Netclean ProActive Incidents connector for Microsoft Sentinel
This connector uses the Netclean Webhook (required) and Logic Apps to push data into Microsoft Sentinel Log Analytics
This is autogenerated content. For changes, contact the solution provider.
Connector attributes
| Connector attribute | Description |
|---|---|
| Log Analytics table(s) | Netclean_Incidents_CL |
| Data collection rules support | Not currently supported |
| Supported by | NetClean |
Query samples
Netclean - All Activities.
Netclean_Incidents_CL
| sort by TimeGenerated desc
Vendor installation instructions
Note
The data connector relies on Azure Logic Apps to receive and push data to Log Analytics This might result in additional data ingestion costs. It's possible to test this without Logic Apps or NetClean Proactive see option 2
Option 1: deploy Logic app (requires NetClean Proactive)
- Download and install the Logic app here: https://portal.azure.com/#create/netcleantechnologiesab1651557549734.netcleanlogicappnetcleanproactivelogicapp)
- Go to your newly created logic app
In your Logic app designer, click +New Step and search for “Azure Log Analytics Data Collector” click it and select “Send Data”
Enter the Custom Log Name: Netclean_Incidents and a dummy value in the Json request body and click save Go to code view on the top ribbon and scroll down to line ~100 it should start with "Body"
replace the line entirly with:
"body": "{\n"Hostname":"@{variables('machineName')}",\n"agentType":"@{triggerBody()['value']['agent']['type']}",\n"Identifier":"@{triggerBody()?['key']?['identifier']}",\n"type":"@{triggerBody()?['key']?['type']}",\n"version":"@{triggerBody()?['value']?['incidentVersion']}",\n"foundTime":"@{triggerBody()?['value']?['foundTime']}",\n"detectionMethod":"@{triggerBody()?['value']?['detectionHashType']}",\n"agentInformatonIdentifier":"@{triggerBody()?['value']?['device']?['identifier']}",\n"osVersion":"@{triggerBody()?['value']?['device']?['operatingSystemVersion']}",\n"machineName":"@{variables('machineName')}",\n"microsoftCultureId":"@{triggerBody()?['value']?['device']?['microsoftCultureId']}",\n"timeZoneId":"@{triggerBody()?['value']?['device']?['timeZoneName']}",\n"microsoftGeoId":"@{triggerBody()?['value']?['device']?['microsoftGeoId']}",\n"domainname":"@{variables('domain')}",\n"Agentversion":"@{triggerBody()['value']['agent']['version']}",\n"Agentidentifier":"@{triggerBody()['value']['identifier']}",\n"loggedOnUsers":"@{variables('Usernames')}",\n"size":"@{triggerBody()?['value']?['file']?['size']}",\n"creationTime":"@{triggerBody()?['value']?['file']?['creationTime']}",\n"lastAccessTime":"@{triggerBody()?['value']?['file']?['lastAccessTime']}",\n"lastWriteTime":"@{triggerBody()?['value']?['file']?['lastModifiedTime']}",\n"sha1":"@{triggerBody()?['value']?['file']?['calculatedHashes']?['sha1']}",\n"nearbyFiles_sha1":"@{variables('nearbyFiles_sha1s')}",\n"externalIP":"@{triggerBody()?['value']?['device']?['resolvedExternalIp']}",\n"domain":"@{variables('domain')}",\n"hasCollectedNearbyFiles":"@{variables('hasCollectedNearbyFiles')}",\n"filePath":"@{replace(triggerBody()['value']['file']['path'], '\', '\\')}",\n"m365WebUrl":"@{triggerBody()?['value']?['file']?['microsoft365']?['webUrl']}",\n"m365CreatedBymail":"@{triggerBody()?['value']?['file']?['createdBy']?['graphIdentity']?['user']?['mail']}",\n"m365LastModifiedByMail":"@{triggerBody()?['value']?['file']?['lastModifiedBy']?['graphIdentity']?['user']?['mail']}",\n"m365LibraryId":"@{triggerBody()?['value']?['file']?['microsoft365']?['library']?['id']}",\n"m365LibraryDisplayName":"@{triggerBody()?['value']?['file']?['microsoft365']?['library']?['displayName']}",\n"m365Librarytype":"@{triggerBody()?['value']?['file']?['microsoft365']?['library']?['type']}",\n"m365siteid":"@{triggerBody()?['value']?['file']?['microsoft365']?['site']?['id']}",\n"m365sitedisplayName":"@{triggerBody()?['value']?['file']?['microsoft365']?['site']?['displayName']}",\n"m365sitename":"@{triggerBody()?['value']?['file']?['microsoft365']?['parent']?['name']}",\n"countOfAllNearByFiles":"@{variables('countOfAllNearByFiles')}",\n\n}",
click save
3. Copy the HTTP POST URL
4. Go to your NetClean ProActive web console, and go to settings, Under Webhook configure a new webhook using the URL copied from step 3
5. Verify functionality by triggering a Demo Incident.
Option 2 (Testing only)
Ingest data using a api function. please use the script found on Send log data to Azure Monitor by using the HTTP Data Collector API
Replace the CustomerId and SharedKey values with your values
Replace the content in $json variable to the sample data.
Set the LogType varible to Netclean_Incidents_CL
Run the script
Next steps
For more information, go to the related solution in the Azure Marketplace.