Azure-Sentinel/Solutions/KasperskySecurityCenter/Parsers/KasperskySCEvent.yaml

id: 5c69cb42-4362-4270-82a3-107fd2a89399
Function:
  Title: Parser for KasperskySCEvent
  Version: '1.0.0'
  LastUpdated: '2023-08-23'
Category: Microsoft Sentinel Parser
FunctionName: KasperskySCEvent
FunctionAlias: KasperskySCEvent
FunctionQuery: |
    CommonSecurityLog
    | where DeviceVendor =~ 'KasperskyLab'
    | extend EventVendor = 'KasperskyLab'
    | extend EventProduct = 'SecurityCenter'
    | extend EventSchemaVersion = 0.2
    | extend EventCount = 1
    | extend DeviceCustomNumber1 = coalesce(column_ifexists("FieldDeviceCustomNumber1", long(null)),DeviceCustomNumber1),
             DeviceCustomNumber2 = coalesce(column_ifexists("FieldDeviceCustomNumber2", long(null)),DeviceCustomNumber2),
             DeviceCustomNumber3 = coalesce(column_ifexists("FieldDeviceCustomNumber3", long(null)),DeviceCustomNumber3)
    | extend ExtraAttributes = extract(@'cs7=(.*?);cs7Label', 1, AdditionalExtensions)
    | extend GroupName = extract(@'cs9=(.*?);cs9Label', 1, AdditionalExtensions)
    | extend Service = extract(@'cs10=(.*?);cs10Label', 1, AdditionalExtensions)
    | extend EventEndTime = todatetime(ReceiptTime)
    | extend ExternalID = coalesce(column_ifexists("ExtID", ""),tostring(ExternalID))
    | project-rename EventProductVersion=DeviceVersion
                    , EventId=DeviceEventClassID
                    , EventSeverity=LogSeverity
                    , DstPortNumber=DestinationPort
                    , DstIpAddr=DestinationIP
                    , DstDvcHostname=DestinationHostName
                    , DstUserName=DestinationUserName
                    , DvcIpAddr=DeviceAddress
                    , DvcHostname=DeviceName
                    , NetworkApplicationProtocol=Protocol
                    , SrcPortNumber=SourcePort
                    , SrcIpAddr=SourceIP
                    , Id=ExternalID
                    , SrcDvcHostname=SourceHostName
                    , ProductName=DeviceCustomString2
                    , ProductVersion=DeviceCustomString3
    | extend ThreatName=case(EventId in~ ('GNRL_EV_VIRUS_FOUND_AND_BLOCKED', 'GNRL_EV_SUSPICIOUS_OBJECT_FOUND'), DeviceCustomString1, '')
    | extend ObjectName=case(EventId in~ ('GNRL_EV_VIRUS_FOUND_AND_BLOCKED', 'GNRL_EV_SUSPICIOUS_OBJECT_FOUND'), DeviceCustomString5, '')
    | extend DetectionType=case(EventId in~ ('GNRL_EV_VIRUS_FOUND_AND_BLOCKED', 'GNRL_EV_SUSPICIOUS_OBJECT_FOUND'), DeviceCustomString6, '')
    | extend TaskOldState=case(EventId =~ 'KLPRCI_TaskState', DeviceCustomNumber1, todynamic(''))
    | extend TaskNewState=case(EventId =~ 'KLPRCI_TaskState', DeviceCustomNumber2, todynamic(''))
    | extend TaskName=case(EventId =~ 'KLPRCI_TaskState', DeviceCustomString5, '')
    | extend TaskId=case(EventId =~ 'KLPRCI_TaskState', DeviceCustomString4, '')
    | extend EventOriginalResultDetails=Activity
    | extend ActingProcessFileProduct = extract(@'Application: (.*?)\\[rn]', 1, Message)
    | extend ActingProcessName = extract(@'Application\\Name: (.*?)\\[rn]', 1, Message)
    | extend ActingProcessId = extract(@'Process ID: (\d+)\\[rn]', 1, Message)
    | extend EventResult = extract(@'Result\\\\Description: (\w+)\\[rn]', 1, Message)
