n SrcIpAddr:string \"#\" \r\n SrcPortNumber:string \" \" *\r\n \"query (cache) '\"\r\n DnsQuery:string \"/\"\r\n DnsQueryTypeName:string \"/\"\r\n DnsQueryClassName:string \"' \"\r\n Action\r\n| extend EventSubType = \"requestcache\",DnsResponseCodeName = \"NA\"\r\n| project-away SyslogMessage,ProcessName,ProcessID,Facility,SeverityLevel,HostName;\r\nlet response =Syslog \r\n| where SyslogMessage has_all (\"client\", \"query:\", \"response:\")\r\n| parse SyslogMessage with\r\n * \"client \" * \" \"\r\n SrcIpAddr:string \"#\" \r\n SrcPortNumber:string \" \" * \"view \" * \": \"\r\n NetworkProtocol:string \": query: \"\r\n DnsQuery:string \" \"\r\n DnsQueryClassName:string \" \"\r\n DnsQueryTypeName:string \" \"\r\n \"response: \" DnsResponseCodeName: string\r\n \" \" DnsFlags: string\r\n| extend DNSResourceRecordIndex= indexof(DnsFlags, \" \")\r\n| extend DnsResponseName =iif(DNSResourceRecordIndex != \"-1\", substring(DnsFlags, DNSResourceRecordIndex), \"\")\r\n| extend DnsFlags =iif(DNSResourceRecordIndex != \"-1\", substring(DnsFlags, 0, DNSResourceRecordIndex), DnsFlags)\r\n| extend EventSubType = \"response\"\r\n| project-away SyslogMessage,ProcessName,ProcessID,Facility,SeverityLevel,HostName,DNSResourceRecordIndex;\r\nunion request,requestcache,response", - "version": 1 + "query": "//request events\nlet request = Syslog \n| where SyslogMessage has_all (\"client\", \"query:\") and SyslogMessage !has \"response:\"\n| parse SyslogMessage with\n * \"client \" * \" \"\n SrcIpAddr:string \"#\" \n SrcPortNumber:string \" \" *\n \"query: \"\n DnsQuery:string \" \"\n DnsQueryClassName:string \" \"\n DnsQueryTypeName:string \" \"\n DnsFlags:string\n| extend ServerIPAddressIndex= indexof(DnsFlags, \" \")\n| extend ServerIPAddress = iif(ServerIPAddressIndex != \"-1\", substring(DnsFlags, ServerIPAddressIndex),\"\")\n| extend ServerIPAddress = replace_regex(ServerIPAddress,@\"[()]\",\"\")\n| 
extend DnsFlags =iif(ServerIPAddressIndex != \"-1\", substring(DnsFlags, 0, ServerIPAddressIndex), DnsFlags)\n| extend SrcPortNumber = replace_regex(SrcPortNumber,@\"[^\\d]\",\"\")\n| extend EventSubType = \"request\",DnsResponseCodeName = \"NA\"\n| project-away SyslogMessage,ProcessName,ProcessID,Facility,SeverityLevel,HostName,ServerIPAddressIndex;\n//request (cache) events\nlet requestcache = Syslog \n| where SyslogMessage has_all (\"client\", \"query (cache)\") and SyslogMessage !has \"response:\"\n| parse SyslogMessage with\n * \"client \" * \" \"\n SrcIpAddr:string \"#\" \n SrcPortNumber:string \" \" *\n \"query (cache) '\"\n DnsQuery:string \"/\"\n DnsQueryTypeName:string \"/\"\n DnsQueryClassName:string \"' \"\n Action\n| extend EventSubType = \"requestcache\",DnsResponseCodeName = \"NA\"\n| project-away SyslogMessage,ProcessName,ProcessID,Facility,SeverityLevel,HostName;\n// response events\nlet response =Syslog \n| where SyslogMessage has_all (\"client\", \"query:\", \"response:\")\n| parse SyslogMessage with\n * \"client \" * \" \"\n SrcIpAddr:string \"#\" \n SrcPortNumber:string \" \" * \"view \" * \": \"\n NetworkProtocol:string \": query: \"\n DnsQuery:string \" \"\n DnsQueryClassName:string \" \"\n DnsQueryTypeName:string \" \"\n \"response: \" DnsResponseCodeName: string\n \" \" DnsFlags: string\n| extend DNSResourceRecordIndex= indexof(DnsFlags, \" \")\n| extend DnsResponseName =iif(DNSResourceRecordIndex != \"-1\", substring(DnsFlags, DNSResourceRecordIndex), \"\")\n| extend DnsFlags =iif(DNSResourceRecordIndex != \"-1\", substring(DnsFlags, 0, DNSResourceRecordIndex), DnsFlags)\n| extend EventSubType = \"response\"\n| project-away SyslogMessage,ProcessName,ProcessID,Facility,SeverityLevel,HostName,DNSResourceRecordIndex;\nunion request,requestcache,response\n", + "functionParameters": "", + "version": 2, + "tags": [ + { + "name": "description", + "value": "" + } + ] } }, { 
@@ -556,13 +554,20 @@
 }
 },
 {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages",
+ "apiVersion": "2023-04-01-preview",
 "location": "[parameters('workspace-location')]",
 "properties": {
- "version": "2.0.1",
+ "version": "3.0.0",
 "kind": "Solution",
- "contentSchemaVersion": "2.0.0",
+ "contentSchemaVersion": "3.0.0",
+ "displayName": "ISC Bind",
+ "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation",
+ "descriptionHtml": "
Note: There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe ISC Bind solution for Microsoft Sentinel allows you to ingest ISC Bind logs to get better insights into your organization's network traffic data, DNS query data, traffic statistics and improves your security operation capabilities.
