ACNCD_DataConnectors_final#767
Conversation
ghost
requested review from
Amitbergman,
KobyKoren,
YaronFruchtmann,
dicolanl,
ianhelle,
juliango2100,
liemilyg,
mgladi,
morshabi,
orco365,
preetikr,
sagamzu,
shainw and
timbMSFT
as code owners
|
Re-submission of ACNCD_DataConnectors_sub3 #750 (#750) -- (will delete), due to significant changes from previous PR (#729) approval/merge. @shainw -- I went back and made modifications to the (4) previously submitted Syslog detections rules to accommodate for threshold variables, bin_TimeGenerated, and dataTypes. |
shainw
left a comment
shainw
left a comment
There was a problem hiding this comment.
Some minor fixes before I can approve. :)
preetikr
left a comment
preetikr
left a comment
There was a problem hiding this comment.
In addition,
- Sample Data/Custom/SophosXGFirewall.json has the hostname and host IP having the same values. Can you check if the parser is formatting the same output to both fields as the host name should be different from the IP? Also please fix the sample file for this after fixing (if needed) the parser.
There was a problem hiding this comment.
@chicduong - In general, all the dataTypes specified should match your JSON dataType value. Most of these should be Syslog, some are your custom Okta_CL which is fine.
Also, these can get a bit confusing because of their number of files and the details in each. I would suggest in the future to submit a PR for each data connector and detections for that data connector. :)
ghost
left a comment
ghost
left a comment
There was a problem hiding this comment.
@shainw As mentioned above, I'm confused on this, because based on our discussion in PR #750 (#750) the Dataypes should be the name of the table, since these alerts depend on a Kusto Function that would make the table name SymantecVIP instead of Syslog.
They dataTypes value in the JSON are currently listed as Syslog (SymantecVIP), Syslog (Infoblox) and so forth, is this incorrect? Should it be either SymantecVIP or Syslog?
|
@shainw I wanted to follow up on the comments I provided above. |
| - connectorId: InfobloxNIOS | ||
| dataTypes: | ||
| - Syslog | ||
| - InfobloxNIOS |
There was a problem hiding this comment.
@chicduong - leave this as dataType Syslog - this change can be dropped from the PR.
| - connectorId: InfobloxNIOS | ||
| dataTypes: | ||
| - Syslog | ||
| - InfobloxNIOS |
There was a problem hiding this comment.
@chicduong - leave this as dataType Syslog - this change can be dropped from the PR.
| - connectorId: PulseConnectSecure | ||
| dataTypes: | ||
| - Syslog | ||
| - PulseConnectSecure |
There was a problem hiding this comment.
@chicduong - leave this as dataType Syslog - this change can be dropped from the PR.
| requiredDataConnectors: | ||
| - connectorId: SophosXGFirewall | ||
| dataTypes: | ||
| - SophosXGFirewall |
There was a problem hiding this comment.
@chicduong - change this as dataType Syslog
| - connectorId: SymantecProxySG | ||
| dataTypes: | ||
| - Syslog | ||
| - SymantecProxySG |
There was a problem hiding this comment.
@chicduong - change this as dataType Syslog - drop this change from the PR
| - connectorId: SymantecProxySG | ||
| dataTypes: | ||
| - Syslog | ||
| - SymantecProxySG |
There was a problem hiding this comment.
@chicduong - this should be dataType Syslog
| - connectorId: SymantecVIP | ||
| dataTypes: | ||
| - Syslog | ||
| - SymantecVIP |
There was a problem hiding this comment.
@chicduong - this dataType should be Syslog - drop this change from the PR
2 participants
Fixes #
Proposed Changes