Microsoft Tech Community

Pulse Secure VPN Syslog log attributes


Hello Team,


We are new to Sentinel, and we have integrated Pulse Secure VPN logs into our Sentinel through syslog, and we see some logs coming in. We would like to know the below:

1) We are seeing very minimal attributes in the logs; please refer to the screenshot below. How do we enable additional attributes?

2) We are trying to see if we have the most common rules enabled, like multiple logon failures, etc., which we do not see anywhere. Is there a way to enable those rules or download them, or a website which helps us to write the rules?

3) We are using FortiSIEM as our SIEM. Is there a way we can translate the rules from FortiSIEM to Sentinel's KQL language? Is there any third-party software which transforms the XML format to KQL queries without errors? We are ready to buy. Also, is there any consulting team who can help us?

4) We have also set up a Linux server and installed the AMA on it to send syslog to Sentinel.

[Screenshot attached: Artham_Harish_0-1699956836026.png]

Thank you.

1 Reply
1. Often you need to parse the results: "SyslogMessage" contains more data that you need to split into extra columns. Please see a previous answer: https://learn.microsoft.com/en-us/answers/questions/689933/how-to-parse-extract-data-that-is-in-sysl...
2. Rule templates: you can see them in Sentinel --> Analytics --> Rule templates.
Some rules will be enabled / made available with specific Solutions.

You can search in Sentinel --> Content Hub or on GitHub: https://github.com/Azure/Azure-Sentinel/tree/master/Solutions
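The two points in the reply (parse the single SyslogMessage column into fields, then build a "multiple logon failures" rule on top of those fields) fit together in one KQL query. The block below is an added example, not code from the reply, from Microsoft or from the Pulse Secure solution. The rows in `SampleSyslog` are constructed, the message layout `[<ip>] <user>(<realm>)[<role>] - <event text>` and the `ProcessName` value `PulseSecure` are assumptions about what the appliance emits, and `FailureThreshold` and `Window` are tunable values chosen for the sample; check one raw `SyslogMessage` in your workspace and adjust the `parse` pattern before relying on it.

```kql
// Constructed sample rows standing in for Sentinel's Syslog table (not real Pulse Secure output).
// Assumed layout: "<timestamp> - ive - [<source ip>] <user>(<realm>)[<role>] - <event text>".
let SampleSyslog = datatable(TimeGenerated:datetime, Computer:string, ProcessName:string, SyslogMessage:string)
[
    datetime(2023-11-14T09:00:05Z), "vpn01", "PulseSecure", "2023-11-14 09:00:05 - ive - [203.0.113.10] alice(Users)[] - Login failed using auth server Local Authentication. Reason: Failed",
    datetime(2023-11-14T09:00:41Z), "vpn01", "PulseSecure", "2023-11-14 09:00:41 - ive - [203.0.113.10] alice(Users)[] - Login failed using auth server Local Authentication. Reason: Failed",
    datetime(2023-11-14T09:01:12Z), "vpn01", "PulseSecure", "2023-11-14 09:01:12 - ive - [203.0.113.10] bob(Users)[] - Login failed using auth server Local Authentication. Reason: Failed",
    datetime(2023-11-14T09:02:30Z), "vpn01", "PulseSecure", "2023-11-14 09:02:30 - ive - [203.0.113.10] bob(Users)[] - Login failed using auth server Local Authentication. Reason: Failed",
    datetime(2023-11-14T09:03:55Z), "vpn01", "PulseSecure", "2023-11-14 09:03:55 - ive - [203.0.113.10] carol(Users)[] - Login failed using auth server Local Authentication. Reason: Failed",
    datetime(2023-11-14T09:04:20Z), "vpn01", "PulseSecure", "2023-11-14 09:04:20 - ive - [203.0.113.10] carol(Users)[] - Login failed using auth server Local Authentication. Reason: Failed",
    datetime(2023-11-14T09:05:02Z), "vpn01", "PulseSecure", "2023-11-14 09:05:02 - ive - [203.0.113.10] carol(Users)[Employees] - Login succeeded for carol/Users (session:00000001) from 203.0.113.10",
    datetime(2023-11-14T09:06:10Z), "vpn01", "PulseSecure", "2023-11-14 09:06:10 - ive - [198.51.100.7] dave(Users)[] - Login failed using auth server Local Authentication. Reason: Failed",
    datetime(2023-11-14T09:07:00Z), "vpn01", "sshd",        "Accepted publickey for admin from 192.0.2.5 port 51234 ssh2"
];
// Step 1 (question 1 in the post): split SyslogMessage into separate columns.
// "*" skips the leading timestamp/host prefix; each typed column is matched up to the next literal,
// so an empty role ("[]") still parses. Rows that do not match the pattern get empty strings.
let ParsedPulse = SampleSyslog
    | where ProcessName =~ "PulseSecure"   // assumed tag; confirm against your own Syslog rows
    | parse SyslogMessage with * "[" SourceIP:string "] " User:string "(" Realm:string ")[" Role:string "] - " Event:string
    | extend Outcome = case(Event has "Login failed",    "Failure",
                            Event has "Login succeeded", "Success",
                            "Other")
    | project TimeGenerated, Computer, SourceIP, User, Realm, Role, Outcome, Event;
// Step 2 (question 2): a scheduled-rule style "multiple logon failures" query over the parsed fields.
// Threshold and window are assumptions for the sample; tune them to your environment.
let FailureThreshold = 5;
let Window = 10m;
ParsedPulse
| where Outcome in ("Failure", "Success")
| summarize FailedCount    = countif(Outcome == "Failure"),
            SucceededCount = countif(Outcome == "Success"),
            TargetedUsers  = make_set_if(User, Outcome == "Failure"),
            FirstFailure   = minif(TimeGenerated, Outcome == "Failure"),
            LastEvent      = max(TimeGenerated)
          by SourceIP, Computer, bin(TimeGenerated, Window)
| where FailedCount >= FailureThreshold
// A success from the same source inside the window is the brute-force-then-login case a bare
// threshold would report at the same severity as harmless lockouts, so escalate it.
| extend Severity  = iff(SucceededCount > 0, "High", "Medium"),
         AlertName = strcat("Pulse Secure VPN: ", FailedCount, " failed logins from ", SourceIP,
                            " against ", array_length(TargetedUsers), " user(s)")
| project TimeGenerated, Computer, SourceIP, FailedCount, SucceededCount, TargetedUsers, FirstFailure, LastEvent, Severity, AlertName
```

Against the constructed rows this returns one result: 203.0.113.10 with six failures across three users followed by a success, rated High; 198.51.100.7 (one failure) and the sshd row (filtered out before parsing) produce nothing. In a real workspace, replace `SampleSyslog` with the `Syslog` table, and once the `parse` pattern matches your messages, save the Step 1 part as a function so the rule and your hunting queries share it (or use the parser shipped with the Pulse Connect Secure solution from Content Hub, if it provides one). The Step 2 part is the shape to drop into Analytics --> Create --> Scheduled query rule, with the query period set at least as long as `Window`.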