diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/Analytic Rules/CriticalOrHighSeverityDetectionsByUser.yaml b/Solutions/CrowdStrike Falcon Endpoint Protection/Analytic Rules/CriticalOrHighSeverityDetectionsByUser.yaml index 9dc6caffe95..2da2a89b350 100644 --- a/Solutions/CrowdStrike Falcon Endpoint Protection/Analytic Rules/CriticalOrHighSeverityDetectionsByUser.yaml +++ b/Solutions/CrowdStrike Falcon Endpoint Protection/Analytic Rules/CriticalOrHighSeverityDetectionsByUser.yaml @@ -5,12 +5,6 @@ description: | severity: High status: Available requiredDataConnectors: - - connectorId: CrowdStrikeFalconEndpointProtection - dataTypes: - - CommonSecurityLog - - connectorId: CrowdStrikeFalconEndpointProtectionAma - dataTypes: - - CommonSecurityLog - connectorId: CefAma dataTypes: - CommonSecurityLog @@ -18,8 +12,8 @@ queryFrequency: 1h queryPeriod: 1h triggerOperator: gt triggerThreshold: 0 -tactics: -relevantTechniques: +tactics: [] +relevantTechniques: [] query: | let timeframe = 1h; let threshold = 15; // update threshold value based on organization's preference @@ -55,5 +49,5 @@ entityMappings: columnName: FileHashAlgo - identifier: Value columnName: FileHashCustomEntity -version: 1.0.3 +version: 1.0.4 kind: Scheduled \ No newline at end of file diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/Analytic Rules/CriticalSeverityDetection.yaml b/Solutions/CrowdStrike Falcon Endpoint Protection/Analytic Rules/CriticalSeverityDetection.yaml index 6a9d25bea3c..8b4f91261c5 100644 --- a/Solutions/CrowdStrike Falcon Endpoint Protection/Analytic Rules/CriticalSeverityDetection.yaml +++ b/Solutions/CrowdStrike Falcon Endpoint Protection/Analytic Rules/CriticalSeverityDetection.yaml @@ -5,12 +5,6 @@ description: | severity: High status: Available requiredDataConnectors: - - connectorId: CrowdStrikeFalconEndpointProtection - dataTypes: - - CommonSecurityLog - - connectorId: CrowdStrikeFalconEndpointProtectionAma - dataTypes: - - CommonSecurityLog - connectorId: CefAma dataTypes: - CommonSecurityLog @@ -18,8 +12,8 @@ queryFrequency: 1h queryPeriod: 1h triggerOperator: gt triggerThreshold: 0 -tactics: -relevantTechniques: +tactics: [] +relevantTechniques: [] query: | let timeframe = 1h; CrowdStrikeFalconEventStream @@ -47,5 +41,5 @@ entityMappings: columnName: FileHashAlgo - identifier: Value columnName: FileHashCustomEntity -version: 1.0.3 +version: 1.0.4 kind: Scheduled \ No newline at end of file diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/Data/Solution_CrowdStrike.json b/Solutions/CrowdStrike Falcon Endpoint Protection/Data/Solution_CrowdStrike.json index b5094eeb4e3..3203e692f6b 100644 --- a/Solutions/CrowdStrike Falcon Endpoint Protection/Data/Solution_CrowdStrike.json +++ b/Solutions/CrowdStrike Falcon Endpoint Protection/Data/Solution_CrowdStrike.json @@ -5,9 +5,7 @@ "Description": "The [CrowdStrike Falcon Endpoint Protection](https://www.crowdstrike.com/products/) solution allows you to easily connect your CrowdStrike Falcon Event Stream with Microsoft Sentinel, to create custom dashboards, alerts, and improve investigation. This gives you more insight into your organization's endpoints and improves your security operation capabilities. \n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.", "Data Connectors": [ "Data Connectors/CrowdstrikeReplicator/CrowdstrikeReplicator_API_FunctionApp.json", - "Data Connectors/Connector_Syslog_CrowdStrikeFalconEndpointProtection.json", "Data Connectors/CrowdstrikeReplicatorCLv2/CrowdstrikeReplicatorV2_ConnectorUI.json", - "Data Connectors/template_CrowdStrikeFalconEndpointProtectionAma.json", "Data Connectors/CrowdStrikeFalconAdversaryIntelligence/CrowdStrikeFalconAdversaryIntelligence_FunctionApp.json" ], "Parsers": [ @@ -31,7 +29,7 @@ "azuresentinel.azure-sentinel-solution-commoneventformat" ], "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\CrowdStrike Falcon Endpoint Protection", - "Version": "3.0.8", + "Version": "3.0.9", "Metadata": "SolutionMetadata.json", "TemplateSpec": true, "Is1Pconnector": false diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/Package/3.0.9.zip b/Solutions/CrowdStrike Falcon Endpoint Protection/Package/3.0.9.zip index d32e8ab47c7..c33daac9077 100644 Binary files a/Solutions/CrowdStrike Falcon Endpoint Protection/Package/3.0.9.zip and b/Solutions/CrowdStrike Falcon Endpoint Protection/Package/3.0.9.zip differ diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/Package/createUiDefinition.json b/Solutions/CrowdStrike Falcon Endpoint Protection/Package/createUiDefinition.json index eff61427415..02bd9cc1667 100644 --- a/Solutions/CrowdStrike Falcon Endpoint Protection/Package/createUiDefinition.json +++ b/Solutions/CrowdStrike Falcon Endpoint Protection/Package/createUiDefinition.json @@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/CrowdStrike%20Falcon%20Endpoint%20Protection/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [CrowdStrike Falcon Endpoint Protection](https://www.crowdstrike.com/products/) solution allows you to easily connect your CrowdStrike Falcon Event Stream with Microsoft Sentinel, to create custom dashboards, alerts, and improve investigation. This gives you more insight into your organization's endpoints and improves your security operation capabilities. \n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.\n\n**Data Connectors:** 5, **Parsers:** 3, **Workbooks:** 1, **Analytic Rules:** 2, **Playbooks:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/CrowdStrike%20Falcon%20Endpoint%20Protection/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [CrowdStrike Falcon Endpoint Protection](https://www.crowdstrike.com/products/) solution allows you to easily connect your CrowdStrike Falcon Event Stream with Microsoft Sentinel, to create custom dashboards, alerts, and improve investigation. This gives you more insight into your organization's endpoints and improves your security operation capabilities. \n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.\n\n**Data Connectors:** 4, **Parsers:** 3, **Workbooks:** 1, **Analytic Rules:** 2, **Playbooks:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", @@ -66,26 +66,12 @@ { "name": "dataconnectors2-text", "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This Solution installs the data connector for CrowdStrike Falcon Endpoint Protection. You can get CrowdStrike Falcon Endpoint Protection CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." - } - }, - { - "name": "dataconnectors3-text", - "type": "Microsoft.Common.TextBlock", "options": { "text": "This Solution installs the data connector for CrowdStrike Falcon Endpoint Protection. You can get CrowdStrike Falcon Endpoint Protection custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." } }, { - "name": "dataconnectors4-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This Solution installs the data connector for CrowdStrike Falcon Endpoint Protection. You can get CrowdStrike Falcon Endpoint Protection CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." - } - }, - { - "name": "dataconnectors5-text", + "name": "dataconnectors3-text", "type": "Microsoft.Common.TextBlock", "options": { "text": "This Solution installs the data connector for CrowdStrike Falcon Endpoint Protection. You can get CrowdStrike Falcon Endpoint Protection custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/Package/mainTemplate.json b/Solutions/CrowdStrike Falcon Endpoint Protection/Package/mainTemplate.json index e2dfe2ef379..fd1a26eaca1 100644 --- a/Solutions/CrowdStrike Falcon Endpoint Protection/Package/mainTemplate.json +++ b/Solutions/CrowdStrike Falcon Endpoint Protection/Package/mainTemplate.json @@ -53,42 +53,24 @@ "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", "dataConnectorVersion1": "1.0.0", "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", - "uiConfigId2": "CrowdStrikeFalconEndpointProtection", + "uiConfigId2": "CrowdstrikeReplicatorv2", "_uiConfigId2": "[variables('uiConfigId2')]", - "dataConnectorContentId2": "CrowdStrikeFalconEndpointProtection", + "dataConnectorContentId2": "CrowdstrikeReplicatorv2", "_dataConnectorContentId2": "[variables('dataConnectorContentId2')]", "dataConnectorId2": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", "_dataConnectorId2": "[variables('dataConnectorId2')]", "dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]", - "dataConnectorVersion2": "1.0.0", + "dataConnectorVersion2": "1.0.1", "_dataConnectorcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]", - "uiConfigId3": "CrowdstrikeReplicatorv2", + "uiConfigId3": "CrowdStrikeFalconAdversaryIntelligence", "_uiConfigId3": "[variables('uiConfigId3')]", - "dataConnectorContentId3": "CrowdstrikeReplicatorv2", + "dataConnectorContentId3": "CrowdStrikeFalconAdversaryIntelligence", "_dataConnectorContentId3": "[variables('dataConnectorContentId3')]", "dataConnectorId3": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId3'))]", "_dataConnectorId3": "[variables('dataConnectorId3')]", "dataConnectorTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId3'))))]", - "dataConnectorVersion3": "1.0.1", + "dataConnectorVersion3": "1.0.0", "_dataConnectorcontentProductId3": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId3'),'-', variables('dataConnectorVersion3'))))]", - "uiConfigId4": "CrowdStrikeFalconEndpointProtectionAma", - "_uiConfigId4": "[variables('uiConfigId4')]", - "dataConnectorContentId4": "CrowdStrikeFalconEndpointProtectionAma", - "_dataConnectorContentId4": "[variables('dataConnectorContentId4')]", - "dataConnectorId4": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId4'))]", - "_dataConnectorId4": "[variables('dataConnectorId4')]", - "dataConnectorTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId4'))))]", - "dataConnectorVersion4": "1.0.0", - "_dataConnectorcontentProductId4": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId4'),'-', variables('dataConnectorVersion4'))))]", - "uiConfigId5": "CrowdStrikeFalconAdversaryIntelligence", - "_uiConfigId5": "[variables('uiConfigId5')]", - "dataConnectorContentId5": "CrowdStrikeFalconAdversaryIntelligence", - "_dataConnectorContentId5": "[variables('dataConnectorContentId5')]", - "dataConnectorId5": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId5'))]", - "_dataConnectorId5": "[variables('dataConnectorId5')]", - "dataConnectorTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId5'))))]", - "dataConnectorVersion5": "1.0.0", - "_dataConnectorcontentProductId5": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId5'),'-', variables('dataConnectorVersion5'))))]", "parserObject1": { "_parserName1": "[concat(parameters('workspace'),'/','CrowdStrikeFalconEventStream Data Parser')]", "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'CrowdStrikeFalconEventStream Data Parser')]", @@ -118,18 +100,18 @@ "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]", "analyticRuleObject1": { - "analyticRuleVersion1": "1.0.3", + "analyticRuleVersion1": "1.0.4", "_analyticRulecontentId1": "4465ebde-b381-45f7-ad08-7d818070a11c", "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '4465ebde-b381-45f7-ad08-7d818070a11c')]", "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('4465ebde-b381-45f7-ad08-7d818070a11c')))]", - "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4465ebde-b381-45f7-ad08-7d818070a11c','-', '1.0.3')))]" + "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4465ebde-b381-45f7-ad08-7d818070a11c','-', '1.0.4')))]" }, "analyticRuleObject2": { - "analyticRuleVersion2": "1.0.3", + "analyticRuleVersion2": "1.0.4", "_analyticRulecontentId2": "f7d298b2-726c-42a5-bbac-0d7f9950f527", "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'f7d298b2-726c-42a5-bbac-0d7f9950f527')]", "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('f7d298b2-726c-42a5-bbac-0d7f9950f527')))]", - "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f7d298b2-726c-42a5-bbac-0d7f9950f527','-', '1.0.3')))]" + "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f7d298b2-726c-42a5-bbac-0d7f9950f527','-', '1.0.4')))]" }, "CrowdStrike_Base": "CrowdStrike_Base", "_CrowdStrike_Base": "[variables('CrowdStrike_Base')]", @@ -536,774 +518,73 @@ "properties": { "connectorUiConfig": { "id": "[variables('_uiConfigId2')]", - "title": "[Deprecated] CrowdStrike Falcon Endpoint Protection via Legacy Agent", - "publisher": "CrowdStrike", - "descriptionMarkdown": "The [CrowdStrike Falcon Endpoint Protection](https://www.crowdstrike.com/endpoint-security-products/) connector allows you to easily connect your CrowdStrike Falcon Event Stream with Microsoft Sentinel, to create custom dashboards, alerts, and improve investigation. This gives you more insight into your organization's endpoints and improves your security operation capabilities.", - "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "CrowdStrikeFalconEventStream", - "baseQuery": "CommonSecurityLog \n| where DeviceVendor == \"CrowdStrike\" and DeviceProduct == \"FalconHost\"" - } - ], - "sampleQueries": [ - { - "description": "Top 10 Hosts with Detections", - "query": "CrowdStrikeFalconEventStream \n | where EventType == \"DetectionSummaryEvent\" \n| summarize count() by DstHostName \n | top 10 by count_" - }, - { - "description": "Top 10 Users with Detections", - "query": "CrowdStrikeFalconEventStream \n | where EventType == \"DetectionSummaryEvent\" \n| summarize count() by DstUserName \n | top 10 by count_" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "CommonSecurityLog \n| where DeviceVendor == \"CrowdStrike\" and DeviceProduct == \"FalconHost\"\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(3d)" - ] - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (CrowdStrikeFalconEventStream)", - "lastDataReceivedQuery": "CommonSecurityLog \n| where DeviceVendor == \"CrowdStrike\" and DeviceProduct == \"FalconHost\"\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": "**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias Crowd Strike Falcon Endpoint Protection and load the function code or click [here](https://aka.ms/sentinel-crowdstrikefalconendpointprotection-parser), on the second line of the query, enter the hostname(s) of your CrowdStrikeFalcon device(s) and any other unique identifiers for the logstream. The function usually takes 10-15 minutes to activate after solution installation/update." - }, - { - "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", - "innerSteps": [ - { - "title": "1.1 Select or create a Linux machine", - "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." - }, - { - "title": "1.2 Install the CEF collector on the Linux machine", - "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId", - "PrimaryKey" - ], - "label": "Run the following command to install and apply the CEF collector:", - "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}" - }, - "type": "CopyableLabel" - } - ] - } - ], - "title": "1. Linux Syslog agent configuration" - }, - { - "description": "Deploy the CrowdStrike Falcon SIEM Collector to forward Syslog messages in CEF format to your Microsoft Sentinel workspace via the Syslog agent.