diff --git a/Solutions/Digital Guardian Data Loss Prevention/Analytic Rules/DigitalGuardianClassifiedDataInsecureTransfer.yaml b/Solutions/Digital Guardian Data Loss Prevention/Analytic Rules/DigitalGuardianClassifiedDataInsecureTransfer.yaml
index bff71028ede..93e3c82282c 100644
--- a/Solutions/Digital Guardian Data Loss Prevention/Analytic Rules/DigitalGuardianClassifiedDataInsecureTransfer.yaml
+++ b/Solutions/Digital Guardian Data Loss Prevention/Analytic Rules/DigitalGuardianClassifiedDataInsecureTransfer.yaml
@@ -5,9 +5,6 @@ description: |
 severity: Medium
 status: Available
 requiredDataConnectors:
- - connectorId: DigitalGuardianDLP
- dataTypes:
- - DigitalGuardianDLPEvent
 - connectorId: SyslogAma
 datatypes:
 - Syslog
@@ -34,5 +31,5 @@ entityMappings:
 fieldMappings:
 - identifier: Address
 columnName: IPCustomEntity
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled
diff --git a/Solutions/Digital Guardian Data Loss Prevention/Analytic Rules/DigitalGuardianExfiltrationOverDNS.yaml b/Solutions/Digital Guardian Data Loss Prevention/Analytic Rules/DigitalGuardianExfiltrationOverDNS.yaml
index d1d560ccc91..6595cc48f2b 100644
--- a/Solutions/Digital Guardian Data Loss Prevention/Analytic Rules/DigitalGuardianExfiltrationOverDNS.yaml
+++ b/Solutions/Digital Guardian Data Loss Prevention/Analytic Rules/DigitalGuardianExfiltrationOverDNS.yaml
@@ -5,9 +5,6 @@ description: |
 severity: High
 status: Available
 requiredDataConnectors:
- - connectorId: DigitalGuardianDLP
- dataTypes:
- - DigitalGuardianDLPEvent
 - connectorId: SyslogAma
 datatypes:
 - Syslog
@@ -28,5 +25,5 @@ entityMappings:
 fieldMappings:
 - identifier: Name
 columnName: AccountCustomEntity
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled
diff --git a/Solutions/Digital Guardian Data Loss Prevention/Analytic Rules/DigitalGuardianExfiltrationToFileShareServices.yaml b/Solutions/Digital Guardian Data Loss Prevention/Analytic Rules/DigitalGuardianExfiltrationToFileShareServices.yaml
index d62a7445808..dee187e339e 100644
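Review bot: After the removal in the `@@ -5,9 +5,6 @@` hunk the rule's `requiredDataConnectors` declares only the raw `Syslog` data type, while the detection itself (its `query:` lies outside the hunk) presumably still reads through the `DigitalGuardianDLPEvent` parser that the solution keeps shipping. As far as I know `requiredDataConnectors` drives the connector-status indicator shown for the rule, so the rule will look healthy as soon as any Syslog arrives even when no Digital Guardian events are forwarded, and the detection goes quiet without any signal to the analyst. Consider stating the real dependency in the rule's `description:`, e.g. `Requires the DigitalGuardianDLPEvent parser and Digital Guardian syslog forwarded through the Syslog via AMA connector.`, so operators know what to check when the rule stops firing. Note also that the surviving entry spells the key `datatypes:` while the removed one used `dataTypes:`; if the template validator is case-sensitive the only remaining data-type declaration may not be recognised, which is worth confirming now that it stands alone. The same removal is made in the other nine `Analytic Rules/*.yaml` files and the ten `Hunting Queries/*.yaml` files in this diff, so this note applies to all of them.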
--- a/Solutions/Digital Guardian Data Loss Prevention/Analytic Rules/DigitalGuardianExfiltrationToFileShareServices.yaml
+++ b/Solutions/Digital Guardian Data Loss Prevention/Analytic Rules/DigitalGuardianExfiltrationToFileShareServices.yaml
@@ -5,9 +5,6 @@ description: |
 severity: High
 status: Available
 requiredDataConnectors:
- - connectorId: DigitalGuardianDLP
- dataTypes:
- - DigitalGuardianDLPEvent
 - connectorId: SyslogAma
 datatypes:
 - Syslog
@@ -32,5 +29,5 @@ entityMappings:
 fieldMappings:
 - identifier: Name
 columnName: AccountCustomEntity
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled
diff --git a/Solutions/Digital Guardian Data Loss Prevention/Analytic Rules/DigitalGuardianFileSentToExternal.yaml b/Solutions/Digital Guardian Data Loss Prevention/Analytic Rules/DigitalGuardianFileSentToExternal.yaml
index 8004892e9ce..2895c06af5f 100644
--- a/Solutions/Digital Guardian Data Loss Prevention/Analytic Rules/DigitalGuardianFileSentToExternal.yaml
+++ b/Solutions/Digital Guardian Data Loss Prevention/Analytic Rules/DigitalGuardianFileSentToExternal.yaml
@@ -5,9 +5,6 @@ description: |
 severity: High
 status: Available
 requiredDataConnectors:
- - connectorId: DigitalGuardianDLP
- dataTypes:
- - DigitalGuardianDLPEvent
 - connectorId: SyslogAma
 datatypes:
 - Syslog
@@ -35,5 +32,5 @@ entityMappings:
 fieldMappings:
 - identifier: Name
 columnName: AccountCustomEntity
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled
diff --git a/Solutions/Digital Guardian Data Loss Prevention/Analytic Rules/DigitalGuardianFileSentToExternalDomain.yaml b/Solutions/Digital Guardian Data Loss Prevention/Analytic Rules/DigitalGuardianFileSentToExternalDomain.yaml
index a2d8674acf1..56748d7bb60 100644
--- a/Solutions/Digital Guardian Data Loss Prevention/Analytic Rules/DigitalGuardianFileSentToExternalDomain.yaml
+++ b/Solutions/Digital Guardian Data Loss Prevention/Analytic Rules/DigitalGuardianFileSentToExternalDomain.yaml
@@ -5,9 +5,6 @@ description: |
 severity: Medium
 status: Available
 requiredDataConnectors:
- - connectorId: DigitalGuardianDLP
- dataTypes:
- - DigitalGuardianDLPEvent
 - connectorId: SyslogAma
 datatypes:
 - Syslog
@@ -34,5 +31,5 @@ entityMappings:
 fieldMappings:
 - identifier: Name
 columnName: AccountCustomEntity
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled
diff --git a/Solutions/Digital Guardian Data Loss Prevention/Analytic Rules/DigitalGuardianFilesSentToExternalDomain.yaml b/Solutions/Digital Guardian Data Loss Prevention/Analytic Rules/DigitalGuardianFilesSentToExternalDomain.yaml
index 521e43182be..f77faeef9b8 100644
--- a/Solutions/Digital Guardian Data Loss Prevention/Analytic Rules/DigitalGuardianFilesSentToExternalDomain.yaml
+++ b/Solutions/Digital Guardian Data Loss Prevention/Analytic Rules/DigitalGuardianFilesSentToExternalDomain.yaml
@@ -5,9 +5,6 @@ description: |
 severity: Medium
 status: Available
 requiredDataConnectors:
- - connectorId: DigitalGuardianDLP
- dataTypes:
- - DigitalGuardianDLPEvent
 - connectorId: SyslogAma
 datatypes:
 - Syslog
@@ -37,5 +34,5 @@ entityMappings:
 fieldMappings:
 - identifier: Name
 columnName: AccountCustomEntity
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled
diff --git a/Solutions/Digital Guardian Data Loss Prevention/Analytic Rules/DigitalGuardianMultipleIncidentsFromUser.yaml b/Solutions/Digital Guardian Data Loss Prevention/Analytic Rules/DigitalGuardianMultipleIncidentsFromUser.yaml
index 68647f3ec9a..743f1a75da0 100644
--- a/Solutions/Digital Guardian Data Loss Prevention/Analytic Rules/DigitalGuardianMultipleIncidentsFromUser.yaml
+++ b/Solutions/Digital Guardian Data Loss Prevention/Analytic Rules/DigitalGuardianMultipleIncidentsFromUser.yaml
@@ -5,9 +5,6 @@ description: |
 severity: High
 status: Available
 requiredDataConnectors:
- - connectorId: DigitalGuardianDLP
- dataTypes:
- - DigitalGuardianDLPEvent
 - connectorId: SyslogAma
 datatypes:
 - Syslog
@@ -31,5 +28,5 @@ entityMappings:
 fieldMappings:
 - identifier: Name
 columnName: AccountCustomEntity
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled
diff --git a/Solutions/Digital Guardian Data Loss Prevention/Analytic Rules/DigitalGuardianPossibleProtocolAbuse.yaml b/Solutions/Digital Guardian Data Loss Prevention/Analytic Rules/DigitalGuardianPossibleProtocolAbuse.yaml
index 069742049a3..64665c71b1e 100644
--- a/Solutions/Digital Guardian Data Loss Prevention/Analytic Rules/DigitalGuardianPossibleProtocolAbuse.yaml
+++ b/Solutions/Digital Guardian Data Loss Prevention/Analytic Rules/DigitalGuardianPossibleProtocolAbuse.yaml
@@ -5,9 +5,6 @@ description: |
 severity: High
 status: Available
 requiredDataConnectors:
- - connectorId: DigitalGuardianDLP
- dataTypes:
- - DigitalGuardianDLPEvent
 - connectorId: SyslogAma
 datatypes:
 - Syslog
@@ -29,5 +26,5 @@ entityMappings:
 fieldMappings:
 - identifier: Name
 columnName: AccountCustomEntity
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled
diff --git a/Solutions/Digital Guardian Data Loss Prevention/Analytic Rules/DigitalGuardianUnexpectedProtocol.yaml b/Solutions/Digital Guardian Data Loss Prevention/Analytic Rules/DigitalGuardianUnexpectedProtocol.yaml
index 1aaccba8f8b..8b5296a1a82 100644
--- a/Solutions/Digital Guardian Data Loss Prevention/Analytic Rules/DigitalGuardianUnexpectedProtocol.yaml
+++ b/Solutions/Digital Guardian Data Loss Prevention/Analytic Rules/DigitalGuardianUnexpectedProtocol.yaml
@@ -5,9 +5,6 @@ description: |
 severity: High
 status: Available
 requiredDataConnectors:
- - connectorId: DigitalGuardianDLP
- dataTypes:
- - DigitalGuardianDLPEvent
 - connectorId: SyslogAma
 datatypes:
 - Syslog
@@ -28,5 +25,5 @@ entityMappings:
 fieldMappings:
 - identifier: Name
 columnName: AccountCustomEntity
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled
diff --git a/Solutions/Digital Guardian Data Loss Prevention/Analytic Rules/DigitalGuardianViolationNotBlocked.yaml b/Solutions/Digital Guardian Data Loss Prevention/Analytic Rules/DigitalGuardianViolationNotBlocked.yaml
index 0edbd46b2f8..e2b5d4f6d75 100644
--- a/Solutions/Digital Guardian Data Loss Prevention/Analytic Rules/DigitalGuardianViolationNotBlocked.yaml
+++ b/Solutions/Digital Guardian Data Loss Prevention/Analytic Rules/DigitalGuardianViolationNotBlocked.yaml
@@ -5,9 +5,6 @@ description: |
 severity: High
 status: Available
 requiredDataConnectors:
- - connectorId: DigitalGuardianDLP
- dataTypes:
- - DigitalGuardianDLPEvent
 - connectorId: SyslogAma
 datatypes:
 - Syslog
@@ -31,5 +28,5 @@ entityMappings:
 fieldMappings:
 - identifier: Name
 columnName: AccountCustomEntity
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled
diff --git a/Solutions/Digital Guardian Data Loss Prevention/Data/Solution_DigitalGuardianDLP.json b/Solutions/Digital Guardian Data Loss Prevention/Data/Solution_DigitalGuardianDLP.json
index d8e7dc8a65c..acd85c85276 100644
--- a/Solutions/Digital Guardian Data Loss Prevention/Data/Solution_DigitalGuardianDLP.json
+++ b/Solutions/Digital Guardian Data Loss Prevention/Data/Solution_DigitalGuardianDLP.json
@@ -2,7 +2,7 @@
 "Name": "Digital Guardian Data Loss Prevention",
 "Author": "Microsoft - support@microsoft.com",
 "Logo": "",
- "Description": "The [Digital Guardian Data Loss Prevention (DLP)](https://digitalguardian.com/platform-overview) data connector provides the capability to ingest Digital Guardian DLP logs into Microsoft Sentinel.\n\n This solution is dependent on the Syslog solution containing the Syslog via AMA connector to collect the logs. The Syslog solution will be installed as part of this solution installation. \n\n **NOTE**: Microsoft recommends installation of Syslog via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024**. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).",
+ "Description": "The [Digital Guardian Data Loss Prevention (DLP)](https://digitalguardian.com/platform-overview) data connector provides the capability to ingest Digital Guardian DLP logs into Microsoft Sentinel.\n\n This solution is dependent on the Syslog solution containing the Syslog via AMA connector to collect the logs. The Syslog solution will be installed as part of this solution installation. \n\n **NOTE**: Microsoft recommends installation of Syslog via AMA Connector.Legacy connector uses the Log Analytics agent which were deprecated on **Aug 31, 2024.** Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).",
 "Workbooks": [
 "Workbooks/DigitalGuardian.json"
 ],
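Review bot: The rewritten `Description` string introduces two wording defects: `Connector.Legacy` lost the space after the period, and `which were deprecated` does not agree with the singular `Log Analytics agent`; the closing bold marker also swallowed the sentence's full stop (`**Aug 31, 2024.**`). Suggested wording for that sentence pair: `Microsoft recommends installation of Syslog via AMA Connector. The legacy connector uses the Log Analytics agent, which was deprecated on **Aug 31, 2024**.` The identical string is duplicated in `Package/createUiDefinition.json` later in this diff; it appears to be generated from this file, so fixing it here and regenerating the package should cover both.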
@@ -33,15 +33,12 @@
 "Parsers": [
 "Parsers/DigitalGuardianDLPEvent.yaml"
 ],
- "Data Connectors": [
- "Data Connectors/Connector_DigitalGuardian_Syslog.json"
- ],
 "dependentDomainSolutionIds": [
 "azuresentinel.azure-sentinel-solution-syslog"
 ],
 "Metadata": "SolutionMetadata.json",
 "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\DigitalGuardianDLP",
- "Version": "3.0.1",
+ "Version": "3.0.2",
 "TemplateSpec": true,
 "Is1PConnector": false
 }
\ No newline at end of file
diff --git a/Solutions/Digital Guardian Data Loss Prevention/Hunting Queries/DigitalGuardianDomains.yaml b/Solutions/Digital Guardian Data Loss Prevention/Hunting Queries/DigitalGuardianDomains.yaml
index 4ae126f01eb..3f5b0777ce8 100644
--- a/Solutions/Digital Guardian Data Loss Prevention/Hunting Queries/DigitalGuardianDomains.yaml
+++ b/Solutions/Digital Guardian Data Loss Prevention/Hunting Queries/DigitalGuardianDomains.yaml
@@ -4,9 +4,6 @@ description: |
 'Query searches for incident domains.'
 severity: Medium
 requiredDataConnectors:
- - connectorId: DigitalGuardianDLP
- dataTypes:
- - DigitalGuardianDLPEvent
 - connectorId: SyslogAma
 datatypes:
 - Syslog
diff --git a/Solutions/Digital Guardian Data Loss Prevention/Hunting Queries/DigitalGuardianFilesSentByUsers.yaml b/Solutions/Digital Guardian Data Loss Prevention/Hunting Queries/DigitalGuardianFilesSentByUsers.yaml
index 3176a5137f7..5c186980063 100644
--- a/Solutions/Digital Guardian Data Loss Prevention/Hunting Queries/DigitalGuardianFilesSentByUsers.yaml
+++ b/Solutions/Digital Guardian Data Loss Prevention/Hunting Queries/DigitalGuardianFilesSentByUsers.yaml
@@ -4,9 +4,6 @@ description: |
 'Query searches for files sent by users.'
 severity: Medium
 requiredDataConnectors:
- - connectorId: DigitalGuardianDLP
- dataTypes:
- - DigitalGuardianDLPEvent
 - connectorId: SyslogAma
 datatypes:
 - Syslog
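Review bot: The `@@ -33,15 +33,12 @@` hunk drops the `Data Connectors` entry (and with it `Connector_DigitalGuardian_Syslog.json`) and bumps `Version` to 3.0.2, but no `ReleaseNotes.md` change is visible in this diff even though `createUiDefinition.json` points installers at that file before they upgrade. If the release-notes entry is not elsewhere in the same PR, add a 3.0.2 line stating that the legacy `DigitalGuardianDLP` connector is removed and that ingestion now relies solely on the `SyslogAma` connector plus the retained `DigitalGuardianDLPEvent` parser, so customers still on the legacy path can migrate before their DLP detections go dark. As an aside visible in the context lines, `BasePath` still names `...\\Solutions\\DigitalGuardianDLP` while the files live under `Solutions/Digital Guardian Data Loss Prevention`; worth confirming the packaging tooling does not depend on that value.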
diff --git a/Solutions/Digital Guardian Data Loss Prevention/Hunting Queries/DigitalGuardianIncidentsByUser.yaml b/Solutions/Digital Guardian Data Loss Prevention/Hunting Queries/DigitalGuardianIncidentsByUser.yaml
index 770ee79bb17..1779558d76c 100644
--- a/Solutions/Digital Guardian Data Loss Prevention/Hunting Queries/DigitalGuardianIncidentsByUser.yaml
+++ b/Solutions/Digital Guardian Data Loss Prevention/Hunting Queries/DigitalGuardianIncidentsByUser.yaml
@@ -4,9 +4,6 @@ description: |
 'Query searches for users' incidents.'
 severity: Medium
 requiredDataConnectors:
- - connectorId: DigitalGuardianDLP
- dataTypes:
- - DigitalGuardianDLPEvent
 - connectorId: SyslogAma
 datatypes:
 - Syslog
diff --git a/Solutions/Digital Guardian Data Loss Prevention/Hunting Queries/DigitalGuardianInsecureProtocolSources.yaml b/Solutions/Digital Guardian Data Loss Prevention/Hunting Queries/DigitalGuardianInsecureProtocolSources.yaml
index 69a99c07816..a2790c77fe9 100644
--- a/Solutions/Digital Guardian Data Loss Prevention/Hunting Queries/DigitalGuardianInsecureProtocolSources.yaml
+++ b/Solutions/Digital Guardian Data Loss Prevention/Hunting Queries/DigitalGuardianInsecureProtocolSources.yaml
@@ -4,9 +4,6 @@ description: |
 'Query searches for insecure file transfer sources.'
 severity: Medium
 requiredDataConnectors:
- - connectorId: DigitalGuardianDLP
- dataTypes:
- - DigitalGuardianDLPEvent
 - connectorId: SyslogAma
 datatypes:
 - Syslog
diff --git a/Solutions/Digital Guardian Data Loss Prevention/Hunting Queries/DigitalGuardianInspectedFiles.yaml b/Solutions/Digital Guardian Data Loss Prevention/Hunting Queries/DigitalGuardianInspectedFiles.yaml
index 1c94bb3c249..4904049fb2e 100644
--- a/Solutions/Digital Guardian Data Loss Prevention/Hunting Queries/DigitalGuardianInspectedFiles.yaml
+++ b/Solutions/Digital Guardian Data Loss Prevention/Hunting Queries/DigitalGuardianInspectedFiles.yaml
@@ -4,9 +4,6 @@ description: |
 'Query searches for inspected files.'
 severity: Medium
 requiredDataConnectors:
- - connectorId: DigitalGuardianDLP
- dataTypes:
- - DigitalGuardianDLPEvent
 - connectorId: SyslogAma
 datatypes:
 - Syslog
diff --git a/Solutions/Digital Guardian Data Loss Prevention/Hunting Queries/DigitalGuardianNewIncidents.yaml b/Solutions/Digital Guardian Data Loss Prevention/Hunting Queries/DigitalGuardianNewIncidents.yaml
index 648dfc4254d..f9a796d34b4 100644
--- a/Solutions/Digital Guardian Data Loss Prevention/Hunting Queries/DigitalGuardianNewIncidents.yaml
+++ b/Solutions/Digital Guardian Data Loss Prevention/Hunting Queries/DigitalGuardianNewIncidents.yaml
@@ -4,9 +4,6 @@ description: |
 'Query searches for new incidents.'
 severity: Medium
 requiredDataConnectors:
- - connectorId: DigitalGuardianDLP
- dataTypes:
- - DigitalGuardianDLPEvent
 - connectorId: SyslogAma
 datatypes:
 - Syslog
diff --git a/Solutions/Digital Guardian Data Loss Prevention/Hunting Queries/DigitalGuardianRareDestinationPorts.yaml b/Solutions/Digital Guardian Data Loss Prevention/Hunting Queries/DigitalGuardianRareDestinationPorts.yaml
index d3dc3e0e7a6..75a7ea96046 100644
--- a/Solutions/Digital Guardian Data Loss Prevention/Hunting Queries/DigitalGuardianRareDestinationPorts.yaml
+++ b/Solutions/Digital Guardian Data Loss Prevention/Hunting Queries/DigitalGuardianRareDestinationPorts.yaml
@@ -4,9 +4,6 @@ description: |
 'Query searches for rare destination ports.'
 severity: Medium
 requiredDataConnectors:
- - connectorId: DigitalGuardianDLP
- dataTypes:
- - DigitalGuardianDLPEvent
 - connectorId: SyslogAma
 datatypes:
 - Syslog
diff --git a/Solutions/Digital Guardian Data Loss Prevention/Hunting Queries/DigitalGuardianRareNetworkProtocols.yaml b/Solutions/Digital Guardian Data Loss Prevention/Hunting Queries/DigitalGuardianRareNetworkProtocols.yaml
index f1959d23127..010d50a6049 100644
--- a/Solutions/Digital Guardian Data Loss Prevention/Hunting Queries/DigitalGuardianRareNetworkProtocols.yaml
+++ b/Solutions/Digital Guardian Data Loss Prevention/Hunting Queries/DigitalGuardianRareNetworkProtocols.yaml
@@ -4,9 +4,6 @@ description: |
 'Query searches rare network protocols.'
 severity: Medium
 requiredDataConnectors:
- - connectorId: DigitalGuardianDLP
- dataTypes:
- - DigitalGuardianDLPEvent
 - connectorId: SyslogAma
 datatypes:
 - Syslog
diff --git a/Solutions/Digital Guardian Data Loss Prevention/Hunting Queries/DigitalGuardianRareUrls.yaml b/Solutions/Digital Guardian Data Loss Prevention/Hunting Queries/DigitalGuardianRareUrls.yaml
index f53319981a5..7b562d77311 100644
--- a/Solutions/Digital Guardian Data Loss Prevention/Hunting Queries/DigitalGuardianRareUrls.yaml
+++ b/Solutions/Digital Guardian Data Loss Prevention/Hunting Queries/DigitalGuardianRareUrls.yaml
@@ -4,9 +4,6 @@ description: |
 'Query searches for rare Urls.'
 severity: Medium
 requiredDataConnectors:
- - connectorId: DigitalGuardianDLP
- dataTypes:
- - DigitalGuardianDLPEvent
 - connectorId: SyslogAma
 datatypes:
 - Syslog
diff --git a/Solutions/Digital Guardian Data Loss Prevention/Hunting Queries/DigitalGuardianUrlByUser.yaml b/Solutions/Digital Guardian Data Loss Prevention/Hunting Queries/DigitalGuardianUrlByUser.yaml
index f1e6246fe31..a3c3317a534 100644
--- a/Solutions/Digital Guardian Data Loss Prevention/Hunting Queries/DigitalGuardianUrlByUser.yaml
+++ b/Solutions/Digital Guardian Data Loss Prevention/Hunting Queries/DigitalGuardianUrlByUser.yaml
@@ -4,9 +4,6 @@ description: |
 'Query searches for URLs used.'
 severity: Medium
 requiredDataConnectors:
- - connectorId: DigitalGuardianDLP
- dataTypes:
- - DigitalGuardianDLPEvent
 - connectorId: SyslogAma
 datatypes:
 - Syslog
diff --git a/Solutions/Digital Guardian Data Loss Prevention/Package/3.0.2.zip b/Solutions/Digital Guardian Data Loss Prevention/Package/3.0.2.zip
new file mode 100644
index 00000000000..5cea283e168
Binary files /dev/null and b/Solutions/Digital Guardian Data Loss Prevention/Package/3.0.2.zip differ
diff --git a/Solutions/Digital Guardian Data Loss Prevention/Package/createUiDefinition.json b/Solutions/Digital Guardian Data Loss Prevention/Package/createUiDefinition.json
index 9fb61602e5b..40e18f9870b 100644
--- a/Solutions/Digital Guardian Data Loss Prevention/Package/createUiDefinition.json
+++ b/Solutions/Digital Guardian Data Loss Prevention/Package/createUiDefinition.json
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Digital%20Guardian%20Data%20Loss%20Prevention/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Digital Guardian Data Loss Prevention (DLP)](https://digitalguardian.com/platform-overview) data connector provides the capability to ingest Digital Guardian DLP logs into Microsoft Sentinel.\n\n This solution is dependent on the Syslog solution containing the Syslog via AMA connector to collect the logs. The Syslog solution will be installed as part of this solution installation. \n\n **NOTE**: Microsoft recommends installation of Syslog via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024**. 
Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Digital%20Guardian%20Data%20Loss%20Prevention/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Digital Guardian Data Loss Prevention (DLP)](https://digitalguardian.com/platform-overview) data connector provides the capability to ingest Digital Guardian DLP logs into Microsoft Sentinel.\n\n This solution is dependent on the Syslog solution containing the Syslog via AMA connector to collect the logs. The Syslog solution will be installed as part of this solution installation. \n\n **NOTE**: Microsoft recommends installation of Syslog via AMA Connector.Legacy connector uses the Log Analytics agent which were deprecated on **Aug 31, 2024.** Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", 
@@ -51,37 +51,6 @@
 }
 ],
 "steps": [
- {
- "name": "dataconnectors",
- "label": "Data Connectors",
- "bladeTitle": "Data Connectors",
- "elements": [
- {
- "name": "dataconnectors1-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "This Solution installs the data connector for Digital Guardian Data Loss Prevention. You can get Digital Guardian Data Loss Prevention Syslog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
- }
- },
- {
- "name": "dataconnectors-parser-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel."
- }
- },
- {
- "name": "dataconnectors-link2",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "link": {
- "label": "Learn more about connecting data sources",
- "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
- }
- }
- }
- ]
- },
 {
 "name": "workbooks",
 "label": "Workbooks",
@@ -323,7 +292,7 @@
 "name": "huntingquery1-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query searches for incident domains. This hunting query depends on DigitalGuardianDLP SyslogAma data connector (DigitalGuardianDLPEvent Syslog Parser or Table)"
+ "text": "Query searches for incident domains. This hunting query depends on SyslogAma data connector (Syslog Parser or Table)"
 }
 }
 ]
@@ -337,7 +306,7 @@
 "name": "huntingquery2-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query searches for files sent by users. This hunting query depends on DigitalGuardianDLP SyslogAma data connector (DigitalGuardianDLPEvent Syslog Parser or Table)"
+ "text": "Query searches for files sent by users. This hunting query depends on SyslogAma data connector (Syslog Parser or Table)"
 }
 }
 ]
@@ -351,7 +320,7 @@
 "name": "huntingquery3-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query searches for users' incidents. This hunting query depends on DigitalGuardianDLP SyslogAma data connector (DigitalGuardianDLPEvent Syslog Parser or Table)"
+ "text": "Query searches for users' incidents. This hunting query depends on SyslogAma data connector (Syslog Parser or Table)"
 }
 }
 ]
@@ -365,7 +334,7 @@
 "name": "huntingquery4-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query searches for insecure file transfer sources. This hunting query depends on DigitalGuardianDLP SyslogAma data connector (DigitalGuardianDLPEvent Syslog Parser or Table)"
+ "text": "Query searches for insecure file transfer sources. This hunting query depends on SyslogAma data connector (Syslog Parser or Table)"
 }
 }
 ]
@@ -379,7 +348,7 @@
 "name": "huntingquery5-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query searches for inspected files. This hunting query depends on DigitalGuardianDLP SyslogAma data connector (DigitalGuardianDLPEvent Syslog Parser or Table)"
+ "text": "Query searches for inspected files. This hunting query depends on SyslogAma data connector (Syslog Parser or Table)"
 }
 }
 ]
@@ -393,7 +362,7 @@
 "name": "huntingquery6-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query searches for new incidents. This hunting query depends on DigitalGuardianDLP SyslogAma data connector (DigitalGuardianDLPEvent Syslog Parser or Table)"
+ "text": "Query searches for new incidents. This hunting query depends on SyslogAma data connector (Syslog Parser or Table)"
 }
 }
 ]
@@ -407,7 +376,7 @@
 "name": "huntingquery7-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query searches for rare destination ports. This hunting query depends on DigitalGuardianDLP SyslogAma data connector (DigitalGuardianDLPEvent Syslog Parser or Table)"
+ "text": "Query searches for rare destination ports. This hunting query depends on SyslogAma data connector (Syslog Parser or Table)"
 }
 }
 ]
@@ -421,7 +390,7 @@
 "name": "huntingquery8-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query searches rare network protocols. This hunting query depends on DigitalGuardianDLP SyslogAma data connector (DigitalGuardianDLPEvent Syslog Parser or Table)"
+ "text": "Query searches rare network protocols. This hunting query depends on SyslogAma data connector (Syslog Parser or Table)"
 }
 }
 ]
@@ -435,7 +404,7 @@
 "name": "huntingquery9-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query searches for rare Urls. This hunting query depends on DigitalGuardianDLP SyslogAma data connector (DigitalGuardianDLPEvent Syslog Parser or Table)"
+ "text": "Query searches for rare Urls. This hunting query depends on SyslogAma data connector (Syslog Parser or Table)"
 }
 }
 ]
@@ -449,7 +418,7 @@
 "name": "huntingquery10-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query searches for URLs used. This hunting query depends on DigitalGuardianDLP SyslogAma data connector (DigitalGuardianDLPEvent Syslog Parser or Table)"
+ "text": "Query searches for URLs used. This hunting query depends on SyslogAma data connector (Syslog Parser or Table)"
 }
 }
 ]
diff --git a/Solutions/Digital Guardian Data Loss Prevention/Package/mainTemplate.json b/Solutions/Digital Guardian Data Loss Prevention/Package/mainTemplate.json
index 6fed3db37cc..eeb059e2dad 100644
--- a/Solutions/Digital Guardian Data Loss Prevention/Package/mainTemplate.json
+++ b/Solutions/Digital Guardian Data Loss Prevention/Package/mainTemplate.json
@@ -41,7 +41,7 @@
 "email": "support@microsoft.com",
 "_email": "[variables('email')]",
 "_solutionName": "Digital Guardian Data Loss Prevention",
- "_solutionVersion": "3.0.1",
+ "_solutionVersion": "3.0.2",
 "solutionId": "azuresentinel.azure-sentinel-solution-digitalguardiandlp",
 "_solutionId": "[variables('solutionId')]",
 "workbookVersion1": "1.0.0",
@@ -52,74 +52,74 @@ "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]", "analyticRuleObject1": { - "analyticRuleVersion1": "1.0.1", + "analyticRuleVersion1": "1.0.2", "_analyticRulecontentId1": "b52cda18-c1af-40e5-91f3-1fcbf9fa267e", "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'b52cda18-c1af-40e5-91f3-1fcbf9fa267e')]", "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('b52cda18-c1af-40e5-91f3-1fcbf9fa267e')))]", - "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','b52cda18-c1af-40e5-91f3-1fcbf9fa267e','-', '1.0.1')))]" + "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','b52cda18-c1af-40e5-91f3-1fcbf9fa267e','-', '1.0.2')))]" }, "analyticRuleObject2": { - "analyticRuleVersion2": "1.0.1", + "analyticRuleVersion2": "1.0.2", "_analyticRulecontentId2": "39e25deb-49bb-4cdb-89c1-c466d596e2bd", "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '39e25deb-49bb-4cdb-89c1-c466d596e2bd')]", "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('39e25deb-49bb-4cdb-89c1-c466d596e2bd')))]", - "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','39e25deb-49bb-4cdb-89c1-c466d596e2bd','-', '1.0.1')))]" + 
"_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','39e25deb-49bb-4cdb-89c1-c466d596e2bd','-', '1.0.2')))]" }, "analyticRuleObject3": { - "analyticRuleVersion3": "1.0.1", + "analyticRuleVersion3": "1.0.2", "_analyticRulecontentId3": "f7b6ddef-c1e9-46f0-8539-dbba7fb8a5b8", "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'f7b6ddef-c1e9-46f0-8539-dbba7fb8a5b8')]", "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('f7b6ddef-c1e9-46f0-8539-dbba7fb8a5b8')))]", - "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f7b6ddef-c1e9-46f0-8539-dbba7fb8a5b8','-', '1.0.1')))]" + "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f7b6ddef-c1e9-46f0-8539-dbba7fb8a5b8','-', '1.0.2')))]" }, "analyticRuleObject4": { - "analyticRuleVersion4": "1.0.1", + "analyticRuleVersion4": "1.0.2", "_analyticRulecontentId4": "edead9b5-243a-466b-ae78-2dae32ab1117", "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'edead9b5-243a-466b-ae78-2dae32ab1117')]", "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('edead9b5-243a-466b-ae78-2dae32ab1117')))]", - "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','edead9b5-243a-466b-ae78-2dae32ab1117','-', '1.0.1')))]" + "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', 
uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','edead9b5-243a-466b-ae78-2dae32ab1117','-', '1.0.2')))]" }, "analyticRuleObject5": { - "analyticRuleVersion5": "1.0.1", + "analyticRuleVersion5": "1.0.2", "_analyticRulecontentId5": "a19885c8-1e44-47e3-81df-d1d109f5c92d", "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'a19885c8-1e44-47e3-81df-d1d109f5c92d')]", "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('a19885c8-1e44-47e3-81df-d1d109f5c92d')))]", - "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','a19885c8-1e44-47e3-81df-d1d109f5c92d','-', '1.0.1')))]" + "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','a19885c8-1e44-47e3-81df-d1d109f5c92d','-', '1.0.2')))]" }, "analyticRuleObject6": { - "analyticRuleVersion6": "1.0.1", + "analyticRuleVersion6": "1.0.2", "_analyticRulecontentId6": "5f75a873-b524-4ba5-a3b8-2c20db517148", "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '5f75a873-b524-4ba5-a3b8-2c20db517148')]", "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('5f75a873-b524-4ba5-a3b8-2c20db517148')))]", - "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','5f75a873-b524-4ba5-a3b8-2c20db517148','-', '1.0.1')))]" + "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','5f75a873-b524-4ba5-a3b8-2c20db517148','-', '1.0.2')))]" }, "analyticRuleObject7": { - 
"analyticRuleVersion7": "1.0.1", + "analyticRuleVersion7": "1.0.2", "_analyticRulecontentId7": "e8901dac-2549-4948-b793-5197a5ed697a", "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'e8901dac-2549-4948-b793-5197a5ed697a')]", "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('e8901dac-2549-4948-b793-5197a5ed697a')))]", - "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','e8901dac-2549-4948-b793-5197a5ed697a','-', '1.0.1')))]" + "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','e8901dac-2549-4948-b793-5197a5ed697a','-', '1.0.2')))]" }, "analyticRuleObject8": { - "analyticRuleVersion8": "1.0.1", + "analyticRuleVersion8": "1.0.2", "_analyticRulecontentId8": "a374a933-f6c4-4200-8682-70402a9054dd", "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'a374a933-f6c4-4200-8682-70402a9054dd')]", "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('a374a933-f6c4-4200-8682-70402a9054dd')))]", - "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','a374a933-f6c4-4200-8682-70402a9054dd','-', '1.0.1')))]" + "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','a374a933-f6c4-4200-8682-70402a9054dd','-', '1.0.2')))]" }, "analyticRuleObject9": { - "analyticRuleVersion9": "1.0.1", + "analyticRuleVersion9": "1.0.2", "_analyticRulecontentId9": "a14f2f95-bbd2-4036-ad59-e3aff132b296", "analyticRuleId9": 
"[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'a14f2f95-bbd2-4036-ad59-e3aff132b296')]", "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('a14f2f95-bbd2-4036-ad59-e3aff132b296')))]", - "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','a14f2f95-bbd2-4036-ad59-e3aff132b296','-', '1.0.1')))]" + "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','a14f2f95-bbd2-4036-ad59-e3aff132b296','-', '1.0.2')))]" }, "analyticRuleObject10": { - "analyticRuleVersion10": "1.0.1", + "analyticRuleVersion10": "1.0.2", "_analyticRulecontentId10": "07bca129-e7d6-4421-b489-32abade0b6a7", "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '07bca129-e7d6-4421-b489-32abade0b6a7')]", "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('07bca129-e7d6-4421-b489-32abade0b6a7')))]", - "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','07bca129-e7d6-4421-b489-32abade0b6a7','-', '1.0.1')))]" + "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','07bca129-e7d6-4421-b489-32abade0b6a7','-', '1.0.2')))]" }, "huntingQueryObject1": { "huntingQueryVersion1": "1.0.0", 
@@ -178,15 +178,6 @@ "parserVersion1": "1.0.0", "parserContentId1": "DigitalGuardianDLPEvent-Parser" }, - "uiConfigId1": "DigitalGuardianDLP", - "_uiConfigId1": "[variables('uiConfigId1')]", - "dataConnectorContentId1": "DigitalGuardianDLP", - "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", - "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "_dataConnectorId1": "[variables('dataConnectorId1')]", - "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", - "dataConnectorVersion1": "1.0.0", - "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, "resources": [ @@ -199,7 +190,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DigitalGuardian Workbook with template version 3.0.1", + "description": "DigitalGuardian Workbook with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", @@ -258,6 +249,10 @@ { "contentId": "DigitalGuardianDLP", "kind": "DataConnector" + }, + { + "contentId": "SyslogAma", + "kind": "DataConnector" } ] } 
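Review bot: The `dependencies` criteria in the `@@ -258,6 +249,10 @@` hunk still keeps `{ "contentId": "DigitalGuardianDLP", "kind": "DataConnector" }` next to the newly added `SyslogAma` entry, while the `@@ -178,15 +178,6 @@` hunk deletes every `dataConnector*1` variable for that connector and the `@@ -2369,420 +2304,17 @@` hunk (starting further down the page, its end outside this view) removes the connector's `contentTemplates` resource. Unless the `DigitalGuardianDLP` connector is still published from somewhere outside this template, the solution now declares a dependency on content it no longer ships, which is presumably what the rest of the change is trying to retire; either drop that first dependency entry or leave a comment in the solution metadata explaining why it is retained for existing installs. Since this file looks generated from the solution data file, the fix belongs in that source rather than in `mainTemplate.json` directly.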
@@ -287,7 +282,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DigitalGuardianClassifiedDataInsecureTransfer_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "DigitalGuardianClassifiedDataInsecureTransfer_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", @@ -315,16 +310,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "DigitalGuardianDLP", - "dataTypes": [ - "DigitalGuardianDLPEvent" - ] - }, - { - "connectorId": "SyslogAma", "datatypes": [ "Syslog" - ] + ], + "connectorId": "SyslogAma" } ], "tactics": [ @@ -338,8 +327,8 @@ "entityType": "Account", "fieldMappings": [ { - "columnName": "AccountCustomEntity", - "identifier": "Name" + "identifier": "Name", + "columnName": "AccountCustomEntity" } ] }, @@ -347,8 +336,8 @@ "entityType": "IP", "fieldMappings": [ { - "columnName": "IPCustomEntity", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPCustomEntity" } ] } @@ -406,7 +395,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DigitalGuardianExfiltrationOverDNS_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "DigitalGuardianExfiltrationOverDNS_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", 
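Review bot: The surviving `requiredDataConnectors` entry in the `@@ -315,16 +310,10 @@` hunk uses the key `"datatypes"` (lowercase), whereas the block this commit removes spelled it `"dataTypes"` and that is the spelling used elsewhere in the template; if the consumer matches keys case-sensitively, the `SyslogAma` requirement's data types may be ignored and the rule left with no effective connector binding, so the key should read `"dataTypes": [`. The same pattern repeats in the `@@ -434`, `@@ -544`, `@@ -654`, `@@ -764`, `@@ -874`, `@@ -984`, `@@ -1094`, `@@ -1204` and `@@ -1314` hunks on the following lines. Because this JSON is presumably generated from the per-rule YAML files, the correction should be made in those source files and the template regenerated, otherwise the next packaging run will reintroduce it. The accompanying `identifier`/`columnName` reordering in the entity-mapping hunks is cosmetic and needs no action.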
@@ -434,16 +423,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "DigitalGuardianDLP", - "dataTypes": [ - "DigitalGuardianDLPEvent" - ] - }, - { - "connectorId": "SyslogAma", "datatypes": [ "Syslog" - ] + ], + "connectorId": "SyslogAma" } ], "tactics": [ @@ -457,8 +440,8 @@ "entityType": "Account", "fieldMappings": [ { - "columnName": "AccountCustomEntity", - "identifier": "Name" + "identifier": "Name", + "columnName": "AccountCustomEntity" } ] } @@ -516,7 +499,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DigitalGuardianExfiltrationToFileShareServices_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "DigitalGuardianExfiltrationToFileShareServices_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", @@ -544,16 +527,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "DigitalGuardianDLP", - "dataTypes": [ - "DigitalGuardianDLPEvent" - ] - }, - { - "connectorId": "SyslogAma", "datatypes": [ "Syslog" - ] + ], + "connectorId": "SyslogAma" } ], "tactics": [ @@ -567,8 +544,8 @@ "entityType": "Account", "fieldMappings": [ { - "columnName": "AccountCustomEntity", - "identifier": "Name" + "identifier": "Name", + "columnName": "AccountCustomEntity" } ] } 
@@ -626,7 +603,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DigitalGuardianFileSentToExternal_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "DigitalGuardianFileSentToExternal_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", @@ -654,16 +631,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "DigitalGuardianDLP", - "dataTypes": [ - "DigitalGuardianDLPEvent" - ] - }, - { - "connectorId": "SyslogAma", "datatypes": [ "Syslog" - ] + ], + "connectorId": "SyslogAma" } ], "tactics": [ @@ -677,8 +648,8 @@ "entityType": "Account", "fieldMappings": [ { - "columnName": "AccountCustomEntity", - "identifier": "Name" + "identifier": "Name", + "columnName": "AccountCustomEntity" } ] } @@ -736,7 +707,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DigitalGuardianFileSentToExternalDomain_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "DigitalGuardianFileSentToExternalDomain_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", 
@@ -764,16 +735,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "DigitalGuardianDLP", - "dataTypes": [ - "DigitalGuardianDLPEvent" - ] - }, - { - "connectorId": "SyslogAma", "datatypes": [ "Syslog" - ] + ], + "connectorId": "SyslogAma" } ], "tactics": [ @@ -787,8 +752,8 @@ "entityType": "Account", "fieldMappings": [ { - "columnName": "AccountCustomEntity", - "identifier": "Name" + "identifier": "Name", + "columnName": "AccountCustomEntity" } ] } @@ -846,7 +811,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DigitalGuardianFilesSentToExternalDomain_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "DigitalGuardianFilesSentToExternalDomain_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", @@ -874,16 +839,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "DigitalGuardianDLP", - "dataTypes": [ - "DigitalGuardianDLPEvent" - ] - }, - { - "connectorId": "SyslogAma", "datatypes": [ "Syslog" - ] + ], + "connectorId": "SyslogAma" } ], "tactics": [ @@ -897,8 +856,8 @@ "entityType": "Account", "fieldMappings": [ { - "columnName": "AccountCustomEntity", - "identifier": "Name" + "identifier": "Name", + "columnName": "AccountCustomEntity" } ] } 
@@ -956,7 +915,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DigitalGuardianMultipleIncidentsFromUser_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "DigitalGuardianMultipleIncidentsFromUser_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]", @@ -984,16 +943,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "DigitalGuardianDLP", - "dataTypes": [ - "DigitalGuardianDLPEvent" - ] - }, - { - "connectorId": "SyslogAma", "datatypes": [ "Syslog" - ] + ], + "connectorId": "SyslogAma" } ], "tactics": [ @@ -1007,8 +960,8 @@ "entityType": "Account", "fieldMappings": [ { - "columnName": "AccountCustomEntity", - "identifier": "Name" + "identifier": "Name", + "columnName": "AccountCustomEntity" } ] } @@ -1066,7 +1019,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DigitalGuardianPossibleProtocolAbuse_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "DigitalGuardianPossibleProtocolAbuse_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]", 
@@ -1094,16 +1047,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "DigitalGuardianDLP", - "dataTypes": [ - "DigitalGuardianDLPEvent" - ] - }, - { - "connectorId": "SyslogAma", "datatypes": [ "Syslog" - ] + ], + "connectorId": "SyslogAma" } ], "tactics": [ @@ -1117,8 +1064,8 @@ "entityType": "Account", "fieldMappings": [ { - "columnName": "AccountCustomEntity", - "identifier": "Name" + "identifier": "Name", + "columnName": "AccountCustomEntity" } ] } @@ -1176,7 +1123,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DigitalGuardianUnexpectedProtocol_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "DigitalGuardianUnexpectedProtocol_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]", @@ -1204,16 +1151,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "DigitalGuardianDLP", - "dataTypes": [ - "DigitalGuardianDLPEvent" - ] - }, - { - "connectorId": "SyslogAma", "datatypes": [ "Syslog" - ] + ], + "connectorId": "SyslogAma" } ], "tactics": [ @@ -1227,8 +1168,8 @@ "entityType": "Account", "fieldMappings": [ { - "columnName": "AccountCustomEntity", - "identifier": "Name" + "identifier": "Name", + "columnName": "AccountCustomEntity" } ] } 
@@ -1286,7 +1227,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DigitalGuardianViolationNotBlocked_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "DigitalGuardianViolationNotBlocked_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]", @@ -1314,16 +1255,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "DigitalGuardianDLP", - "dataTypes": [ - "DigitalGuardianDLPEvent" - ] - }, - { - "connectorId": "SyslogAma", "datatypes": [ "Syslog" - ] + ], + "connectorId": "SyslogAma" } ], "tactics": [ @@ -1337,8 +1272,8 @@ "entityType": "Account", "fieldMappings": [ { - "columnName": "AccountCustomEntity", - "identifier": "Name" + "identifier": "Name", + "columnName": "AccountCustomEntity" } ] } @@ -1396,7 +1331,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DigitalGuardianDomains_HuntingQueries Hunting Query with template version 3.0.1", + "description": "DigitalGuardianDomains_HuntingQueries Hunting Query with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]", 
@@ -1481,7 +1416,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DigitalGuardianFilesSentByUsers_HuntingQueries Hunting Query with template version 3.0.1", + "description": "DigitalGuardianFilesSentByUsers_HuntingQueries Hunting Query with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]", @@ -1566,7 +1501,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DigitalGuardianIncidentsByUser_HuntingQueries Hunting Query with template version 3.0.1", + "description": "DigitalGuardianIncidentsByUser_HuntingQueries Hunting Query with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]", @@ -1651,7 +1586,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DigitalGuardianInsecureProtocolSources_HuntingQueries Hunting Query with template version 3.0.1", + "description": "DigitalGuardianInsecureProtocolSources_HuntingQueries Hunting Query with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]", 
@@ -1736,7 +1671,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DigitalGuardianInspectedFiles_HuntingQueries Hunting Query with template version 3.0.1", + "description": "DigitalGuardianInspectedFiles_HuntingQueries Hunting Query with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]", @@ -1821,7 +1756,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DigitalGuardianNewIncidents_HuntingQueries Hunting Query with template version 3.0.1", + "description": "DigitalGuardianNewIncidents_HuntingQueries Hunting Query with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]", @@ -1906,7 +1841,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DigitalGuardianRareDestinationPorts_HuntingQueries Hunting Query with template version 3.0.1", + "description": "DigitalGuardianRareDestinationPorts_HuntingQueries Hunting Query with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]", 
@@ -1991,7 +1926,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DigitalGuardianRareNetworkProtocols_HuntingQueries Hunting Query with template version 3.0.1", + "description": "DigitalGuardianRareNetworkProtocols_HuntingQueries Hunting Query with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject8').huntingQueryVersion8]", @@ -2076,7 +2011,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DigitalGuardianRareUrls_HuntingQueries Hunting Query with template version 3.0.1", + "description": "DigitalGuardianRareUrls_HuntingQueries Hunting Query with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject9').huntingQueryVersion9]", @@ -2161,7 +2096,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DigitalGuardianUrlByUser_HuntingQueries Hunting Query with template version 3.0.1", + "description": "DigitalGuardianUrlByUser_HuntingQueries Hunting Query with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject10').huntingQueryVersion10]", 
@@ -2246,7 +2181,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DigitalGuardianDLPEvent Data Parser with template version 3.0.1", + "description": "DigitalGuardianDLPEvent Data Parser with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject1').parserVersion1]", 
@@ -2369,420 +2304,17 @@ } } }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Digital Guardian Data Loss Prevention data connector with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion1')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId1')]", - "title": "[Deprecated] Digital Guardian Data Loss Prevention", - "publisher": "Digital Guardian", - "descriptionMarkdown": "[Digital Guardian Data Loss Prevention (DLP)](https://digitalguardian.com/platform-overview) data connector provides the capability to ingest Digital Guardian DLP logs into Microsoft Sentinel.", - "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**DigitalGuardianDLPEvent**](https://aka.ms/sentinel-DigitalGuardianDLP-parser) which is deployed with the Microsoft Sentinel Solution.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "DigitalGuardianDLPEvent", - "baseQuery": "DigitalGuardianDLPEvent" - } - ], - "sampleQueries": [ - { - "description": "Top 10 
Clients (Source IP)", - "query": "DigitalGuardianDLPEvent\n | where notempty(SrcIpAddr)\n | summarize count() by SrcIpAddr\n | top 10 by count_" - } - ], - "dataTypes": [ - { - "name": "Syslog (DigitalGuardianDLPEvent)", - "lastDataReceivedQuery": "DigitalGuardianDLPEvent\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "DigitalGuardianDLPEvent\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "write permission is required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**DigitalGuardianDLPEvent**](https://aka.ms/sentinel-DigitalGuardianDLP-parser) which is deployed with the Microsoft Sentinel Solution." - }, - { - "description": "Follow these steps to configure Digital Guardian to forward logs via Syslog:\n\n1.1. Log in to the Digital Guardian Management Console.\n\n1.2. Select **Workspace** > **Data Export** > **Create Export**.\n\n1.3. 
From the **Data Sources** list, select **Alerts** or **Events** as the data source.\n\n1.4. From the **Export type** list, select **Syslog**.\n\n1.5. From the **Type list**, select **UDP** or **TCP** as the transport protocol.\n\n1.6. In the **Server** field, type the IP address of your Remote Syslog server.\n\n1.7. In the **Port** field, type 514 (or other port if your Syslog server was configured to use non-default port).\n\n1.8. From the **Severity Level** list, select a severity level.\n\n1.9. Select the **Is Active** check box.\n\n1.9. Click **Next**.\n\n1.10. From the list of available fields, add Alert or Event fields for your data export.\n\n1.11. Select a Criteria for the fields in your data export and click **Next**.\n\n1.12. Select a group for the criteria and click **Next**.\n\n1.13. Click **Test Query**.\n\n1.14. Click **Next**.\n\n1.15. Save the data export.", - "title": "1. Configure Digital Guardian to forward logs via Syslog to remote server where you will install the agent." - }, - { - "description": "Install the agent on the Server to which the logs will be forwarded.\n\n> Logs on Linux or Windows servers are collected by **Linux** or **Windows** agents.", - "instructions": [ - { - "parameters": { - "title": "Choose where to install the Linux agent:", - "instructionSteps": [ - { - "title": "Install agent on Azure Linux Virtual Machine", - "description": "Select the machine to install the agent on and then click **Connect**.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnLinuxVirtualMachine" - }, - "type": "InstallAgent" - } - ] - }, - { - "title": "Install agent on a non-Azure Linux Machine", - "description": "Download the agent on the relevant machine and follow the instructions.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnLinuxNonAzure" - }, - "type": "InstallAgent" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ], - "title": "2. 
Install and onboard the agent for Linux or Windows" - }, - { - "instructions": [ - { - "parameters": { - "title": "Choose where to install the Windows agent:", - "instructionSteps": [ - { - "title": "Install agent on Azure Windows Virtual Machine", - "description": "Select the machine to install the agent on and then click **Connect**.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnVirtualMachine" - }, - "type": "InstallAgent" - } - ] - }, - { - "title": "Install agent on a non-Azure Windows Machine", - "description": "Download the agent on the relevant machine and follow the instructions.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnNonAzure" - }, - "type": "InstallAgent" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ] - }, - { - "description": "Open Log Analytics to check if the logs are received using the Syslog schema.\n\n>**NOTE:** It may take up to 15 minutes before new logs will appear in Syslog table.", - "title": "3. 
Check logs in Microsoft Sentinel" - } - ] - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "Digital Guardian Data Loss Prevention", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId1')]", - "contentKind": "DataConnector", - "displayName": "[Deprecated] Digital Guardian Data Loss Prevention", - "contentProductId": "[variables('_dataConnectorcontentProductId1')]", - "id": "[variables('_dataConnectorcontentProductId1')]", - "version": "[variables('dataConnectorVersion1')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId1')]" - ], - "location": 
"[parameters('workspace-location')]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "Digital Guardian Data Loss Prevention", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "[Deprecated] Digital Guardian Data Loss Prevention", - "publisher": "Digital Guardian", - "descriptionMarkdown": "[Digital Guardian Data Loss Prevention (DLP)](https://digitalguardian.com/platform-overview) data connector provides the capability to ingest Digital Guardian DLP logs into Microsoft Sentinel.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "DigitalGuardianDLPEvent", - "baseQuery": "DigitalGuardianDLPEvent" - } - ], - "dataTypes": [ - { - "name": "Syslog (DigitalGuardianDLPEvent)", - "lastDataReceivedQuery": "DigitalGuardianDLPEvent\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "DigitalGuardianDLPEvent\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > 
ago(30d)" - ] - } - ], - "sampleQueries": [ - { - "description": "Top 10 Clients (Source IP)", - "query": "DigitalGuardianDLPEvent\n | where notempty(SrcIpAddr)\n | summarize count() by SrcIpAddr\n | top 10 by count_" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "write permission is required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**DigitalGuardianDLPEvent**](https://aka.ms/sentinel-DigitalGuardianDLP-parser) which is deployed with the Microsoft Sentinel Solution." - }, - { - "description": "Follow these steps to configure Digital Guardian to forward logs via Syslog:\n\n1.1. Log in to the Digital Guardian Management Console.\n\n1.2. Select **Workspace** > **Data Export** > **Create Export**.\n\n1.3. From the **Data Sources** list, select **Alerts** or **Events** as the data source.\n\n1.4. From the **Export type** list, select **Syslog**.\n\n1.5. From the **Type list**, select **UDP** or **TCP** as the transport protocol.\n\n1.6. In the **Server** field, type the IP address of your Remote Syslog server.\n\n1.7. 
In the **Port** field, type 514 (or other port if your Syslog server was configured to use non-default port).\n\n1.8. From the **Severity Level** list, select a severity level.\n\n1.9. Select the **Is Active** check box.\n\n1.9. Click **Next**.\n\n1.10. From the list of available fields, add Alert or Event fields for your data export.\n\n1.11. Select a Criteria for the fields in your data export and click **Next**.\n\n1.12. Select a group for the criteria and click **Next**.\n\n1.13. Click **Test Query**.\n\n1.14. Click **Next**.\n\n1.15. Save the data export.", - "title": "1. Configure Digital Guardian to forward logs via Syslog to remote server where you will install the agent." - }, - { - "description": "Install the agent on the Server to which the logs will be forwarded.\n\n> Logs on Linux or Windows servers are collected by **Linux** or **Windows** agents.", - "instructions": [ - { - "parameters": { - "title": "Choose where to install the Linux agent:", - "instructionSteps": [ - { - "title": "Install agent on Azure Linux Virtual Machine", - "description": "Select the machine to install the agent on and then click **Connect**.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnLinuxVirtualMachine" - }, - "type": "InstallAgent" - } - ] - }, - { - "title": "Install agent on a non-Azure Linux Machine", - "description": "Download the agent on the relevant machine and follow the instructions.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnLinuxNonAzure" - }, - "type": "InstallAgent" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ], - "title": "2. 
Install and onboard the agent for Linux or Windows" - }, - { - "instructions": [ - { - "parameters": { - "title": "Choose where to install the Windows agent:", - "instructionSteps": [ - { - "title": "Install agent on Azure Windows Virtual Machine", - "description": "Select the machine to install the agent on and then click **Connect**.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnVirtualMachine" - }, - "type": "InstallAgent" - } - ] - }, - { - "title": "Install agent on a non-Azure Windows Machine", - "description": "Download the agent on the relevant machine and follow the instructions.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnNonAzure" - }, - "type": "InstallAgent" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ] - }, - { - "description": "Open Log Analytics to check if the logs are received using the Syslog schema.\n\n>**NOTE:** It may take up to 15 minutes before new logs will appear in Syslog table.", - "title": "3. Check logs in Microsoft Sentinel" - } - ], - "id": "[variables('_uiConfigId1')]", - "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**DigitalGuardianDLPEvent**](https://aka.ms/sentinel-DigitalGuardianDLP-parser) which is deployed with the Microsoft Sentinel Solution." - } - } - }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.1", + "version": "3.0.2", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Digital Guardian Data Loss Prevention", "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", - "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Digital Guardian Data Loss Prevention (DLP) data connector provides the capability to ingest Digital Guardian DLP logs into Microsoft Sentinel.

\n

This solution is dependent on the Syslog solution containing the Syslog via AMA connector to collect the logs. The Syslog solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of Syslog via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.

\n

Data Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 10

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Digital Guardian Data Loss Prevention (DLP) data connector provides the capability to ingest Digital Guardian DLP logs into Microsoft Sentinel.

\n

This solution is dependent on the Syslog solution containing the Syslog via AMA connector to collect the logs. The Syslog solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of Syslog via AMA Connector.Legacy connector uses the Log Analytics agent which were deprecated on Aug 31, 2024. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.

\n

Parsers: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 10

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -2916,11 +2448,6 @@ "contentId": "[variables('parserObject1').parserContentId1]", "version": "[variables('parserObject1').parserVersion1]" }, - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId1')]", - "version": "[variables('dataConnectorVersion1')]" - }, { "kind": "Solution", "contentId": "azuresentinel.azure-sentinel-solution-syslog" diff --git a/Solutions/Digital Guardian Data Loss Prevention/ReleaseNotes.md b/Solutions/Digital Guardian Data Loss Prevention/ReleaseNotes.md index 7481bc0bd82..96af27fbfb8 100644 --- a/Solutions/Digital Guardian Data Loss Prevention/ReleaseNotes.md +++ b/Solutions/Digital Guardian Data Loss Prevention/ReleaseNotes.md @@ -1,4 +1,5 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|-------------------------------------------------------------------------------------------| +| 3.0.2 | 26-12-2024 | Removed Deprecated **Data connector** | | 3.0.1 | 25-07-2024 | Deprecating data connectors | | 3.0.0 | 09-10-2023 | Fixed KQL validation failure in **Hunting Query** (Digital Guardian - Users incidents) | diff --git a/Solutions/RSA SecurID/Data/Solution_RSASecurID.json b/Solutions/RSA SecurID/Data/Solution_RSASecurID.json index eae867c4c21..17924b07e53 100644 --- a/Solutions/RSA SecurID/Data/Solution_RSASecurID.json +++ b/Solutions/RSA SecurID/Data/Solution_RSASecurID.json 
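Review bot: The new descriptionHtml still opens with "The Digital Guardian Data Loss Prevention (DLP) data connector provides the capability to ingest Digital Guardian DLP logs into Microsoft Sentinel" even though this hunk removes the solution's only data connector and drops "Data Connectors: 1" from the component list, so the text now describes something the package no longer installs. With the GenericUI connector gone, the Digital Guardian Data Export steps and the parser pointer (https://aka.ms/sentinel-DigitalGuardianDLP-parser) that lived in its instructionSteps are no longer shown anywhere in this template, and nothing on the new side tells a reader what syslog source to collect through the Syslog via AMA data collection rule for `DigitalGuardianDLPEvent` to have data (I cannot see the parser, so which facility it expects is not verifiable here). Suggest rewording to `This solution ingests Digital Guardian DLP logs forwarded over syslog via the Syslog via AMA connector and normalizes them with the DigitalGuardianDLPEvent parser; configure the Digital Guardian Data Export and the AMA data collection rule accordingly.` and keeping the export steps in the solution README. Two wording slips in the same string: `AMA Connector.Legacy` is missing a space after the period, and `which were deprecated on Aug 31, 2024` should read `which was deprecated on Aug 31, 2024` (the same sentence appears in the RSA SecurID hunks below).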
@@ -2,10 +2,7 @@ "Name": "RSA SecurID", "Author": "Microsoft - support@microsoft.com", "Logo": "", - "Description": "The [RSA® SecurID Authentication Manager](https://www.securid.com) data connector provides the capability to ingest [RSA® SecurID Authentication Manager events](https://community.rsa.com/t5/rsa-authentication-manager/rsa-authentication-manager-log-messages/ta-p/630160) into Microsoft Sentinel. Refer to [RSA® SecurID Authentication Manager documentation](https://community.securid.com/t5/securid-authentication-manager/tkb-p/authentication-manager-documentation) for more information. \n\nThis solution is dependent on the Syslog solution containing the Syslog via AMA connector to collect the logs. The Syslog solution will be installed as part of this solution installation. \n\n **NOTE**: Microsoft recommends installation of Syslog via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024**. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).", - "Data Connectors": [ - "Data Connectors/RSASecurID.json" - ], + "Description": "The [RSA® SecurID Authentication Manager](https://www.securid.com) data connector provides the capability to ingest [RSA® SecurID Authentication Manager events](https://community.rsa.com/t5/rsa-authentication-manager/rsa-authentication-manager-log-messages/ta-p/630160) into Microsoft Sentinel. Refer to [RSA® SecurID Authentication Manager documentation](https://community.securid.com/t5/securid-authentication-manager/tkb-p/authentication-manager-documentation) for more information. \n\nThis solution is dependent on the Syslog solution containing the Syslog via AMA connector to collect the logs. The Syslog solution will be installed as part of this solution installation. \n\n **NOTE**: Microsoft recommends installation of Syslog via AMA Connector. 
Legacy connector uses the Log Analytics agent which were deprecated on **Aug 31, 2024.** Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).", "Parsers": [ "Parsers/RSASecurIDAMEvent.yaml" ], @@ -13,7 +10,7 @@ "azuresentinel.azure-sentinel-solution-syslog" ], "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\RSA SecurID", - "Version": "3.0.0", + "Version": "3.0.1", "Metadata": "SolutionMetadata.json", "TemplateSpec": true } \ No newline at end of file diff --git a/Solutions/RSA SecurID/Package/3.0.1.zip b/Solutions/RSA SecurID/Package/3.0.1.zip new file mode 100644 index 00000000000..588f0c3e12f Binary files /dev/null and b/Solutions/RSA SecurID/Package/3.0.1.zip differ diff --git a/Solutions/RSA SecurID/Package/createUiDefinition.json b/Solutions/RSA SecurID/Package/createUiDefinition.json index 5c1c0f22dd1..3df663eff49 100644 --- a/Solutions/RSA SecurID/Package/createUiDefinition.json +++ b/Solutions/RSA SecurID/Package/createUiDefinition.json 
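Review bot: The Description still starts with "The RSA® SecurID Authentication Manager data connector provides the capability to ingest ... into Microsoft Sentinel" while this same hunk deletes the `Data Connectors` entry, so the solution no longer ships a connector and the sentence no longer matches what gets installed. Consider `This solution ingests RSA® SecurID Authentication Manager events into Microsoft Sentinel through the Syslog via AMA connector and normalizes them with the RSASecurIDAMEvent parser.` so users know the parser is the only component left and what feeds it. Also `which were deprecated on **Aug 31, 2024.**` should be `which was deprecated on **Aug 31, 2024**.` — singular verb and the period outside the bold span.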
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/RSA%20SecurID/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [RSA® SecurID Authentication Manager](https://www.securid.com) data connector provides the capability to ingest [RSA® SecurID Authentication Manager events](https://community.rsa.com/t5/rsa-authentication-manager/rsa-authentication-manager-log-messages/ta-p/630160) into Microsoft Sentinel. Refer to [RSA® SecurID Authentication Manager documentation](https://community.securid.com/t5/securid-authentication-manager/tkb-p/authentication-manager-documentation) for more information. \n\nThis solution is dependent on the Syslog solution containing the Syslog via AMA connector to collect the logs. The Syslog solution will be installed as part of this solution installation. \n\n **NOTE**: Microsoft recommends installation of Syslog via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024**. 
Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Data Connectors:** 1, **Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/RSA%20SecurID/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [RSA® SecurID Authentication Manager](https://www.securid.com) data connector provides the capability to ingest [RSA® SecurID Authentication Manager events](https://community.rsa.com/t5/rsa-authentication-manager/rsa-authentication-manager-log-messages/ta-p/630160) into Microsoft Sentinel. Refer to [RSA® SecurID Authentication Manager documentation](https://community.securid.com/t5/securid-authentication-manager/tkb-p/authentication-manager-documentation) for more information. \n\nThis solution is dependent on the Syslog solution containing the Syslog via AMA connector to collect the logs. The Syslog solution will be installed as part of this solution installation. \n\n **NOTE**: Microsoft recommends installation of Syslog via AMA Connector. Legacy connector uses the Log Analytics agent which were deprecated on **Aug 31, 2024.** Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", 
@@ -50,39 +50,7 @@ "visible": true } ], - "steps": [ - { - "name": "dataconnectors", - "label": "Data Connectors", - "bladeTitle": "Data Connectors", - "elements": [ - { - "name": "dataconnectors1-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This Solution installs the data connector for RSA SecurID. You can get RSA SecurID Syslog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." - } - }, - { - "name": "dataconnectors-parser-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel." - } - }, - { - "name": "dataconnectors-link2", - "type": "Microsoft.Common.TextBlock", - "options": { - "link": { - "label": "Learn more about connecting data sources", - "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources" - } - } - } - ] - } - ], + "steps": [{}], "outputs": { "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]", "location": "[location()]", diff --git a/Solutions/RSA SecurID/Package/mainTemplate.json b/Solutions/RSA SecurID/Package/mainTemplate.json index aa340371b4c..ed7e5fcf834 100644 --- a/Solutions/RSA SecurID/Package/mainTemplate.json +++ b/Solutions/RSA SecurID/Package/mainTemplate.json 
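Review bot: `"steps": [{}]` replaces the removed Data Connectors step with an array holding one empty object rather than an empty array; createUiDefinition steps normally carry `name`, `label` and `elements`, so confirm the portal's schema validation accepts an empty step object — `"steps": []` is the unambiguous form if no wizard step remains. The removed step also carried the only user-facing sentence explaining that the parser normalizes ingested data, and the basics description on the new side now only says `**Parsers:** 1` without naming `RSASecurIDAMEvent`; consider adding that name to the basics description so installers know which function to query after the Syslog via AMA connector is set up. The grammar slip `which were deprecated on **Aug 31, 2024.**` in the basics description above should read `which was deprecated on **Aug 31, 2024**.`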
@@ -33,18 +33,9 @@ "email": "support@microsoft.com", "_email": "[variables('email')]", "_solutionName": "RSA SecurID", - "_solutionVersion": "3.0.0", + "_solutionVersion": "3.0.1", "solutionId": "azuresentinel.azure-sentinel-solution-securid", "_solutionId": "[variables('solutionId')]", - "uiConfigId1": "RSASecurIDAM", - "_uiConfigId1": "[variables('uiConfigId1')]", - "dataConnectorContentId1": "RSASecurIDAM", - "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", - "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "_dataConnectorId1": "[variables('dataConnectorId1')]", - "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", - "dataConnectorVersion1": "1.0.0", - "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", "parserObject1": { "_parserName1": "[concat(parameters('workspace'),'/','RSASecurIDAMEvent')]", "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'RSASecurIDAMEvent')]", 
@@ -55,387 +46,6 @@ "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, "resources": [ - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "RSA SecurID data connector with template version 3.0.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion1')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId1')]", - "title": "[Deprecated] RSA® SecurID (Authentication Manager)", - "publisher": "RSA", - "descriptionMarkdown": "The [RSA® SecurID Authentication Manager](https://www.securid.com/) data connector provides the capability to ingest [RSA® SecurID Authentication Manager events](https://community.rsa.com/t5/rsa-authentication-manager/rsa-authentication-manager-log-messages/ta-p/630160) into Microsoft Sentinel. 
Refer to [RSA® SecurID Authentication Manager documentation](https://community.rsa.com/t5/rsa-authentication-manager/getting-started-with-rsa-authentication-manager/ta-p/569582) for more information.", - "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**RSASecurIDAMEvent**](https://aka.ms/sentinel-rsasecuridam-parser) which is deployed with the Microsoft Sentinel Solution.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "RSASecurIDAM", - "baseQuery": "RSASecurIDAMEvent" - } - ], - "sampleQueries": [ - { - "description": "Top 10 Sources", - "query": "RSASecurIDAMEvent\n | summarize count() by tostring(DvcHostname)\n | top 10 by count_" - } - ], - "dataTypes": [ - { - "name": "Syslog (RSASecurIDAMEvent)", - "lastDataReceivedQuery": "RSASecurIDAMEvent\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "RSASecurIDAMEvent\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(3d)" - ] - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "delete": true - } - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**RSASecurIDAMEvent**](https://aka.ms/sentinel-rsasecuridam-parser) which is deployed with the Microsoft Sentinel Solution." 
- }, - { - "description": ">**NOTE:** This data connector has been developed using RSA SecurID Authentication Manager version: 8.4 and 8.5" - }, - { - "description": "Install the agent on the Server where the RSA® SecurID Authentication Manager logs are forwarded.\n\n> Logs from RSA® SecurID Authentication Manager Server deployed on Linux or Windows servers are collected by **Linux** or **Windows** agents.", - "instructions": [ - { - "parameters": { - "title": "Choose where to install the Linux agent:", - "instructionSteps": [ - { - "title": "Install agent on Azure Linux Virtual Machine", - "description": "Select the machine to install the agent on and then click **Connect**.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnLinuxVirtualMachine" - }, - "type": "InstallAgent" - } - ] - }, - { - "title": "Install agent on a non-Azure Linux Machine", - "description": "Download the agent on the relevant machine and follow the instructions.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnLinuxNonAzure" - }, - "type": "InstallAgent" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ], - "title": "1. 
Install and onboard the agent for Linux or Windows" - }, - { - "instructions": [ - { - "parameters": { - "title": "Choose where to install the Windows agent:", - "instructionSteps": [ - { - "title": "Install agent on Azure Windows Virtual Machine", - "description": "Select the machine to install the agent on and then click **Connect**.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnVirtualMachine" - }, - "type": "InstallAgent" - } - ] - }, - { - "title": "Install agent on a non-Azure Windows Machine", - "description": "Download the agent on the relevant machine and follow the instructions.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnNonAzure" - }, - "type": "InstallAgent" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ] - }, - { - "description": "Follow the configuration steps below to get RSA® SecurID Authentication Manager logs into Microsoft Sentinel.\n1. [Follow these instructions](https://community.rsa.com/t5/rsa-authentication-manager/configure-the-remote-syslog-host-for-real-time-log-monitoring/ta-p/571374) to forward alerts from the Manager to a syslog server.", - "title": "2. 
Configure RSA® SecurID Authentication Manager event forwarding" - } - ] - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "RSA SecurID", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId1')]", - "contentKind": "DataConnector", - "displayName": "[Deprecated] RSA® SecurID (Authentication Manager)", - "contentProductId": "[variables('_dataConnectorcontentProductId1')]", - "id": "[variables('_dataConnectorcontentProductId1')]", - "version": "[variables('dataConnectorVersion1')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId1')]" - ], - "location": 
"[parameters('workspace-location')]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "RSA SecurID", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "[Deprecated] RSA® SecurID (Authentication Manager)", - "publisher": "RSA", - "descriptionMarkdown": "The [RSA® SecurID Authentication Manager](https://www.securid.com/) data connector provides the capability to ingest [RSA® SecurID Authentication Manager events](https://community.rsa.com/t5/rsa-authentication-manager/rsa-authentication-manager-log-messages/ta-p/630160) into Microsoft Sentinel. 
Refer to [RSA® SecurID Authentication Manager documentation](https://community.rsa.com/t5/rsa-authentication-manager/getting-started-with-rsa-authentication-manager/ta-p/569582) for more information.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "RSASecurIDAM", - "baseQuery": "RSASecurIDAMEvent" - } - ], - "dataTypes": [ - { - "name": "Syslog (RSASecurIDAMEvent)", - "lastDataReceivedQuery": "RSASecurIDAMEvent\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "RSASecurIDAMEvent\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(3d)" - ] - } - ], - "sampleQueries": [ - { - "description": "Top 10 Sources", - "query": "RSASecurIDAMEvent\n | summarize count() by tostring(DvcHostname)\n | top 10 by count_" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "delete": true - } - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**RSASecurIDAMEvent**](https://aka.ms/sentinel-rsasecuridam-parser) which is deployed with the Microsoft Sentinel Solution." 
- }, - { - "description": ">**NOTE:** This data connector has been developed using RSA SecurID Authentication Manager version: 8.4 and 8.5" - }, - { - "description": "Install the agent on the Server where the RSA® SecurID Authentication Manager logs are forwarded.\n\n> Logs from RSA® SecurID Authentication Manager Server deployed on Linux or Windows servers are collected by **Linux** or **Windows** agents.", - "instructions": [ - { - "parameters": { - "title": "Choose where to install the Linux agent:", - "instructionSteps": [ - { - "title": "Install agent on Azure Linux Virtual Machine", - "description": "Select the machine to install the agent on and then click **Connect**.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnLinuxVirtualMachine" - }, - "type": "InstallAgent" - } - ] - }, - { - "title": "Install agent on a non-Azure Linux Machine", - "description": "Download the agent on the relevant machine and follow the instructions.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnLinuxNonAzure" - }, - "type": "InstallAgent" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ], - "title": "1. 
Install and onboard the agent for Linux or Windows" - }, - { - "instructions": [ - { - "parameters": { - "title": "Choose where to install the Windows agent:", - "instructionSteps": [ - { - "title": "Install agent on Azure Windows Virtual Machine", - "description": "Select the machine to install the agent on and then click **Connect**.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnVirtualMachine" - }, - "type": "InstallAgent" - } - ] - }, - { - "title": "Install agent on a non-Azure Windows Machine", - "description": "Download the agent on the relevant machine and follow the instructions.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnNonAzure" - }, - "type": "InstallAgent" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ] - }, - { - "description": "Follow the configuration steps below to get RSA® SecurID Authentication Manager logs into Microsoft Sentinel.\n1. [Follow these instructions](https://community.rsa.com/t5/rsa-authentication-manager/configure-the-remote-syslog-host-for-real-time-log-monitoring/ta-p/571374) to forward alerts from the Manager to a syslog server.", - "title": "2. Configure RSA® SecurID Authentication Manager event forwarding" - } - ], - "id": "[variables('_uiConfigId1')]", - "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**RSASecurIDAMEvent**](https://aka.ms/sentinel-rsasecuridam-parser) which is deployed with the Microsoft Sentinel Solution." - } - } - }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", 
@@ -445,7 +55,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "RSASecurIDAMEvent Data Parser with template version 3.0.0",
+ "description": "RSASecurIDAMEvent Data Parser with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('parserObject1').parserVersion1]",
@@ -573,12 +183,12 @@
 "apiVersion": "2023-04-01-preview",
 "location": "[parameters('workspace-location')]",
 "properties": {
- "version": "3.0.0",
+ "version": "3.0.1",
 "kind": "Solution",
 "contentSchemaVersion": "3.0.0",
 "displayName": "RSA SecurID",
 "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation",
- "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The RSA® SecurID Authentication Manager data connector provides the capability to ingest RSA® SecurID Authentication Manager events into Microsoft Sentinel. Refer to RSA® SecurID Authentication Manager documentation for more information.

\n

This solution is dependent on the Syslog solution containing the Syslog via AMA connector to collect the logs. The Syslog solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of Syslog via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.

\n

Data Connectors: 1, Parsers: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The RSA® SecurID Authentication Manager data connector provides the capability to ingest RSA® SecurID Authentication Manager events into Microsoft Sentinel. Refer to RSA® SecurID Authentication Manager documentation for more information.

\n

This solution is dependent on the Syslog solution containing the Syslog via AMA connector to collect the logs. The Syslog solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of Syslog via AMA Connector. Legacy connector uses the Log Analytics agent which were deprecated on Aug 31, 2024. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.

\n

Parsers: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n",
 "contentKind": "Solution",
 "contentProductId": "[variables('_solutioncontentProductId')]",
 "id": "[variables('_solutioncontentProductId')]",
@@ -602,11 +212,6 @@
 },
 "dependencies": {
 "criteria": [
- {
- "kind": "DataConnector",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "version": "[variables('dataConnectorVersion1')]"
- },
 {
 "kind": "Parser",
 "contentId": "[variables('parserObject1').parserContentId1]",
diff --git a/Solutions/RSA SecurID/ReleaseNotes.md b/Solutions/RSA SecurID/ReleaseNotes.md
index 0f063138c3f..62d1cedde6f 100644
--- a/Solutions/RSA SecurID/ReleaseNotes.md
+++ b/Solutions/RSA SecurID/ReleaseNotes.md
@@ -1,4 +1,5 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|--------------------------------------------------------------------------------|
-| 3.0.0 | 01-08-2024 |Update **Parser** as part of Syslog migration |
-| | |Deprecating data connectors |
+| 3.0.1 | 26-12-2024 | Removed Deprecated **Data connector** |
+| 3.0.0 | 01-08-2024 |Update **Parser** as part of Syslog migration |
+| | |Deprecating data connectors |
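Review bot: The added descriptionHtml value still carries the paragraph `NOTE: Microsoft recommends installation of Syslog via AMA Connector. Legacy connector uses the Log Analytics agent which were deprecated on Aug 31, 2024 ...`, although this same commit removes the only legacy connector from the package, so the warning now describes content the solution no longer ships. The sentence also has a number-agreement error (`which were deprecated` should read `which was deprecated`) and ends in `more details`, which reads as link text with no target visible in the diff. Since descriptionHtml appears to be assembled by the packaging tool, the wording should be corrected in the solution metadata that feeds it rather than in mainTemplate.json; the change from `Data Connectors: 1, Parsers: 1` to `Parsers: 1` in the same value is consistent with the removal.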