    | extend PossibleImpact = extract(@'Result\\\\Type: (.*?)\\[rn]', 1, Message)
    | extend ThreatLevel = extract(@'Threat level: (.*?)\\[rn]', 1, Message)
    | extend ResultPrecision = extract(@'Result\\\\Precision: (\w+)\\[rn]', 1, Message)
    | extend Object = extract(@'Object: (.*?)\\[rn]', 1, Message)
    | extend ObjectType = extract(@'Object\\\\Type: (.*?)\\[rn]', 1, Message)
    | extend ObjectPath = extract(@'Object\\\\Path: (.*?)\\[rn]', 1, Message)
    | extend ObjectName = extract(@'Object\\\\Name: (.*?)\\[rn]', 1, Message)
    | extend EventReason = extract(@'Reason: (.*?)\\[rn]', 1, Message)
    | extend EventReason = coalesce(column_ifexists("Reason",""),EventReason)
    | extend DatabaseReleaseTime = todatetime(extract(@'Database release date: (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})', 1, replace_regex(Message, @'Database release date: (\d{2})/(\d{2})/(\d{4}) (\d{2}:\d{2}:\d{2})', @'Database release date: \3-\2-\1 \4')))
    | project-away Message
                , Activity
                , ReceiptTime
                , DeviceVendor
                , DeviceProduct
                , DeviceCustomNumber1
                , DeviceCustomNumber1Label
                , DeviceCustomNumber2
                , DeviceCustomNumber2Label
                , DeviceCustomString1
                , DeviceCustomString1Label
                , DeviceCustomString2Label
                , DeviceCustomString3Label
                , DeviceCustomString4
                , DeviceCustomString4Label
                , DeviceCustomString5
                , DeviceCustomString5Label
                , DeviceCustomString6
                , DeviceCustomString6Label
                , AdditionalExtensions
Updated the yaml files with latest parsers 2023-08-23 16:28:47 +03:00			`id: 5c69cb42-4362-4270-82a3-107fd2a89399`
Parsers txt and other files converted to Yaml format 2023-08-22 15:26:41 +03:00			`Function:`
			`Title: Parser for KasperskySCEvent`
			`Version: '1.0.0'`
Updated the yaml files with latest parsers 2023-08-23 16:28:47 +03:00			`LastUpdated: '2023-08-23'`
Parsers txt and other files converted to Yaml format 2023-08-22 15:26:41 +03:00			`Category: Microsoft Sentinel Parser`
			`FunctionName: KasperskySCEvent`
			`FunctionAlias: KasperskySCEvent`
			`FunctionQuery: \|`
			`CommonSecurityLog`
			`\| where DeviceVendor =~ 'KasperskyLab'`
			`\| extend EventVendor = 'KasperskyLab'`
			`\| extend EventProduct = 'SecurityCenter'`
			`\| extend EventSchemaVersion = 0.2`
			`\| extend EventCount = 1`
			`\| extend DeviceCustomNumber1 = coalesce(column_ifexists("FieldDeviceCustomNumber1", long(null)),DeviceCustomNumber1),`
			`DeviceCustomNumber2 = coalesce(column_ifexists("FieldDeviceCustomNumber2", long(null)),DeviceCustomNumber2),`
			`DeviceCustomNumber3 = coalesce(column_ifexists("FieldDeviceCustomNumber3", long(null)),DeviceCustomNumber3)`
			`\| extend ExtraAttributes = extract(@'cs7=(.*?);cs7Label', 1, AdditionalExtensions)`
			`\| extend GroupName = extract(@'cs9=(.*?);cs9Label', 1, AdditionalExtensions)`
			`\| extend Service = extract(@'cs10=(.*?);cs10Label', 1, AdditionalExtensions)`
			`\| extend EventEndTime = todatetime(ReceiptTime)`
			`\| extend ExternalID = coalesce(column_ifexists("ExtID", ""),tostring(ExternalID))`