\n1. [Follow these instructions](https://www.crowdstrike.com/blog/tech-center/integrate-with-your-siem/) to deploy the SIEM Collector and forward syslog\n2. Use the IP address or hostname for the Linux device with the Linux agent installed as the Destination IP address.", - "title": "2. Forward CrowdStrike Falcon Event Stream logs to a Syslog agent" - }, - { - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}" - }, - "type": "CopyableLabel" - } - ], - "title": "3. Validate connection" - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "4. Secure your machine " - } - ] - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", - "contentId": "[variables('_dataConnectorContentId2')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion2')]", - "source": { - "kind": "Solution", - "name": "CrowdStrike Falcon Endpoint Protection", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId2')]", - "contentKind": "DataConnector", - "displayName": "[Deprecated] CrowdStrike Falcon Endpoint Protection via Legacy Agent", - "contentProductId": "[variables('_dataConnectorcontentProductId2')]", - "id": "[variables('_dataConnectorcontentProductId2')]", - "version": "[variables('dataConnectorVersion2')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId2')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", - "contentId": "[variables('_dataConnectorContentId2')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion2')]", - "source": { - "kind": "Solution", - "name": "CrowdStrike Falcon Endpoint Protection", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "[Deprecated] CrowdStrike Falcon Endpoint Protection via Legacy Agent", - "publisher": "CrowdStrike", - "descriptionMarkdown": "The [CrowdStrike Falcon Endpoint Protection](https://www.crowdstrike.com/endpoint-security-products/) connector allows you to easily connect your CrowdStrike Falcon Event Stream with Microsoft Sentinel, to create custom dashboards, alerts, and improve investigation. This gives you more insight into your organization's endpoints and improves your security operation capabilities.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "CrowdStrikeFalconEventStream", - "baseQuery": "CommonSecurityLog \n| where DeviceVendor == \"CrowdStrike\" and DeviceProduct == \"FalconHost\"" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (CrowdStrikeFalconEventStream)", - "lastDataReceivedQuery": "CommonSecurityLog \n| where DeviceVendor == \"CrowdStrike\" and DeviceProduct == \"FalconHost\"\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "CommonSecurityLog \n| where DeviceVendor == \"CrowdStrike\" and DeviceProduct == \"FalconHost\"\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(3d)" - ] - } - ], - "sampleQueries": [ - { - "description": "Top 10 Hosts with Detections", - "query": "CrowdStrikeFalconEventStream \n | where EventType == \"DetectionSummaryEvent\" \n| summarize count() by DstHostName \n | top 10 by count_" - }, - { - "description": "Top 10 Users with Detections", - "query": "CrowdStrikeFalconEventStream \n | where EventType == \"DetectionSummaryEvent\" \n| summarize count() by DstUserName \n | top 10 by count_" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": "**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias Crowd Strike Falcon Endpoint Protection and load the function code or click [here](https://aka.ms/sentinel-crowdstrikefalconendpointprotection-parser), on the second line of the query, enter the hostname(s) of your CrowdStrikeFalcon device(s) and any other unique identifiers for the logstream. The function usually takes 10-15 minutes to activate after solution installation/update." - }, - { - "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", - "innerSteps": [ - { - "title": "1.1 Select or create a Linux machine", - "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." - }, - { - "title": "1.2 Install the CEF collector on the Linux machine", - "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId", - "PrimaryKey" - ], - "label": "Run the following command to install and apply the CEF collector:", - "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}" - }, - "type": "CopyableLabel" - } - ] - } - ], - "title": "1. Linux Syslog agent configuration" - }, - { - "description": "Deploy the CrowdStrike Falcon SIEM Collector to forward Syslog messages in CEF format to your Microsoft Sentinel workspace via the Syslog agent.\n1. [Follow these instructions](https://www.crowdstrike.com/blog/tech-center/integrate-with-your-siem/) to deploy the SIEM Collector and forward syslog\n2. Use the IP address or hostname for the Linux device with the Linux agent installed as the Destination IP address.", - "title": "2. Forward CrowdStrike Falcon Event Stream logs to a Syslog agent" - }, - { - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}" - }, - "type": "CopyableLabel" - } - ], - "title": "3. Validate connection" - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "4. Secure your machine " - } - ], - "id": "[variables('_uiConfigId2')]", - "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution." - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName3')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "CrowdStrike Falcon Endpoint Protection data connector with template version 3.0.9", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion3')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId3'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId3')]", - "title": "Crowdstrike Falcon Data Replicator V2 (using Azure Functions)", - "publisher": "Crowdstrike", - "descriptionMarkdown": "The [Crowdstrike](https://www.crowdstrike.com/) Falcon Data Replicator connector provides the capability to ingest raw event data from the [Falcon Platform](https://www.crowdstrike.com/blog/tech-center/intro-to-falcon-data-replicator/) events into Microsoft Sentinel. The connector provides ability to get events from Falcon Agents which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more.", - "additionalRequirementBanner": "These queries and workbooks are dependent on a parser based on Kusto to work as expected. ​Follow the steps to use this Kusto functions alias **CrowdstrikeReplicator** in queries and workbooks [Follow steps to get this Kusto functions>](https://aka.ms/sentinel-crowdstrikereplicator-parser).", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "CrowdStrikeReplicatorV2", - "baseQuery": "CrowdStrikeReplicatorV2" - } - ], - "sampleQueries": [ - { - "description": "Data Replicator - All Activities", - "query": "CrowdStrikeReplicatorV2 \n | sort by TimeGenerated desc" - } - ], - "dataTypes": [ - { - "name": "CrowdStrike_Additional_Events_CL", - "lastDataReceivedQuery": "CrowdStrike_Additional_Events_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "ASimNetworkSessionLogs", - "lastDataReceivedQuery": "ASimNetworkSessionLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "ASimDnsActivityLogs", - "lastDataReceivedQuery": "ASimDnsActivityLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "ASimAuditEventLogs", - "lastDataReceivedQuery": "ASimAuditEventLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "ASimFileEventLogs", - "lastDataReceivedQuery": "ASimFileEventLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "ASimAuthenticationEventLogs", - "lastDataReceivedQuery": "ASimAuthenticationEventLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "ASimProcessEventLogs", - "lastDataReceivedQuery": "ASimProcessEventLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "ASimRegistryEventLogs", - "lastDataReceivedQuery": "ASimRegistryEventLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "ASimUserManagementActivityLogs", - "lastDataReceivedQuery": "ASimUserManagementActivityLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "CrowdStrike_Secondary_Data_CL", - "lastDataReceivedQuery": "CrowdStrike_Secondary_Data_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "CrowdStrikeReplicatorV2(starttime=ago(3d)) \n |take 1\n | project IsConnected = true " - ] - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions on the workspace are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "name": "Microsoft.Web/sites permissions", - "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." - }, - { - "name": "SQS and AWS S3 account credentials/permissions", - "description": "**AWS_SECRET**, **AWS_REGION_NAME**, **AWS_KEY**, **QUEUE_URL** is required. [See the documentation to learn more about data pulling](https://www.crowdstrike.com/blog/tech-center/intro-to-falcon-data-replicator/). To start, contact CrowdStrike support. At your request they will create a CrowdStrike managed Amazon Web Services (AWS) S3 bucket for short term storage purposes as well as a SQS (simple queue service) account for monitoring changes to the S3 bucket." - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This connector uses Azure Functions to connect to the AWS SQS / S3 to pull logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details.\n\n>**(Optional Step)** Securely store API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." - }, - { - "description": "1. Configure FDR in CrowdStrike - You must contact the [CrowdStrike support team](https://supportportal.crowdstrike.com/) to enable CrowdStrike FDR.\n\t - Once CrowdStrike FDR is enabled, from the CrowdStrike console, navigate to Support --> API Clients and Keys. \n\t - You need to Create new credentials to copy the AWS Access Key ID, AWS Secret Access Key, SQS Queue URL and AWS Region. \n2. Register AAD application - For DCR to authentiate to ingest data into log analytics, you must use AAD application. \n\t - [Follow the instructions here](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/tutorial-logs-ingestion-portal#create-azure-ad-application) (steps 1-5) to get **AAD Tenant Id**, **AAD Client Id** and **AAD Client Secret**. \n\t - For **AAD Principal** Id of this application, access the AAD App through [AAD Portal](https://aad.portal.azure.com/#view/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/~/AppAppsPreview/menuId/) and capture Object Id from the application overview page.", - "title": "Prerequisites" - }, - { - "description": "Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function", - "title": "Deployment Options" - }, - { - "description": "Use this method for automated deployment of the Crowdstrike Falcon Data Replicator connector V2 using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-CrowdstrikeReplicatorV2-azuredeploy) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://aka.ms/sentinel-CrowdstrikeReplicatorV2-azuredeploy-gov) \t\t\t\n2. Provide the required details such as Microsoft Sentinel Workspace, CrowdStrike AWS credentials, Azure AD Application details and ingestion configurations \n> **NOTE:** Within the same resource group, you can't mix Windows and Linux apps in the same region. Select existing resource group without Windows apps in it or create new resource group. It is recommended to create a new Resource Group for deployment of function app and associated resources.\n3. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n4. Click **Purchase** to deploy.", - "title": "Option 1 - Azure Resource Manager (ARM) Template" - }, - { - "description": "Use the following step-by-step instructions to deploy the Crowdstrike Falcon Data Replicator connector manually with Azure Functions (Deployment via Visual Studio Code).", - "title": "Option 2 - Manual Deployment of Azure Functions" - }, - { - "description": "**1. Deploy DCE, DCR and Custom Tables for data ingestion**\n\n1. Deploy the required DCE, DCR(s) and the Custom Tables by using the [Data Collection Resource ARM template](https://aka.ms/sentinel-CrowdstrikeReplicatorV2-azuredeploy-data-resource) \n2. After successful deployment of DCE and DCR(s), get the below information and keep it handy (required during Azure Functions app deployment).\n\t - DCE log ingestion - Follow the instructions available at [Create data collection endpoint](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/tutorial-logs-ingestion-portal#create-data-collection-endpoint) (Step 3).\n\t - Immutable Ids of one or more DCRs (as applicable) - Follow the instructions available at [Collect information from the DCR](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/tutorial-logs-ingestion-portal#collect-information-from-the-dcr) (Stpe 2)." - }, - { - "description": "**2. Deploy a Function App**\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-CrowdstrikeReplicatorV2-functionapp) file. Extract archive to your local development computer.\n2. Follow the [function app manual deployment instructions](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/AzureFunctionsManualDeployment.md#function-app-manual-deployment-instructions) to deploy the Azure Functions app using VSCode.\n3. After successful deployment of the function app, follow next steps for configuring it." - }, - { - "description": "**3. Configure the Function App**\n\n1. Go to Azure Portal for the Function App configuration.\n2. In the Function App, select the Function App Name and select **Configuration**.\n3. In the **Application settings** tab, select ** New application setting**.\n4. