# CTERA Syslog connector for Microsoft Sentinel

The CTERA Data Connector for Microsoft Sentinel offers monitoring and threat detection capabilities for your CTERA solution. It includes a workbook visualizing the sum of all operations per type, deletions, and denied access operations. It also provides analytics rules that detect ransomware incidents and alert you when a user is blocked due to suspicious ransomware activity. Additionally, it helps you identify critical patterns such as mass access denied events, mass deletions, and mass permission changes, enabling proactive threat management and response.
This is autogenerated content. For changes, contact the solution provider.
## Connector attributes

| Connector attribute | Description |
|---|---|
| Log Analytics table(s) | Syslog |
| Data collection rules support | Workspace transform DCR |
| Supported by | CTERA |
## Query samples

Query to find all denied operations.

```kusto
Syslog
| where ProcessName == 'gw-audit'
| extend TenantName = extract("(\"vportal\":\"[^\"]*\")", 1, SyslogMessage), UserName = extract("(user=[^\n|]*)", 1, SyslogMessage)
| extend Permission = extract("(op=[^\n|]*)", 1, SyslogMessage)
| where Permission matches regex @"(?i).*denied.*"
| summarize Count = count() by Permission
```

Query to find all delete operations.

```kusto
Syslog
| where ProcessName == 'gw-audit'
| extend TenantName = extract("(\"vportal\":\"[^\"]*\")", 1, SyslogMessage), UserName = extract("(user=[^\n|]*)", 1, SyslogMessage)
| extend Permission = extract("(op=[^\n|]*)", 1, SyslogMessage)
| where Permission == "op=delete"
| summarize Count = count() by Permission
```

Query to summarize operations by user.

```kusto
Syslog
| where ProcessName == 'gw-audit'
| extend TenantName = extract("(\"vportal\":\"[^\"]*\")", 1, SyslogMessage), UserName = extract("(user=[^\n|]*)", 1, SyslogMessage)
| extend Permission = extract("(op=[^\n|]*)", 1, SyslogMessage)
| summarize Count = count() by UserName, Permission
```

Query to summarize operations by a portal tenant.

```kusto
Syslog
| where ProcessName == 'gw-audit'
| extend TenantName = extract("(\"vportal\":\"[^\"]*\")", 1, SyslogMessage), UserName = extract("(user=[^\n|]*)", 1, SyslogMessage)
| extend Permission = extract("(op=[^\n|]*)", 1, SyslogMessage)
| summarize Count = count() by TenantName, Permission
```

Query to find operations performed by a specific user.

```kusto
Syslog
| where ProcessName == 'gw-audit'
| extend TenantName = extract("(\"vportal\":\"[^\"]*\")", 1, SyslogMessage), UserName = extract("(user=[^\n|]*)", 1, SyslogMessage)
| extend Permission = extract("(op=[^\n|]*)", 1, SyslogMessage)
| where UserName == 'user=specific_user'
| summarize Count = count() by Permission
```
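The query samples all rely on the same three `extract()` patterns over `SyslogMessage`. The following Python port is an added example, not part of the connector or of CTERA's documentation: it applies the same regexes to a handful of constructed `gw-audit` messages (the field layout `user=...|op=...|path=...` is an assumption made to fit the patterns) and reproduces the denied-operation count, the per-user delete count, and a simple "mass deletion" threshold of the kind the connector's analytics rules alert on.

```python
import re
from collections import Counter

# Regexes mirror the extract() calls in the Sentinel query samples above.
TENANT_RE = re.compile(r'("vportal":"[^"]*")')
USER_RE = re.compile(r'(user=[^\n|]*)')
OP_RE = re.compile(r'(op=[^\n|]*)')
DENIED_RE = re.compile(r'(?i).*denied.*')

# Constructed sample SyslogMessage values. The pipe-delimited layout is a
# hypothetical one chosen to match the regexes, not CTERA's documented format.
SAMPLE_MESSAGES = [
    '{"vportal":"acme"} user=alice|op=delete|path=/shared/q1.xlsx',
    '{"vportal":"acme"} user=alice|op=delete|path=/shared/q2.xlsx',
    '{"vportal":"acme"} user=alice|op=delete|path=/shared/q3.xlsx',
    '{"vportal":"acme"} user=bob|op=read denied|path=/finance/payroll.csv',
    '{"vportal":"globex"} user=carol|op=write|path=/eng/design.md',
]


def parse_message(msg):
    """Return (TenantName, UserName, Permission) as the KQL extend steps would; None where no match."""
    def first(rx):
        m = rx.search(msg)
        return m.group(1) if m else None
    return first(TENANT_RE), first(USER_RE), first(OP_RE)


def count_denied(messages):
    """Equivalent of: where Permission matches regex '(?i).*denied.*' | summarize count() by Permission."""
    counts = Counter()
    for msg in messages:
        _, _, perm = parse_message(msg)
        if perm and DENIED_RE.match(perm):
            counts[perm] += 1
    return dict(counts)


def deletes_per_user(messages):
    """Equivalent of: where Permission == 'op=delete' | summarize count() by UserName."""
    counts = Counter()
    for msg in messages:
        _, user, perm = parse_message(msg)
        if perm == "op=delete":
            counts[user] += 1
    return dict(counts)


def mass_delete_users(messages, threshold=3):
    """Users whose delete count reaches the threshold: the 'mass deletion' pattern the connector alerts on."""
    return sorted(u for u, n in deletes_per_user(messages).items() if n >= threshold)
```

In Sentinel the same threshold would be expressed with `summarize count() by UserName, bin(TimeGenerated, 5m)` followed by a `where` on the count; the Python version drops the time bin to stay self-contained.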
## Vendor installation instructions

### Step 1: Connect CTERA Platform to Syslog

Set up your CTERA portal syslog connection and Edge-Filer Syslog connector.

### Step 2: Install Azure Monitor Agent (AMA) on Syslog Server

Install the Azure Monitor Agent (AMA) on your syslog server to enable data collection.
## Next steps

For more information, go to the related solution in the Azure Marketplace.