Adding WireX Data Connector #901
WireX Dataconnector
preetikr left a comment
- For the logo file - I see many unsupported fields that will block deploying this logo on Azure Sentinel. Please follow the steps in the logo guidance in step #5 of the https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/ReadMe.md#build-the-connector
- All other feedback is provided within the files - please respond/incorporate these.
| @@ -0,0 +1,20 @@ | |||
| # Connect your WireX Systems NFP to Azure Sentinel | |||
Please remove the md file from this commit and just email me this - this goes in a separate docs repo. Thanks.
This md file is still in the PR - please drop this file from this PR and email to me. Thanks
| "baseQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"WireX Systems\"\n| where DeviceProduct == \"WireX NFP\"\n" | ||
| } | ||
| ], | ||
| "sampleQueries": [ |
The sample queries are syntactically incorrect. I am sharing one updated as an example. Please update others too. Also would be great if you'd please validate each of these sample queries in Azure Sentinel Log Analytics editor on the CEF logs you got into Azure Sentinel or you can load the JSON file per step 3 of https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/ReadMe.md#build-the-connector and also click on the Run button in the Next steps tab of the data connector where each of these queries will show as a customer would see them.
Updated example:
{
"description" : "All Imported Events from WireX",
"query": "CommonSecurityLog| where DeviceVendor == "WireX Systems"| where DeviceProduct == "WireX NFP""
},
I see that I ran things backwards: I made the query work on the demo systems and then cut and pasted it into the .json files. I tried to make these changes that you suggested above on just query 1 and I could not get it to load. When I tried to make changes to it so that it would load,
"query": "CommonSecurityLog| where DeviceVendor == WireX| where DeviceProduct == WireX NFP"
I got a failure: 'where' operator: Failed to resolve column or scalar expression named 'WireX'
If issue persists, please open a support ticket. Request id: 17f6ecec-8895-458c-9132-81970115c251
However, in the contoso demo systems my original query worked:
CommonSecurityLog
| where DeviceVendor in ("WireX")
| sort by TimeGenerated
Any suggestions?
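As an added illustration (not code from this PR or from the Azure-Sentinel project), the Python below shows the two separate failures discussed above: a sampleQueries entry whose inner quotes are not escaped is rejected by the JSON parser before any KQL runs, while a query that does parse can still be bad KQL (no table name, a capitalised `Where`, or unquoted literals that KQL resolves as column names, which is the "Failed to resolve column or scalar expression named 'WireX'" error). The JSON fragments and query strings are constructed from the ones quoted in this thread.

```python
import json
import re

# Constructed JSON fragments (not the PR's connector file): the suggested
# sampleQueries entry with its inner quotes left unescaped, and the same
# entry escaped with \" the way the connector's baseQuery string is.
UNESCAPED_ENTRY = (
    '{\n'
    '  "description": "All Imported Events from WireX",\n'
    '  "query": "CommonSecurityLog| where DeviceVendor == "WireX Systems"'
    '| where DeviceProduct == "WireX NFP""\n'
    '}'
)
ESCAPED_ENTRY = (
    '{\n'
    '  "description": "All Imported Events from WireX",\n'
    '  "query": "CommonSecurityLog| where DeviceVendor == \\"WireX Systems\\"'
    '| where DeviceProduct == \\"WireX NFP\\""\n'
    '}'
)

TABLE = "CommonSecurityLog"

# An unquoted word after ==, in ( or contains: KQL resolves it as a column name.
UNQUOTED_LITERAL = (
    (re.compile(r'==\s*(?!["\'])([A-Za-z_]\w*)'), "=="),
    (re.compile(r'\bin\s*\(\s*(?!["\'])([A-Za-z_]\w*)'), "in ()"),
    (re.compile(r'\bcontains\s*\(?\s*(?!["\'])([A-Za-z_]\w*)'), "contains"),
)


def load_entry(text):
    """Parse JSON text; return (True, object) or (False, error message)."""
    try:
        return True, json.loads(text)
    except json.JSONDecodeError as exc:
        return False, f"{exc.msg} (line {exc.lineno}, column {exc.colno})"


def lint_sample_query(query):
    """Return the problems a reviewer would flag in one connector sample query."""
    problems = []
    q = query.strip()
    if not q.startswith(TABLE):
        problems.append(f"query must start from the {TABLE} table")
    if re.search(r"\bWhere\b", q):
        problems.append("KQL operators are case-sensitive: use 'where', not 'Where'")
    for pattern, context in UNQUOTED_LITERAL:
        for match in pattern.finditer(q):
            problems.append(
                f"unquoted literal {match.group(1)!r} after {context}: "
                "KQL reads it as a column name; wrap it in double quotes"
            )
    return problems


def review_connector(text):
    """Parse a connector JSON document and lint every sampleQueries entry.

    Returns {"<index>:<description>": [problems]} for entries with problems,
    or {"_json": [error]} if the document itself does not parse.
    """
    ok, doc = load_entry(text)
    if not ok:
        return {"_json": [doc]}
    report, seen = {}, set()
    for i, entry in enumerate(doc.get("sampleQueries", [])):
        desc = entry.get("description", f"<entry {i}>")
        problems = lint_sample_query(entry.get("query", ""))
        if desc in seen:
            problems.append("description duplicates an earlier sample query")
        seen.add(desc)
        if problems:
            report[f"{i}:{desc}"] = problems
    return report


# Constructed connector fragment mirroring the entries quoted in this PR.
CONNECTOR_JSON = '''{
  "id": "WireX_Systems_NFP",
  "sampleQueries": [
    {"description": "All Imported Events from WireX",
     "query": "CommonSecurityLog| where DeviceVendor == \\"WireX Systems\\"| where DeviceProduct == \\"WireX NFP\\""},
    {"description": "Imported DNS Events from WireX",
     "query": "Where DeviceVendor in (WireX) and ApplicationProtocol contains (DNS)"},
    {"description": "Imported DNS Events from WireX",
     "query": "Where DeviceVendor in (WireX) and ApplicationProtocol contains (HTTP)"}
  ]
}'''

if __name__ == "__main__":
    print("unescaped entry loads:", load_entry(UNESCAPED_ENTRY))
    print("escaped entry loads:", load_entry(ESCAPED_ENTRY)[0])
    for name, problems in review_connector(CONNECTOR_JSON).items():
        print(name)
        for problem in problems:
            print("  -", problem)
```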
| @@ -0,0 +1,224 @@ | |||
| TenantId,SourceSystem,TimeGenerated,ReceiptTime,DeviceVendor,DeviceProduct,DeviceEventClassID,LogSeverity,OriginalLogSeverity,DeviceAction,SimplifiedDeviceAction,Computer,CommunicationDirection,DeviceFacility,DestinationPort,DestinationIP,DeviceAddress,DeviceName,Message,Protocol,SourcePort,SourceIP,RemoteIP,RemotePort,MaliciousIP,ThreatSeverity,IndicatorThreatType,ThreatDescription,ThreatConfidence,ReportReferenceLink,MaliciousIPLongitude,MaliciousIPLatitude,MaliciousIPCountry,DeviceVersion,Activity,ApplicationProtocol,EventCount,DestinationDnsDomain,DestinationServiceName,DestinationTranslatedAddress,DestinationTranslatedPort,DeviceDnsDomain,DeviceExternalID,DeviceInboundInterface,DeviceNtDomain,DeviceOutboundInterface,DevicePayloadId,ProcessName,DeviceTranslatedAddress,DestinationHostName,DestinationMACAddress,DestinationNTDomain,DestinationProcessId,DestinationUserPrivileges,DestinationProcessName,DeviceTimeZone,DestinationUserID,DestinationUserName,DeviceMacAddress,ProcessID,ExternalID,FileCreateTime,FileHash,FileID,FileModificationTime,FilePath,FilePermission,FileType,FileName,FileSize,ReceivedBytes,OldFileCreateTime,OldFileHash,OldFileID,OldFileModificationTime,OldFileName,OldFilePath,OldFilePermission,OldFileSize,OldFileType,SentBytes,RequestURL,RequestClientApplication,RequestContext,RequestCookies,RequestMethod,SourceHostName,SourceMACAddress,SourceNTDomain,SourceDnsDomain,SourceServiceName,SourceTranslatedAddress,SourceTranslatedPort,SourceProcessId,SourceUserPrivileges,SourceProcessName,SourceUserID,SourceUserName,EventType,DeviceCustomIPv6Address1,DeviceCustomIPv6Address1Label,DeviceCustomIPv6Address2,DeviceCustomIPv6Address2Label,DeviceCustomIPv6Address3,DeviceCustomIPv6Address3Label,DeviceCustomIPv6Address4,DeviceCustomIPv6Address4Label,DeviceCustomFloatingPoint1,DeviceCustomFloatingPoint1Label,DeviceCustomFloatingPoint2,DeviceCustomFloatingPoint2Label,DeviceCustomFloatingPoint3,DeviceCustomFloatingPoint3Label,DeviceCustomFloatingPoint4,DeviceCustom
FloatingPoint4Label,DeviceCustomNumber1,DeviceCustomNumber1Label,DeviceCustomNumber2,DeviceCustomNumber2Label,DeviceCustomNumber3,DeviceCustomNumber3Label,DeviceCustomString1,DeviceCustomString1Label,DeviceCustomString2,DeviceCustomString2Label,DeviceCustomString3,DeviceCustomString3Label,DeviceCustomString4,DeviceCustomString4Label,DeviceCustomString5,DeviceCustomString5Label,DeviceCustomString6,DeviceCustomString6Label,DeviceCustomDate1,DeviceCustomDate1Label,DeviceCustomDate2,DeviceCustomDate2Label,FlexDate1,FlexDate1Label,FlexNumber1,FlexNumber1Label,FlexNumber2,FlexNumber2Label,FlexString1,FlexString1Label,FlexString2,FlexString2Label,AdditionalExtensions,StartTime,EndTime,Type,"_ResourceId" | |||
Feedback on the sample data file:
- Please move the sample data file to https://github.com/Azure/Azure-Sentinel/tree/master/Sample%20Data/CEF folder since this is a CEF data connector sample data.
- I see just one example of DeviceAction. Can you please cover all combinations of DeviceAction that your product supports and the relevant fields that get populated depending on the different types of DeviceAction in the sample data?
- Same feedback as point 2 above for Simplified Device action
- On all the fields which are not populated like "communication Direction", etc. are these always not populated for any type of logs your product provides? If yes, that's fine. If there are some fields that do get populated for specific log types, please provide that sample data filling those fields and relevant applicable properties as well.
- For those fields where Device Action is specified, why isn't Device address and Device name fields populated?
- Since these are forensic logs, wouldn't the malicious IP, malicious IP geo location, file information and threat information fields not captured in the original source logs on WireX side?
- I see the additional extensions have lots of valuable info like host address, proc address, Db information, record type etc. fields. Is it possible to write a parser to extract these field values and populate relevant columns so that customers can easily correlate this data? Examples of parsers are at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers. Specific example of a similar parser built for CEF data source parsing is https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/TrendMicro/TrendMicroDeepSecurity
1) I am going to collect more samples and then do as instructed, thank you.
2) There is no Device action.
3) Same as 2.
4) Not populated.
5) There is no action.
6) These are all logs for forensics, so there is no determination of malicious or not.
7) I agree that this would be a better long-term solution, but for now we need to get a data connector in and functioning, and then over time make it better.
Thank you for your time on this. I will begin working on these in the morning.
Enjoy your day.
Phil
Philip Campeau
Global Systems Engineering Manager
C: 312-622-3160
P: 224-513-5242
WireX Forensics <https://youtu.be/YK_AUxQJ7Vo> & IR in 2 minutes
From: Preeti Krishna [mailto:notifications@github.com]
Sent: Thursday, August 13, 2020 7:50 PM
To: Azure/Azure-Sentinel
Cc: philipcampeau; Author
Subject: Re: [Azure/Azure-Sentinel] Adding WireX Data Connector (#901)
@preetikr requested changes on this pull request.
1. For the logo file - I see many unsupported fields that will block deploying this logo on Azure Sentinel. Please follow the steps in the logo guidance in step #5 <#5> of the https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/ReadMe.md#build-the-connector
2. All other feedback is provided within the files - please respond/incorporate these.
_____
In DataConnectors/WireXSystems/how to doc/WireX_Systems_CEF_Connector.md <#901 (comment)> :
@@ -0,0 +1,20 @@
+# Connect your WireX Systems NFP to Azure Sentinel
Please remove the md file from this commit and just email me this - this goes in a separate docs repo. Thanks.
_____
In DataConnectors/WireXSystems/WireXsystemsNFP.json <#901 (comment)> :
+ },
+
+ {
+ "description" : "Imported DNS Events from WireX",
+ "query": "Where DeviceVendor in (WireX) and ApplicationProtocol contains (HTTP)"
+ },
+
+ {
+ "description" : "Imported DNS Events from WireX",
+ "query": "Where DeviceVendor in (WireX) and ApplicationProtocol contains (TDS)"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "WireX NFP events",
+ "lastDataReceivedQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"WireX Systems\"\n| where DeviceProduct == \"WireX NFP\"\n\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
Have Legend = "WireX NFP" instead of 'records received'
_____
In DataConnectors/WireXSystems/WireXsystemsNFP.json <#901 (comment)> :
@@ -0,0 +1,119 @@
+{
+ "id": "WireX_Systems_NFP",
+ "title": "WireX Network Forensics Platform",
+ "publisher": "WireX_Systems",
+ "descriptionMarkdown": "The WireX Systems data connector allows security professional to integrate with Azure Sentinel to allow you to further enrich your forensics investigations; to not only encompass the contextual content offered by WireX but to analyze data from other sources, and to create custom dashboards to give the most complete picture during a forensic investigation and to create custom workflows.",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "Record_Recieved",
Update "legend": "CommonSecurityLog",
_____
In DataConnectors/WireXSystems/WireXsystemsNFP.json <#901 (comment)> :
@@ -0,0 +1,119 @@
+{
+ "id": "WireX_Systems_NFP",
+ "title": "WireX Network Forensics Platform",
+ "publisher": "WireX_Systems",
+ "descriptionMarkdown": "The WireX Systems data connector allows security professional to integrate with Azure Sentinel to allow you to further enrich your forensics investigations; to not only encompass the contextual content offered by WireX but to analyze data from other sources, and to create custom dashboards to give the most complete picture during a forensic investigation and to create custom workflows.",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "Record_Recieved",
+ "baseQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"WireX Systems\"\n| where DeviceProduct == \"WireX NFP\"\n"
+ }
+ ],
+ "sampleQueries": [
The sample queries are syntactically incorrect. I am sharing one updated as an example. Please update others too. Also would be great if you'd please validate each of these sample queries in Azure Sentinel Log Analytics editor on the CEF logs you got into Azure Sentinel or you can load the JSON file per step 3 of https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/ReadMe.md#build-the-connector and also click on the Run button in the Next steps tab of the data connector where each of these queries will show as a customer would see them.
Updated example:
{
"description" : "All Imported Events from WireX",
"query": "CommonSecurityLog| where DeviceVendor == "WireX Systems"| where DeviceProduct == "WireX NFP""
},
_____
In DataConnectors/WireXSystems/WireXsystemsNFP.json <#901 (comment)> :
+ "query": "Where DeviceVendor in (WireX) and ApplicationProtocol contains (DNS)"
+ },
+
+ {
+ "description" : "Imported DNS Events from WireX",
+ "query": "Where DeviceVendor in (WireX) and ApplicationProtocol contains (HTTP)"
+ },
+
+ {
+ "description" : "Imported DNS Events from WireX",
+ "query": "Where DeviceVendor in (WireX) and ApplicationProtocol contains (TDS)"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "WireX NFP events",
Update dataTypes name as:
"name": "CommonSecurityLog (WireXNFPEvents)",
_____
In DataConnectors/WireXsystemsNFP.json <#901 (comment)> :
@@ -0,0 +1,119 @@
+{
This file is the same as the first data connector file. Please remove the dupe files from this PR. Just one data connector file is needed unless there are two different types of data connectors included for WireX.
_____
In Sample Data/wirex_sample data.csv <#901 (comment)> :
@@ -0,0 +1,224 @@
+TenantId,SourceSystem,TimeGenerated,ReceiptTime,DeviceVendor,DeviceProduct,DeviceEventClassID,LogSeverity,OriginalLogSeverity,DeviceAction,SimplifiedDeviceAction,Computer,CommunicationDirection,DeviceFacility,DestinationPort,DestinationIP,DeviceAddress,DeviceName,Message,Protocol,SourcePort,SourceIP,RemoteIP,RemotePort,MaliciousIP,ThreatSeverity,IndicatorThreatType,ThreatDescription,ThreatConfidence,ReportReferenceLink,MaliciousIPLongitude,MaliciousIPLatitude,MaliciousIPCountry,DeviceVersion,Activity,ApplicationProtocol,EventCount,DestinationDnsDomain,DestinationServiceName,DestinationTranslatedAddress,DestinationTranslatedPort,DeviceDnsDomain,DeviceExternalID,DeviceInboundInterface,DeviceNtDomain,DeviceOutboundInterface,DevicePayloadId,ProcessName,DeviceTranslatedAddress,DestinationHostName,DestinationMACAddress,DestinationNTDomain,DestinationProcessId,DestinationUserPrivileges,DestinationProcessName,DeviceTimeZone,DestinationUserID,DestinationUserName,DeviceMacAddress,ProcessID,ExternalID,FileCreateTime,FileHash,FileID,FileModificationTime,FilePath,FilePermission,FileType,FileName,FileSize,ReceivedBytes,OldFileCreateTime,OldFileHash,OldFileID,OldFileModificationTime,OldFileName,OldFilePath,OldFilePermission,OldFileSize,OldFileType,SentBytes,RequestURL,RequestClientApplication,RequestContext,RequestCookies,RequestMethod,SourceHostName,SourceMACAddress,SourceNTDomain,SourceDnsDomain,SourceServiceName,SourceTranslatedAddress,SourceTranslatedPort,SourceProcessId,SourceUserPrivileges,SourceProcessName,SourceUserID,SourceUserName,EventType,DeviceCustomIPv6Address1,DeviceCustomIPv6Address1Label,DeviceCustomIPv6Address2,DeviceCustomIPv6Address2Label,DeviceCustomIPv6Address3,DeviceCustomIPv6Address3Label,DeviceCustomIPv6Address4,DeviceCustomIPv6Address4Label,DeviceCustomFloatingPoint1,DeviceCustomFloatingPoint1Label,DeviceCustomFloatingPoint2,DeviceCustomFloatingPoint2Label,DeviceCustomFloatingPoint3,DeviceCustomFloatingPoint3Label,DeviceCustomFloatingPoint4,DeviceCustomF
loatingPoint4Label,DeviceCustomNumber1,DeviceCustomNumber1Label,DeviceCustomNumber2,DeviceCustomNumber2Label,DeviceCustomNumber3,DeviceCustomNumber3Label,DeviceCustomString1,DeviceCustomString1Label,DeviceCustomString2,DeviceCustomString2Label,DeviceCustomString3,DeviceCustomString3Label,DeviceCustomString4,DeviceCustomString4Label,DeviceCustomString5,DeviceCustomString5Label,DeviceCustomString6,DeviceCustomString6Label,DeviceCustomDate1,DeviceCustomDate1Label,DeviceCustomDate2,DeviceCustomDate2Label,FlexDate1,FlexDate1Label,FlexNumber1,FlexNumber1Label,FlexNumber2,FlexNumber2Label,FlexString1,FlexString1Label,FlexString2,FlexString2Label,AdditionalExtensions,StartTime,EndTime,Type,"_ResourceId"
This looks to be the same file as the earlier sample data file in this PR. Please remove this from this PR if this is a duplicate.
_____
In DataConnectors/WireXSystems/sample/wirex_sample data.csv <#901 (comment)> :
@@ -0,0 +1,224 @@
+TenantId,SourceSystem,TimeGenerated,ReceiptTime,DeviceVendor,DeviceProduct,DeviceEventClassID,LogSeverity,OriginalLogSeverity,DeviceAction,SimplifiedDeviceAction,Computer,CommunicationDirection,DeviceFacility,DestinationPort,DestinationIP,DeviceAddress,DeviceName,Message,Protocol,SourcePort,SourceIP,RemoteIP,RemotePort,MaliciousIP,ThreatSeverity,IndicatorThreatType,ThreatDescription,ThreatConfidence,ReportReferenceLink,MaliciousIPLongitude,MaliciousIPLatitude,MaliciousIPCountry,DeviceVersion,Activity,ApplicationProtocol,EventCount,DestinationDnsDomain,DestinationServiceName,DestinationTranslatedAddress,DestinationTranslatedPort,DeviceDnsDomain,DeviceExternalID,DeviceInboundInterface,DeviceNtDomain,DeviceOutboundInterface,DevicePayloadId,ProcessName,DeviceTranslatedAddress,DestinationHostName,DestinationMACAddress,DestinationNTDomain,DestinationProcessId,DestinationUserPrivileges,DestinationProcessName,DeviceTimeZone,DestinationUserID,DestinationUserName,DeviceMacAddress,ProcessID,ExternalID,FileCreateTime,FileHash,FileID,FileModificationTime,FilePath,FilePermission,FileType,FileName,FileSize,ReceivedBytes,OldFileCreateTime,OldFileHash,OldFileID,OldFileModificationTime,OldFileName,OldFilePath,OldFilePermission,OldFileSize,OldFileType,SentBytes,RequestURL,RequestClientApplication,RequestContext,RequestCookies,RequestMethod,SourceHostName,SourceMACAddress,SourceNTDomain,SourceDnsDomain,SourceServiceName,SourceTranslatedAddress,SourceTranslatedPort,SourceProcessId,SourceUserPrivileges,SourceProcessName,SourceUserID,SourceUserName,EventType,DeviceCustomIPv6Address1,DeviceCustomIPv6Address1Label,DeviceCustomIPv6Address2,DeviceCustomIPv6Address2Label,DeviceCustomIPv6Address3,DeviceCustomIPv6Address3Label,DeviceCustomIPv6Address4,DeviceCustomIPv6Address4Label,DeviceCustomFloatingPoint1,DeviceCustomFloatingPoint1Label,DeviceCustomFloatingPoint2,DeviceCustomFloatingPoint2Label,DeviceCustomFloatingPoint3,DeviceCustomFloatingPoint3Label,DeviceCustomFloatingPoint4,DeviceCustomF
loatingPoint4Label,DeviceCustomNumber1,DeviceCustomNumber1Label,DeviceCustomNumber2,DeviceCustomNumber2Label,DeviceCustomNumber3,DeviceCustomNumber3Label,DeviceCustomString1,DeviceCustomString1Label,DeviceCustomString2,DeviceCustomString2Label,DeviceCustomString3,DeviceCustomString3Label,DeviceCustomString4,DeviceCustomString4Label,DeviceCustomString5,DeviceCustomString5Label,DeviceCustomString6,DeviceCustomString6Label,DeviceCustomDate1,DeviceCustomDate1Label,DeviceCustomDate2,DeviceCustomDate2Label,FlexDate1,FlexDate1Label,FlexNumber1,FlexNumber1Label,FlexNumber2,FlexNumber2Label,FlexString1,FlexString1Label,FlexString2,FlexString2Label,AdditionalExtensions,StartTime,EndTime,Type,"_ResourceId"
Feedback on the sample data file:
1. Please move the sample data file to https://github.com/Azure/Azure-Sentinel/tree/master/Sample%20Data/CEF folder since this is a CEF data connector sample data.
2. I see just one example of DeviceAction. Can you please cover all combinations of DeviceAction that your product supports and the relevant fields that get populated depending on the different types of DeviceAction in the sample data?
3. Same feedback as point 2 above for Simplified Device action
4. On all the fields which are not populated like "communication Direction", etc. are these always not populated for any type of logs your product provides? If yes, that's fine. If there are some fields that do get populated for specific log types, please provide that sample data filling those fields and relevant applicable properties as well.
5. For those fields where Device Action is specified, why isn't Device address and Device name fields populated?
6. Since these are forensic logs, wouldn't the malicious IP, malicious IP geo location, file information and threat information fields not captured in the original source logs on WireX side?
7. I see the additional extensions have lots of valuable info like host address, proc address, Db information, record type etc. fields. Is it possible to write a parser to extract these field values and populate relevant columns so that customers can easily correlate this data? Examples of parsers are at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers. Specific example of a similar parser built for CEF data source parsing is https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/TrendMicro/TrendMicroDeepSecurity
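As an added illustration of the parser the reviewer asks for in point 7 (not the project's code, and written in Python rather than as a KQL parser function), this splits an AdditionalExtensions value into its key=value pairs while honouring CEF backslash escapes, then projects the keys onto named columns so the values can be correlated. The sample string, the key names (hostAddress, procAddress, dbName, recordType) and the column mapping are all assumptions, not WireX's real field names.

```python
# Constructed AdditionalExtensions value; NOT real WireX output. The key names
# are assumed for illustration, and the value escapes follow the CEF
# convention: \= for a literal '=', \\ for a backslash, \n and \r for newlines.
SAMPLE_EXTENSIONS = (
    r"hostAddress=10.1.2.3;procAddress=10.1.2.3:4433;dbName=sales;"
    r"recordType=SQL query;note=a\=b\\c"
)

# Assumed mapping from extension keys to the columns a parser would expose.
COLUMN_MAP = {
    "hostAddress": "WireXHostAddress",
    "procAddress": "WireXProcAddress",
    "dbName": "WireXDbName",
    "recordType": "WireXRecordType",
}


def parse_additional_extensions(ext):
    """Split a 'key=value;key=value' string into a dict.

    Pairs are separated by unescaped ';', the first unescaped '=' in a pair
    separates key from value, and a backslash escapes the following character.
    Pairs without a key are dropped; a later duplicate key overwrites an earlier one.
    """
    fields = {}
    key, buf = None, []
    i = 0
    while i <= len(ext):
        ch = ext[i] if i < len(ext) else ";"  # ';' sentinel closes the last pair
        if ch == "\\" and i + 1 < len(ext):
            nxt = ext[i + 1]
            buf.append({"n": "\n", "r": "\r"}.get(nxt, nxt))
            i += 2
            continue
        if ch == "=" and key is None:
            key = "".join(buf).strip()
            buf = []
        elif ch == ";":
            if key:
                fields[key] = "".join(buf)
            key, buf = None, []
        else:
            buf.append(ch)
        i += 1
    return fields


def project_columns(ext, column_map=COLUMN_MAP):
    """Parse ext and map known keys to columns; leftover keys stay under 'Extra'."""
    parsed = parse_additional_extensions(ext)
    row = {column: parsed.pop(key, None) for key, column in column_map.items()}
    row["Extra"] = parsed
    return row


if __name__ == "__main__":
    for column, value in project_columns(SAMPLE_EXTENSIONS).items():
        print(f"{column}: {value!r}")
```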
Sorry for the delay, I was taking kids to school and getting them settled.
Here is the .md that you asked for. I am still working on getting it removed from the commit (not sure how to do that), and I have asked the graphics department to get me the logo file in the correct format.
Phil
From: Preeti Krishna [mailto:notifications@github.com]
Sent: Thursday, August 13, 2020 7:50 PM
To: Azure/Azure-Sentinel
Cc: philipcampeau; Author
Subject: Re: [Azure/Azure-Sentinel] Adding WireX Data Connector (#901)
@preetikr requested changes on this pull request.
1. For the logo file - I see many unsupported fields that will block deploying this logo on Azure Sentinel. Please follow the steps in the logo guidance in step #5 <#5> of the https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/ReadMe.md#build-the-connector
2. All other feedback is provided within the files - please respond/incorporate these.
_____
In DataConnectors/WireXSystems/how to doc/WireX_Systems_CEF_Connector.md <#901 (comment)> :
@@ -0,0 +1,20 @@
+# Connect your WireX Systems NFP to Azure Sentinel
Please remove the md file from this commit and just email me this - this goes in a separate docs repo. Thanks.
_____
In DataConnectors/WireXSystems/WireXsystemsNFP.json <#901 (comment)> :
+ },
+
+ {
+ "description" : "Imported DNS Events from WireX",
+ "query": "Where DeviceVendor in (WireX) and ApplicationProtocol contains (HTTP)"
+ },
+
+ {
+ "description" : "Imported DNS Events from WireX",
+ "query": "Where DeviceVendor in (WireX) and ApplicationProtocol contains (TDS)"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "WireX NFP events",
+ "lastDataReceivedQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"WireX Systems\"\n| where DeviceProduct == \"WireX NFP\"\n\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
Have Legend = "WireX NFP" instead of 'records received'
_____
In DataConnectors/WireXSystems/WireXsystemsNFP.json <#901 (comment)> :
@@ -0,0 +1,119 @@
+{
+ "id": "WireX_Systems_NFP",
+ "title": "WireX Network Forensics Platform",
+ "publisher": "WireX_Systems",
+ "descriptionMarkdown": "The WireX Systems data connector allows security professional to integrate with Azure Sentinel to allow you to further enrich your forensics investigations; to not only encompass the contextual content offered by WireX but to analyze data from other sources, and to create custom dashboards to give the most complete picture during a forensic investigation and to create custom workflows.",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "Record_Recieved",
Update "legend": "CommonSecurityLog",
_____
In DataConnectors/WireXSystems/WireXsystemsNFP.json <#901 (comment)> :
@@ -0,0 +1,119 @@
+{
+ "id": "WireX_Systems_NFP",
+ "title": "WireX Network Forensics Platform",
+ "publisher": "WireX_Systems",
+ "descriptionMarkdown": "The WireX Systems data connector allows security professional to integrate with Azure Sentinel to allow you to further enrich your forensics investigations; to not only encompass the contextual content offered by WireX but to analyze data from other sources, and to create custom dashboards to give the most complete picture during a forensic investigation and to create custom workflows.",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "Record_Recieved",
+ "baseQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"WireX Systems\"\n| where DeviceProduct == \"WireX NFP\"\n"
+ }
+ ],
+ "sampleQueries": [
The sample queries are syntactically incorrect. I am sharing one updated as an example. Please update others too. Also would be great if you'd please validate each of these sample queries in Azure Sentinel Log Analytics editor on the CEF logs you got into Azure Sentinel or you can load the JSON file per step 3 of https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/ReadMe.md#build-the-connector and also click on the Run button in the Next steps tab of the data connector where each of these queries will show as a customer would see them.
Updated example:
{
"description" : "All Imported Events from WireX",
"query": "CommonSecurityLog| where DeviceVendor == "WireX Systems"| where DeviceProduct == "WireX NFP""
},
_____
In DataConnectors/WireXSystems/WireXsystemsNFP.json <#901 (comment)> :
+ "query": "Where DeviceVendor in (WireX) and ApplicationProtocol contains (DNS)"
+ },
+
+ {
+ "description" : "Imported DNS Events from WireX",
+ "query": "Where DeviceVendor in (WireX) and ApplicationProtocol contains (HTTP)"
+ },
+
+ {
+ "description" : "Imported DNS Events from WireX",
+ "query": "Where DeviceVendor in (WireX) and ApplicationProtocol contains (TDS)"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "WireX NFP events",
Update dataTypes name as:
"name": "CommonSecurityLog (WireXNFPEvents)",
_____
In DataConnectors/WireXsystemsNFP.json <#901 (comment)> :
@@ -0,0 +1,119 @@
+{
This file is the same as the first data connector file. Please remove the dupe files from this PR. Just one data connector file is needed unless there are two different types of data connectors included for WireX.
_____
In Sample Data/wirex_sample data.csv <#901 (comment)> :
@@ -0,0 +1,224 @@
+TenantId,SourceSystem,TimeGenerated,ReceiptTime,DeviceVendor,DeviceProduct,DeviceEventClassID,LogSeverity,OriginalLogSeverity,DeviceAction,SimplifiedDeviceAction,Computer,CommunicationDirection,DeviceFacility,DestinationPort,DestinationIP,DeviceAddress,DeviceName,Message,Protocol,SourcePort,SourceIP,RemoteIP,RemotePort,MaliciousIP,ThreatSeverity,IndicatorThreatType,ThreatDescription,ThreatConfidence,ReportReferenceLink,MaliciousIPLongitude,MaliciousIPLatitude,MaliciousIPCountry,DeviceVersion,Activity,ApplicationProtocol,EventCount,DestinationDnsDomain,DestinationServiceName,DestinationTranslatedAddress,DestinationTranslatedPort,DeviceDnsDomain,DeviceExternalID,DeviceInboundInterface,DeviceNtDomain,DeviceOutboundInterface,DevicePayloadId,ProcessName,DeviceTranslatedAddress,DestinationHostName,DestinationMACAddress,DestinationNTDomain,DestinationProcessId,DestinationUserPrivileges,DestinationProcessName,DeviceTimeZone,DestinationUserID,DestinationUserName,DeviceMacAddress,ProcessID,ExternalID,FileCreateTime,FileHash,FileID,FileModificationTime,FilePath,FilePermission,FileType,FileName,FileSize,ReceivedBytes,OldFileCreateTime,OldFileHash,OldFileID,OldFileModificationTime,OldFileName,OldFilePath,OldFilePermission,OldFileSize,OldFileType,SentBytes,RequestURL,RequestClientApplication,RequestContext,RequestCookies,RequestMethod,SourceHostName,SourceMACAddress,SourceNTDomain,SourceDnsDomain,SourceServiceName,SourceTranslatedAddress,SourceTranslatedPort,SourceProcessId,SourceUserPrivileges,SourceProcessName,SourceUserID,SourceUserName,EventType,DeviceCustomIPv6Address1,DeviceCustomIPv6Address1Label,DeviceCustomIPv6Address2,DeviceCustomIPv6Address2Label,DeviceCustomIPv6Address3,DeviceCustomIPv6Address3Label,DeviceCustomIPv6Address4,DeviceCustomIPv6Address4Label,DeviceCustomFloatingPoint1,DeviceCustomFloatingPoint1Label,DeviceCustomFloatingPoint2,DeviceCustomFloatingPoint2Label,DeviceCustomFloatingPoint3,DeviceCustomFloatingPoint3Label,DeviceCustomFloatingPoint4,DeviceCustomF
loatingPoint4Label,DeviceCustomNumber1,DeviceCustomNumber1Label,DeviceCustomNumber2,DeviceCustomNumber2Label,DeviceCustomNumber3,DeviceCustomNumber3Label,DeviceCustomString1,DeviceCustomString1Label,DeviceCustomString2,DeviceCustomString2Label,DeviceCustomString3,DeviceCustomString3Label,DeviceCustomString4,DeviceCustomString4Label,DeviceCustomString5,DeviceCustomString5Label,DeviceCustomString6,DeviceCustomString6Label,DeviceCustomDate1,DeviceCustomDate1Label,DeviceCustomDate2,DeviceCustomDate2Label,FlexDate1,FlexDate1Label,FlexNumber1,FlexNumber1Label,FlexNumber2,FlexNumber2Label,FlexString1,FlexString1Label,FlexString2,FlexString2Label,AdditionalExtensions,StartTime,EndTime,Type,"_ResourceId"
This looks to be the same file as the earlier sample data file in this PR. Please remove this from this PR if this is a duplicate.
_____
In DataConnectors/WireXSystems/sample/wirex_sample data.csv <#901 (comment)> :
@@ -0,0 +1,224 @@
+TenantId,SourceSystem,TimeGenerated,ReceiptTime,DeviceVendor,DeviceProduct,DeviceEventClassID,LogSeverity,OriginalLogSeverity,DeviceAction,SimplifiedDeviceAction,Computer,CommunicationDirection,DeviceFacility,DestinationPort,DestinationIP,DeviceAddress,DeviceName,Message,Protocol,SourcePort,SourceIP,RemoteIP,RemotePort,MaliciousIP,ThreatSeverity,IndicatorThreatType,ThreatDescription,ThreatConfidence,ReportReferenceLink,MaliciousIPLongitude,MaliciousIPLatitude,MaliciousIPCountry,DeviceVersion,Activity,ApplicationProtocol,EventCount,DestinationDnsDomain,DestinationServiceName,DestinationTranslatedAddress,DestinationTranslatedPort,DeviceDnsDomain,DeviceExternalID,DeviceInboundInterface,DeviceNtDomain,DeviceOutboundInterface,DevicePayloadId,ProcessName,DeviceTranslatedAddress,DestinationHostName,DestinationMACAddress,DestinationNTDomain,DestinationProcessId,DestinationUserPrivileges,DestinationProcessName,DeviceTimeZone,DestinationUserID,DestinationUserName,DeviceMacAddress,ProcessID,ExternalID,FileCreateTime,FileHash,FileID,FileModificationTime,FilePath,FilePermission,FileType,FileName,FileSize,ReceivedBytes,OldFileCreateTime,OldFileHash,OldFileID,OldFileModificationTime,OldFileName,OldFilePath,OldFilePermission,OldFileSize,OldFileType,SentBytes,RequestURL,RequestClientApplication,RequestContext,RequestCookies,RequestMethod,SourceHostName,SourceMACAddress,SourceNTDomain,SourceDnsDomain,SourceServiceName,SourceTranslatedAddress,SourceTranslatedPort,SourceProcessId,SourceUserPrivileges,SourceProcessName,SourceUserID,SourceUserName,EventType,DeviceCustomIPv6Address1,DeviceCustomIPv6Address1Label,DeviceCustomIPv6Address2,DeviceCustomIPv6Address2Label,DeviceCustomIPv6Address3,DeviceCustomIPv6Address3Label,DeviceCustomIPv6Address4,DeviceCustomIPv6Address4Label,DeviceCustomFloatingPoint1,DeviceCustomFloatingPoint1Label,DeviceCustomFloatingPoint2,DeviceCustomFloatingPoint2Label,DeviceCustomFloatingPoint3,DeviceCustomFloatingPoint3Label,DeviceCustomFloatingPoint4,DeviceCustomF
loatingPoint4Label,DeviceCustomNumber1,DeviceCustomNumber1Label,DeviceCustomNumber2,DeviceCustomNumber2Label,DeviceCustomNumber3,DeviceCustomNumber3Label,DeviceCustomString1,DeviceCustomString1Label,DeviceCustomString2,DeviceCustomString2Label,DeviceCustomString3,DeviceCustomString3Label,DeviceCustomString4,DeviceCustomString4Label,DeviceCustomString5,DeviceCustomString5Label,DeviceCustomString6,DeviceCustomString6Label,DeviceCustomDate1,DeviceCustomDate1Label,DeviceCustomDate2,DeviceCustomDate2Label,FlexDate1,FlexDate1Label,FlexNumber1,FlexNumber1Label,FlexNumber2,FlexNumber2Label,FlexString1,FlexString1Label,FlexString2,FlexString2Label,AdditionalExtensions,StartTime,EndTime,Type,"_ResourceId"
Feedback on the sample data file:
1. Please move the sample data file to the https://github.com/Azure/Azure-Sentinel/tree/master/Sample%20Data/CEF folder since this is CEF data connector sample data.
2. I see just one example of DeviceAction. Can you please cover all combinations of DeviceAction that your product supports and the relevant fields that get populated depending on the different types of DeviceAction in the sample data?
3. Same feedback as point 2 above for Simplified Device action.
4. On all the fields which are not populated, like "communication Direction", etc.: are these always not populated for any type of logs your product provides? If yes, that's fine. If there are some fields that do get populated for specific log types, please provide sample data filling those fields and the relevant applicable properties as well.
5. For those fields where Device Action is specified, why aren't the Device address and Device name fields populated?
6. Since these are forensic logs, wouldn't the malicious IP, malicious IP geolocation, file information and threat information fields be captured in the original source logs on the WireX side?
7. I see the additional extensions have lots of valuable info, like the host address, proc address, DB information, record type, etc. fields. Is it possible to write a parser to extract these field values and populate relevant columns so that customers can easily correlate this data? Examples of parsers are at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers. A specific example of a similar parser built for CEF data source parsing is https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/TrendMicro/TrendMicroDeepSecurity
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub <#901 (review)> , or unsubscribe <https://github.com/notifications/unsubscribe-auth/AQG7L5LF4PEO67R4J6FBI5DSASC4LANCNFSM4PHBUVBA> . <https://github.com/notifications/beacon/AQG7L5LTMYTQDH2I5GQRSGLSASC4LA5CNFSM4PHBUVBKYY3PNVWWK3TUL52HS4DFWFIHK3DMKJSXC5LFON2FEZLWNFSXPKTDN5WW2ZLOORPWSZGODPL5J6Y.gif>
Preeti,
Again thank you for your help and guidance.
I am stuck, I believe that I have made all the changes that you recommended with the exception of the sample queries.
I ran each of the queries manually in the contoso demo system that I have access to and they work fine, and then I cut and pasted them into the sample query portion of the json file, and then when I uploaded them to test, the upload failed. I tried to follow your example and I kept getting an error in the where operator, and that it did not like the “WireX” or, as you helped me with, WireX Systems.
Any guidance that you can offer would be great. If it is easier, a phone call to point out the error would be ideal.
Thank you
Phil
Philip Campeau
Global Systems Engineering Manager
C: 312-622-3160
P: 224-513-5242
WireX Forensics <https://youtu.be/YK_AUxQJ7Vo> & IR in 2 minutes
From: Preeti Krishna [mailto:notifications@github.com]
Sent: Thursday, August 13, 2020 7:50 PM
To: Azure/Azure-Sentinel
Cc: philipcampeau; Author
Subject: Re: [Azure/Azure-Sentinel] Adding WireX Data Connector (#901)
@preetikr requested changes on this pull request.
1. For the logo file - I see many unsupported fields that will block deploying this logo on Azure Sentinel. Please follow the steps in the logo guidance in step #5 of the https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/ReadMe.md#build-the-connector
2. All other feedback is provided within the files - please respond/incorporate these.
_____
In DataConnectors/WireXSystems/how to doc/WireX_Systems_CEF_Connector.md <#901 (comment)> :
@@ -0,0 +1,20 @@
+# Connect your WireX Systems NFP to Azure Sentinel
Please remove the md file from this commit and just email me this - this goes in a separate docs repo. Thanks.
_____
In DataConnectors/WireXSystems/WireXsystemsNFP.json <#901 (comment)> :
+ },
+
+ {
+ "description" : "Imported DNS Events from WireX",
+ "query": "Where DeviceVendor in (WireX) and ApplicationProtocol contains (HTTP)"
+ },
+
+ {
+ "description" : "Imported DNS Events from WireX",
+ "query": "Where DeviceVendor in (WireX) and ApplicationProtocol contains (TDS)"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "WireX NFP events",
+ "lastDataReceivedQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"WireX Systems\"\n| where DeviceProduct == \"WireX NFP\"\n\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
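Review bot: the three sample queries in this hunk are not valid KQL and will fail when a customer clicks Run: each starts with `Where` instead of a table name, the operator is not preceded by `|`, and `in (WireX)` / `contains (HTTP)` compare against bare identifiers rather than quoted string literals. Start each from `CommonSecurityLog`, reuse the vendor/product filter that `lastDataReceivedQuery` already has, and quote the values, e.g. `CommonSecurityLog | where DeviceVendor == "WireX Systems" | where ApplicationProtocol == "HTTP"`. The HTTP and TDS entries also both carry the description "Imported DNS Events from WireX".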
Have Legend = "WireX NFP" instead of 'records received'
_____
In DataConnectors/WireXSystems/WireXsystemsNFP.json <#901 (comment)> :
@@ -0,0 +1,119 @@
+{
+ "id": "WireX_Systems_NFP",
+ "title": "WireX Network Forensics Platform",
+ "publisher": "WireX_Systems",
+ "descriptionMarkdown": "The WireX Systems data connector allows security professional to integrate with Azure Sentinel to allow you to further enrich your forensics investigations; to not only encompass the contextual content offered by WireX but to analyze data from other sources, and to create custom dashboards to give the most complete picture during a forensic investigation and to create custom workflows.",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "Record_Recieved",
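Review bot: `"legend": "Record_Recieved"` is misspelled, and `"publisher": "WireX_Systems"` uses an underscore where the vendor is called `WireX Systems` in the `DeviceVendor` filter of this same file; both strings are rendered in the connector UI, so fix the spelling and use the display name. The `descriptionMarkdown` sentence also needs `security professionals` (plural) and is one long run-on that would read better split into two sentences.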
Update "legend": "CommonSecurityLog",
_____
In DataConnectors/WireXSystems/WireXsystemsNFP.json <#901 (comment)> :
@@ -0,0 +1,119 @@
+{
+ "id": "WireX_Systems_NFP",
+ "title": "WireX Network Forensics Platform",
+ "publisher": "WireX_Systems",
+ "descriptionMarkdown": "The WireX Systems data connector allows security professional to integrate with Azure Sentinel to allow you to further enrich your forensics investigations; to not only encompass the contextual content offered by WireX but to analyze data from other sources, and to create custom dashboards to give the most complete picture during a forensic investigation and to create custom workflows.",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "Record_Recieved",
+ "baseQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"WireX Systems\"\n| where DeviceProduct == \"WireX NFP\"\n"
+ }
+ ],
+ "sampleQueries": [
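Review bot: `baseQuery` is the filter that defines which rows the connector graph counts, so every entry in the `sampleQueries` array opened here should begin from the same `CommonSecurityLog | where DeviceVendor == "WireX Systems" | where DeviceProduct == "WireX NFP"` prefix before narrowing further; otherwise a sample can return rows the graph never counted, or nothing at all. The leading and trailing `\n` in `baseQuery` are harmless to KQL but should be used consistently with the other query strings in the file.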
The sample queries are syntactically incorrect. I am sharing one updated as an example. Please update others too. Also, it would be great if you'd please validate each of these sample queries in the Azure Sentinel Log Analytics editor on the CEF logs you got into Azure Sentinel, or you can load the JSON file per step 3 of https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/ReadMe.md#build-the-connector and also click on the Run button in the Next steps tab of the data connector, where each of these queries will show as a customer would see them.
Updated example:
{
"description" : "All Imported Events from WireX",
"query": "CommonSecurityLog| where DeviceVendor == \"WireX Systems\"| where DeviceProduct == \"WireX NFP\""
},
_____
In DataConnectors/WireXSystems/WireXsystemsNFP.json <#901 (comment)> :
+ "query": "Where DeviceVendor in (WireX) and ApplicationProtocol contains (DNS)"
+ },
+
+ {
+ "description" : "Imported DNS Events from WireX",
+ "query": "Where DeviceVendor in (WireX) and ApplicationProtocol contains (HTTP)"
+ },
+
+ {
+ "description" : "Imported DNS Events from WireX",
+ "query": "Where DeviceVendor in (WireX) and ApplicationProtocol contains (TDS)"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "WireX NFP events",
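Review bot: the `description` values for the HTTP and TDS queries are copy-pasted as "Imported DNS Events from WireX"; since the description is the label a customer sees in the Next steps tab, each should name its own protocol (e.g. "Imported HTTP Events from WireX", "Imported TDS Events from WireX"). The `contains (DNS)` form repeated in all three queries passes an unquoted identifier to `contains`; it needs a string literal such as `contains "DNS"`.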
Update dataTypes name as:
"name": "CommonSecurityLog (WireXNFPEvents)",
_____
In DataConnectors/WireXsystemsNFP.json <#901 (comment)> :
@@ -0,0 +1,119 @@
+{
This file is the same as the first data connector file. Please remove the dupe files from this PR. Just one data connector file is needed unless there are two different types of data connectors included for WireX.
_____
In Sample Data/wirex_sample data.csv <#901 (comment)> :
@@ -0,0 +1,224 @@
+TenantId,SourceSystem,TimeGenerated,ReceiptTime,DeviceVendor,DeviceProduct,DeviceEventClassID,LogSeverity,OriginalLogSeverity,DeviceAction,SimplifiedDeviceAction,Computer,CommunicationDirection,DeviceFacility,DestinationPort,DestinationIP,DeviceAddress,DeviceName,Message,Protocol,SourcePort,SourceIP,RemoteIP,RemotePort,MaliciousIP,ThreatSeverity,IndicatorThreatType,ThreatDescription,ThreatConfidence,ReportReferenceLink,MaliciousIPLongitude,MaliciousIPLatitude,MaliciousIPCountry,DeviceVersion,Activity,ApplicationProtocol,EventCount,DestinationDnsDomain,DestinationServiceName,DestinationTranslatedAddress,DestinationTranslatedPort,DeviceDnsDomain,DeviceExternalID,DeviceInboundInterface,DeviceNtDomain,DeviceOutboundInterface,DevicePayloadId,ProcessName,DeviceTranslatedAddress,DestinationHostName,DestinationMACAddress,DestinationNTDomain,DestinationProcessId,DestinationUserPrivileges,DestinationProcessName,DeviceTimeZone,DestinationUserID,DestinationUserName,DeviceMacAddress,ProcessID,ExternalID,FileCreateTime,FileHash,FileID,FileModificationTime,FilePath,FilePermission,FileType,FileName,FileSize,ReceivedBytes,OldFileCreateTime,OldFileHash,OldFileID,OldFileModificationTime,OldFileName,OldFilePath,OldFilePermission,OldFileSize,OldFileType,SentBytes,RequestURL,RequestClientApplication,RequestContext,RequestCookies,RequestMethod,SourceHostName,SourceMACAddress,SourceNTDomain,SourceDnsDomain,SourceServiceName,SourceTranslatedAddress,SourceTranslatedPort,SourceProcessId,SourceUserPrivileges,SourceProcessName,SourceUserID,SourceUserName,EventType,DeviceCustomIPv6Address1,DeviceCustomIPv6Address1Label,DeviceCustomIPv6Address2,DeviceCustomIPv6Address2Label,DeviceCustomIPv6Address3,DeviceCustomIPv6Address3Label,DeviceCustomIPv6Address4,DeviceCustomIPv6Address4Label,DeviceCustomFloatingPoint1,DeviceCustomFloatingPoint1Label,DeviceCustomFloatingPoint2,DeviceCustomFloatingPoint2Label,DeviceCustomFloatingPoint3,DeviceCustomFloatingPoint3Label,DeviceCustomFloatingPoint4,DeviceCustomF
loatingPoint4Label,DeviceCustomNumber1,DeviceCustomNumber1Label,DeviceCustomNumber2,DeviceCustomNumber2Label,DeviceCustomNumber3,DeviceCustomNumber3Label,DeviceCustomString1,DeviceCustomString1Label,DeviceCustomString2,DeviceCustomString2Label,DeviceCustomString3,DeviceCustomString3Label,DeviceCustomString4,DeviceCustomString4Label,DeviceCustomString5,DeviceCustomString5Label,DeviceCustomString6,DeviceCustomString6Label,DeviceCustomDate1,DeviceCustomDate1Label,DeviceCustomDate2,DeviceCustomDate2Label,FlexDate1,FlexDate1Label,FlexNumber1,FlexNumber1Label,FlexNumber2,FlexNumber2Label,FlexString1,FlexString1Label,FlexString2,FlexString2Label,AdditionalExtensions,StartTime,EndTime,Type,"_ResourceId"
This looks to be the same file as the earlier sample data file in this PR. Please remove this from this PR if this is a duplicate.
_____
In DataConnectors/WireXSystems/sample/wirex_sample data.csv <#901 (comment)> :
@@ -0,0 +1,224 @@
+TenantId,SourceSystem,TimeGenerated,ReceiptTime,DeviceVendor,DeviceProduct,DeviceEventClassID,LogSeverity,OriginalLogSeverity,DeviceAction,SimplifiedDeviceAction,Computer,CommunicationDirection,DeviceFacility,DestinationPort,DestinationIP,DeviceAddress,DeviceName,Message,Protocol,SourcePort,SourceIP,RemoteIP,RemotePort,MaliciousIP,ThreatSeverity,IndicatorThreatType,ThreatDescription,ThreatConfidence,ReportReferenceLink,MaliciousIPLongitude,MaliciousIPLatitude,MaliciousIPCountry,DeviceVersion,Activity,ApplicationProtocol,EventCount,DestinationDnsDomain,DestinationServiceName,DestinationTranslatedAddress,DestinationTranslatedPort,DeviceDnsDomain,DeviceExternalID,DeviceInboundInterface,DeviceNtDomain,DeviceOutboundInterface,DevicePayloadId,ProcessName,DeviceTranslatedAddress,DestinationHostName,DestinationMACAddress,DestinationNTDomain,DestinationProcessId,DestinationUserPrivileges,DestinationProcessName,DeviceTimeZone,DestinationUserID,DestinationUserName,DeviceMacAddress,ProcessID,ExternalID,FileCreateTime,FileHash,FileID,FileModificationTime,FilePath,FilePermission,FileType,FileName,FileSize,ReceivedBytes,OldFileCreateTime,OldFileHash,OldFileID,OldFileModificationTime,OldFileName,OldFilePath,OldFilePermission,OldFileSize,OldFileType,SentBytes,RequestURL,RequestClientApplication,RequestContext,RequestCookies,RequestMethod,SourceHostName,SourceMACAddress,SourceNTDomain,SourceDnsDomain,SourceServiceName,SourceTranslatedAddress,SourceTranslatedPort,SourceProcessId,SourceUserPrivileges,SourceProcessName,SourceUserID,SourceUserName,EventType,DeviceCustomIPv6Address1,DeviceCustomIPv6Address1Label,DeviceCustomIPv6Address2,DeviceCustomIPv6Address2Label,DeviceCustomIPv6Address3,DeviceCustomIPv6Address3Label,DeviceCustomIPv6Address4,DeviceCustomIPv6Address4Label,DeviceCustomFloatingPoint1,DeviceCustomFloatingPoint1Label,DeviceCustomFloatingPoint2,DeviceCustomFloatingPoint2Label,DeviceCustomFloatingPoint3,DeviceCustomFloatingPoint3Label,DeviceCustomFloatingPoint4,DeviceCustomF
loatingPoint4Label,DeviceCustomNumber1,DeviceCustomNumber1Label,DeviceCustomNumber2,DeviceCustomNumber2Label,DeviceCustomNumber3,DeviceCustomNumber3Label,DeviceCustomString1,DeviceCustomString1Label,DeviceCustomString2,DeviceCustomString2Label,DeviceCustomString3,DeviceCustomString3Label,DeviceCustomString4,DeviceCustomString4Label,DeviceCustomString5,DeviceCustomString5Label,DeviceCustomString6,DeviceCustomString6Label,DeviceCustomDate1,DeviceCustomDate1Label,DeviceCustomDate2,DeviceCustomDate2Label,FlexDate1,FlexDate1Label,FlexNumber1,FlexNumber1Label,FlexNumber2,FlexNumber2Label,FlexString1,FlexString1Label,FlexString2,FlexString2Label,AdditionalExtensions,StartTime,EndTime,Type,"_ResourceId"
Feedback on the sample data file:
1. Please move the sample data file to the https://github.com/Azure/Azure-Sentinel/tree/master/Sample%20Data/CEF folder since this is CEF data connector sample data.
2. I see just one example of DeviceAction. Can you please cover all combinations of DeviceAction that your product supports and the relevant fields that get populated depending on the different types of DeviceAction in the sample data?
3. Same feedback as point 2 above for Simplified Device action.
4. On all the fields which are not populated, like "communication Direction", etc.: are these always not populated for any type of logs your product provides? If yes, that's fine. If there are some fields that do get populated for specific log types, please provide sample data filling those fields and the relevant applicable properties as well.
5. For those fields where Device Action is specified, why aren't the Device address and Device name fields populated?
6. Since these are forensic logs, wouldn't the malicious IP, malicious IP geolocation, file information and threat information fields be captured in the original source logs on the WireX side?
7. I see the additional extensions have lots of valuable info, like the host address, proc address, DB information, record type, etc. fields. Is it possible to write a parser to extract these field values and populate relevant columns so that customers can easily correlate this data? Examples of parsers are at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers. A specific example of a similar parser built for CEF data source parsing is https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/TrendMicro/TrendMicroDeepSecurity
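Point 7 of the sample-data feedback quoted above (it appears twice in this thread, once in each copy of the review) asks for a parser that lifts the key=value pairs in `AdditionalExtensions` into their own columns. The script below is an added example, not code from this PR or from the Azure-Sentinel repository: it assumes the usual `key=value;key=value` layout of `AdditionalExtensions` in `CommonSecurityLog`, and the CSV rows and the extension key names (`hostAddress`, `procAddress`, `dbName`, `recordType`) are constructed placeholders rather than real WireX output. A connector would ship this logic as a KQL function under the Parsers folder; the Python version shows the same splitting rules and the edge cases (a value containing `=`, empty segments, a row with no extensions) on data you can run offline.

```python
import csv
import io
from typing import Dict, List

# Constructed sample rows in the shape of the PR's sample-data CSV, reduced to the columns
# the parser needs. The AdditionalExtensions key names (hostAddress, procAddress, dbName,
# recordType) are placeholders, not WireX's real field names.
SAMPLE_CSV = """DeviceVendor,DeviceProduct,ApplicationProtocol,SourceIP,AdditionalExtensions
WireX Systems,WireX NFP,DNS,10.0.0.5,hostAddress=10.0.0.5;procAddress=10.0.0.9;recordType=A
WireX Systems,WireX NFP,TDS,10.0.0.7,hostAddress=10.0.0.7;dbName=sales;recordType=query
WireX Systems,WireX NFP,HTTP,10.0.0.8,hostAddress=10.0.0.8;notes=a=b=c;recordType=request
WireX Systems,WireX NFP,TDS,10.0.0.9,
"""


def parse_additional_extensions(ext: str) -> Dict[str, str]:
    """Split a CEF AdditionalExtensions string ("k1=v1;k2=v2") into a dict.

    Only the first '=' in a segment separates key from value, so a value that itself
    contains '=' survives intact; empty segments and segments without '=' are skipped
    instead of raising, because real feeds do contain stray separators."""
    fields: Dict[str, str] = {}
    for segment in ext.split(";"):
        key, sep, value = segment.partition("=")
        key = key.strip()
        if sep and key:
            fields[key] = value.strip()
    return fields


def expand_rows(csv_text: str, columns: List[str]) -> List[Dict[str, str]]:
    """Add one column per requested extension key to every CSV row (empty string when
    the key is absent), which is what a KQL parser would do with extend/project."""
    rows: List[Dict[str, str]] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ext = parse_additional_extensions(row.get("AdditionalExtensions") or "")
        for col in columns:
            row[col] = ext.get(col, "")
        rows.append(row)
    return rows


if __name__ == "__main__":
    for row in expand_rows(SAMPLE_CSV, ["hostAddress", "dbName", "recordType"]):
        print(row["ApplicationProtocol"], row["hostAddress"], row["dbName"], row["recordType"])
```

Keys that a row does not carry come back as empty strings rather than missing columns, so downstream joins and summaries see a fixed schema regardless of which log type produced the row.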
@philipcampeau - On the sample data queries, the formatting is by design to work in the context of a data connector. So basically you need to load the json file (based on the build data connector step), and once you import that data connector json you can test the queries by directly clicking on the sample and connectivity queries. The same query copy-pasted directly in the Log Analytics editor won't work, as there's formatting included to be able to render the UX (json). Hope this clarifies.
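A way to catch the sample-query problems discussed in this thread before uploading the connector JSON: the Python linter below is an added example (not the project's own tooling, and not the Azure Sentinel validation the reviewer refers to) that loads a constructed excerpt of a connector file shaped like the one in this PR and flags queries that do not start with a table name, `where` operators not preceded by `|`, operands that look like unquoted string literals, and duplicated descriptions. The checks are heuristics, not a KQL parser, so a genuine column-to-column comparison would also be reported and must be reviewed by hand.

```python
import json
import re
from typing import Dict, List

# Constructed excerpt of a Sentinel data connector JSON, shaped like the file reviewed in
# this PR: the first sample query follows the reviewer's corrected form, the other two keep
# the original broken form (no table, bare "Where", unquoted operands, duplicated description).
CONNECTOR_JSON = r'''
{
  "id": "WireX_Systems_NFP",
  "graphQueries": [
    {
      "metricName": "Total data received",
      "legend": "CommonSecurityLog",
      "baseQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"WireX Systems\"\n| where DeviceProduct == \"WireX NFP\"\n"
    }
  ],
  "sampleQueries": [
    {
      "description": "All Imported Events from WireX",
      "query": "CommonSecurityLog| where DeviceVendor == \"WireX Systems\"| where DeviceProduct == \"WireX NFP\""
    },
    {
      "description": "Imported DNS Events from WireX",
      "query": "Where DeviceVendor in (WireX) and ApplicationProtocol contains (DNS)"
    },
    {
      "description": "Imported DNS Events from WireX",
      "query": "Where DeviceVendor in (WireX) and ApplicationProtocol contains (HTTP)"
    }
  ]
}
'''

# Tabular operators that can never be the first token of a query: a query starts with a table.
KQL_OPERATORS = {"where", "summarize", "project", "extend", "take", "limit", "sort", "order", "count"}

# Heuristic: a bare word (no quotes) right after ==, !=, contains, has or in is almost
# certainly a string literal the author forgot to quote.
BARE_OPERAND = re.compile(
    r"(?:==|!=|\b(?:contains|has|in)\b)\s*\(?\s*([A-Za-z][A-Za-z0-9]*)", re.IGNORECASE
)


def lint_query(query: str) -> List[str]:
    """Return the problems found in one KQL query string (empty list when none)."""
    problems: List[str] = []
    text = query.strip()
    first = re.match(r"[A-Za-z_][A-Za-z0-9_]*", text)
    if first is None or first.group(0).lower() in KQL_OPERATORS:
        problems.append("query must start with a table name such as CommonSecurityLog")
    # Every tabular operator must follow a pipe: "| where ...", never a bare "Where ...".
    for m in re.finditer(r"\bwhere\b", text, re.IGNORECASE):
        if not text[:m.start()].rstrip().endswith("|"):
            problems.append(f"'{m.group(0)}' at offset {m.start()} is not preceded by '|'")
    for m in BARE_OPERAND.finditer(text):
        problems.append(f"operand '{m.group(1)}' looks like an unquoted string literal")
    return problems


def lint_connector(doc: dict) -> Dict[str, List[str]]:
    """Lint every graphQueries.baseQuery and sampleQueries.query; keys identify the entry."""
    report: Dict[str, List[str]] = {}
    for i, gq in enumerate(doc.get("graphQueries", [])):
        problems = lint_query(gq.get("baseQuery", ""))
        if problems:
            report[f"graph#{i} {gq.get('metricName', '')}"] = problems
    seen: Dict[str, int] = {}
    for i, sq in enumerate(doc.get("sampleQueries", [])):
        desc = sq.get("description", "")
        problems = lint_query(sq.get("query", ""))
        if desc in seen:
            problems.append(f"description duplicates sample query #{seen[desc]}")
        seen.setdefault(desc, i)
        if problems:
            report[f"#{i} {desc}"] = problems
    return report


def run_lint(text: str = CONNECTOR_JSON) -> Dict[str, List[str]]:
    """Parse a connector JSON document and lint it."""
    return lint_connector(json.loads(text))


if __name__ == "__main__":
    for entry, problems in run_lint().items():
        print(entry)
        for p in problems:
            print("  -", p)
```

Run it against the real connector file with `run_lint(open("WireXsystemsNFP.json").read())`; an empty report means only the UI-rendering formatting the reviewer mentions remains, which this linter deliberately ignores because it strips whitespace before checking.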
preetikr
left a comment
I see some resolved comments are not yet resolved in the code / commit. I still see duplicate data connector files and sample data files in this PR which is not desirable. Just need one file that gets updated for the feedback. The md file for doc can be dropped from this PR as well.
| @@ -0,0 +1,20 @@ | |||
| # Connect your WireX Systems NFP to Azure Sentinel | |||
This md file is still in the PR - please drop this file from this PR and email to me. Thanks
Here is the file.
I sent it back on the 26th; however, I do not see your name in the email thread.
Philip Campeau
Global Systems Engineering Manager
C: 312-622-3160
P: 224-513-5242
WireX Forensics <https://youtu.be/YK_AUxQJ7Vo> & IR in 2 minutes
From: Preeti Krishna [mailto:notifications@github.com]
Sent: Thursday, September 10, 2020 1:41 PM
To: Azure/Azure-Sentinel
Cc: philipcampeau; Mention
Subject: Re: [Azure/Azure-Sentinel] Adding WireX Data Connector (#901)
@preetikr requested changes on this pull request.
I see some resolved comments are not yet resolved in the code / commit. I still see duplicate data connector files and sample data files in this PR which is not desirable. Just need one file that gets updated for the feedback. The md file for doc can be dropped from this PR as well.
_____
In DataConnectors/WireXSystems/how to doc/WireX_Systems_CEF_Connector.md <#901 (comment)> :
@@ -0,0 +1,20 @@
+# Connect your WireX Systems NFP to Azure Sentinel
This md file is still in the PR - please drop this file from this PR and email to me. Thanks
Closing this since the changes are tracked in new PR #1064
Fixes #
Proposed Changes