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tAWS_KEY\n\t\tAWS_SECRET\n\t\tAWS_REGION_NAME\n\t\tQUEUE_URL\n\t\tUSER_SELECTION_REQUIRE_RAW //True if raw data is required\n\t\tUSER_SELECTION_REQUIRE_SECONDARY //True if secondary data is required\n\t\tMAX_QUEUE_MESSAGES_MAIN_QUEUE // 100 for consumption and 150 for Premium\n\t\tMAX_SCRIPT_EXEC_TIME_MINUTES // add the value of 10 here\n\t\tAZURE_TENANT_ID\n\t\tAZURE_CLIENT_ID\n\t\tAZURE_CLIENT_SECRET\n\t\tDCE_INGESTION_ENDPOINT\n\t\tNORMALIZED_DCR_ID\n\t\tRAW_DATA_DCR_ID\n\t\tEVENT_TO_TABLE_MAPPING_LINK // File is present on github. Add if the file can be accessed using internet\n\t\tREQUIRED_FIELDS_SCHEMA_LINK //File is present on github. Add if the file can be accessed using internet\n\t\tSchedule //Add value as '0 */1 * * * *' to ensure the function runs every minute.\n5. Once all application settings have been entered, click **Save**." - } - ], - "metadata": { - "version": "1.0.1" - } - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId3'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId3'))]", - "contentId": "[variables('_dataConnectorContentId3')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion3')]", - "source": { - "kind": "Solution", - "name": "CrowdStrike Falcon Endpoint Protection", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId3')]", - "contentKind": "DataConnector", - "displayName": "Crowdstrike Falcon Data Replicator V2 (using Azure Functions)", - "contentProductId": "[variables('_dataConnectorcontentProductId3')]", - "id": "[variables('_dataConnectorcontentProductId3')]", - "version": "[variables('dataConnectorVersion3')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId3'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId3')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId3'))]", - "contentId": "[variables('_dataConnectorContentId3')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion3')]", - "source": { - "kind": "Solution", - "name": "CrowdStrike Falcon Endpoint Protection", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId3'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "Crowdstrike Falcon Data Replicator V2 (using Azure Functions)", - "publisher": "Crowdstrike", - "descriptionMarkdown": "The [Crowdstrike](https://www.crowdstrike.com/) Falcon Data Replicator connector provides the capability to ingest raw event data from the [Falcon Platform](https://www.crowdstrike.com/blog/tech-center/intro-to-falcon-data-replicator/) events into Microsoft Sentinel. The connector provides ability to get events from Falcon Agents which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "CrowdStrikeReplicatorV2", - "baseQuery": "CrowdStrikeReplicatorV2" - } - ], - "dataTypes": [ - { - "name": "CrowdStrike_Additional_Events_CL", - "lastDataReceivedQuery": "CrowdStrike_Additional_Events_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "ASimNetworkSessionLogs", - "lastDataReceivedQuery": "ASimNetworkSessionLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "ASimDnsActivityLogs", - "lastDataReceivedQuery": "ASimDnsActivityLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "ASimAuditEventLogs", - "lastDataReceivedQuery": "ASimAuditEventLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "ASimFileEventLogs", - "lastDataReceivedQuery": "ASimFileEventLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "ASimAuthenticationEventLogs", - "lastDataReceivedQuery": "ASimAuthenticationEventLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "ASimProcessEventLogs", - "lastDataReceivedQuery": "ASimProcessEventLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "ASimRegistryEventLogs", - "lastDataReceivedQuery": "ASimRegistryEventLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "ASimUserManagementActivityLogs", - "lastDataReceivedQuery": "ASimUserManagementActivityLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "CrowdStrike_Secondary_Data_CL", - "lastDataReceivedQuery": "CrowdStrike_Secondary_Data_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "CrowdStrikeReplicatorV2(starttime=ago(3d)) \n |take 1\n | project IsConnected = true " - ] - } - ], - "sampleQueries": [ - { - "description": "Data Replicator - All Activities", - "query": "CrowdStrikeReplicatorV2 \n | sort by TimeGenerated desc" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions on the workspace are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "name": "Microsoft.Web/sites permissions", - "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." - }, - { - "name": "SQS and AWS S3 account credentials/permissions", - "description": "**AWS_SECRET**, **AWS_REGION_NAME**, **AWS_KEY**, **QUEUE_URL** is required. [See the documentation to learn more about data pulling](https://www.crowdstrike.com/blog/tech-center/intro-to-falcon-data-replicator/). To start, contact CrowdStrike support. At your request they will create a CrowdStrike managed Amazon Web Services (AWS) S3 bucket for short term storage purposes as well as a SQS (simple queue service) account for monitoring changes to the S3 bucket." - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This connector uses Azure Functions to connect to the AWS SQS / S3 to pull logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details.\n\n>**(Optional Step)** Securely store API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." - }, - { - "description": "1. Configure FDR in CrowdStrike - You must contact the [CrowdStrike support team](https://supportportal.crowdstrike.com/) to enable CrowdStrike FDR.\n\t - Once CrowdStrike FDR is enabled, from the CrowdStrike console, navigate to Support --> API Clients and Keys. \n\t - You need to Create new credentials to copy the AWS Access Key ID, AWS Secret Access Key, SQS Queue URL and AWS Region. \n2. Register AAD application - For DCR to authentiate to ingest data into log analytics, you must use AAD application. \n\t - [Follow the instructions here](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/tutorial-logs-ingestion-portal#create-azure-ad-application) (steps 1-5) to get **AAD Tenant Id**, **AAD Client Id** and **AAD Client Secret**. \n\t - For **AAD Principal** Id of this application, access the AAD App through [AAD Portal](https://aad.portal.azure.com/#view/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/~/AppAppsPreview/menuId/) and capture Object Id from the application overview page.", - "title": "Prerequisites" - }, - { - "description": "Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function", - "title": "Deployment Options" - }, - { - "description": "Use this method for automated deployment of the Crowdstrike Falcon Data Replicator connector V2 using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-CrowdstrikeReplicatorV2-azuredeploy) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://aka.ms/sentinel-CrowdstrikeReplicatorV2-azuredeploy-gov) \t\t\t\n2. Provide the required details such as Microsoft Sentinel Workspace, CrowdStrike AWS credentials, Azure AD Application details and ingestion configurations \n> **NOTE:** Within the same resource group, you can't mix Windows and Linux apps in the same region. Select existing resource group without Windows apps in it or create new resource group. It is recommended to create a new Resource Group for deployment of function app and associated resources.\n3. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n4. Click **Purchase** to deploy.", - "title": "Option 1 - Azure Resource Manager (ARM) Template" - }, - { - "description": "Use the following step-by-step instructions to deploy the Crowdstrike Falcon Data Replicator connector manually with Azure Functions (Deployment via Visual Studio Code).", - "title": "Option 2 - Manual Deployment of Azure Functions" - }, - { - "description": "**1. Deploy DCE, DCR and Custom Tables for data ingestion**\n\n1. Deploy the required DCE, DCR(s) and the Custom Tables by using the [Data Collection Resource ARM template](https://aka.ms/sentinel-CrowdstrikeReplicatorV2-azuredeploy-data-resource) \n2. After successful deployment of DCE and DCR(s), get the below information and keep it handy (required during Azure Functions app deployment).\n\t - DCE log ingestion - Follow the instructions available at [Create data collection endpoint](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/tutorial-logs-ingestion-portal#create-data-collection-endpoint) (Step 3).\n\t - Immutable Ids of one or more DCRs (as applicable) - Follow the instructions available at [Collect information from the DCR](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/tutorial-logs-ingestion-portal#collect-information-from-the-dcr) (Stpe 2)." - }, - { - "description": "**2. Deploy a Function App**\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-CrowdstrikeReplicatorV2-functionapp) file. Extract archive to your local development computer.\n2. Follow the [function app manual deployment instructions](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/AzureFunctionsManualDeployment.md#function-app-manual-deployment-instructions) to deploy the Azure Functions app using VSCode.\n3. After successful deployment of the function app, follow next steps for configuring it." - }, - { - "description": "**3. Configure the Function App**\n\n1. Go to Azure Portal for the Function App configuration.\n2. In the Function App, select the Function App Name and select **Configuration**.\n3. In the **Application settings** tab, select ** New application setting**.\n4. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tAWS_KEY\n\t\tAWS_SECRET\n\t\tAWS_REGION_NAME\n\t\tQUEUE_URL\n\t\tUSER_SELECTION_REQUIRE_RAW //True if raw data is required\n\t\tUSER_SELECTION_REQUIRE_SECONDARY //True if secondary data is required\n\t\tMAX_QUEUE_MESSAGES_MAIN_QUEUE // 100 for consumption and 150 for Premium\n\t\tMAX_SCRIPT_EXEC_TIME_MINUTES // add the value of 10 here\n\t\tAZURE_TENANT_ID\n\t\tAZURE_CLIENT_ID\n\t\tAZURE_CLIENT_SECRET\n\t\tDCE_INGESTION_ENDPOINT\n\t\tNORMALIZED_DCR_ID\n\t\tRAW_DATA_DCR_ID\n\t\tEVENT_TO_TABLE_MAPPING_LINK // File is present on github. Add if the file can be accessed using internet\n\t\tREQUIRED_FIELDS_SCHEMA_LINK //File is present on github. Add if the file can be accessed using internet\n\t\tSchedule //Add value as '0 */1 * * * *' to ensure the function runs every minute.\n5. Once all application settings have been entered, click **Save**." - } - ], - "id": "[variables('_uiConfigId3')]", - "additionalRequirementBanner": "These queries and workbooks are dependent on a parser based on Kusto to work as expected. ​Follow the steps to use this Kusto functions alias **CrowdstrikeReplicator** in queries and workbooks [Follow steps to get this Kusto functions>](https://aka.ms/sentinel-crowdstrikereplicator-parser)." - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName4')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "CrowdStrike Falcon Endpoint Protection data connector with template version 3.0.9", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion4')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId4'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId4')]", - "title": "[Deprecated] CrowdStrike Falcon Endpoint Protection via AMA", - "publisher": "CrowdStrike", - "descriptionMarkdown": "The [CrowdStrike Falcon Endpoint Protection](https://www.crowdstrike.com/endpoint-security-products/) connector allows you to easily connect your CrowdStrike Falcon Event Stream with Microsoft Sentinel, to create custom dashboards, alerts, and improve investigation. This gives you more insight into your organization's endpoints and improves your security operation capabilities.", - "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution.", + "title": "Crowdstrike Falcon Data Replicator V2 (using Azure Functions)", + "publisher": "Crowdstrike", + "descriptionMarkdown": "The [Crowdstrike](https://www.crowdstrike.com/) Falcon Data Replicator connector provides the capability to ingest raw event data from the [Falcon Platform](https://www.crowdstrike.com/blog/tech-center/intro-to-falcon-data-replicator/) events into Microsoft Sentinel. The connector provides ability to get events from Falcon Agents which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more.", + "additionalRequirementBanner": "These queries and workbooks are dependent on a parser based on Kusto to work as expected. ​Follow the steps to use this Kusto functions alias **CrowdstrikeReplicator** in queries and workbooks [Follow steps to get this Kusto functions>](https://aka.ms/sentinel-crowdstrikereplicator-parser).", "graphQueries": [ { "metricName": "Total data received", - "legend": "CrowdStrikeFalconEventStream", - "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'CrowdStrike'\n |where DeviceProduct =~ 'FalconHost'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" + "legend": "CrowdStrikeReplicatorV2", + "baseQuery": "CrowdStrikeReplicatorV2" } ], "sampleQueries": [ { - "description": "Top 10 Hosts with Detections", - "query": "CrowdStrikeFalconEventStream \n | where EventType == \"DetectionSummaryEvent\" \n| summarize count() by DstHostName \n | top 10 by count_" + "description": "Data Replicator - All Activities", + "query": "CrowdStrikeReplicatorV2 \n | sort by TimeGenerated desc" + } + ], + "dataTypes": [ + { + "name": "CrowdStrike_Additional_Events_CL", + "lastDataReceivedQuery": "CrowdStrike_Additional_Events_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "ASimNetworkSessionLogs", + "lastDataReceivedQuery": "ASimNetworkSessionLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "ASimDnsActivityLogs", + "lastDataReceivedQuery": "ASimDnsActivityLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "ASimAuditEventLogs", + "lastDataReceivedQuery": "ASimAuditEventLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "ASimFileEventLogs", + "lastDataReceivedQuery": "ASimFileEventLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "ASimAuthenticationEventLogs", + "lastDataReceivedQuery": "ASimAuthenticationEventLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "ASimProcessEventLogs", + "lastDataReceivedQuery": "ASimProcessEventLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" }, { - "description": "Top 10 Users with Detections", - "query": "CrowdStrikeFalconEventStream \n | where EventType == \"DetectionSummaryEvent\" \n| summarize count() by DstUserName \n | top 10 by count_" + "name": "ASimRegistryEventLogs", + "lastDataReceivedQuery": "ASimRegistryEventLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "ASimUserManagementActivityLogs", + "lastDataReceivedQuery": "ASimUserManagementActivityLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "CrowdStrike_Secondary_Data_CL", + "lastDataReceivedQuery": "CrowdStrike_Secondary_Data_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" } ], "connectivityCriterias": [ { "type": "IsConnectedQuery", "value": [ - "CommonSecurityLog\n |where DeviceVendor =~ 'CrowdStrike'\n |where DeviceProduct =~ 'FalconHost'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + "CrowdStrikeReplicatorV2(starttime=ago(3d)) \n |take 1\n | project IsConnected = true " ] } ], - "dataTypes": [ - { - "name": "CommonSecurityLog (CrowdStrikeFalconEventStream)", - "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'CrowdStrike'\n |where DeviceProduct =~ 'FalconHost'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], "availability": { "status": 1, "isPreview": false @@ -1312,12 +593,12 @@ "resourceProvider": [ { "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", + "permissionsDisplayText": "read and write permissions on the workspace are required.", "providerDisplayName": "Workspace", "scope": "Workspace", "requiredPermissions": { - "read": true, "write": true, + "read": true, "delete": true } }, @@ -1333,65 +614,60 @@ ], "customs": [ { - "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + "name": "Microsoft.Web/sites permissions", + "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." }, { - "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" + "name": "SQS and AWS S3 account credentials/permissions", + "description": "**AWS_SECRET**, **AWS_REGION_NAME**, **AWS_KEY**, **QUEUE_URL** is required. [See the documentation to learn more about data pulling](https://www.crowdstrike.com/blog/tech-center/intro-to-falcon-data-replicator/). To start, contact CrowdStrike support. At your request they will create a CrowdStrike managed Amazon Web Services (AWS) S3 bucket for short term storage purposes as well as a SQS (simple queue service) account for monitoring changes to the S3 bucket." } ] }, "instructionSteps": [ { - "description": "**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias Crowd Strike Falcon Endpoint Protection and load the function code or click [here](https://aka.ms/sentinel-crowdstrikefalconendpointprotection-parser), on the second line of the query, enter the hostname(s) of your CrowdStrikeFalcon device(s) and any other unique identifiers for the logstream. The function usually takes 10-15 minutes to activate after solution installation/update.", - "instructions": [ - { - "parameters": { - "title": "1. Kindly follow the steps to configure the data connector", - "instructionSteps": [ - { - "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", - "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine" - }, - { - "title": "Step B. Forward CrowdStrike Falcon Event Stream logs to a Syslog agent", - "description": "Deploy the CrowdStrike Falcon SIEM Collector to forward Syslog messages in CEF format to your Microsoft Sentinel workspace via the Syslog agent.\n1. [Follow these instructions](https://www.crowdstrike.com/blog/tech-center/integrate-with-your-siem/) to deploy the SIEM Collector and forward syslog\n2. Use the IP address or hostname for the Linux device with the Linux agent installed as the Destination IP address." - }, - { - "title": "Step C. Validate connection", - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef" - }, - "type": "CopyableLabel" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ] + "description": ">**NOTE:** This connector uses Azure Functions to connect to the AWS SQS / S3 to pull logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details.\n\n>**(Optional Step)** Securely store API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." + }, + { + "description": "1. Configure FDR in CrowdStrike - You must contact the [CrowdStrike support team](https://supportportal.crowdstrike.com/) to enable CrowdStrike FDR.\n\t - Once CrowdStrike FDR is enabled, from the CrowdStrike console, navigate to Support --> API Clients and Keys. \n\t - You need to Create new credentials to copy the AWS Access Key ID, AWS Secret Access Key, SQS Queue URL and AWS Region. \n2. Register AAD application - For DCR to authentiate to ingest data into log analytics, you must use AAD application. \n\t - [Follow the instructions here](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/tutorial-logs-ingestion-portal#create-azure-ad-application) (steps 1-5) to get **AAD Tenant Id**, **AAD Client Id** and **AAD Client Secret**. \n\t - For **AAD Principal** Id of this application, access the AAD App through [AAD Portal](https://aad.portal.azure.com/#view/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/~/AppAppsPreview/menuId/) and capture Object Id from the application overview page.", + "title": "Prerequisites" + }, + { + "description": "Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function", + "title": "Deployment Options" + }, + { + "description": "Use this method for automated deployment of the Crowdstrike Falcon Data Replicator connector V2 using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-CrowdstrikeReplicatorV2-azuredeploy) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://aka.ms/sentinel-CrowdstrikeReplicatorV2-azuredeploy-gov) \t\t\t\n2. Provide the required details such as Microsoft Sentinel Workspace, CrowdStrike AWS credentials, Azure AD Application details and ingestion configurations \n> **NOTE:** Within the same resource group, you can't mix Windows and Linux apps in the same region. Select existing resource group without Windows apps in it or create new resource group. It is recommended to create a new Resource Group for deployment of function app and associated resources.\n3. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n4. Click **Purchase** to deploy.", + "title": "Option 1 - Azure Resource Manager (ARM) Template" + }, + { + "description": "Use the following step-by-step instructions to deploy the Crowdstrike Falcon Data Replicator connector manually with Azure Functions (Deployment via Visual Studio Code).", + "title": "Option 2 - Manual Deployment of Azure Functions" + }, + { + "description": "**1. Deploy DCE, DCR and Custom Tables for data ingestion**\n\n1. Deploy the required DCE, DCR(s) and the Custom Tables by using the [Data Collection Resource ARM template](https://aka.ms/sentinel-CrowdstrikeReplicatorV2-azuredeploy-data-resource) \n2. After successful deployment of DCE and DCR(s), get the below information and keep it handy (required during Azure Functions app deployment).\n\t - DCE log ingestion - Follow the instructions available at [Create data collection endpoint](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/tutorial-logs-ingestion-portal#create-data-collection-endpoint) (Step 3).\n\t - Immutable Ids of one or more DCRs (as applicable) - Follow the instructions available at [Collect information from the DCR](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/tutorial-logs-ingestion-portal#collect-information-from-the-dcr) (Stpe 2)." + }, + { + "description": "**2. Deploy a Function App**\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-CrowdstrikeReplicatorV2-functionapp) file. Extract archive to your local development computer.\n2. Follow the [function app manual deployment instructions](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/AzureFunctionsManualDeployment.md#function-app-manual-deployment-instructions) to deploy the Azure Functions app using VSCode.\n3. After successful deployment of the function app, follow next steps for configuring it." }, { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "2. Secure your machine " + "description": "**3. Configure the Function App**\n\n1. Go to Azure Portal for the Function App configuration.\n2. In the Function App, select the Function App Name and select **Configuration**.\n3. In the **Application settings** tab, select ** New application setting**.\n4. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tAWS_KEY\n\t\tAWS_SECRET\n\t\tAWS_REGION_NAME\n\t\tQUEUE_URL\n\t\tUSER_SELECTION_REQUIRE_RAW //True if raw data is required\n\t\tUSER_SELECTION_REQUIRE_SECONDARY //True if secondary data is required\n\t\tMAX_QUEUE_MESSAGES_MAIN_QUEUE // 100 for consumption and 150 for Premium\n\t\tMAX_SCRIPT_EXEC_TIME_MINUTES // add the value of 10 here\n\t\tAZURE_TENANT_ID\n\t\tAZURE_CLIENT_ID\n\t\tAZURE_CLIENT_SECRET\n\t\tDCE_INGESTION_ENDPOINT\n\t\tNORMALIZED_DCR_ID\n\t\tRAW_DATA_DCR_ID\n\t\tEVENT_TO_TABLE_MAPPING_LINK // File is present on github. Add if the file can be accessed using internet\n\t\tREQUIRED_FIELDS_SCHEMA_LINK //File is present on github. Add if the file can be accessed using internet\n\t\tSchedule //Add value as '0 */1 * * * *' to ensure the function runs every minute.\n5. Once all application settings have been entered, click **Save**." } - ] + ], + "metadata": { + "version": "1.0.1" + } } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId4'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId4'))]", - "contentId": "[variables('_dataConnectorContentId4')]", + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", + "contentId": "[variables('_dataConnectorContentId2')]", "kind": "DataConnector", - "version": "[variables('dataConnectorVersion4')]", + "version": "[variables('dataConnectorVersion2')]", "source": { "kind": "Solution", "name": "CrowdStrike Falcon Endpoint Protection", @@ -1416,27 +692,27 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId4')]", + "contentId": "[variables('_dataConnectorContentId2')]", "contentKind": "DataConnector", - "displayName": "[Deprecated] CrowdStrike Falcon Endpoint Protection via AMA", - "contentProductId": "[variables('_dataConnectorcontentProductId4')]", - "id": "[variables('_dataConnectorcontentProductId4')]", - "version": "[variables('dataConnectorVersion4')]" + "displayName": "Crowdstrike Falcon Data Replicator V2 (using Azure Functions)", + "contentProductId": "[variables('_dataConnectorcontentProductId2')]", + "id": "[variables('_dataConnectorcontentProductId2')]", + "version": "[variables('dataConnectorVersion2')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId4'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", "dependsOn": [ - "[variables('_dataConnectorId4')]" + "[variables('_dataConnectorId2')]" ], "location": "[parameters('workspace-location')]", "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId4'))]", - "contentId": "[variables('_dataConnectorContentId4')]", + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", + "contentId": "[variables('_dataConnectorContentId2')]", "kind": "DataConnector", - "version": "[variables('dataConnectorVersion4')]", + "version": "[variables('dataConnectorVersion2')]", "source": { "kind": "Solution", "name": "CrowdStrike Falcon Endpoint Protection", @@ -1455,45 +731,77 @@ } }, { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId4'))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", "apiVersion": "2021-03-01-preview", "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", "location": "[parameters('workspace-location')]", "kind": "GenericUI", "properties": { "connectorUiConfig": { - "title": "[Deprecated] CrowdStrike Falcon Endpoint Protection via AMA", - "publisher": "CrowdStrike", - "descriptionMarkdown": "The [CrowdStrike Falcon Endpoint Protection](https://www.crowdstrike.com/endpoint-security-products/) connector allows you to easily connect your CrowdStrike Falcon Event Stream with Microsoft Sentinel, to create custom dashboards, alerts, and improve investigation. This gives you more insight into your organization's endpoints and improves your security operation capabilities.", + "title": "Crowdstrike Falcon Data Replicator V2 (using Azure Functions)", + "publisher": "Crowdstrike", + "descriptionMarkdown": "The [Crowdstrike](https://www.crowdstrike.com/) Falcon Data Replicator connector provides the capability to ingest raw event data from the [Falcon Platform](https://www.crowdstrike.com/blog/tech-center/intro-to-falcon-data-replicator/) events into Microsoft Sentinel. The connector provides ability to get events from Falcon Agents which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more.", "graphQueries": [ { "metricName": "Total data received", - "legend": "CrowdStrikeFalconEventStream", - "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'CrowdStrike'\n |where DeviceProduct =~ 'FalconHost'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" + "legend": "CrowdStrikeReplicatorV2", + "baseQuery": "CrowdStrikeReplicatorV2" } ], "dataTypes": [ { - "name": "CommonSecurityLog (CrowdStrikeFalconEventStream)", - "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'CrowdStrike'\n |where DeviceProduct =~ 'FalconHost'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + "name": "CrowdStrike_Additional_Events_CL", + "lastDataReceivedQuery": "CrowdStrike_Additional_Events_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "ASimNetworkSessionLogs", + "lastDataReceivedQuery": "ASimNetworkSessionLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "ASimDnsActivityLogs", + "lastDataReceivedQuery": "ASimDnsActivityLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "ASimAuditEventLogs", + "lastDataReceivedQuery": "ASimAuditEventLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "ASimFileEventLogs", + "lastDataReceivedQuery": "ASimFileEventLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "ASimAuthenticationEventLogs", + "lastDataReceivedQuery": "ASimAuthenticationEventLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "ASimProcessEventLogs", + "lastDataReceivedQuery": "ASimProcessEventLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "ASimRegistryEventLogs", + "lastDataReceivedQuery": "ASimRegistryEventLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "ASimUserManagementActivityLogs", + "lastDataReceivedQuery": "ASimUserManagementActivityLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "CrowdStrike_Secondary_Data_CL", + "lastDataReceivedQuery": "CrowdStrike_Secondary_Data_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" } ], "connectivityCriterias": [ { "type": "IsConnectedQuery", "value": [ - "CommonSecurityLog\n |where DeviceVendor =~ 'CrowdStrike'\n |where DeviceProduct =~ 'FalconHost'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + "CrowdStrikeReplicatorV2(starttime=ago(3d)) \n |take 1\n | project IsConnected = true " ] } ], "sampleQueries": [ { - "description": "Top 10 Hosts with Detections", - "query": "CrowdStrikeFalconEventStream \n | where EventType == \"DetectionSummaryEvent\" \n| summarize count() by DstHostName \n | top 10 by count_" - }, - { - "description": "Top 10 Users with Detections", - "query": "CrowdStrikeFalconEventStream \n | where EventType == \"DetectionSummaryEvent\" \n| summarize count() by DstUserName \n | top 10 by count_" + "description": "Data Replicator - All Activities", + "query": "CrowdStrikeReplicatorV2 \n | sort by TimeGenerated desc" } ], "availability": { @@ -1504,12 +812,12 @@ "resourceProvider": [ { "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", + "permissionsDisplayText": "read and write permissions on the workspace are required.", "providerDisplayName": "Workspace", "scope": "Workspace", "requiredPermissions": { - "read": true, "write": true, + "read": true, "delete": true } }, @@ -1525,62 +833,54 @@ ], "customs": [ { - "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + "name": "Microsoft.Web/sites permissions", + "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." }, { - "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" + "name": "SQS and AWS S3 account credentials/permissions", + "description": "**AWS_SECRET**, **AWS_REGION_NAME**, **AWS_KEY**, **QUEUE_URL** is required. [See the documentation to learn more about data pulling](https://www.crowdstrike.com/blog/tech-center/intro-to-falcon-data-replicator/). To start, contact CrowdStrike support. At your request they will create a CrowdStrike managed Amazon Web Services (AWS) S3 bucket for short term storage purposes as well as a SQS (simple queue service) account for monitoring changes to the S3 bucket." } ] }, "instructionSteps": [ { - "description": "**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias Crowd Strike Falcon Endpoint Protection and load the function code or click [here](https://aka.ms/sentinel-crowdstrikefalconendpointprotection-parser), on the second line of the query, enter the hostname(s) of your CrowdStrikeFalcon device(s) and any other unique identifiers for the logstream. The function usually takes 10-15 minutes to activate after solution installation/update.", - "instructions": [ - { - "parameters": { - "title": "1. Kindly follow the steps to configure the data connector", - "instructionSteps": [ - { - "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", - "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine" - }, - { - "title": "Step B. Forward CrowdStrike Falcon Event Stream logs to a Syslog agent", - "description": "Deploy the CrowdStrike Falcon SIEM Collector to forward Syslog messages in CEF format to your Microsoft Sentinel workspace via the Syslog agent.\n1. [Follow these instructions](https://www.crowdstrike.com/blog/tech-center/integrate-with-your-siem/) to deploy the SIEM Collector and forward syslog\n2. Use the IP address or hostname for the Linux device with the Linux agent installed as the Destination IP address." - }, - { - "title": "Step C. Validate connection", - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef" - }, - "type": "CopyableLabel" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ] + "description": ">**NOTE:** This connector uses Azure Functions to connect to the AWS SQS / S3 to pull logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details.\n\n>**(Optional Step)** Securely store API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." + }, + { + "description": "1. Configure FDR in CrowdStrike - You must contact the [CrowdStrike support team](https://supportportal.crowdstrike.com/) to enable CrowdStrike FDR.\n\t - Once CrowdStrike FDR is enabled, from the CrowdStrike console, navigate to Support --> API Clients and Keys. \n\t - You need to Create new credentials to copy the AWS Access Key ID, AWS Secret Access Key, SQS Queue URL and AWS Region. \n2. Register AAD application - For DCR to authentiate to ingest data into log analytics, you must use AAD application. \n\t - [Follow the instructions here](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/tutorial-logs-ingestion-portal#create-azure-ad-application) (steps 1-5) to get **AAD Tenant Id**, **AAD Client Id** and **AAD Client Secret**. \n\t - For **AAD Principal** Id of this application, access the AAD App through [AAD Portal](https://aad.portal.azure.com/#view/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/~/AppAppsPreview/menuId/) and capture Object Id from the application overview page.", + "title": "Prerequisites" + }, + { + "description": "Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function", + "title": "Deployment Options" + }, + { + "description": "Use this method for automated deployment of the Crowdstrike Falcon Data Replicator connector V2 using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-CrowdstrikeReplicatorV2-azuredeploy) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://aka.ms/sentinel-CrowdstrikeReplicatorV2-azuredeploy-gov) \t\t\t\n2. Provide the required details such as Microsoft Sentinel Workspace, CrowdStrike AWS credentials, Azure AD Application details and ingestion configurations \n> **NOTE:** Within the same resource group, you can't mix Windows and Linux apps in the same region. Select existing resource group without Windows apps in it or create new resource group. It is recommended to create a new Resource Group for deployment of function app and associated resources.\n3. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n4. Click **Purchase** to deploy.", + "title": "Option 1 - Azure Resource Manager (ARM) Template" + }, + { + "description": "Use the following step-by-step instructions to deploy the Crowdstrike Falcon Data Replicator connector manually with Azure Functions (Deployment via Visual Studio Code).", + "title": "Option 2 - Manual Deployment of Azure Functions" + }, + { + "description": "**1. Deploy DCE, DCR and Custom Tables for data ingestion**\n\n1. Deploy the required DCE, DCR(s) and the Custom Tables by using the [Data Collection Resource ARM template](https://aka.ms/sentinel-CrowdstrikeReplicatorV2-azuredeploy-data-resource) \n2. After successful deployment of DCE and DCR(s), get the below information and keep it handy (required during Azure Functions app deployment).\n\t - DCE log ingestion - Follow the instructions available at [Create data collection endpoint](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/tutorial-logs-ingestion-portal#create-data-collection-endpoint) (Step 3).\n\t - Immutable Ids of one or more DCRs (as applicable) - Follow the instructions available at [Collect information from the DCR](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/tutorial-logs-ingestion-portal#collect-information-from-the-dcr) (Stpe 2)." + }, + { + "description": "**2. Deploy a Function App**\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-CrowdstrikeReplicatorV2-functionapp) file. Extract archive to your local development computer.\n2. Follow the [function app manual deployment instructions](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/AzureFunctionsManualDeployment.md#function-app-manual-deployment-instructions) to deploy the Azure Functions app using VSCode.\n3. After successful deployment of the function app, follow next steps for configuring it." }, { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "2. Secure your machine " + "description": "**3. Configure the Function App**\n\n1. Go to Azure Portal for the Function App configuration.\n2. In the Function App, select the Function App Name and select **Configuration**.\n3. In the **Application settings** tab, select ** New application setting**.\n4. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tAWS_KEY\n\t\tAWS_SECRET\n\t\tAWS_REGION_NAME\n\t\tQUEUE_URL\n\t\tUSER_SELECTION_REQUIRE_RAW //True if raw data is required\n\t\tUSER_SELECTION_REQUIRE_SECONDARY //True if secondary data is required\n\t\tMAX_QUEUE_MESSAGES_MAIN_QUEUE // 100 for consumption and 150 for Premium\n\t\tMAX_SCRIPT_EXEC_TIME_MINUTES // add the value of 10 here\n\t\tAZURE_TENANT_ID\n\t\tAZURE_CLIENT_ID\n\t\tAZURE_CLIENT_SECRET\n\t\tDCE_INGESTION_ENDPOINT\n\t\tNORMALIZED_DCR_ID\n\t\tRAW_DATA_DCR_ID\n\t\tEVENT_TO_TABLE_MAPPING_LINK // File is present on github. Add if the file can be accessed using internet\n\t\tREQUIRED_FIELDS_SCHEMA_LINK //File is present on github. Add if the file can be accessed using internet\n\t\tSchedule //Add value as '0 */1 * * * *' to ensure the function runs every minute.\n5. Once all application settings have been entered, click **Save**." } ], - "id": "[variables('_uiConfigId4')]", - "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution." + "id": "[variables('_uiConfigId2')]", + "additionalRequirementBanner": "These queries and workbooks are dependent on a parser based on Kusto to work as expected. ​Follow the steps to use this Kusto functions alias **CrowdstrikeReplicator** in queries and workbooks [Follow steps to get this Kusto functions>](https://aka.ms/sentinel-crowdstrikereplicator-parser)." } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName5')]", + "name": "[variables('dataConnectorTemplateSpecName3')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" @@ -1589,19 +889,19 @@ "description": "CrowdStrike Falcon Endpoint Protection data connector with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion5')]", + "contentVersion": "[variables('dataConnectorVersion3')]", "parameters": {}, "variables": {}, "resources": [ { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId5'))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId3'))]", "apiVersion": "2021-03-01-preview", "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", "location": "[parameters('workspace-location')]", "kind": "GenericUI", "properties": { "connectorUiConfig": { - "id": "[variables('_uiConfigId5')]", + "id": "[variables('_uiConfigId3')]", "title": "CrowdStrike Falcon Adversary Intelligence (using Azure Functions)", "publisher": "CrowdStrike", "descriptionMarkdown": "The [CrowdStrike](https://www.crowdstrike.com/) Falcon Indicators of Compromise connector retrieves the Indicators of Compromise from the Falcon Intel API and uploads them [Microsoft Sentinel Threat Intel](https://learn.microsoft.com/en-us/azure/sentinel/understand-threat-intelligence).", @@ -1718,12 +1018,12 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId5'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId3'),'/'))))]", "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId5'))]", - "contentId": "[variables('_dataConnectorContentId5')]", + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId3'))]", + "contentId": "[variables('_dataConnectorContentId3')]", "kind": "DataConnector", - "version": "[variables('dataConnectorVersion5')]", + "version": "[variables('dataConnectorVersion3')]", "source": { "kind": "Solution", "name": "CrowdStrike Falcon Endpoint Protection", @@ -1748,27 +1048,27 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId5')]", + "contentId": "[variables('_dataConnectorContentId3')]", "contentKind": "DataConnector", "displayName": "CrowdStrike Falcon Adversary Intelligence (using Azure Functions)", - "contentProductId": "[variables('_dataConnectorcontentProductId5')]", - "id": "[variables('_dataConnectorcontentProductId5')]", - "version": "[variables('dataConnectorVersion5')]" + "contentProductId": "[variables('_dataConnectorcontentProductId3')]", + "id": "[variables('_dataConnectorcontentProductId3')]", + "version": "[variables('dataConnectorVersion3')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId5'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId3'),'/'))))]", "dependsOn": [ - "[variables('_dataConnectorId5')]" + "[variables('_dataConnectorId3')]" ], "location": "[parameters('workspace-location')]", "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId5'))]", - "contentId": "[variables('_dataConnectorContentId5')]", + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId3'))]", + "contentId": "[variables('_dataConnectorContentId3')]", "kind": "DataConnector", - "version": "[variables('dataConnectorVersion5')]", + "version": "[variables('dataConnectorVersion3')]", "source": { "kind": "Solution", "name": "CrowdStrike Falcon Endpoint Protection", @@ -1787,7 +1087,7 @@ } }, { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId5'))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId3'))]", "apiVersion": "2021-03-01-preview", "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", "location": "[parameters('workspace-location')]", @@ -1904,7 +1204,7 @@ "description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select ** New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tCROWDSTRIKE_CLIENT_ID\n\t\tCROWDSTRIKE_CLIENT_SECRET\n\t\tCROWDSTRIKE_BASE_URL\n\t\tTENANT_ID\n\t\tINDICATORS\n\t\tWorkspaceKey\n\t\tAAD_CLIENT_ID\n\t\tAAD_CLIENT_SECRET \n\t\tLOOK_BACK_DAYS \n\t\tWORKSPACE_ID \n4. Once all application settings have been entered, click **Save**." } ], - "id": "[variables('_uiConfigId5')]" + "id": "[variables('_uiConfigId3')]" } } }, @@ -2428,18 +1728,6 @@ "triggerThreshold": 0, "status": "Available", "requiredDataConnectors": [ - { - "dataTypes": [ - "CommonSecurityLog" - ], - "connectorId": "CrowdStrikeFalconEndpointProtection" - }, - { - "dataTypes": [ - "CommonSecurityLog" - ], - "connectorId": "CrowdStrikeFalconEndpointProtectionAma" - }, { "dataTypes": [ "CommonSecurityLog" @@ -2569,18 +1857,6 @@ "triggerThreshold": 0, "status": "Available", "requiredDataConnectors": [ - { - "dataTypes": [ - "CommonSecurityLog" - ], - "connectorId": "CrowdStrikeFalconEndpointProtection" - }, - { - "dataTypes": [ - "CommonSecurityLog" - ], - "connectorId": "CrowdStrikeFalconEndpointProtectionAma" - }, { "dataTypes": [ "CommonSecurityLog" @@ -5635,7 +4911,7 @@ "contentSchemaVersion": "3.0.0", "displayName": "CrowdStrike Falcon Endpoint Protection", "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", - "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The CrowdStrike Falcon Endpoint Protection solution allows you to easily connect your CrowdStrike Falcon Event Stream with Microsoft Sentinel, to create custom dashboards, alerts, and improve investigation. This gives you more insight into your organization's endpoints and improves your security operation capabilities.

