
????????? #10455

Closed
vincentche1 opened this issue May 8, 2024 · 11 comments
Labels: Connector (Connector specialty review needed)

Comments

@vincentche1

vincentche1 commented May 8, 2024

No description provided.

v-sudkharat added the Connector (Connector specialty review needed) label on May 9, 2024
@v-sudkharat
Contributor

Hi @vincentche1, thanks for flagging this issue. We will investigate it and get back to you with an update by 16-05-2024. Thanks!

@vincentche1
Author

Dear @v-sudkharat, I hope you can expedite this, as the problem is impacting customer workflows. Please let me know if you need further details for the investigation.
The parser for Trend Micro Apex One CEF logs: https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Trend%20Micro%20Apex%20One/Parsers/TMApexOneEvent.yaml

@v-sudkharat
Contributor

@vincentche1, sure, and thanks for providing the details.

@vincentche1
Author

Hi @v-sudkharat, we hope that you can expedite this issue, as it has been pending for a considerable time.

@v-sudkharat
Contributor

Hi @vincentche1, we were unable to address this issue because of our lack of availability. We'll investigate it and give you an update by 25-05-2024. Thanks!

@v-sudkharat
Contributor

Hi @vincentche1, I just want to check a few points with you:

  1. As per the description you gave, you are facing the issue in step C, where data is not received into the CommonSecurityLog table. Is that correct?
    [screenshot]

  2. Could you please check and let us know the "streams" name of the existing Data Collection Rule? Please share the JSON view with us if possible:
    [screenshot]

  3. Could you please validate and let us know whether the configuration below, mentioned in steps A and B, has been done in the Azure and Apex portals:
    [screenshot]

Thanks!

@v-sudkharat
Contributor

@vincentche1, OK, noted. Let us check and we will update you.

@MeirLevinMicrosoft
Contributor

@vincentche1, from the log sample you sent, it seems like the log header is not compliant with CEF:
[screenshot of the log sample]

https://www.microfocus.com/documentation/arcsight/arcsight-smartconnectors-8.4/pdfdoc/cef-implementation-standard/cef-implementation-standard.pdf

Try removing "tmes[1]:" from the log header.

Also, I think the log date format is not compliant either. This should not stop the logs from being ingested, but it might result in an inconsistency between the actual log timestamp and the CommonSecurityLog timestamp.
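To make the header point above concrete, here is an added example (written for this page; it is not code from the Azure-Sentinel repository, the TMApexOneEvent parser, or any Trend Micro product) that applies the header rules from the linked CEF standard to a constructed log line. The sample line, its host name, and the placement of the "tmes[1]:" tag are constructed; the ISO-style `rt=` value is constructed only to illustrate a non-compliant date format, since the thread does not show the real one. The accepted `rt` formats are a subset of those the standard lists, and the rule that "CEF:" must directly follow the syslog header is this example's reading of the standard, not a description of how the Azure Monitor Agent parses.

```python
"""Strict CEF header check for a syslog-transported event.

Added example, not code from the Azure-Sentinel repository or from Trend Micro.
It models the failure mode raised in the thread: a program tag ("tmes[1]:")
between the syslog header and "CEF:" makes the line non-compliant, and stripping
the tag makes it parse. All sample lines below are constructed.
"""
import re
from datetime import datetime

# RFC 3164-style syslog prefix: optional <PRI>, "MMM dd HH:MM:SS", hostname, space.
_SYSLOG_PREFIX = re.compile(
    r"^(?:<\d{1,3}>)?[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} \S+ ")
# A "tag[pid]:" program prefix; CEF expects "CEF:" right after the syslog header.
_PROGRAM_TAG = re.compile(r"^[A-Za-z][\w.-]*(?:\[\d+\])?:\s*")
# Header fields split on unescaped pipes; "\|" is a literal pipe inside a field.
_UNESCAPED_PIPE = re.compile(r"(?<!\\)\|")
# Extension keys: "key=" at the start of the extension or after whitespace.
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")

HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "class_id", "name", "severity")
# Assumption: a subset of the timestamp formats the CEF standard accepts for rt.
_RT_FORMATS = ("%b %d %Y %H:%M:%S", "%b %d %H:%M:%S")


def split_syslog(line):
    """Return (syslog_prefix, message); prefix is '' when the line has none."""
    m = _SYSLOG_PREFIX.match(line)
    return (m.group(0), line[m.end():]) if m else ("", line)


def parse_extensions(ext):
    """Parse 'key=value key2=value 2' into a dict, unescaping '\\=' and '\\\\'."""
    keys = list(_EXT_KEY.finditer(ext))
    out = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        out[m.group(1)] = ext[m.end():end].replace("\\=", "=").replace("\\\\", "\\")
    return out


def parse_cef(line):
    """Parse strictly: after the syslog header the message must start with 'CEF:'
    and carry seven pipe-delimited header fields. Raises ValueError otherwise."""
    _, msg = split_syslog(line)
    if not msg.startswith("CEF:"):
        raise ValueError(f"message does not start with 'CEF:' (got {msg[:16]!r})")
    parts = _UNESCAPED_PIPE.split(msg[len("CEF:"):], maxsplit=7)
    if len(parts) < 7:
        raise ValueError(f"expected 7 header fields, found {len(parts)}")
    header = dict(zip(HEADER_FIELDS, (p.replace("\\|", "|") for p in parts[:7])))
    if not header["version"].isdigit():
        raise ValueError(f"bad CEF version {header['version']!r}")
    ext = parse_extensions(parts[7]) if len(parts) == 8 else {}
    return {"header": header, "extensions": ext}


def rt_is_compliant(value):
    """True for epoch milliseconds or one of the accepted 'MMM dd ...' forms."""
    if value.isdigit():
        return True
    for fmt in _RT_FORMATS:
        try:
            datetime.strptime(value, fmt)
            return True
        except ValueError:
            continue
    return False


def strip_program_tag(line):
    """Remove a 'tmes[1]:'-style tag sitting between the syslog header and 'CEF:'."""
    prefix, msg = split_syslog(line)
    m = _PROGRAM_TAG.match(msg)
    if not msg.startswith("CEF:") and m and msg[m.end():].startswith("CEF:"):
        return prefix + msg[m.end():]
    return line


def validate(line):
    """Return a list of compliance problems; an empty list means the line is fine."""
    try:
        event = parse_cef(line)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    rt = event["extensions"].get("rt")
    if rt is not None and not rt_is_compliant(rt):
        problems.append(f"rt value {rt!r} is not a CEF timestamp format")
    return problems


# Constructed sample: syslog header, the offending "tmes[1]:" tag, then the CEF message.
BAD_LINE = ("May  8 10:15:32 apexone-host tmes[1]: CEF:0|Trend Micro|Apex One|14.0|"
            "100|Spyware Detection|3|rt=2024-05-08 10:15:32 src=10.0.0.5 shost=WS01 "
            "msg=constructed sample\\=line")

if __name__ == "__main__":
    print(validate(BAD_LINE))                 # header problem: tag before CEF:
    print(validate(strip_program_tag(BAD_LINE)))  # only the rt format remains
```

Running the block shows the two-stage picture the comment describes: with the tag in place the line is rejected at the header, and once the tag is stripped the header parses and only the timestamp format is flagged, which matches the expectation that ingestion resumes while timestamps may still disagree with the CommonSecurityLog value.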

@MeirLevinMicrosoft
Contributor

In case you don't get even the mock messages, it's not a formatting issue. I suggest:

  1. Make sure you have latest agent version
  2. Execute CEF troubleshooter:
    sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py && sudo python3 Sentinel_AMA_troubleshoot.py

Please note the formatting issue remains IMO, so once you get the mock messages you will still need to fix it.
Also, for further assistance I suggest opening a ticket with Azure Sentinel, as more data is required to understand the root cause.

@vincentche1
Author

Dear @MeirLevinMicrosoft, @v-sudkharat, could you let me know whether there is any update, or any further information you need to check?

@v-sudkharat
Contributor

v-sudkharat commented May 28, 2024

Requesting that you follow the procedure. Thanks!

vincentche1 changed the title from "Trend Micro Apex One cannot ingest some kinds of CEF log into Sentinel" to "?????????" on May 28, 2024