forked from Azure/Azure-Sentinel
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathNXLogBSMmacOS.json
95 lines (95 loc) · 4.03 KB
/
NXLogBSMmacOS.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
{
"id": "NXLogBSMmacOS",
"title": "NXLog BSM macOS",
"publisher": "NXLog",
"descriptionMarkdown": "The NXLog [BSM](https://nxlog.co/documentation/nxlog-user-guide/im_bsm.html) macOS data connector uses Sun's Basic Security Module (BSM) Auditing API to read events directly from the kernel for capturing audit events on the macOS platform. This REST API connector can efficiently export macOS audit events to Azure Sentinel in real-time.",
"graphQueries": [
{
"metricName": "Total data received",
"legend": "BSMmacOS_CL",
"baseQuery": "BSMmacOS_CL"
}
],
"sampleQueries": [
{
"description" : "Most frequent event types",
"query": "BSMmacOS_CL\n| summarize EventCount = count() by EventType_s\n| where strlen(EventType_s) > 1\n| project Eventype = EventType_s, EventCount\n| order by EventCount desc\n| render barchart"
},
{
"description" : "Most frequent event names",
"query": "BSMmacOS_CL\n| summarize EventCount = count() by EventName_s\n| project EventCount, EventName = EventName_s\n| where strlen(EventName) > 1\n| order by EventCount desc\n| render barchart"
},
{
"description" : "Distribution of (notification) texts",
"query": "BSMmacOS_CL\n| summarize EventCount = count() by Text_s\n| where strlen(Text_s) > 1\n| order by EventCount\n| render piechart"
}
],
"dataTypes": [
{
"name": "BSMmacOS_CL",
"lastDataReceivedQuery": "BSMmacOS_CL | summarize Time = max(TimeGenerated) | where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"BSMmacOS_CL | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(30d)"
]
}
],
"availability": {
"status": 1,
"isPreview": true
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"read": true,
"delete": true
}
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"action": true
}
}
]
},
"instructionSteps": [
{
"title": "",
"description": "Follow the step-by-step instructions in the *NXLog User Guide* Integration Topic [Microsoft Azure Sentinel](https://nxlog.co/documentation/nxlog-user-guide/sentinel.html) to configure this connector.",
"instructions": [
{
"parameters": {
"fillWith": [
"WorkspaceId"
],
"label": "Workspace ID"
},
"type": "CopyableLabel"
},
{
"parameters": {
"fillWith": [
"PrimaryKey"
],
"label": "Primary Key"
},
"type": "CopyableLabel"
}
]
}
]
}