\n

This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.

\n

Data Connectors: 5, Parsers: 3, Workbooks: 1, Analytic Rules: 2, Playbooks: 3

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The CrowdStrike Falcon Endpoint Protection solution allows you to easily connect your CrowdStrike Falcon Event Stream with Microsoft Sentinel, to create custom dashboards, alerts, and improve investigation. This gives you more insight into your organization's endpoints and improves your security operation capabilities.

\n

This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.

\n

Data Connectors: 4, Parsers: 3, Workbooks: 1, Analytic Rules: 2, Playbooks: 3

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -5674,16 +4950,6 @@ "contentId": "[variables('_dataConnectorContentId3')]", "version": "[variables('dataConnectorVersion3')]" }, - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId4')]", - "version": "[variables('dataConnectorVersion4')]" - }, - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId5')]", - "version": "[variables('dataConnectorVersion5')]" - }, { "kind": "Parser", "contentId": "[variables('parserObject1').parserContentId1]", diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/ReleaseNotes.md b/Solutions/CrowdStrike Falcon Endpoint Protection/ReleaseNotes.md index de279d00023..3d0963325d2 100644 --- a/Solutions/CrowdStrike Falcon Endpoint Protection/ReleaseNotes.md +++ b/Solutions/CrowdStrike Falcon Endpoint Protection/ReleaseNotes.md @@ -1,7 +1,8 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|--------------------------------------------------------------------------------| -| 3.0.9 | 20-09-2024 | Updated the python runtime version to 3.11 | -| 3.0.8 | 10-07-2024 | Deprecated **Data Connector** | +| 3.0.9 | 12-11-2024 | Removed deprecated data connectors | +| | | Updated the python runtime version to 3.11 | +| 3.0.8 | 10-07-2024 | Deprecated **Data Connector** | | 3.0.7 | 20-06-2024 | Shortlinks updated for **Data Connector** CrowdStrike Falcon Indicators of Compromise | | 3.0.6 | 06-06-2024 | Renamed **Data Connector** *CrowdStrike Falcon Indicators of Compromise* to *CrowdStrike Falcon Adversary Intelligence* | | 3.0.5 | 30-05-2024 | Added new Function App **Data Connector** CrowdStrike Falcon Indicators of Compromise | diff --git a/Solutions/Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel/Data/Solution_Fortinet-Fortigate.json b/Solutions/Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel/Data/Solution_Fortinet-Fortigate.json index ec83126984b..3b7995cf2f7 100644 --- a/Solutions/Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel/Data/Solution_Fortinet-Fortigate.json +++ b/Solutions/Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel/Data/Solution_Fortinet-Fortigate.json @@ -3,10 +3,6 @@ "Author": "Microsoft - support@microsoft.com", "Logo": "", "Description": "Gain insight into your organization's network and improve your security operation capabilities with the [Fortinet FortiGate Next-generation Firewall](https://www.fortinet.com/products/next-generation-firewall) Solution for Microsoft Sentinel. It allows you to easily connect your FortiGate logs with Microsoft Sentinel. This enables you to view dashboards, create custom alerts, and improve investigation. \n\n Playbooks are included to help in automated remediation \n\n For questions about [FortiGate](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/fortinet.fortinet_fortigate-vm_v5?tab=Overview), please contact Fortinet at [azuresales@fortinet.com](mailto:azuresales@fortinet.com).\n\n This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation. \n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.", - "Data Connectors": [ - "Data Connectors/Fortinet-FortiGate.json", - "Data Connectors/template_Fortinet-FortiGateAma.json" - ], "Playbooks": [ "Playbooks/FortinetFortigateFunctionApp/azuredeploy.json", "Playbooks/FortinetCustomConnector/azuredeploy.json", @@ -21,7 +17,7 @@ "azuresentinel.azure-sentinel-solution-commoneventformat" ], "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel", - "Version": "3.0.6", + "Version": "3.0.7", "Metadata": "SolutionMetadata.json", "TemplateSpec": true } \ No newline at end of file diff --git a/Solutions/Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel/Package/3.0.7.zip b/Solutions/Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel/Package/3.0.7.zip new file mode 100644 index 00000000000..22f9405089b Binary files /dev/null and b/Solutions/Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel/Package/3.0.7.zip differ diff --git a/Solutions/Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel/Package/createUiDefinition.json b/Solutions/Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel/Package/createUiDefinition.json index 3d36e030742..a683207bed8 100644 --- a/Solutions/Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel/Package/createUiDefinition.json +++ b/Solutions/Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel/Package/createUiDefinition.json @@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Fortinet%20FortiGate%20Next-Generation%20Firewall%20connector%20for%20Microsoft%20Sentinel/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nGain insight into your organization's network and improve your security operation capabilities with the [Fortinet FortiGate Next-generation Firewall](https://www.fortinet.com/products/next-generation-firewall) Solution for Microsoft Sentinel. It allows you to easily connect your FortiGate logs with Microsoft Sentinel. This enables you to view dashboards, create custom alerts, and improve investigation. \n\n Playbooks are included to help in automated remediation \n\n For questions about [FortiGate](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/fortinet.fortinet_fortigate-vm_v5?tab=Overview), please contact Fortinet at [azuresales@fortinet.com](mailto:azuresales@fortinet.com).\n\n This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation. \n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.\n\n**Data Connectors:** 2, **Workbooks:** 1, **Custom Azure Logic Apps Connectors:** 1, **Function Apps:** 1, **Playbooks:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Fortinet%20FortiGate%20Next-Generation%20Firewall%20connector%20for%20Microsoft%20Sentinel/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nGain insight into your organization's network and improve your security operation capabilities with the [Fortinet FortiGate Next-generation Firewall](https://www.fortinet.com/products/next-generation-firewall) Solution for Microsoft Sentinel. It allows you to easily connect your FortiGate logs with Microsoft Sentinel. This enables you to view dashboards, create custom alerts, and improve investigation. \n\n Playbooks are included to help in automated remediation \n\n For questions about [FortiGate](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/fortinet.fortinet_fortigate-vm_v5?tab=Overview), please contact Fortinet at [azuresales@fortinet.com](mailto:azuresales@fortinet.com).\n\n This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation. \n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.\n\n**Data Connector:** 1,**Workbooks:** 1, **Custom Azure Logic Apps Connectors:** 1, **Function Apps:** 1, **Playbooks:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", @@ -51,30 +51,6 @@ } ], "steps": [ - { - "name": "dataconnectors", - "label": "Data Connectors", - "bladeTitle": "Data Connectors", - "elements": [ - { - "name": "dataconnectors1-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This Solution installs the data connector for Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel. You can get Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." - } - }, - { - "name": "dataconnectors-link2", - "type": "Microsoft.Common.TextBlock", - "options": { - "link": { - "label": "Learn more about connecting data sources", - "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources" - } - } - } - ] - }, { "name": "workbooks", "label": "Workbooks", diff --git a/Solutions/Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel/Package/mainTemplate.json b/Solutions/Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel/Package/mainTemplate.json index 7dc0b9e16eb..bab28c10f6b 100644 --- a/Solutions/Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel/Package/mainTemplate.json +++ b/Solutions/Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel/Package/mainTemplate.json @@ -41,27 +41,9 @@ "email": "support@microsoft.com", "_email": "[variables('email')]", "_solutionName": "Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel", - "_solutionVersion": "3.0.6", + "_solutionVersion": "3.0.7", "solutionId": "azuresentinel.azure-sentinel-solution-fortinetfortigate", "_solutionId": "[variables('solutionId')]", - "uiConfigId1": "Fortinet", - "_uiConfigId1": "[variables('uiConfigId1')]", - "dataConnectorContentId1": "Fortinet", - "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", - "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "_dataConnectorId1": "[variables('dataConnectorId1')]", - "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", - "dataConnectorVersion1": "1.0.0", - "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", - "uiConfigId2": "FortinetAma", - "_uiConfigId2": "[variables('uiConfigId2')]", - "dataConnectorContentId2": "FortinetAma", - "_dataConnectorContentId2": "[variables('dataConnectorContentId2')]", - "dataConnectorId2": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", - "_dataConnectorId2": "[variables('dataConnectorId2')]", - "dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]", - "dataConnectorVersion2": "1.0.0", - "_dataConnectorcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]", "FortinetFortigateFunctionApp": "FortinetFortigateFunctionApp", "_FortinetFortigateFunctionApp": "[variables('FortinetFortigateFunctionApp')]", "playbookVersion1": "1.0", @@ -112,798 +94,6 @@ "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, "resources": [ - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel data connector with template version 3.0.6", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion1')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId1')]", - "title": "[Deprecated] Fortinet via Legacy Agent", - "publisher": "Fortinet", - "logo": "FortinetLogo.svg", - "descriptionMarkdown": "The Fortinet firewall connector allows you to easily connect your Fortinet logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "Fortinet", - "baseQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Fortinet\"\n| where DeviceProduct startswith \"Fortigate\"\n" - } - ], - "sampleQueries": [ - { - "description": "All logs", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Fortinet\"\n| where DeviceProduct startswith \"Fortigate\"\n\n | sort by TimeGenerated" - }, - { - "description": "Summarize by destination IP and port", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Fortinet\"\n| where DeviceProduct startswith \"Fortigate\"\n\n | summarize count() by DestinationIP, DestinationPort, TimeGenerated​\n | sort by TimeGenerated" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "\nCommonSecurityLog\n| where DeviceVendor == \"Fortinet\"\n| where DeviceProduct startswith \"Fortigate\"\n\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)" - ] - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (Fortinet)", - "lastDataReceivedQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Fortinet\"\n| where DeviceProduct startswith \"Fortigate\"\n\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "availability": { - "status": 2, - "isPreview": false, - "featureFlag": { - "feature": "FortinetConnector", - "featureStates": { - "1": 2, - "2": 2, - "3": 2, - "4": 2, - "5": 2, - "6": 1, - "7": 1 - } - } - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", - "innerSteps": [ - { - "title": "1.1 Select or create a Linux machine", - "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." - }, - { - "title": "1.2 Install the CEF collector on the Linux machine", - "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python --version.\n\n> 2. You must have elevated permissions (sudo) on your machine.", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId", - "PrimaryKey" - ], - "label": "Run the following command to install and apply the CEF collector:", - "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py &&sudo python cef_installer.py {0} {1}" - }, - "type": "CopyableLabel" - } - ] - } - ], - "title": "1. Linux Syslog agent configuration" - }, - { - "description": "Set your Fortinet to send Syslog messages in CEF format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machine’s IP address.\n\n\nCopy the CLI commands below and:\n- Replace \"server <ip address>\" with the Syslog agent's IP address.\n- Set the \"<facility_name>\" to use the facility you configured in the Syslog agent (by default, the agent sets this to local4).\n- Set the Syslog port to 514, the port your agent uses.\n- To enable CEF format in early FortiOS versions, you may need to run the command \"set csv disable\".\n\nFor more information, go to the [Fortinet Document Library](https://aka.ms/asi-syslog-fortinet-fortinetdocumentlibrary), choose your version, and use the \"Handbook\" and \"Log Message Reference\" PDFs.\n\n[Learn more >](https://aka.ms/CEF-Fortinet)", - "instructions": [ - { - "parameters": { - "label": "Set up the connection using the CLI to run the following commands:", - "value": "config log syslogd setting\n set status enable\nset format cef\nset port 514\nset server \nend", - "rows": 8 - }, - "type": "CopyableLabel" - } - ], - "title": "2. Forward Fortinet logs to Syslog agent" - }, - { - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python --version\n\n>2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py &&sudo python cef_troubleshoot.py {0}" - }, - "type": "CopyableLabel" - } - ], - "title": "3. Validate connection" - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "4. Secure your machine " - } - ], - "metadata": { - "id": "19ecaeff-8959-4cb8-a11e-a150ecd5a494", - "version": "1.0.0", - "kind": "dataConnector", - "source": { - "kind": "community" - }, - "author": { - "name": "Fortinet" - }, - "support": { - "name": "Fortinet", - "link": "https://www.fortinet.com/support/contact", - "tier": "developer" - } - } - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId1')]", - "contentKind": "DataConnector", - "displayName": "[Deprecated] Fortinet via Legacy Agent", - "contentProductId": "[variables('_dataConnectorcontentProductId1')]", - "id": "[variables('_dataConnectorcontentProductId1')]", - "version": "[variables('dataConnectorVersion1')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId1')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "[Deprecated] Fortinet via Legacy Agent", - "publisher": "Fortinet", - "descriptionMarkdown": "The Fortinet firewall connector allows you to easily connect your Fortinet logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "Fortinet", - "baseQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Fortinet\"\n| where DeviceProduct startswith \"Fortigate\"\n" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (Fortinet)", - "lastDataReceivedQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Fortinet\"\n| where DeviceProduct startswith \"Fortigate\"\n\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "\nCommonSecurityLog\n| where DeviceVendor == \"Fortinet\"\n| where DeviceProduct startswith \"Fortigate\"\n\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)" - ] - } - ], - "sampleQueries": [ - { - "description": "All logs", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Fortinet\"\n| where DeviceProduct startswith \"Fortigate\"\n\n | sort by TimeGenerated" - }, - { - "description": "Summarize by destination IP and port", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Fortinet\"\n| where DeviceProduct startswith \"Fortigate\"\n\n | summarize count() by DestinationIP, DestinationPort, TimeGenerated​\n | sort by TimeGenerated" - } - ], - "availability": { - "status": 2, - "isPreview": false, - "featureFlag": { - "feature": "FortinetConnector", - "featureStates": { - "1": 2, - "2": 2, - "3": 2, - "4": 2, - "5": 2, - "6": 1, - "7": 1 - } - } - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", - "innerSteps": [ - { - "title": "1.1 Select or create a Linux machine", - "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." - }, - { - "title": "1.2 Install the CEF collector on the Linux machine", - "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python --version.