Forum Discussion
Linux and Untangle Support
Hello all,
We're conducting tests regarding Azure Sentinel's features and wanted to clarify some points.
- Regarding Syslog for Linux devices, it only seems that 11 preconfigured analytic templates come pre-built with Sentinel, is there a way to have more ? In order to cover more of the possible issues / alerts such as Privilege Escalation, Logs cleared, Credential acquisition, port forwarding...
- If we want to monitor firewalls that do not have a connector pre-built in Sentinel such as Untangle Firewall, what are the required steps to follow ? Is there any parsing needed to be done from a side ?
4 Replies
- Is it possible to add firewall rules in untangle via xml using API?
- 1. There are a few extra Detections in the Github and you can author your own https://github.com/Azure/Azure-Sentinel/tree/master/Detections/Syslog you can even post them back to the Github for others to use. 3rd party sites like SOC Prime and other Githubs have lots of examples https://tdm.socprime.com/login/
2. How does Untangle log its data, if Syslog or CEF you can use those connectors, if api you may need to use a Playbook, if a file, the Customlog is an option? Example parsers for other products (and data connectors) are all in te Github https://github.com/Azure/Azure-Sentinel/tree/master/ParsersDear, thank you for your response !
- For the first point, that's exactly what I'm searching for in fact, if you know more websites or git repos that have query/rules examples covering many basic and advanced detection please let me know.
- For Untangle, yes it's formatted in syslog yes.
1. Some places I use, in no particular order, and please do your own diligence as these are not Microsoft sites:
- SOC Prime Threat Detection Marketplace (TDM) - Join for Free (just use a Enterprise email to create a free account)
- GitHub - wortell/KQL: KQL queries for Advanced Hunting
- sentinel-attack/detections at master · BlueTeamLabs/sentinel-attack · GitHub
2. So please try the Syslog connector. Hopefully you wont need a parser for this data source.
