{
"id": "NXLogLinuxAudit",
"title": "NXLog LinuxAudit",
"publisher": "NXLog",
"descriptionMarkdown": "The NXLog [LinuxAudit](https://nxlog.co/documentation/nxlog-user-guide/im_linuxaudit.html) data connector supports custom audit rules and collects logs without auditd or any other user-space software. IP addresses and group/user IDs are resolved to their respective names, making [Linux audit](https://nxlog.co/documentation/nxlog-user-guide/linux-audit.html) logs more intelligible to security analysts. This REST API connector can efficiently export Linux security events to Azure Sentinel in real time.",
"graphQueries": [
{
"metricName": "Total data received",
"legend": "LinuxAudit_CL",
"baseQuery": "LinuxAudit_CL"
}
],
"sampleQueries": [
{
"description" : "Most frequent type",
"query": "LinuxAudit_CL\n| summarize EventCount = count() by type_s \n| where strlen(type_s) > 1 \n| render barchart"
},
{
"description" : "Most frequent comm",
"query": "LinuxAudit_CL\n| summarize EventCount = count() by comm_s\n| where strlen(comm_s) > 1\n| render barchart"
},
{
"description" : "Most frequent name",
"query": "LinuxAudit_CL\n| summarize EventCount = count() by name_s\n| where strlen(name_s) > 1\n| render barchart"
}
],
"dataTypes": [
{
"name": "LinuxAudit_CL",
"lastDataReceivedQuery": "LinuxAudit_CL | summarize Time = max(TimeGenerated) | where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"LinuxAudit_CL | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(30d)"
]
}
],
"availability": {
"status": 1,
"isPreview": true
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"read": true,
"delete": true
}
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"action": true
}
}
]
},
"instructionSteps": [
{
"title": "",
"description": "Follow the step-by-step instructions in the *NXLog User Guide* Integration Topic [Microsoft Azure Sentinel](https://nxlog.co/documentation/nxlog-user-guide/sentinel.html) to configure this connector.",
"instructions": [
{
"parameters": {
"fillWith": [
"WorkspaceId"
],
"label": "Workspace ID"
},
"type": "CopyableLabel"
},
{
"parameters": {
"fillWith": [
"PrimaryKey"
],
"label": "Primary Key"
},
"type": "CopyableLabel"
}
]
}
],
"metadata": {
"id": "3969d734-ab64-44fe-ac9b-73d758e0e814",
"version": "1.0.0",
"kind": "dataConnector",
"source": {
"kind": "community"
},
"author": {
"name": "NXLog"
},
"support": {
"name": "NXLog",
"link": "https://nxlog.co/community-forum",
"tier": "developer"
}
}
}