\n\n> 2. You must have elevated permissions (sudo) on your machine.", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId", - "PrimaryKey" - ], - "label": "Run the following command to install and apply the CEF collector:", - "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py &&sudo python cef_installer.py {0} {1}" - }, - "type": "CopyableLabel" - } - ] - } - ], - "title": "1. Linux Syslog agent configuration" - }, - { - "description": "Set your Fortinet to send Syslog messages in CEF format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machine’s IP address.\n\n\nCopy the CLI commands below and:\n- Replace \"server <ip address>\" with the Syslog agent's IP address.\n- Set the \"<facility_name>\" to use the facility you configured in the Syslog agent (by default, the agent sets this to local4).\n- Set the Syslog port to 514, the port your agent uses.\n- To enable CEF format in early FortiOS versions, you may need to run the command \"set csv disable\".\n\nFor more information, go to the [Fortinet Document Library](https://aka.ms/asi-syslog-fortinet-fortinetdocumentlibrary), choose your version, and use the \"Handbook\" and \"Log Message Reference\" PDFs.\n\n[Learn more >](https://aka.ms/CEF-Fortinet)", - "instructions": [ - { - "parameters": { - "label": "Set up the connection using the CLI to run the following commands:", - "value": "config log syslogd setting\n set status enable\nset format cef\nset port 514\nset server \nend", - "rows": 8 - }, - "type": "CopyableLabel" - } - ], - "title": "2. Forward Fortinet logs to Syslog agent" - }, - { - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python --version\n\n>2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py &&sudo python cef_troubleshoot.py {0}" - }, - "type": "CopyableLabel" - } - ], - "title": "3. Validate connection" - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "4. Secure your machine " - } - ], - "id": "[variables('_uiConfigId1')]" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName2')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel data connector with template version 3.0.6", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion2')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId2')]", - "title": "[Deprecated] Fortinet via AMA", - "publisher": "Fortinet", - "logo": "FortinetLogo.svg", - "descriptionMarkdown": "The Fortinet firewall connector allows you to easily connect your Fortinet logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "Fortinet", - "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Fortinet'\n |where DeviceProduct =~ 'Fortigate'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" - } - ], - "sampleQueries": [ - { - "description": "All logs", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Fortinet\"\n| where DeviceProduct startswith \"Fortigate\"\n\n | sort by TimeGenerated" - }, - { - "description": "Summarize by destination IP and port", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Fortinet\"\n| where DeviceProduct startswith \"Fortigate\"\n\n | summarize count() by DestinationIP, DestinationPort, TimeGenerated​\n | sort by TimeGenerated" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "CommonSecurityLog\n |where DeviceVendor =~ 'Fortinet'\n |where DeviceProduct =~ 'Fortigate'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (Fortinet)", - "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Fortinet'\n |where DeviceProduct =~ 'Fortigate'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "availability": { - "status": 1, - "isPreview": false, - "featureFlag": { - "feature": "FortinetConnector", - "featureStates": { - "1": 2, - "2": 2, - "3": 2, - "4": 2, - "5": 2, - "6": 1, - "7": 1 - } - } - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" - }, - { - "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" - } - ] - }, - "instructionSteps": [ - { - "instructions": [ - { - "parameters": { - "title": "1. Kindly follow the steps to configure the data connector", - "instructionSteps": [ - { - "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", - "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine" - }, - { - "title": "Step B. Forward Fortinet logs to Syslog agent", - "description": "Set your Fortinet to send Syslog messages in CEF format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machine’s IP address.\n\n\nCopy the CLI commands below and:\n- Replace \"server <ip address>\" with the Syslog agent's IP address.\n- Set the \"<facility_name>\" to use the facility you configured in the Syslog agent (by default, the agent sets this to local4).\n- Set the Syslog port to 514, the port your agent uses.\n- To enable CEF format in early FortiOS versions, you may need to run the command \"set csv disable\".\n\nFor more information, go to the [Fortinet Document Library](https://aka.ms/asi-syslog-fortinet-fortinetdocumentlibrary), choose your version, and use the \"Handbook\" and \"Log Message Reference\" PDFs.\n\n[Learn more >](https://aka.ms/CEF-Fortinet)", - "instructions": [ - { - "parameters": { - "label": "Set up the connection using the CLI to run the following commands:", - "value": "config log syslogd setting\n set status enable\nset format cef\nset port 514\nset server \nend", - "rows": 8 - }, - "type": "CopyableLabel" - } - ] - }, - { - "title": "Step C. Validate connection", - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef" - }, - "type": "CopyableLabel" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ] - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "2. Secure your machine " - } - ], - "metadata": { - "id": "19ecaeff-8959-4cb8-a11e-a150ecd5a494", - "version": "1.0.0", - "kind": "dataConnector", - "source": { - "kind": "community" - }, - "author": { - "name": "Fortinet" - }, - "support": { - "name": "Fortinet", - "link": "https://www.fortinet.com/support/contact", - "tier": "developer" - } - } - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", - "contentId": "[variables('_dataConnectorContentId2')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion2')]", - "source": { - "kind": "Solution", - "name": "Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId2')]", - "contentKind": "DataConnector", - "displayName": "[Deprecated] Fortinet via AMA", - "contentProductId": "[variables('_dataConnectorcontentProductId2')]", - "id": "[variables('_dataConnectorcontentProductId2')]", - "version": "[variables('dataConnectorVersion2')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId2')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", - "contentId": "[variables('_dataConnectorContentId2')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion2')]", - "source": { - "kind": "Solution", - "name": "Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "[Deprecated] Fortinet via AMA", - "publisher": "Fortinet", - "descriptionMarkdown": "The Fortinet firewall connector allows you to easily connect your Fortinet logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "Fortinet", - "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Fortinet'\n |where DeviceProduct =~ 'Fortigate'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (Fortinet)", - "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Fortinet'\n |where DeviceProduct =~ 'Fortigate'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "CommonSecurityLog\n |where DeviceVendor =~ 'Fortinet'\n |where DeviceProduct =~ 'Fortigate'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "sampleQueries": [ - { - "description": "All logs", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Fortinet\"\n| where DeviceProduct startswith \"Fortigate\"\n\n | sort by TimeGenerated" - }, - { - "description": "Summarize by destination IP and port", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Fortinet\"\n| where DeviceProduct startswith \"Fortigate\"\n\n | summarize count() by DestinationIP, DestinationPort, TimeGenerated​\n | sort by TimeGenerated" - } - ], - "availability": { - "status": 1, - "isPreview": false, - "featureFlag": { - "feature": "FortinetConnector", - "featureStates": { - "1": 2, - "2": 2, - "3": 2, - "4": 2, - "5": 2, - "6": 1, - "7": 1 - } - } - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" - }, - { - "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" - } - ] - }, - "instructionSteps": [ - { - "instructions": [ - { - "parameters": { - "title": "1. Kindly follow the steps to configure the data connector", - "instructionSteps": [ - { - "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", - "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine" - }, - { - "title": "Step B. Forward Fortinet logs to Syslog agent", - "description": "Set your Fortinet to send Syslog messages in CEF format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machine’s IP address.\n\n\nCopy the CLI commands below and:\n- Replace \"server <ip address>\" with the Syslog agent's IP address.\n- Set the \"<facility_name>\" to use the facility you configured in the Syslog agent (by default, the agent sets this to local4).\n- Set the Syslog port to 514, the port your agent uses.\n- To enable CEF format in early FortiOS versions, you may need to run the command \"set csv disable\".\n\nFor more information, go to the [Fortinet Document Library](https://aka.ms/asi-syslog-fortinet-fortinetdocumentlibrary), choose your version, and use the \"Handbook\" and \"Log Message Reference\" PDFs.\n\n[Learn more >](https://aka.ms/CEF-Fortinet)", - "instructions": [ - { - "parameters": { - "label": "Set up the connection using the CLI to run the following commands:", - "value": "config log syslogd setting\n set status enable\nset format cef\nset port 514\nset server \nend", - "rows": 8 - }, - "type": "CopyableLabel" - } - ] - }, - { - "title": "Step C. Validate connection", - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef" - }, - "type": "CopyableLabel" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ] - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "2. Secure your machine " - } - ], - "id": "[variables('_uiConfigId2')]" - } - } - }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", @@ -913,7 +103,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FortinetFortigateFunctionApp Playbook with template version 3.0.6", + "description": "FortinetFortigateFunctionApp Playbook with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion1')]", @@ -1024,11 +214,11 @@ "appSettings": [ { "name": "AzureWebJobsStorage", - "value": "[[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';EndpointSuffix=', environment().suffixes.storage, ';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2022-09-01').keys[0].value)]" + "value": "[[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';EndpointSuffix=', environment().suffixes.storage, ';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2023-04-01').keys[0].value)]" }, { "name": "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING", - "value": "[[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';EndpointSuffix=', environment().suffixes.storage, ';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2022-09-01').keys[0].value)]" + "value": "[[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';EndpointSuffix=', environment().suffixes.storage, ';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2023-04-01').keys[0].value)]" }, { "name": "WEBSITE_CONTENTSHARE", @@ -1192,7 +382,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FortinetCustomConnector Playbook with template version 3.0.6", + "description": "FortinetCustomConnector Playbook with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion2')]", @@ -2801,7 +1991,7 @@ ], "metadata": { "comments": "This Fortinet custom connector uses Fortinet-Fortigate API to perform different actions on Forinet VM", - "lastUpdateTime": "2024-08-22T10:53:14.293Z", + "lastUpdateTime": "2024-11-11T16:34:06.399Z", "releaseNotes": { "version": "1.0", "title": "[variables('blanks')]", @@ -2833,7 +2023,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Fortinet-FortiGate-IPEnrichment Playbook with template version 3.0.6", + "description": "Fortinet-FortiGate-IPEnrichment Playbook with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion3')]", @@ -6286,10 +5476,7 @@ "type": "Microsoft.Logic/workflows", "location": "[[variables('workspace-location-inline')]", "identity": { - "type": "UserAssigned", - "userAssignedIdentities": { - "[[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('User Identifier Name'))]": {} - } + "type": "UserAssigned" }, "apiVersion": "2016-06-01", "tags": { @@ -6396,7 +5583,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Fortinet-FortiGate-ResponseOnBlockIP Playbook with template version 3.0.6", + "description": "Fortinet-FortiGate-ResponseOnBlockIP Playbook with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion4')]", @@ -6515,10 +5702,7 @@ "name": "[[parameters('PlaybookName')]", "location": "[[variables('workspace-location-inline')]", "identity": { - "type": "UserAssigned", - "userAssignedIdentities": { - "[[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('User Identifier Name'))]": {} - } + "type": "UserAssigned" }, "dependsOn": [ "[[resourceId('Microsoft.Web/connections', variables('FortinetConnectorConnectionName'))]", @@ -10482,7 +9666,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Fortinet-FortiGate-ResponseOnBlockURL Playbook with template version 3.0.6", + "description": "Fortinet-FortiGate-ResponseOnBlockURL Playbook with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion5')]", @@ -12091,7 +11275,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Fortigate Workbook with template version 3.0.6", + "description": "Fortigate Workbook with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", @@ -12147,10 +11331,6 @@ "contentId": "CommonSecurityLog", "kind": "DataType" }, - { - "contentId": "Fortinet", - "kind": "DataConnector" - }, { "contentId": "CefAma", "kind": "DataConnector" @@ -12179,12 +11359,12 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.6", + "version": "3.0.7", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel", "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", - "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

