[Deprecated] Symantec ProxySG connector for Microsoft Sentinel
Important
Log collection from many appliances and devices is now supported by the Common Event Format (CEF) via AMA, Syslog via AMA, or Custom Logs via AMA data connector in Microsoft Sentinel. For more information, see Find your Microsoft Sentinel data connector.
The Symantec ProxySG allows you to easily connect your Symantec ProxySG logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigations. Integrating Symantec ProxySG with Microsoft Sentinel provides more visibility into your organization's network proxy traffic and will enhance security monitoring capabilities.
This is autogenerated content. For changes, contact the solution provider.
Connector attributes
Connector attribute | Description |
---|---|
Log Analytics table(s) | Syslog (SymantecProxySG) |
Data collection rules support | Workspace transform DCR |
Supported by | Microsoft Corporation |
Query samples
Top 10 Denied Users
SymantecProxySG
| where sc_filter_result == 'DENIED'
| summarize count() by cs_userdn
| top 10 by count_
Top 10 Denied Client IPs
SymantecProxySG
| where sc_filter_result == 'DENIED'
| summarize count() by c_ip
| top 10 by count_
Prerequisites
To integrate with [Deprecated] Symantec ProxySG make sure you have:
- Symantec ProxySG: must be configured to export logs via Syslog
Vendor installation instructions
Note
This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias Symantec Proxy SG and load the function code or click here, on the second line of the query, enter the hostname(s) of your Symantec Proxy SG device(s) and any other unique identifiers for the logstream. The function usually takes 10-15 minutes to activate after solution installation/update.
- Install and onboard the agent for Linux
Typically, you should install the agent on a different computer from the one on which the logs are generated.
Syslog logs are collected only from Linux agents.
- Configure the logs to be collected
Configure the facilities you want to collect and their severities.
Under workspace advanced settings Configuration, select Data and then Syslog.
Select Apply below configuration to my machines and select the facilities and severities.
Click Save.
Configure and connect the Symantec ProxySG
Log in to the Blue Coat Management Console .
Select Configuration > Access Logging > Formats.
Select New.
Enter a unique name in the Format Name field.
Click the radio button for Custom format string and paste the following string into the field.
1 $(date) $(time) $(time-taken) $(c-ip) $(cs-userdn) $(cs-auth-groups) $(x-exception-id) $(sc-filter-result) $(cs-categories) $(quot)$(cs(Referer))$(quot) $(sc-status) $(s-action) $(cs-method) $(quot)$(rs(Content-Type))$(quot) $(cs-uri-scheme) $(cs-host) $(cs-uri-port) $(cs-uri-path) $(cs-uri-query) $(cs-uri-extension) $(quot)$(cs(User-Agent))$(quot) $(s-ip) $(sr-bytes) $(rs-bytes) $(x-virus-id) $(x-bluecoat-application-name) $(x-bluecoat-application-operation) $(cs-uri-port) $(x-cs-client-ip-country) $(cs-threat-risk)
Next steps
For more information, go to the related solution in the Azure Marketplace.