\nUnderlying Microsoft Technologies used:
\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs
\n\nData Connectors: 1, Parsers: 1
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
+ "contentKind": "Solution",
+ "contentProductId": "[variables('_solutioncontentProductId')]",
+ "id": "[variables('_solutioncontentProductId')]",
+ "icon": "",
 "contentId": "[variables('_solutionId')]",
 "parentId": "[variables('_solutionId')]",
 "source": {
diff --git a/Solutions/ISC Bind/Parsers/ISCBind.txt b/Solutions/ISC Bind/Parsers/ISCBind.txt
deleted file mode 100644
index 582e5d4ccdd..00000000000
--- a/Solutions/ISC Bind/Parsers/ISCBind.txt
+++ /dev/null
@@ -1,65 +0,0 @@ -// Title: ISC Bind -// Author: Microsoft -// Version: 1.0 -// Last Updated: 09/16/2022 -// Comment: Inital Release -// -// DESCRIPTION: -// This parser takes raw ISC Bind logs from a Syslog stream and parses the logs into a normalized schema. -// -// -// REFERENCES: -// Using functions in Azure monitor log queries: https://docs.microsoft.com/azure/azure-monitor/log-query/functions - -//request events -let request = Syslog -| where SyslogMessage has_all ("client", "query:") and SyslogMessage !has "response:" -| parse SyslogMessage with - * "client " * " " - SrcIpAddr:string "#" - SrcPortNumber:string " " * - "query: " - DnsQuery:string " " - DnsQueryClassName:string " " - DnsQueryTypeName:string " " - DnsFlags:string -| extend ServerIPAddressIndex= indexof(DnsFlags, " ") -| extend ServerIPAddress = iif(ServerIPAddressIndex != "-1", substring(DnsFlags, ServerIPAddressIndex),"") -| extend ServerIPAddress = replace_regex(ServerIPAddress,@"[()]","") -| extend DnsFlags =iif(ServerIPAddressIndex != "-1", substring(DnsFlags, 0, ServerIPAddressIndex), DnsFlags) -| extend SrcPortNumber = replace_regex(SrcPortNumber,@"[^\d]","") -| extend EventSubType = "request",DnsResponseCodeName = "NA" -| project-away SyslogMessage,ProcessName,ProcessID,Facility,SeverityLevel,HostName,ServerIPAddressIndex; -//request (cache) events -let requestcache = Syslog -| where SyslogMessage has_all ("client", "query (cache)") and SyslogMessage !has "response:" -| parse SyslogMessage with - * "client " * " " - SrcIpAddr:string "#" - SrcPortNumber:string " " * - "query (cache) '" - DnsQuery:string "/" - DnsQueryTypeName:string "/" - DnsQueryClassName:string "' " - Action -| extend EventSubType = "requestcache",DnsResponseCodeName = "NA" -| project-away SyslogMessage,ProcessName,ProcessID,Facility,SeverityLevel,HostName; -// response events -let response =Syslog -| where SyslogMessage has_all ("client", "query:", "response:") -| parse SyslogMessage with - * "client " * " " - 
SrcIpAddr:string "#" - SrcPortNumber:string " " * "view " * ": " - NetworkProtocol:string ": query: " - DnsQuery:string " " - DnsQueryClassName:string " " - DnsQueryTypeName:string " " - "response: " DnsResponseCodeName: string - " " DnsFlags: string -| extend DNSResourceRecordIndex= indexof(DnsFlags, " ") -| extend DnsResponseName =iif(DNSResourceRecordIndex != "-1", substring(DnsFlags, DNSResourceRecordIndex), "") -| extend DnsFlags =iif(DNSResourceRecordIndex != "-1", substring(DnsFlags, 0, DNSResourceRecordIndex), DnsFlags) -| extend EventSubType = "response" -| project-away SyslogMessage,ProcessName,ProcessID,Facility,SeverityLevel,HostName,DNSResourceRecordIndex; -union request,requestcache,response \ No newline at end of file diff --git a/Solutions/ISC Bind/ReleaseNotes.md b/Solutions/ISC Bind/ReleaseNotes.md new file mode 100644 index 00000000000..fedd8f71d41 --- /dev/null +++ b/Solutions/ISC Bind/ReleaseNotes.md @@ -0,0 +1,5 @@ +| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | +|-------------|--------------------------------|--------------------------------------------------------------------| +| 3.0.0 | 09-10-2023 | Corrected the links in the solution | + +