Edit

Symantec ProxySG connector for Microsoft Sentinel

  • Article

The Symantec ProxySG allows you to easily connect your Symantec ProxySG logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigations. Integrating Symantec ProxySG with Microsoft Sentinel provides more visibility into your organization's network proxy traffic and will enhance security monitoring capabilities.

Connector attributes

Connector attribute Description
Log Analytics table(s) Syslog (SymantecProxySG)
Data collection rules support Workspace transform DCR
Supported by Microsoft Corporation

Query samples

Top 10 Denied Users

SymantecProxySG 

| where sc_filter_result == 'DENIED' 

| summarize count() by cs_userdn 

| top 10 by count_

Top 10 Denied Client IPs

SymantecProxySG 

| where sc_filter_result == 'DENIED' 

| summarize count() by c_ip 

| top 10 by count_

Prerequisites

To integrate with Symantec ProxySG make sure you have:

  • Symantec ProxySG: must be configured to export logs via Syslog

Vendor installation instructions

Note

This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias Symantec Proxy SG and load the function code or click here, on the second line of the query, enter the hostname(s) of your Symantec Proxy SG device(s) and any other unique identifiers for the logstream. The function usually takes 10-15 minutes to activate after solution installation/update.

  1. Install and onboard the agent for Linux

Typically, you should install the agent on a different computer from the one on which the logs are generated.

Syslog logs are collected only from Linux agents.

  1. Configure the logs to be collected

Configure the facilities you want to collect and their severities.

  1. Under workspace advanced settings Configuration, select Data and then Syslog.

  2. Select Apply below configuration to my machines and select the facilities and severities.

  3. Click Save.

  4. Configure and connect the Symantec ProxySG

  5. Log in to the Blue Coat Management Console .

  6. Select Configuration > Access Logging > Formats.

  7. Select New.

  8. Enter a unique name in the Format Name field.

  9. Click the radio button for Custom format string and paste the following string into the field.

1 $(date) $(time) $(time-taken) $(c-ip) $(cs-userdn) $(cs-auth-groups) $(x-exception-id) $(sc-filter-result) $(cs-categories) $(quot)$(cs(Referer))$(quot) $(sc-status) $(s-action) $(cs-method) $(quot)$(rs(Content-Type))$(quot) $(cs-uri-scheme) $(cs-host) $(cs-uri-port) $(cs-uri-path) $(cs-uri-query) $(cs-uri-extension) $(quot)$(cs(User-Agent))$(quot) $(s-ip) $(sr-bytes) $(rs-bytes) $(x-virus-id) $(x-bluecoat-application-name) $(x-bluecoat-application-operation) $(cs-uri-port) $(x-cs-client-ip-country) $(cs-threat-risk)

6. Click the **OK** button. 7. Click the **Apply** button. 8. [Follow these instructions](https://knowledge.broadcom.com/external/article/166529/sending-access-logs-to-a-syslog-server.html) to enable syslog streaming of **Access** Logs. Use the IP address or hostname for the Linux device with the Linux agent installed as the Destination IP address

Next steps

For more information, go to the related solution in the Azure Marketplace.