			`\| project-rename EventProductVersion=DeviceVersion`
			`, EventId=DeviceEventClassID`
			`, EventSeverity=LogSeverity`
			`, DstPortNumber=DestinationPort`
			`, DstIpAddr=DestinationIP`
			`, DstDvcHostname=DestinationHostName`
			`, DstUserName=DestinationUserName`
			`, DvcIpAddr=DeviceAddress`
			`, DvcHostname=DeviceName`
			`, NetworkApplicationProtocol=Protocol`
			`, SrcPortNumber=SourcePort`
			`, SrcIpAddr=SourceIP`
			`, Id=ExternalID`
			`, SrcDvcHostname=SourceHostName`
			`, ProductName=DeviceCustomString2`
			`, ProductVersion=DeviceCustomString3`
			`\| extend ThreatName=case(EventId in~ ('GNRL_EV_VIRUS_FOUND_AND_BLOCKED', 'GNRL_EV_SUSPICIOUS_OBJECT_FOUND'), DeviceCustomString1, '')`
			`\| extend ObjectName=case(EventId in~ ('GNRL_EV_VIRUS_FOUND_AND_BLOCKED', 'GNRL_EV_SUSPICIOUS_OBJECT_FOUND'), DeviceCustomString5, '')`
			`\| extend DetectionType=case(EventId in~ ('GNRL_EV_VIRUS_FOUND_AND_BLOCKED', 'GNRL_EV_SUSPICIOUS_OBJECT_FOUND'), DeviceCustomString6, '')`
			`\| extend TaskOldState=case(EventId =~ 'KLPRCI_TaskState', DeviceCustomNumber1, todynamic(''))`
			`\| extend TaskNewState=case(EventId =~ 'KLPRCI_TaskState', DeviceCustomNumber2, todynamic(''))`
			`\| extend TaskName=case(EventId =~ 'KLPRCI_TaskState', DeviceCustomString5, '')`
			`\| extend TaskId=case(EventId =~ 'KLPRCI_TaskState', DeviceCustomString4, '')`
			`\| extend EventOriginalResultDetails=Activity`
			`\| extend ActingProcessFileProduct = extract(@'Application: (.*?)\\[rn]', 1, Message)`
			`\| extend ActingProcessName = extract(@'Application\\Name: (.*?)\\[rn]', 1, Message)`
			`\| extend ActingProcessId = extract(@'Process ID: (\d+)\\[rn]', 1, Message)`
			`\| extend EventResult = extract(@'Result\\\\Description: (\w+)\\[rn]', 1, Message)`
			`\| extend PossibleImpact = extract(@'Result\\\\Type: (.*?)\\[rn]', 1, Message)`
			`\| extend ThreatLevel = extract(@'Threat level: (.*?)\\[rn]', 1, Message)`
			`\| extend ResultPrecision = extract(@'Result\\\\Precision: (\w+)\\[rn]', 1, Message)`
			`\| extend Object = extract(@'Object: (.*?)\\[rn]', 1, Message)`
			`\| extend ObjectType = extract(@'Object\\\\Type: (.*?)\\[rn]', 1, Message)`
			`\| extend ObjectPath = extract(@'Object\\\\Path: (.*?)\\[rn]', 1, Message)`
			`\| extend ObjectName = extract(@'Object\\\\Name: (.*?)\\[rn]', 1, Message)`
			`\| extend EventReason = extract(@'Reason: (.*?)\\[rn]', 1, Message)`
			`\| extend EventReason = coalesce(column_ifexists("Reason",""),EventReason)`
			`\| extend DatabaseReleaseTime = todatetime(extract(@'Database release date: (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})', 1, replace_regex(Message, @'Database release date: (\d{2})/(\d{2})/(\d{4}) (\d{2}:\d{2}:\d{2})', @'Database release date: \3-\2-\1 \4')))`
			`\| project-away Message`
			`, Activity`
			`, ReceiptTime`
			`, DeviceVendor`
			`, DeviceProduct`
			`, DeviceCustomNumber1`
			`, DeviceCustomNumber1Label`
			`, DeviceCustomNumber2`
			`, DeviceCustomNumber2Label`
			`, DeviceCustomString1`
			`, DeviceCustomString1Label`
			`, DeviceCustomString2Label`
			`, DeviceCustomString3Label`
			`, DeviceCustomString4`
			`, DeviceCustomString4Label`
			`, DeviceCustomString5`
			`, DeviceCustomString5Label`
			`, DeviceCustomString6`
			`, DeviceCustomString6Label`
			`, AdditionalExtensions`