Gain insight into your organization's network and improve your security operation capabilities with the Fortinet FortiGate Next-generation Firewall Solution for Microsoft Sentinel. It allows you to easily connect your FortiGate logs with Microsoft Sentinel. This enables you to view dashboards, create custom alerts, and improve investigation.

\n

Playbooks are included to help in automated remediation

\n

For questions about FortiGate, please contact Fortinet at azuresales@fortinet.com.

\n

This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.

\n

Data Connectors: 2, Workbooks: 1, Custom Azure Logic Apps Connectors: 1, Function Apps: 1, Playbooks: 3

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

Gain insight into your organization's network and improve your security operation capabilities with the Fortinet FortiGate Next-generation Firewall Solution for Microsoft Sentinel. It allows you to easily connect your FortiGate logs with Microsoft Sentinel. This enables you to view dashboards, create custom alerts, and improve investigation.

\n

Playbooks are included to help in automated remediation

\n

For questions about FortiGate, please contact Fortinet at azuresales@fortinet.com.

\n

This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.

\n

Data Connector: 1,Workbooks: 1, Custom Azure Logic Apps Connectors: 1, Function Apps: 1, Playbooks: 3

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -12208,16 +11388,6 @@ }, "dependencies": { "criteria": [ - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId1')]", - "version": "[variables('dataConnectorVersion1')]" - }, - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId2')]", - "version": "[variables('dataConnectorVersion2')]" - }, { "kind": "AzureFunction", "contentId": "[variables('_FortinetFortigateFunctionApp')]", diff --git a/Solutions/Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel/ReleaseNotes.md b/Solutions/Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel/ReleaseNotes.md index 43c087e94b8..a5dd7855c87 100644 --- a/Solutions/Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel/ReleaseNotes.md +++ b/Solutions/Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel/ReleaseNotes.md @@ -1,5 +1,6 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|-----------------------------------------------------------------------------------------| +| 3.0.7 | 11-11-2024 |Removed Deprecated data connectors | | 3.0.6 | 22-08-2024 |Deprecated data connectors | | 3.0.5 | 05-04-2024 |Workbook queries are optimized to fix timeout issues | | 3.0.4 | 29-01-2024 |Classic app insights to Log analytics | diff --git a/Workbooks/WorkbooksMetadata.json b/Workbooks/WorkbooksMetadata.json index 5b137d727b8..c452beca764 100644 --- a/Workbooks/WorkbooksMetadata.json +++ b/Workbooks/WorkbooksMetadata.json @@ -364,7 +364,6 @@ "CommonSecurityLog" ], "dataConnectorsDependencies": [ - "Fortinet", "CefAma" ], "previewImagesFileNames": [ @@ -1328,7 +1327,7 @@ "CommonSecurityLog" ], "dataConnectorsDependencies": [ - "Fortinet" + "CefAma" ], "previewImagesFileNames": [ "workbook-iotassetdiscovery-screenshot-Black.PNG", @@ -5525,7 +5524,6 @@ "Corelight", "AIVectraStream", "CheckPoint", - "Fortinet", "CiscoMeraki", "CefAma" ],