Linux and Untangle Support


Hello all,

 

We're conducting tests regarding Azure Sentinel's features and wanted to clarify some points.

 

  • Regarding Syslog for Linux devices, it only seems that 11 preconfigured analytic templates come pre-built with Sentinel. Is there a way to have more, in order to cover more of the possible issues / alerts such as Privilege Escalation, Logs cleared, Credential acquisition, port forwarding...?
  • If we want to monitor firewalls that do not have a connector pre-built in Sentinel, such as Untangle Firewall, what are the required steps to follow? Is there any parsing that needs to be done from a side?
3 Replies
1. There are a few extra Detections in the GitHub and you can author your own (https://github.com/Azure/Azure-Sentinel/tree/master/Detections/Syslog); you can even post them back to the GitHub for others to use. 3rd party sites like SOC Prime and other GitHubs have lots of examples (https://tdm.socprime.com/login/).
2. How does Untangle log its data? If Syslog or CEF, you can use those connectors; if API, you may need to use a Playbook; if a file, the Custom log is an option. Example parsers for other products (and data connectors) are all in the GitHub: https://github.com/Azure/Azure-Sentinel/tree/master/Parsers
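The reply above describes the pattern the Parsers folder uses: normalise raw Syslog text into typed columns with a KQL function, then write analytics rules against the normalised columns. The query below is an added example, not code from this thread or from the Azure-Sentinel repository. The key=value log line shape, the `untangle` process name and the function name `UntangleFirewall` are assumptions made for illustration; the thread does not show Untangle's real message format, so the `parse` pattern would need to be adjusted to the actual lines once they are in the Syslog table.

```kql
// Added example (not from this thread or the Azure-Sentinel repo).
// Constructed sample rows standing in for the Sentinel Syslog table. The message layout
// is an ASSUMPTION for illustration; the real Untangle format is not shown in the thread.
let UntangleSample = datatable(TimeGenerated:datetime, Computer:string, Facility:string,
                               SeverityLevel:string, ProcessName:string, SyslogMessage:string)
[
  datetime(2021-04-12T10:00:00Z), "untangle-fw", "local0", "info", "untangle",
    "action=block proto=tcp src=10.0.0.5 spt=51234 dst=203.0.113.7 dpt=445 rule=block-smb",
  datetime(2021-04-12T10:00:05Z), "untangle-fw", "local0", "info", "untangle",
    "action=allow proto=udp src=10.0.0.9 spt=40000 dst=10.0.0.1 dpt=53 rule=dns-out",
  datetime(2021-04-12T10:00:07Z), "untangle-fw", "local0", "info", "untangle",
    "action=block proto=tcp src=10.0.0.5 spt=51235 dst=203.0.113.7 dpt=3389 rule=block-rdp"
];
// Parser: in a workspace this body is saved as a function (hypothetical name UntangleFirewall)
// so every analytics rule reads typed columns instead of repeating the parse logic.
let UntangleFirewall = () {
    UntangleSample   // in production replace with: Syslog | where ProcessName == "untangle"
    | parse SyslogMessage with "action=" Action:string " proto=" Proto:string
        " src=" SrcIp:string " spt=" SrcPort:int " dst=" DstIp:string
        " dpt=" DstPort:int " rule=" RuleName:string
    | project TimeGenerated, Computer, Action, Proto, SrcIp, SrcPort, DstIp, DstPort, RuleName
};
// Detection built on the parser: one source hitting two or more blocked destination ports on
// the same host within a 5 minute window, which is a scanning / lateral-movement signal
// worth triaging. On the sample data 10.0.0.5 -> 203.0.113.7 (ports 445 and 3389) is returned.
UntangleFirewall
| where Action == "block"
| summarize BlockedPorts = make_set(DstPort), Hits = count()
    by SrcIp, DstIp, bin(TimeGenerated, 5m)
| where array_length(BlockedPorts) >= 2
```

Rows whose message does not match the `parse` pattern get empty columns rather than failing the query, so a useful first check after wiring the real connector is `| where isempty(Action)` to see which log lines the pattern still misses.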

@Clive Watson 

 

Dear, thank you for your response!

  • For the first point, that's exactly what I'm searching for, in fact. If you know more websites or git repos that have query/rule examples covering many basic and advanced detections, please let me know.
  • For Untangle, yes, it's formatted in syslog.

@kofeiche_exeo 

 

1. Some places I use, in no particular order, and please do your own diligence as these are not Microsoft sites:

  • SOC Prime Threat Detection Marketplace (TDM) - Join for Free (https://tdm.socprime.com/login/) (just use an Enterprise email to create a free account)
  • GitHub - wortell/KQL: KQL queries for Advanced Hunting (https://github.com/wortell/KQL)
  • sentinel-attack/detections at master · BlueTeamLabs/sentinel-attack · GitHub (https://github.com/BlueTeamLabs/sentinel-attack/tree/master/detections)

2. So please try the Syslog connector. Hopefully you won't need a parser for this data source.