Linux and Untangle Support

Hello all,

We're conducting tests regarding Azure Sentinel's features and wanted to clarify some points.

  • Regarding Syslog for Linux devices, it seems that only 11 preconfigured analytic templates come pre-built with Sentinel. Is there a way to have more, in order to cover more of the possible issues / alerts such as privilege escalation, logs cleared, credential acquisition, port forwarding...?
  • If we want to monitor firewalls that do not have a connector pre-built in Sentinel, such as Untangle Firewall, what are the required steps to follow? Is there any parsing that needs to be done on either side?
1. There are a few extra Detections in the Github, and you can author your own: https://github.com/Azure/Azure-Sentinel/tree/master/Detections/Syslog. You can even post them back to the Github for others to use. 3rd party sites like SOC Prime and other Githubs have lots of examples: https://tdm.socprime.com/login/
2. How does Untangle log its data? If Syslog or CEF, you can use those connectors; if API, you may need to use a Playbook; if a file, the Custom log is an option. Example parsers for other products (and data connectors) are all in the Github: https://github.com/Azure/Azure-Sentinel/tree/master/Parsers

@CliveWatson 

Dear, thank you for your response !

  • For the first point, that's exactly what I'm searching for, in fact. If you know more websites or git repos that have query/rule examples covering many basic and advanced detections, please let me know.
  • For Untangle, yes, it's formatted in syslog.

@kofeiche_exeo 

1. Some places I use, in no particular order, and please do your own diligence as these are not Microsoft sites: 

2. So please try the Syslog connector. Hopefully you won't need a parser for this data source.
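To illustrate the parse-then-detect pattern discussed in this thread (a Parsers-style function over the Syslog table, followed by an analytic rule), here is an added KQL example that is not from the original posts or from the Azure-Sentinel repo. The firewall message format, hosts and addresses are constructed for the example and are not Untangle's real log format; the column names match Sentinel's Syslog table so the `datatable` can be swapped for `Syslog | where Computer == "fw01"`.

```kql
// Constructed sample standing in for Sentinel's Syslog table (same column names).
// Assumed key=value message layout; replace the parse pattern with the device's real format.
let SampleSyslog = datatable(TimeGenerated:datetime, Computer:string, Facility:string,
                             SeverityLevel:string, ProcessName:string, SyslogMessage:string)
[
  datetime(2024-01-01T10:00:05Z), "fw01", "local0", "info", "firewall",
    "action=block src=10.0.0.5 dst=203.0.113.10 dport=22 proto=tcp rule=deny-inbound",
  datetime(2024-01-01T10:00:09Z), "fw01", "local0", "info", "firewall",
    "action=block src=10.0.0.5 dst=203.0.113.10 dport=23 proto=tcp rule=deny-inbound",
  datetime(2024-01-01T10:00:14Z), "fw01", "local0", "info", "firewall",
    "action=block src=10.0.0.5 dst=203.0.113.10 dport=3389 proto=tcp rule=deny-inbound",
  datetime(2024-01-01T10:01:00Z), "fw01", "local0", "info", "firewall",
    "action=pass src=10.0.0.7 dst=203.0.113.20 dport=443 proto=tcp rule=allow-web"
];
// Parser: turn the free-text SyslogMessage into typed columns. In production this is
// what a saved KQL function (like those in the Parsers folder) would return.
let ParsedFirewall = SampleSyslog
  | parse SyslogMessage with "action=" Action " src=" SrcIp " dst=" DstIp
                             " dport=" DstPort:int " proto=" Proto " rule=" RuleName
  | project TimeGenerated, Computer, Action, SrcIp, DstIp, DstPort, Proto, RuleName;
// Detection: one source blocked on several distinct ports within a 10-minute window.
// The threshold (3) is an assumed starting value; tune it to the environment's baseline.
ParsedFirewall
| where Action == "block"
| summarize PortCount = dcount(DstPort), Ports = make_set(DstPort),
            StartTime = min(TimeGenerated), EndTime = max(TimeGenerated)
            by SrcIp, DstIp, Computer, bin(TimeGenerated, 10m)
| where PortCount >= 3
| project StartTime, EndTime, Computer, SrcIp, DstIp, PortCount, Ports
```

Paste the query into the Logs blade to check the parse pattern against the sample before wiring the detection part into a scheduled analytic rule; with the data above it returns one row for 10.0.0.5 with three ports.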