diff --git a/blog/2025-09-01-release-notes-1.4.0.mdx b/blog/2025-09-01-release-notes-1.4.0.mdx index 83c89559..d966169f 100644 --- a/blog/2025-09-01-release-notes-1.4.0.mdx +++ b/blog/2025-09-01-release-notes-1.4.0.mdx @@ -5,7 +5,7 @@ tags: [release] title: Version 1.4.0 Released --- -This release introduces powerful new capabilities for Azure integration and data management. With the new **Settings** menu and **Microsoft Stats** dashboard, managing your workspace and monitoring data flow has never been easier. We've expanded our device and target support with **Azure Blob Storage**, **Azure Event Hubs**, **Microsoft Sentinel Data Lake**, and **Elasticsearch**, while enhancing Windows device capabilities with additional log types and pipeline selection options. Important bug fixes improve configuration persistence and content management workflows. +This release introduces powerful new capabilities for Azure integration and data management. With the new **Settings** menu and **Microsoft Stats** dashboard, managing your workspace and monitoring data flow has never been easier. We've expanded our device and target support with **Azure Blob Storage**, **Azure Event Hubs**, **Microsoft Sentinel data lake**, and **Elasticsearch**, while enhancing Windows device capabilities with additional log types and pipeline selection options. Important bug fixes improve configuration persistence and content management workflows. {/* truncate */} diff --git a/docs/appendix/field-formats/csl.mdx b/docs/appendix/field-formats/csl.mdx index e4666b0c..f95a9261 100644 --- a/docs/appendix/field-formats/csl.mdx +++ b/docs/appendix/field-formats/csl.mdx @@ -5,7 +5,7 @@ pagination_next: null # CSL -The Common Security Log (CSL) is a standardized schema developed by Microsoft for Azure Sentinel (now Microsoft Sentinel). It provides: +The Common Security Log (CSL) is a standardized schema used in Microsoft Sentinel. It provides: **Common Fields**: 
diff --git a/docs/appendix/field-formats/estreamer.mdx b/docs/appendix/protocols/estreamer.mdx similarity index 100% rename from docs/appendix/field-formats/estreamer.mdx rename to docs/appendix/protocols/estreamer.mdx diff --git a/docs/appendix/field-formats/netflow.mdx b/docs/appendix/protocols/netflow.mdx similarity index 100% rename from docs/appendix/field-formats/netflow.mdx rename to docs/appendix/protocols/netflow.mdx diff --git a/docs/configuration/devices/microsoft-sentinel.mdx b/docs/configuration/devices/microsoft-sentinel.mdx index 9fbe112a..6a1adc2b 100644 --- a/docs/configuration/devices/microsoft-sentinel.mdx +++ b/docs/configuration/devices/microsoft-sentinel.mdx @@ -4,7 +4,7 @@ ## Synopsis -Creates a collector that fetches security incidents from Azure Sentinel workspaces. Supports authentication, batch processing, and automatic incident tracking with incremental updates. +Creates a collector that fetches security incidents from Microsoft Sentinel workspaces. Supports authentication, batch processing, and automatic incident tracking with incremental updates. ## Schema diff --git a/docs/configuration/pipelines/processors/fqdn.mdx b/docs/configuration/pipelines/processors/fqdn.mdx index b994df69..2d7b4d01 100644 --- a/docs/configuration/pipelines/processors/fqdn.mdx +++ b/docs/configuration/pipelines/processors/fqdn.mdx @@ -52,7 +52,7 @@ The following fields are used to define the processor: ## Details -The processor analyzes hostname strings and extracts meaningful components based on ASIM (Azure Sentinel Information Model) logic. It supports multiple input formats: +The processor analyzes hostname strings and extracts meaningful components based on ASIM (Advanced Security Information Model) logic. It supports multiple input formats: - **URLs**: Full URLs with protocols (http://, https://) are parsed to extract the hostname component - **FQDNs**: Domain names like `web01.example.com` are split into hostname and domain parts 
diff --git a/docs/configuration/pipelines/processors/username-type.mdx b/docs/configuration/pipelines/processors/username-type.mdx index cd9d1916..a7ec8bd0 100644 --- a/docs/configuration/pipelines/processors/username-type.mdx +++ b/docs/configuration/pipelines/processors/username-type.mdx @@ -11,7 +11,7 @@ sidebar_custom_props: ## Synopsis -An identity analysis processor that classifies usernames according to their format type following ASIM (Azure Sentinel Information Model) standards, supporting UPN, Windows, Distinguished Name, and Simple username formats for enhanced security analysis. +An identity analysis processor that classifies usernames according to their format type following ASIM standards, supporting UPN, Windows, Distinguished Name, and Simple username formats for enhanced security analysis. ## Schema @@ -49,7 +49,7 @@ The following fields are used to define the processor: The processor identifies username formats based on structural patterns and assigns appropriate ASIM-compliant type classifications. This enables consistent username analysis across different authentication systems and security platforms. :::note -The processor follows ASIM standards for username type classification, ensuring compatibility with Azure Sentinel and other SIEM systems. +The processor follows ASIM standards for username type classification, ensuring compatibility with Microsoft Sentinel and other SIEM systems. ::: Username type detection uses pattern matching to identify format characteristics. UPN format contains "@" symbols, Windows format contains backslashes, Distinguished Names contain LDAP components, and Simple format represents basic usernames without special formatting. diff --git a/docs/configuration/pipelines/processors/windows-user-type.mdx b/docs/configuration/pipelines/processors/windows-user-type.mdx index a4f1821a..a53a7ff8 100644 --- a/docs/configuration/pipelines/processors/windows-user-type.mdx 
+++ b/docs/configuration/pipelines/processors/windows-user-type.mdx @@ -51,7 +51,7 @@ The following fields are used to define the processor: The processor analyzes Windows user accounts using both username patterns and SID structures to provide accurate user type classification. SID analysis takes priority over username patterns for more reliable identification. :::note -The processor follows ASIM standards for Windows user type classification, ensuring compatibility with Azure Sentinel and Windows security monitoring systems. +The processor follows ASIM standards for Windows user type classification, ensuring compatibility with Microsoft Sentinel and Windows security monitoring systems. ::: SID-based classification uses well-known SID patterns and prefixes to identify system accounts, services, and domain accounts. Username pattern analysis provides additional context for accounts that don't match specific SID patterns. diff --git a/sidebars.ts b/sidebars.ts index 748774a7..541ff515 100644 --- a/sidebars.ts +++ b/sidebars.ts @@ -362,9 +362,7 @@ const sidebars: SidebarsConfig = { "appendix/field-formats/cim", "appendix/field-formats/csl", "appendix/field-formats/ecs", - "appendix/field-formats/estreamer", "appendix/field-formats/leef", - "appendix/field-formats/netflow", ], }, { @@ -375,9 +373,11 @@ const sidebars: SidebarsConfig = { description: "Protocol specifications" }, items: [ + "appendix/protocols/estreamer", "appendix/protocols/ipfix", "appendix/protocols/kafka", "appendix/protocols/nats", + "appendix/protocols/netflow", "appendix/protocols/rabbitmq", "appendix/protocols/redis", "appendix/protocols/sflow", diff --git a/topics.json b/topics.json index 41452d51..c41e641d 100644 --- a/topics.json +++ b/topics.json 
@@ -36,6 +36,7 @@ "processors-uppercase": "/configuration/pipelines/processors/uppercase", "snmp-authentication": "/configuration/devices/snmp-trap#authentication-protocols", "snmp-privacy": "/configuration/devices/snmp-trap#privacy-protocols", + "appendix-bnf": "/appendix/configuration-bnf", "appendix-avro": "/appendix/file-formats/avro", "appendix-avro-compression": "/appendix/file-formats/avro#compression-codecs", @@ -46,11 +47,12 @@ "appendix-cef": "/appendix/field-formats/cef", "appendix-cim": "/appendix/field-formats/cim", "appendix-ecs": "/appendix/field-formats/ecs", - "appendix-estreamer": "/appendix/field-formats/estreamer", "appendix-leef": "/appendix/field-formats/leef", - "appendix-netflow": "/appendix/field-formats/netflow", + "appendix-estreamer": "/appendix/protocols/estreamer", + "appendix-netflow": "/appendix/protocols/netflow", "appendix-ipfix": "/appendix/protocols/ipfix", "appendix-sflow": "/appendix/protocols/sflow", "appendix-syslog": "/appendix/protocols/syslog", + "tutorials-local-pipeline": "/tutorials/a-local-pipeline" } \ No newline at end of file diff --git a/versioned_docs/version-1.1.0/administration/devices/ms-sentinel.mdx b/versioned_docs/version-1.1.0/administration/devices/ms-sentinel.mdx index 532b5cca..3d9ed23c 100644 --- a/versioned_docs/version-1.1.0/administration/devices/ms-sentinel.mdx +++ b/versioned_docs/version-1.1.0/administration/devices/ms-sentinel.mdx @@ -4,7 +4,7 @@ ## Synopsis -Creates a collector that fetches security incidents from Azure Sentinel workspaces. Supports authentication, batch processing, and automatic incident tracking with incremental updates. +Creates a collector that fetches security incidents from Microsoft Sentinel workspaces. Supports authentication, batch processing, and automatic incident tracking with incremental updates. ## Schema 
diff --git a/versioned_docs/version-1.2.0/configuration/devices/microsoft-sentinel.mdx b/versioned_docs/version-1.2.0/configuration/devices/microsoft-sentinel.mdx index 9fbe112a..6a1adc2b 100644 --- a/versioned_docs/version-1.2.0/configuration/devices/microsoft-sentinel.mdx +++ b/versioned_docs/version-1.2.0/configuration/devices/microsoft-sentinel.mdx @@ -4,7 +4,7 @@ ## Synopsis -Creates a collector that fetches security incidents from Azure Sentinel workspaces. Supports authentication, batch processing, and automatic incident tracking with incremental updates. +Creates a collector that fetches security incidents from Microsoft Sentinel workspaces. Supports authentication, batch processing, and automatic incident tracking with incremental updates. ## Schema diff --git a/versioned_docs/version-1.2.0/configuration/overview.mdx b/versioned_docs/version-1.2.0/configuration/overview.mdx index 1578dbb8..ee5f21ec 100644 --- a/versioned_docs/version-1.2.0/configuration/overview.mdx +++ b/versioned_docs/version-1.2.0/configuration/overview.mdx @@ -70,7 +70,7 @@ Configuration files are organized in three main directories under `config/`: - **`devices/`** - Input source configurations for data ingestion (syslog, kafka, http, netflow, etc.) - **`routes/`** - Data routing and conditional flow control between devices, pipelines, and targets -- **`targets/`** - Output destination configurations (elasticsearch, azure sentinel, splunk, etc.) +- **`targets/`** - Output destination configurations (elasticsearch, microsoft sentinel, splunk, etc.) Each directory can contain multiple YAML files organized according to your preferred structure - either grouped by function, environment, or kept as individual files per component. diff --git a/versioned_docs/version-1.2.0/configuration/pipelines/processors/fqdn.mdx b/versioned_docs/version-1.2.0/configuration/pipelines/processors/fqdn.mdx index b994df69..c3792d55 100644 
--- a/versioned_docs/version-1.2.0/configuration/pipelines/processors/fqdn.mdx +++ b/versioned_docs/version-1.2.0/configuration/pipelines/processors/fqdn.mdx @@ -52,7 +52,7 @@ The following fields are used to define the processor: ## Details -The processor analyzes hostname strings and extracts meaningful components based on ASIM (Azure Sentinel Information Model) logic. It supports multiple input formats: +The processor analyzes hostname strings and extracts meaningful components based on ASIM logic. It supports multiple input formats: - **URLs**: Full URLs with protocols (http://, https://) are parsed to extract the hostname component - **FQDNs**: Domain names like `web01.example.com` are split into hostname and domain parts diff --git a/versioned_docs/version-1.2.0/configuration/pipelines/processors/username-type.mdx b/versioned_docs/version-1.2.0/configuration/pipelines/processors/username-type.mdx index cd9d1916..a7ec8bd0 100644 --- a/versioned_docs/version-1.2.0/configuration/pipelines/processors/username-type.mdx +++ b/versioned_docs/version-1.2.0/configuration/pipelines/processors/username-type.mdx @@ -11,7 +11,7 @@ sidebar_custom_props: ## Synopsis -An identity analysis processor that classifies usernames according to their format type following ASIM (Azure Sentinel Information Model) standards, supporting UPN, Windows, Distinguished Name, and Simple username formats for enhanced security analysis. +An identity analysis processor that classifies usernames according to their format type following ASIM standards, supporting UPN, Windows, Distinguished Name, and Simple username formats for enhanced security analysis. ## Schema 
@@ -49,7 +49,7 @@ The following fields are used to define the processor: The processor identifies username formats based on structural patterns and assigns appropriate ASIM-compliant type classifications. This enables consistent username analysis across different authentication systems and security platforms. :::note -The processor follows ASIM standards for username type classification, ensuring compatibility with Azure Sentinel and other SIEM systems. +The processor follows ASIM standards for username type classification, ensuring compatibility with Microsoft Sentinel and other SIEM systems. ::: Username type detection uses pattern matching to identify format characteristics. UPN format contains "@" symbols, Windows format contains backslashes, Distinguished Names contain LDAP components, and Simple format represents basic usernames without special formatting. diff --git a/versioned_docs/version-1.2.0/configuration/pipelines/processors/windows-user-type.mdx b/versioned_docs/version-1.2.0/configuration/pipelines/processors/windows-user-type.mdx index a4f1821a..a53a7ff8 100644 --- a/versioned_docs/version-1.2.0/configuration/pipelines/processors/windows-user-type.mdx +++ b/versioned_docs/version-1.2.0/configuration/pipelines/processors/windows-user-type.mdx 
@@ -51,7 +51,7 @@ The following fields are used to define the processor: The processor analyzes Windows user accounts using both username patterns and SID structures to provide accurate user type classification. SID analysis takes priority over username patterns for more reliable identification. :::note -The processor follows ASIM standards for Windows user type classification, ensuring compatibility with Azure Sentinel and Windows security monitoring systems. +The processor follows ASIM standards for Windows user type classification, ensuring compatibility with Microsoft Sentinel and Windows security monitoring systems. ::: SID-based classification uses well-known SID patterns and prefixes to identify system accounts, services, and domain accounts. Username pattern analysis provides additional context for accounts that don't match specific SID patterns. diff --git a/versioned_docs/version-1.3.0/configuration/devices/microsoft-sentinel.mdx b/versioned_docs/version-1.3.0/configuration/devices/microsoft-sentinel.mdx index 9fbe112a..6a1adc2b 100644 --- a/versioned_docs/version-1.3.0/configuration/devices/microsoft-sentinel.mdx +++ b/versioned_docs/version-1.3.0/configuration/devices/microsoft-sentinel.mdx @@ -4,7 +4,7 @@ ## Synopsis -Creates a collector that fetches security incidents from Azure Sentinel workspaces. Supports authentication, batch processing, and automatic incident tracking with incremental updates. +Creates a collector that fetches security incidents from Microsoft Sentinel workspaces. Supports authentication, batch processing, and automatic incident tracking with incremental updates. ## Schema diff --git a/versioned_docs/version-1.3.0/configuration/pipelines/processors/fqdn.mdx b/versioned_docs/version-1.3.0/configuration/pipelines/processors/fqdn.mdx index b994df69..c3792d55 100644 --- a/versioned_docs/version-1.3.0/configuration/pipelines/processors/fqdn.mdx +++ b/versioned_docs/version-1.3.0/configuration/pipelines/processors/fqdn.mdx 
@@ -52,7 +52,7 @@ The following fields are used to define the processor: ## Details -The processor analyzes hostname strings and extracts meaningful components based on ASIM (Azure Sentinel Information Model) logic. It supports multiple input formats: +The processor analyzes hostname strings and extracts meaningful components based on ASIM logic. It supports multiple input formats: - **URLs**: Full URLs with protocols (http://, https://) are parsed to extract the hostname component - **FQDNs**: Domain names like `web01.example.com` are split into hostname and domain parts diff --git a/versioned_docs/version-1.3.0/configuration/pipelines/processors/username-type.mdx b/versioned_docs/version-1.3.0/configuration/pipelines/processors/username-type.mdx index cd9d1916..a7ec8bd0 100644 --- a/versioned_docs/version-1.3.0/configuration/pipelines/processors/username-type.mdx +++ b/versioned_docs/version-1.3.0/configuration/pipelines/processors/username-type.mdx @@ -11,7 +11,7 @@ sidebar_custom_props: ## Synopsis -An identity analysis processor that classifies usernames according to their format type following ASIM (Azure Sentinel Information Model) standards, supporting UPN, Windows, Distinguished Name, and Simple username formats for enhanced security analysis. +An identity analysis processor that classifies usernames according to their format type following ASIM standards, supporting UPN, Windows, Distinguished Name, and Simple username formats for enhanced security analysis. ## Schema 
@@ -49,7 +49,7 @@ The following fields are used to define the processor: The processor identifies username formats based on structural patterns and assigns appropriate ASIM-compliant type classifications. This enables consistent username analysis across different authentication systems and security platforms. :::note -The processor follows ASIM standards for username type classification, ensuring compatibility with Azure Sentinel and other SIEM systems. +The processor follows ASIM standards for username type classification, ensuring compatibility with Microsoft Sentinel and other SIEM systems. ::: Username type detection uses pattern matching to identify format characteristics. UPN format contains "@" symbols, Windows format contains backslashes, Distinguished Names contain LDAP components, and Simple format represents basic usernames without special formatting. diff --git a/versioned_docs/version-1.3.0/configuration/pipelines/processors/windows-user-type.mdx b/versioned_docs/version-1.3.0/configuration/pipelines/processors/windows-user-type.mdx index a4f1821a..a53a7ff8 100644 --- a/versioned_docs/version-1.3.0/configuration/pipelines/processors/windows-user-type.mdx +++ b/versioned_docs/version-1.3.0/configuration/pipelines/processors/windows-user-type.mdx 
@@ -51,7 +51,7 @@ The following fields are used to define the processor: The processor analyzes Windows user accounts using both username patterns and SID structures to provide accurate user type classification. SID analysis takes priority over username patterns for more reliable identification. :::note -The processor follows ASIM standards for Windows user type classification, ensuring compatibility with Azure Sentinel and Windows security monitoring systems. +The processor follows ASIM standards for Windows user type classification, ensuring compatibility with Microsoft Sentinel and Windows security monitoring systems. ::: SID-based classification uses well-known SID patterns and prefixes to identify system accounts, services, and domain accounts. Username pattern analysis provides additional context for accounts that don't match specific SID patterns.
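Review bot: The rewritten sentence in docs/appendix/field-formats/csl.mdx loses the provenance the old text carried. "A standardized schema used in Microsoft Sentinel" no longer says who defines the schema, and "developed by Microsoft" was the useful part of the original; only the "Azure Sentinel (now Microsoft Sentinel)" aside needed to go. Suggest: "The Common Security Log (CSL) is a standardized schema developed by Microsoft and used in Microsoft Sentinel. It provides:".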
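Review bot: The ASIM acronym is handled three different ways in this patch. docs/configuration/pipelines/processors/fqdn.mdx spells it out as "ASIM (Advanced Security Information Model)", docs/configuration/pipelines/processors/username-type.mdx removes the parenthetical entirely ("following ASIM standards"), and the version-1.2.0 and version-1.3.0 copies of fqdn.mdx also drop it ("based on ASIM logic"), so the current and versioned fqdn pages now diverge on a one-line correction. The underlying fix is the same everywhere (the old "Azure Sentinel Information Model" expansion was wrong), so apply one convention: expand the acronym on first use in each page, or link it to a glossary entry, and use identical wording in the versioned copies. Also, version-1.1.0 receives only the ms-sentinel.mdx synopsis change; if the fqdn, username-type and windows-user-type processor pages exist in that version too, they still carry the old "Azure Sentinel" wording.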
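Review bot: The renames of estreamer.mdx and netflow.mdx from docs/appendix/field-formats/ to docs/appendix/protocols/ change the published URLs. The patch updates sidebars.ts and topics.json but adds no redirect from the old /appendix/field-formats/estreamer and /appendix/field-formats/netflow paths, so bookmarks, search-engine results and any in-page links not resolved through topics.json will 404. Add client-side redirects for both old paths (Docusaurus supports this through its client-redirects plugin) and search the docs and versioned_docs trees for the old paths before merging. Both renames are "similarity index 100%", so the file bodies were not touched; confirm neither carries pagination_prev/pagination_next frontmatter or relative links that still point at field-formats siblings (csl.mdx in this same patch shows these appendix pages use pagination_next).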
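Review bot: In topics.json the new "tutorials-local-pipeline" and "appendix-bnf" entries point at /tutorials/a-local-pipeline and /appendix/configuration-bnf, but no files under those paths appear anywhere in this patch; confirm the target pages exist, since a dangling entry in the link map will produce a 404 wherever the topic id is used. Two smaller points in the same hunks: the moved "appendix-netflow" entry lands before "appendix-ipfix" while the rest of the protocols block (ipfix, sflow, syslog) is alphabetical, and the file still ends with "\ No newline at end of file", which means every future key appended at the bottom shows up as a two-line change; add the trailing newline now while the last line is already being touched.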