diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoft365Defender/ASimNetworkSessionMicrosoft365Defender.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoft365Defender/ASimNetworkSessionMicrosoft365Defender.json
index 557fa1f4c4..309c57ecf4 100644
--- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoft365Defender/ASimNetworkSessionMicrosoft365Defender.json
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoft365Defender/ASimNetworkSessionMicrosoft365Defender.json
@@ -28,7 +28,7 @@ "displayName": "M365 Defender Network Sessions", "category": "Security", "FunctionAlias": "ASimNetworkSessionMicrosoft365Defender", - "query": "let M365Defender=(disabled:bool=false){\n let DirectionLookup=datatable(ActionType:string,NetworkDirection:string,Outbound:boolean)[\n 'ConnectionSuccess','Outbound', true\n ,'ConnectionFailed', 'Outbound', true\n ,'ConnectionRequest','Outbound', true\n ,'InboundConnectionAccepted', 'Inbound', false\n ,'ConnectionFound', 'Unknown', false\n ,'ListeningConnectionCreated', 'Listening', false \n ];\n // -- Common preprocessing to both input and outbound events\n let RawNetworkEvents =\n DeviceNetworkEvents | where not(disabled)\n | extend\n // Event\n EventOriginalUid = tostring(ReportId),\n EventCount = int(1),\n EventProduct = 'M365 Defender for Endpoint',\n EventVendor = 'Microsoft',\n EventSchema = 'NetworkSession',\n EventSchemaVersion = '0.1.0',\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventType = 'NetworkSession',\n EventResult = iff(ActionType=='ConnectionFailed','Failure','Success'),\n EventSeverity = \"Informational\",\n DvcIdType = 'MDEid'\n | project-rename\n NetworkProtocol = Protocol,\n DvcFQDN = DeviceName\n | extend\n User = iff (InitiatingProcessAccountDomain == '', InitiatingProcessAccountName, strcat(InitiatingProcessAccountDomain, '\\\\', InitiatingProcessAccountName)),\n UsernameType = iff(InitiatingProcessAccountDomain == '','Simple', 'Windows'),\n SplitHostname = split(DvcFQDN,\".\"),\n SplitUrl = split(RemoteUrl,\".\")\n | extend \n DvcHostname = SplitHostname[0],\n DvcDomain = strcat_array(array_slice(SplitHostname, 1, -1), '.'),\n UrlHostname = SplitUrl[0],\n UrlDomain = strcat_array(array_slice(SplitUrl, 1, -1), '.'),\n SrcDomainType = \"FQDN\",\n DvcDomainType = \"FQDN\",\n DstDomainType = \"FQDN\",\n DvcIpAddr = LocalIP\n | extend\n Dvc = DvcHostname \n | project-rename\n DvcId = DeviceId\n | project-away SplitUrl, SplitHostname\n ;\n let 
OutboundNetworkEvents = \n RawNetworkEvents\n | lookup DirectionLookup on ActionType\n | where Outbound\n | project-rename\n DstIpAddr = RemoteIP,\n SrcIpAddr = LocalIP,\n DstPortNumber = RemotePort,\n SrcPortNumber = LocalPort,\n SrcUsernameType = UsernameType,\n SrcUserAadId = InitiatingProcessAccountObjectId,\n SrcUserId = InitiatingProcessAccountSid,\n SrcUserUpn = InitiatingProcessAccountUpn,\n SrcUserDomain = InitiatingProcessAccountDomain\n | extend\n SrcUsername = User,\n SrcDvcId = DvcId,\n SrcDvcIdType = 'MDEid',\n SrcUserIdType = \"SID\",\n DstHostname = tostring(UrlHostname)\n | project-rename\n DstDomain = UrlDomain,\n DstFQDN = RemoteUrl\n | extend \n SrcHostname = DvcHostname,\n SrcDomain = DvcDomain,\n SrcFQDN = DvcDomain\n // Processes\n | extend\n SrcProcessId = tostring(InitiatingProcessId),\n ParentProcessId = tostring(InitiatingProcessParentId)\n | project-rename\n SrcProcessName = InitiatingProcessFileName,\n SrcProcessCommandLine = InitiatingProcessCommandLine,\n SrcProcessCreationTime = InitiatingProcessCreationTime,\n SrcProcessIntegrityLevel = InitiatingProcessIntegrityLevel,\n SrcProcessTokenElevation = InitiatingProcessTokenElevation,\n ParentProcessName = InitiatingProcessParentFileName,\n ParentProcessCreationTime = InitiatingProcessParentCreationTime\n // SrcProcessFileSize = InitiatingProcessFileSize,\n // SrcProcessCompany = InitiatingProcessVersionInfoCompanyName,\n // SrcProcessFileProduct = InitiatingProcessVersionInfoProductName,\n // SrcProcessFileVersion = InitiatingProcessVersionInfoProductVersion,\n // SrcProcessFileInternalName = InitiatingProcessVersionInfoInternalFileName,\n // SrcProcessFileOriginalName = InitiatingProcessVersionInfoOriginalFileName,\n // SrcProcessFileDescription = InitiatingProcessVersionInfoFileDescription\n | extend\n Process = SrcProcessName,\n ProcessId = SrcProcessId,\n SrcAppName = SrcProcessName,\n SrcAppType = \"Process\"\n ;\n let InboundNetworkEvents = \n RawNetworkEvents\n | lookup 
DirectionLookup on ActionType\n | where not(Outbound)\n | project-rename\n SrcIpAddr = RemoteIP,\n DstIpAddr = LocalIP,\n SrcPortNumber = RemotePort,\n DstPortNumber = LocalPort,\n DstUsernameType = UsernameType,\n DstUserAadId = InitiatingProcessAccountObjectId,\n DstUserId = InitiatingProcessAccountSid,\n DstUserUpn = InitiatingProcessAccountUpn,\n DstUserDomain = InitiatingProcessAccountDomain\n | extend\n DstUsername = User,\n DstDvcId = DvcId,\n DstDvcIdType = 'MDEid',\n DstUserIdType = 'SID'\n | project-rename\n SrcHostname = UrlHostname,\n SrcDomain = UrlDomain,\n SrcFQDN = RemoteUrl\n | extend \n DstHostname = tostring(DvcHostname),\n DstDomain = DvcDomain,\n DstFQDN = DvcFQDN\n // Processes\n | extend\n DstProcessId = tostring(InitiatingProcessId),\n ParentProcessId = tostring(InitiatingProcessParentId)\n | project-rename\n DstProcessName = InitiatingProcessFileName,\n DstProcessCommandLine = InitiatingProcessCommandLine,\n DstProcessCreationTime = InitiatingProcessCreationTime,\n DstProcessIntegrityLevel = InitiatingProcessIntegrityLevel,\n DstProcessTokenElevation = InitiatingProcessTokenElevation,\n ParentProcessName = InitiatingProcessParentFileName,\n ParentProcessCreationTime = InitiatingProcessParentCreationTime\n // SrcProcessFileSize = InitiatingProcessFileSize,\n // SrcProcessCompany = InitiatingProcessVersionInfoCompanyName,\n // SrcProcessFileProduct = InitiatingProcessVersionInfoProductName,\n // SrcProcessFileVersion = InitiatingProcessVersionInfoProductVersion,\n // SrcProcessFileInternalName = InitiatingProcessVersionInfoInternalFileName,\n // SrcProcessFileOriginalName = InitiatingProcessVersionInfoOriginalFileName,\n // SrcProcessFileDescription = InitiatingProcessVersionInfoFileDescription\n | extend\n Process = DstProcessName,\n ProcessId = DstProcessId,\n DstAppName = DstProcessName,\n DstAppType = \"Process\"\n ;\n union InboundNetworkEvents, OutboundNetworkEvents\n | extend // aliases\n Hostname = DstHostname,\n IpAddr = SrcIpAddr \n 
};\n M365Defender(disabled)\n", + "query": "let M365Defender=(disabled:bool=false){\n let DirectionLookup=datatable(ActionType:string,NetworkDirection:string,Outbound:boolean)[\n 'ConnectionSuccess','Outbound', true\n ,'ConnectionFailed', 'Outbound', true\n ,'ConnectionRequest','Outbound', true\n ,'InboundConnectionAccepted', 'Inbound', false\n ,'ConnectionFound', 'Unknown', false\n ,'ListeningConnectionCreated', 'Listening', false \n ];\n // -- Common preprocessing to both input and outbound events\n let RawNetworkEvents =\n DeviceNetworkEvents | where not(disabled)\n | extend\n // Event\n EventOriginalUid = tostring(ReportId),\n EventCount = int(1),\n EventProduct = 'M365 Defender for Endpoint',\n EventVendor = 'Microsoft',\n EventSchema = 'NetworkSession',\n EventSchemaVersion = '0.1.0',\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventType = 'NetworkSession',\n EventResult = iff(ActionType=='ConnectionFailed','Failure','Success'),\n EventSeverity = \"Informational\",\n DvcIdType = 'MDEid'\n | project-rename\n NetworkProtocol = Protocol,\n DvcFQDN = DeviceName\n | extend\n User = iff (InitiatingProcessAccountDomain == '', InitiatingProcessAccountName, strcat(InitiatingProcessAccountDomain, '\\\\', InitiatingProcessAccountName)),\n UsernameType = iff(InitiatingProcessAccountDomain == '','Simple', 'Windows'),\n SplitHostname = split(DvcFQDN,\".\"),\n SplitUrl = split(RemoteUrl,\".\")\n | extend \n DvcHostname = SplitHostname[0],\n DvcDomain = strcat_array(array_slice(SplitHostname, 1, -1), '.'),\n UrlHostname = SplitUrl[0],\n UrlDomain = strcat_array(array_slice(SplitUrl, 1, -1), '.'),\n SrcDomainType = \"FQDN\",\n DvcDomainType = \"FQDN\",\n DstDomainType = \"FQDN\",\n DvcIpAddr = LocalIP\n | extend\n Dvc = DvcHostname \n | project-rename\n DvcId = DeviceId\n | project-away SplitUrl, SplitHostname\n ;\n let OutboundNetworkEvents = \n RawNetworkEvents\n | lookup DirectionLookup on ActionType\n | where Outbound\n | project-rename\n DstIpAddr 
= RemoteIP,\n SrcIpAddr = LocalIP,\n DstPortNumber = RemotePort,\n SrcPortNumber = LocalPort,\n SrcUsernameType = UsernameType,\n SrcUserAadId = InitiatingProcessAccountObjectId,\n SrcUserId = InitiatingProcessAccountSid,\n SrcUserUpn = InitiatingProcessAccountUpn,\n SrcUserDomain = InitiatingProcessAccountDomain\n | extend\n SrcUsername = User,\n SrcDvcId = DvcId,\n SrcDvcIdType = 'MDEid',\n SrcUserIdType = \"SID\",\n DstHostname = tostring(UrlHostname)\n | project-rename\n DstDomain = UrlDomain,\n DstFQDN = RemoteUrl\n | extend \n SrcHostname = DvcHostname,\n SrcDomain = DvcDomain,\n SrcFQDN = DvcDomain\n // Processes\n | extend\n SrcProcessId = tostring(InitiatingProcessId),\n ParentProcessId = tostring(InitiatingProcessParentId)\n | project-rename\n SrcProcessName = InitiatingProcessFileName,\n SrcProcessCommandLine = InitiatingProcessCommandLine,\n SrcProcessCreationTime = InitiatingProcessCreationTime,\n SrcProcessIntegrityLevel = InitiatingProcessIntegrityLevel,\n SrcProcessTokenElevation = InitiatingProcessTokenElevation,\n ParentProcessName = InitiatingProcessParentFileName,\n ParentProcessCreationTime = InitiatingProcessParentCreationTime\n // SrcProcessFileSize = InitiatingProcessFileSize,\n // SrcProcessCompany = InitiatingProcessVersionInfoCompanyName,\n // SrcProcessFileProduct = InitiatingProcessVersionInfoProductName,\n // SrcProcessFileVersion = InitiatingProcessVersionInfoProductVersion,\n // SrcProcessFileInternalName = InitiatingProcessVersionInfoInternalFileName,\n // SrcProcessFileOriginalName = InitiatingProcessVersionInfoOriginalFileName,\n // SrcProcessFileDescription = InitiatingProcessVersionInfoFileDescription\n | extend\n Process = SrcProcessName,\n ProcessId = SrcProcessId,\n SrcAppName = SrcProcessName,\n SrcAppType = \"Process\"\n ;\n let InboundNetworkEvents = \n RawNetworkEvents\n | lookup DirectionLookup on ActionType\n | where not(Outbound)\n | project-rename\n SrcIpAddr = RemoteIP,\n DstIpAddr = LocalIP,\n SrcPortNumber = 
RemotePort,\n DstPortNumber = LocalPort,\n DstUsernameType = UsernameType,\n DstUserAadId = InitiatingProcessAccountObjectId,\n DstUserId = InitiatingProcessAccountSid,\n DstUserUpn = InitiatingProcessAccountUpn,\n DstUserDomain = InitiatingProcessAccountDomain\n | extend\n DstUsername = User,\n DstDvcId = DvcId,\n DstDvcIdType = 'MDEid',\n DstUserIdType = 'SID'\n | project-rename\n SrcHostname = UrlHostname,\n SrcDomain = UrlDomain,\n SrcFQDN = RemoteUrl\n | extend \n DstHostname = tostring(DvcHostname),\n DstDomain = DvcDomain,\n DstFQDN = DvcFQDN\n // Processes\n | extend\n DstProcessId = tostring(InitiatingProcessId),\n ParentProcessId = tostring(InitiatingProcessParentId)\n | project-rename\n DstProcessName = InitiatingProcessFileName,\n DstProcessCommandLine = InitiatingProcessCommandLine,\n DstProcessCreationTime = InitiatingProcessCreationTime,\n DstProcessIntegrityLevel = InitiatingProcessIntegrityLevel,\n DstProcessTokenElevation = InitiatingProcessTokenElevation,\n ParentProcessName = InitiatingProcessParentFileName,\n ParentProcessCreationTime = InitiatingProcessParentCreationTime\n // SrcProcessFileSize = InitiatingProcessFileSize,\n // SrcProcessCompany = InitiatingProcessVersionInfoCompanyName,\n // SrcProcessFileProduct = InitiatingProcessVersionInfoProductName,\n // SrcProcessFileVersion = InitiatingProcessVersionInfoProductVersion,\n // SrcProcessFileInternalName = InitiatingProcessVersionInfoInternalFileName,\n // SrcProcessFileOriginalName = InitiatingProcessVersionInfoOriginalFileName,\n // SrcProcessFileDescription = InitiatingProcessVersionInfoFileDescription\n | extend\n Process = DstProcessName,\n ProcessId = DstProcessId,\n DstAppName = DstProcessName,\n DstAppType = \"Process\"\n ;\n union InboundNetworkEvents, OutboundNetworkEvents\n | extend // aliases\n Hostname = DstHostname,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr\n };\n M365Defender(disabled)\n", "version": 1, "functionParameters": "disabled:bool=False" } 
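Review bot: In the OutboundNetworkEvents branch on the new side, `SrcFQDN = DvcDomain` assigns the device's domain rather than its FQDN, which is asymmetric with the inbound branch's `DstFQDN = DvcFQDN`; `SrcFQDN = DvcFQDN` looks like what was intended and the commit leaves it as is. Related, `DvcHostname = SplitHostname[0]` is an array element, so `Dvc` and the outbound `SrcHostname = DvcHostname` carry a dynamic value while only `DstHostname = tostring(UrlHostname)` is converted; wrapping the hostname assignments in `tostring()` would give the union a single string type for those columns. The added `Src = SrcIpAddr` / `Dst = DstIpAddr` aliases pick the IP even though this source also populates SrcHostname/DstHostname and SrcDvcId/DstDvcId, so a one-line comment such as `// Src/Dst alias the IP address; hostname and device id are available as SrcHostname/SrcDvcId` would make the choice explicit for readers comparing it with the other parsers.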
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftLinuxSysmon/ASimNetworkSessionMicrosoftLinuxSysmon.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftLinuxSysmon/ASimNetworkSessionMicrosoftLinuxSysmon.json
index a895dd93fc..50ca176a36 100644
--- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftLinuxSysmon/ASimNetworkSessionMicrosoftLinuxSysmon.json
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftLinuxSysmon/ASimNetworkSessionMicrosoftLinuxSysmon.json
@@ -28,7 +28,7 @@ "displayName": "ASIM Sysmon for Linux Network Session Parser", "category": "Security", "FunctionAlias": "ASimNetworkSessionLinuxSysmon", - "query": "let DirectionNetworkEvents =\n Syslog | where not(disabled)\n | where SyslogMessage has_all ('3')\n | project-away ProcessName, ProcessID\n | parse SyslogMessage with * '' SrcIpAddr:string '' *\n | extend outbound = (SrcIpAddr == HostIP or SrcIpAddr in ('127.0.0.1', '0.0.0.0'))\n ;\n let parser = (T: (SyslogMessage: string)) {\n T \n | parse SyslogMessage with \n *\n '' EventOriginalUid:string ''\n *\n '' SysmonComputer:string ''\n *\n '' RuleName:string ''\n '' EventEndTime:datetime ''\n '{' ProcessGuid:string '}'\n '' ProcessId:string ''\n '' Process:string ''\n '' User:string ''\n '' Protocol:string '' // -- source is lowercase\n '' Initiated:bool '' \n '' SourceIsIpv6:bool ''\t\t\n '' * ''\n '' SrcHostname:string ''\n '' SrcPortNumber:int ''\n '' SrcPortName:string ''\n '' DestinationIsIpv6:bool ''\n '' DstIpAddr:string ''\n '' DstHostname:string ''\n '' DstPortNumber:int ''\n '' DstPortName:string ''\n *\n };\n let OutboundNetworkEvents = \n DirectionNetworkEvents\n | where outbound\n | invoke parser ()\n | extend\n SrcUsernameType = 'Simple',\n SrcUsername = User,\n SrcProcessId = ProcessId, \n SrcProcessGuid = ProcessGuid,\n SrcProcessName = Process,\n SrcAppName = Process,\n SrcAppType = 'Process'\n | project-away SyslogMessage\n ;\n let InboundNetworkEvents = \n DirectionNetworkEvents\n | where not(outbound)\n | invoke parser ()\n | extend\n DstUsernameType = 'Simple',\n DstUsername = User,\n DstProcessId = ProcessId, \n DstProcessGuid = ProcessGuid,\n DstProcessName = Process,\n DstAppName = Process,\n DstAppType = 'Process' \n | project-away SyslogMessage\n ;\n let SysmonForLinuxNetwork=\n union OutboundNetworkEvents, InboundNetworkEvents\n | extend \n EventType = 'NetworkSession',\n EventStartTime = EventEndTime,\n EventCount = int(1),\n EventVendor = 'Microsoft',\n EventSchemaVersion = 
'0.2.0',\n EventSchema = 'NetworkSession', \n EventProduct = 'Sysmon For Linux',\n EventResult = 'Success',\n EventSeverity = 'Informational',\n DvcOs = 'Linux',\n Protocol = toupper(Protocol),\n EventOriginalType = '3' // Set with a constant value to avoid parsing\n | project-rename \n DvcIpAddr = HostIP,\n DvcHostname = SysmonComputer\n | extend // aliases\n Dvc = DvcHostname,\n IpAddr = SrcIpAddr\n ;\n SysmonForLinuxNetwork", + "query": "let DirectionNetworkEvents =\n Syslog | where not(disabled)\n | where SyslogMessage has_all ('3')\n | project-away ProcessName, ProcessID\n | parse SyslogMessage with * '' SrcIpAddr:string '' *\n | extend outbound = (SrcIpAddr == HostIP or SrcIpAddr in ('127.0.0.1', '0.0.0.0'))\n ;\n let parser = (T: (SyslogMessage: string)) {\n T \n | parse SyslogMessage with \n *\n '' EventOriginalUid:string ''\n *\n '' SysmonComputer:string ''\n *\n '' RuleName:string ''\n '' EventEndTime:datetime ''\n '{' ProcessGuid:string '}'\n '' ProcessId:string ''\n '' Process:string ''\n '' User:string ''\n '' Protocol:string '' // -- source is lowercase\n '' Initiated:bool '' \n '' SourceIsIpv6:bool ''\t\t\n '' * ''\n '' SrcHostname:string ''\n '' SrcPortNumber:int ''\n '' SrcPortName:string ''\n '' DestinationIsIpv6:bool ''\n '' DstIpAddr:string ''\n '' DstHostname:string ''\n '' DstPortNumber:int ''\n '' DstPortName:string ''\n *\n };\n let OutboundNetworkEvents = \n DirectionNetworkEvents\n | where outbound\n | invoke parser ()\n | extend\n SrcUsernameType = 'Simple',\n SrcUsername = User,\n SrcProcessId = ProcessId, \n SrcProcessGuid = ProcessGuid,\n SrcProcessName = Process,\n SrcAppName = Process,\n SrcAppType = 'Process'\n | project-away SyslogMessage\n ;\n let InboundNetworkEvents = \n DirectionNetworkEvents\n | where not(outbound)\n | invoke parser ()\n | extend\n DstUsernameType = 'Simple',\n DstUsername = User,\n DstProcessId = ProcessId, \n DstProcessGuid = ProcessGuid,\n DstProcessName = Process,\n DstAppName = Process,\n DstAppType = 
'Process' \n | project-away SyslogMessage\n ; \n let SysmonForLinuxNetwork=\n union OutboundNetworkEvents, InboundNetworkEvents\n | extend \n EventType = 'NetworkSession',\n EventStartTime = EventEndTime,\n EventCount = int(1),\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.2.0',\n EventSchema = 'NetworkSession', \n EventProduct = 'Sysmon For Linux',\n EventResult = 'Success',\n EventSeverity = 'Informational',\n DvcOs = 'Linux',\n Protocol = toupper(Protocol),\n EventOriginalType = '3' // Set with a constant value to avoid parsing\n | project-rename \n DvcIpAddr = HostIP,\n DvcHostname = SysmonComputer\n | extend // aliases\n Dvc = DvcHostname,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr\n ;\n SysmonForLinuxNetwork", "version": 1, "functionParameters": "disabled:bool=False" } diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftMD4IoT/ASimNetworkSessionMicrosoftMD4IoT.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftMD4IoT/ASimNetworkSessionMicrosoftMD4IoT.json index d0876de80f..5228d823a8 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftMD4IoT/ASimNetworkSessionMicrosoftMD4IoT.json +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftMD4IoT/ASimNetworkSessionMicrosoftMD4IoT.json 
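Review bot: The new side still emits the transport protocol as `Protocol = toupper(Protocol)` while the M365 Defender and MD4IoT parsers in this same commit rename it to `NetworkProtocol`, so a consumer filtering on the normalized `NetworkProtocol` field gets nothing from Sysmon for Linux; `NetworkProtocol = toupper(Protocol)` in that extend, with `Protocol` dropped afterwards, would align the three. The direction test `outbound = (SrcIpAddr == HostIP or SrcIpAddr in ('127.0.0.1', '0.0.0.0'))` is a heuristic and deserves a comment, e.g. `// Direction is inferred: a source address equal to the host IP, loopback or unspecified is treated as outbound`. The parser also extracts `Initiated:bool`; if that field carries its usual Sysmon meaning (true when the local process initiated the connection), it is a more direct direction signal than the address comparison and worth considering, though the direction split happens before `invoke parser ()` runs. The parse delimiters render here as empty strings (`'' SrcIpAddr:string ''`), presumably tag text lost in rendering rather than in the file.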
@@ -28,7 +28,7 @@ "displayName": "ASIM Network Sessions Parser for Microsoft Defender for IoT - Endpoint", "category": "Security", "FunctionAlias": "ASimNetworkSessionMD4IoT", - "query": "let DirectionNetworkEvents =\n SecurityIoTRawEvent | where not(disabled)\n | where RawEventName == \"NetworkActivity\"\n | parse EventDetails with * ',\"LocalPort\":' LocalPort:int ',\"RemotePort\":' RemotePort:int ',' *\n | extend outbound = LocalPort > RemotePort\n;\nlet parser = (T: (EventDetails: string)) {\n T \n | parse EventDetails with \n '{\"LocalAddress\":\"' LocalAddress:string '\",'\n '\"RemoteAddress\":\"' RemoteAddress:string '\",'\n *\n '\"BytesIn\":' BytesIn:int ','\n '\"BytesOut\":' BytesOut:int ','\n '\"Protocol\":\"' Protocol:string '\",'\n '\"ProcessId\":' ProcessId:string ','\n '\"UserId\":' UserId:string ','\n '\"ApplicationProtocol\":\"' ApplicationProtocol:string '\",'\n * // '\"AzureResourceId\":\"' AzureResourceId:string '\",'\n '\"DeviceId\":\"' DeviceId:string '\",'\n '\"MessageSource\":\"' MessageSource:string '\",'\n '\"OriginalEventId\":\"' OriginalEventId:string '\",'\n '\"TimestampUTC\":\"' TimestampUTC:datetime '\",'\n *\n}\n; \nlet OutboundNetworkEvents = \n DirectionNetworkEvents\n | where outbound\n | invoke parser ()\n | project-rename\n SrcBytes = BytesOut,\n DstBytes = BytesIn,\n SrcPortNumber = LocalPort,\n DstIpAddr = RemoteAddress,\n DstPortNumber = RemotePort,\n SrcProcessId = ProcessId\n | extend\n SrcIpAddr = LocalAddress,\n SrcDvcIdType = \"MD4IoTid\",\n SrcUserId = UserId,\n SrcUserIdType = \"Linux\",\n SrcDvcId = DeviceId,\n Process = SrcProcessId, // alias\n SrcDvcOs = iif (MessageSource == \"Linux\", \"Linux\", \"Windows\")\n;\nlet InboundNetworkEvents = \n DirectionNetworkEvents\n | where not(outbound)\n | invoke parser ()\n | project-rename\n DstBytes = BytesOut,\n SrcBytes = BytesIn,\n DstPortNumber = LocalPort,\n SrcIpAddr = RemoteAddress,\n SrcPortNumber = RemotePort,\n DstProcessId = ProcessId\n | extend\n DstIpAddr = 
LocalAddress,\n DstDvcIdType = \"MD4IoTid\",\n DstUserId = UserId,\n DstUserIdType = \"Linux\",\n DstDvcId = DeviceId,\n Process = DstProcessId, // alias\n DstDvcOs = iif (MessageSource == \"Linux\", \"Linux\", \"Windows\")\n;\nlet NetworkSessionMD4IoT = \n union InboundNetworkEvents, OutboundNetworkEvents\n | extend\n EventCount = int(1),\n EventProduct = 'Azure Defender for IoT', \n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.2.0',\n EventSchema = \"NetworkSession\", \n EventType = 'NetworkSession',\n EventStartTime = TimeGenerated, // Open question about timestamps\n EventEndTime = TimeGenerated, // Open question about timestamps\n EventResult = 'Success',\n EventSeverity = 'Informational'\n | project-rename\n EventProductVersion = AgentVersion, // Not available in Windows\n _ResourceId = AssociatedResourceId, \n _SubscriptionId = AzureSubscriptionId, \n EventOriginalUid = OriginalEventId, // OK pending question\n DvcOs = MessageSource,\n NetworkProtocol = Protocol,\n NetworkApplicationProtocol = ApplicationProtocol,\n DvcId = DeviceId,\n DvcIpAddr = LocalAddress\n | extend\n Dvc = DvcId,\n DvcIdType = \"MD4IoTid\",\n User = UserId,\n IpAddr = SrcIpAddr\n;\nNetworkSessionMD4IoT\n", + "query": "let DirectionNetworkEvents =\n SecurityIoTRawEvent | where not(disabled)\n | where RawEventName == \"NetworkActivity\"\n | parse EventDetails with * ',\"LocalPort\":' LocalPort:int ',\"RemotePort\":' RemotePort:int ',' *\n | extend outbound = LocalPort > RemotePort\n;\nlet parser = (T: (EventDetails: string)) {\n T \n | parse EventDetails with \n '{\"LocalAddress\":\"' LocalAddress:string '\",'\n '\"RemoteAddress\":\"' RemoteAddress:string '\",'\n *\n '\"BytesIn\":' BytesIn:int ','\n '\"BytesOut\":' BytesOut:int ','\n '\"Protocol\":\"' Protocol:string '\",'\n '\"ProcessId\":' ProcessId:string ','\n '\"UserId\":' UserId:string ','\n '\"ApplicationProtocol\":\"' ApplicationProtocol:string '\",'\n * // '\"AzureResourceId\":\"' AzureResourceId:string '\",'\n 
'\"DeviceId\":\"' DeviceId:string '\",'\n '\"MessageSource\":\"' MessageSource:string '\",'\n '\"OriginalEventId\":\"' OriginalEventId:string '\",'\n '\"TimestampUTC\":\"' TimestampUTC:datetime '\",'\n *\n}\n; \nlet OutboundNetworkEvents = \n DirectionNetworkEvents\n | where outbound\n | invoke parser ()\n | project-rename\n SrcBytes = BytesOut,\n DstBytes = BytesIn,\n SrcPortNumber = LocalPort,\n DstIpAddr = RemoteAddress,\n DstPortNumber = RemotePort,\n SrcProcessId = ProcessId\n | extend\n SrcIpAddr = LocalAddress,\n SrcDvcIdType = \"MD4IoTid\",\n SrcUserId = UserId,\n SrcUserIdType = \"Linux\",\n SrcDvcId = DeviceId,\n Process = SrcProcessId, // alias\n SrcDvcOs = iif (MessageSource == \"Linux\", \"Linux\", \"Windows\")\n;\nlet InboundNetworkEvents = \n DirectionNetworkEvents\n | where not(outbound)\n | invoke parser ()\n | project-rename\n DstBytes = BytesOut,\n SrcBytes = BytesIn,\n DstPortNumber = LocalPort,\n SrcIpAddr = RemoteAddress,\n SrcPortNumber = RemotePort,\n DstProcessId = ProcessId\n | extend\n DstIpAddr = LocalAddress,\n DstDvcIdType = \"MD4IoTid\",\n DstUserId = UserId,\n DstUserIdType = \"Linux\",\n DstDvcId = DeviceId,\n Process = DstProcessId, // alias\n DstDvcOs = iif (MessageSource == \"Linux\", \"Linux\", \"Windows\")\n;\nlet NetworkSessionMD4IoT = \n union InboundNetworkEvents, OutboundNetworkEvents\n | extend\n EventCount = int(1),\n EventProduct = 'Azure Defender for IoT', \n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.2.0',\n EventSchema = \"NetworkSession\", \n EventType = 'NetworkSession',\n EventStartTime = TimeGenerated, // Open question about timestamps\n EventEndTime = TimeGenerated, // Open question about timestamps\n EventResult = 'Success',\n EventSeverity = 'Informational'\n | project-rename\n EventProductVersion = AgentVersion, // Not available in Windows\n _ResourceId = AssociatedResourceId, \n _SubscriptionId = AzureSubscriptionId, \n EventOriginalUid = OriginalEventId, // OK pending question\n DvcOs = 
MessageSource,\n NetworkProtocol = Protocol,\n NetworkApplicationProtocol = ApplicationProtocol,\n DvcId = DeviceId,\n DvcIpAddr = LocalAddress\n | extend\n Dvc = DvcId,\n DvcIdType = \"MD4IoTid\",\n User = UserId,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr\n;\nNetworkSessionMD4IoT\n", "version": 1, "functionParameters": "disabled:bool=False" } diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftWindowsEventFirewall/ASimNetworkSessionMicrosoftWindowsEventFirewall.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftWindowsEventFirewall/ASimNetworkSessionMicrosoftWindowsEventFirewall.json index c52ed42d16..3f2d9f3cb5 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftWindowsEventFirewall/ASimNetworkSessionMicrosoftWindowsEventFirewall.json +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftWindowsEventFirewall/ASimNetworkSessionMicrosoftWindowsEventFirewall.json 
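Review bot: `SrcUserIdType = "Linux"` in OutboundNetworkEvents (and `DstUserIdType = "Linux"` in InboundNetworkEvents) is hard-coded, yet the same extend derives the OS as `iif (MessageSource == "Linux", "Linux", "Windows")`, so events from Windows agents are labelled with a Linux user-id type; deriving the type from `MessageSource` in the same way, with the Windows value confirmed against the schema's allowed list, would keep the two consistent. `outbound = LocalPort > RemotePort` is a port-ordering heuristic that misclassifies sessions where both ends use high or both use well-known ports, so a comment like `// Direction is inferred from port ordering (local ephemeral port > remote service port); no explicit direction field is available` would save the next reader from treating it as authoritative. The new `Src`/`Dst` aliases are consistent with the other parsers in this commit.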
@@ -28,7 +28,7 @@ "displayName": "Microsoft Windows Event Firewall Network Sessions", "category": "Security", "FunctionAlias": "ASimNetworkSessionMicrosoftWindowsEventFirewall", - "query": "// Data tables for mapping raw values into string\nlet LayerCodeTable = datatable (LayerCode:string,LayerName:string)[\n '%%14596', 'IP Packet',\n '%%14597', 'Transport',\n '%%14598', 'Forward',\n '%%14599', 'Stream',\n '%%14600', 'Datagram Data',\n '%%14601', 'ICMP Error',\n '%%14602', 'MAC 802.3',\n '%%14603', 'MAC Native',\n '%%14604', 'vSwitch',\n '%%14608', 'Resource Assignment',\n '%%14609', 'Listen',\n '%%14610', 'Receive/Accept',\n '%%14611', 'Connect',\n '%%14612', 'Flow Established',\n '%%14614', 'Resource Release',\n '%%14615', 'Endpoint Closure',\n '%%14616', 'Connect Redirect',\n '%%14617', 'Bind Redirect',\n '%%14624', 'Stream Packet'];\nlet ProtocolTable = datatable (Protocol:int, NetworkProtocol: string)[\n 1, 'ICMP',\n 3, 'GGP',\n 6, 'TCP',\n 8, 'EGP',\n 12, 'PUP',\n 17, 'UDP',\n 20, 'HMP',\n 27, 'RDP',\n 46, 'RSVP',\n 47, 'PPTP data over GRE',\n 50, 'ESP',\n 51, 'AH',\n 66, 'RVD',\n 88, 'IGMP',\n 89, 'OSPF'];\nlet Directions = datatable (DirectionCode:string,NetworkDirection:string, isOutBound:bool)[\n '%%14592', 'Inbound', false,\n '%%14593', 'Outbound', true,\n '%%14594', 'Forward',false,\n '%%14595', 'Bidirectional', false,\n '%%14609', 'Listen', false];\n///////////////////////////////////////////////////////\n// this query extract data fields from EventData column from SecurityEvent table\n///////////////////////////////////////////////////////\nlet WindowsFirewall_SecurityEvent=(){ // Event IDs between (5151 .. 
5159)\n// will be extracting Event specific fields from 'EventData' field\nlet SecurityEvent_5152 = \n SecurityEvent | where not(disabled)\n | where EventID==5152\n | parse EventData with * ''ProcessId:string''\n '\\x0d\\x0a 'Application''\n '\\x0d\\x0a 'DirectionCode''\n '\\x0d\\x0a 'SourceAddress''\n '\\x0d\\x0a 'SourcePort''\n '\\x0d\\x0a 'DestAddress''\n '\\x0d\\x0a 'DestPort:int''\n '\\x0d\\x0a 'Protocol:int''\n '\\x0d\\x0a 'NetworkRuleNumber''\n '\\x0d\\x0a 'LayerCode''\n '\\x0d\\x0a 'LayerRTID''*;\nlet SecurityEvent_5154_5155_5158_5159 =\nSecurityEvent | where not(disabled)\n| where EventID in (5154, 5155, 5158, 5159)\n| parse EventData with * ''ProcessId:string'' \n '\\x0d\\x0a 'Application''\n '\\x0d\\x0a 'SourceAddress''\n '\\x0d\\x0a 'SourcePort''\n '\\x0d\\x0a 'Protocol''\n '\\x0d\\x0a 'NetworkRuleNumber''\n '\\x0d\\x0a 'LayerCode''\n '\\x0d\\x0a 'LayerRTID''*\n| extend DirectionCode = \"%%14609\";\nlet SecurityEvent_5156_5157 =\n SecurityEvent | where not(disabled)\n | where EventID in (5156, 5157)\n | parse EventData with * ''ProcessID:string''\n '\\x0d\\x0a 'Application''\n '\\x0d\\x0a 'DirectionCode''\n '\\x0d\\x0a 'SourceAddress''\n '\\x0d\\x0a 'SourcePort''\n '\\x0d\\x0a 'DestAddress''\n '\\x0d\\x0a 'DestPort''\n '\\x0d\\x0a 'Protocol:int''\n '\\x0d\\x0a 'NetworkRuleNumber''\n '\\x0d\\x0a 'LayerCode''\n '\\x0d\\x0a 'LayerRTID''\n '\\x0d\\x0a 'RemoteUserID''\n '\\x0d\\x0a 'RemoteMachineID''*\n | project-away EventData;\nunion SecurityEvent_5152, SecurityEvent_5156_5157, SecurityEvent_5154_5155_5158_5159\n | lookup Directions on DirectionCode\n | extend\n SrcAppName = iff(isOutBound, Application, \"\"),\n DstAppName = iff(not(isOutBound), Application, \"\"),\n SrcIpAddr = iff(isOutBound, DestAddress, SourceAddress),\n DstIpAddr = iff(not(isOutBound), SourceAddress, DestAddress),\n SrcHostId = iff(isOutBound, RemoteMachineID, \"\"),\n DstHostId = iff(not(isOutBound), RemoteMachineID, \"\"),\n SrcPortNumber = iff(isOutBound, toint(DestPort), 
toint(SourcePort)),\n DstPortNumber = iff(not(isOutBound), toint(SourcePort), toint(DestPort)),\n SrcProcessId = iff(isOutBound, tostring(ProcessId), \"\"),\n DstProcessId = iff(not(isOutBound), tostring(ProcessId), \"\"),\n DstUserId = iff(isOutBound, RemoteUserID, \"\"),\n SrcUserId = iff(not(isOutBound), RemoteUserID, \"\")\n};\n//////////////////////////////////////////////////////\n// this query extract the data from WindowsEvent table\n//////////////////////////////////////////////////////\nlet WindowsFirewall_WindowsEvent=(){ \n WindowsEvent | where not(disabled)\n | where EventID between (5150 .. 5159)\n | extend \n EventSeverity=tostring(EventData.Severity),\n LayerCode = tostring(EventData.LayerName),\n NetworkRuleNumber = tostring(EventData.FilterRTID),\n Protocol = toint(EventData.Protocol),\n DirectionCode = iff(EventID in (5154, 5155, 5158, 5159), \"%%14609\",tostring(EventData.Direction))\n | lookup Directions on DirectionCode \n | extend SrcAppName = iff(isOutBound, tostring(EventData.Application), \"\"),\n DstAppName = iff(not(isOutBound), tostring(EventData.Application), \"\"),\n SrcIpAddr = iff(isOutBound, tostring(EventData.DestAddress), tostring(EventData.SourceAddress)),\n DstIpAddr = iff(not(isOutBound), tostring(EventData.SourceAddress), tostring(EventData.DestAddress)),\n SrcHostId = iff(isOutBound, tostring(EventData.RemoteMachineID), \"\"),\n DstHostId = iff(not(isOutBound), tostring(EventData.RemoteMachineID), \"\"),\n SrcPortNumber = iff(isOutBound, toint(EventData.DestPort), toint(EventData.SourcePort)),\n DstPortNumber = iff(not(isOutBound), toint(EventData.SourcePort), toint(EventData.DestPort)),\n SrcProcessId = iff(isOutBound, tostring(EventData.ProcessId), \"\"),\n DstProcessId = iff(not(isOutBound), tostring(EventData.ProcessId), \"\"),\n DstUserId = iff(isOutBound, tostring(EventData.RemoteUserID), \"\"),\n SrcUserId = iff(not(isOutBound), tostring(EventData.RemoteUserID), \"\")\n | project-away EventData\n };\n// Main query -> 
outputs both schemas as one normalized table\nunion WindowsFirewall_SecurityEvent, WindowsFirewall_WindowsEvent\n | extend \n DvcAction = iff(EventID in (5154, 5156, 5158), \"Allow\", \"Deny\"),\n DvcOs = 'Windows',\n DstAppType = \"Process\",\n DstUserType = \"SID\",\n SrcAppType = \"Process\",\n SrcUserType = \"SID\",\n EventType = \"NetworkSession\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion=\"0.2.0\",\n EventCount=toint(1),\n EventVendor = \"Microsoft\",\n EventProduct = \"WindowsFirewall\",\n EventResult = iff(EventID in (5154, 5156, 5158), \"Success\", \"Failure\"),\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventOriginalUid = EventOriginId,\n EventSeverity = iff(EventID in (5154, 5156, 5158), \"Informational\", \"Low\")\n | project-rename DvcHostname = Computer\n | lookup LayerCodeTable on LayerCode\n | lookup ProtocolTable on Protocol\n | project-away LayerCode, DirectionCode, Protocol", + "query": "// Data tables for mapping raw values into string\nlet LayerCodeTable = datatable (LayerCode:string,LayerName:string)[\n '%%14596', 'IP Packet',\n '%%14597', 'Transport',\n '%%14598', 'Forward',\n '%%14599', 'Stream',\n '%%14600', 'Datagram Data',\n '%%14601', 'ICMP Error',\n '%%14602', 'MAC 802.3',\n '%%14603', 'MAC Native',\n '%%14604', 'vSwitch',\n '%%14608', 'Resource Assignment',\n '%%14609', 'Listen',\n '%%14610', 'Receive/Accept',\n '%%14611', 'Connect',\n '%%14612', 'Flow Established',\n '%%14614', 'Resource Release',\n '%%14615', 'Endpoint Closure',\n '%%14616', 'Connect Redirect',\n '%%14617', 'Bind Redirect',\n '%%14624', 'Stream Packet'];\nlet ProtocolTable = datatable (Protocol:int, NetworkProtocol: string)[\n 1, 'ICMP',\n 3, 'GGP',\n 6, 'TCP',\n 8, 'EGP',\n 12, 'PUP',\n 17, 'UDP',\n 20, 'HMP',\n 27, 'RDP',\n 46, 'RSVP',\n 47, 'PPTP data over GRE',\n 50, 'ESP',\n 51, 'AH',\n 66, 'RVD',\n 88, 'IGMP',\n 89, 'OSPF'];\nlet Directions = datatable (DirectionCode:string,NetworkDirection:string, isOutBound:bool)[\n 
'%%14592', 'Inbound', false,\n '%%14593', 'Outbound', true,\n '%%14594', 'Forward',false,\n '%%14595', 'Bidirectional', false,\n '%%14609', 'Listen', false];\n///////////////////////////////////////////////////////\n// this query extract data fields from EventData column from SecurityEvent table\n///////////////////////////////////////////////////////\nlet WindowsFirewall_SecurityEvent=(){ // Event IDs between (5151 .. 5159)\n// will be extracting Event specific fields from 'EventData' field\nlet SecurityEvent_5152 = \n SecurityEvent | where not(disabled)\n | where EventID==5152\n | parse EventData with * ''ProcessId:string''\n '\\x0d\\x0a 'Application''\n '\\x0d\\x0a 'DirectionCode''\n '\\x0d\\x0a 'SourceAddress''\n '\\x0d\\x0a 'SourcePort''\n '\\x0d\\x0a 'DestAddress''\n '\\x0d\\x0a 'DestPort:int''\n '\\x0d\\x0a 'Protocol:int''\n '\\x0d\\x0a 'NetworkRuleNumber''\n '\\x0d\\x0a 'LayerCode''\n '\\x0d\\x0a 'LayerRTID''*;\nlet SecurityEvent_5154_5155_5158_5159 =\nSecurityEvent | where not(disabled)\n| where EventID in (5154, 5155, 5158, 5159)\n| parse EventData with * ''ProcessId:string'' \n '\\x0d\\x0a 'Application''\n '\\x0d\\x0a 'SourceAddress''\n '\\x0d\\x0a 'SourcePort''\n '\\x0d\\x0a 'Protocol''\n '\\x0d\\x0a 'NetworkRuleNumber''\n '\\x0d\\x0a 'LayerCode''\n '\\x0d\\x0a 'LayerRTID''*\n| extend DirectionCode = \"%%14609\";\nlet SecurityEvent_5156_5157 =\n SecurityEvent | where not(disabled)\n | where EventID in (5156, 5157)\n | parse EventData with * ''ProcessID:string''\n '\\x0d\\x0a 'Application''\n '\\x0d\\x0a 'DirectionCode''\n '\\x0d\\x0a 'SourceAddress''\n '\\x0d\\x0a 'SourcePort''\n '\\x0d\\x0a 'DestAddress''\n '\\x0d\\x0a 'DestPort:int''\n '\\x0d\\x0a 'Protocol:int''\n '\\x0d\\x0a 'NetworkRuleNumber''\n '\\x0d\\x0a 'LayerCode''\n '\\x0d\\x0a 'LayerRTID''\n '\\x0d\\x0a 'RemoteUserID''\n '\\x0d\\x0a 'RemoteMachineID''*\n | project-away EventData;\nunion SecurityEvent_5152, SecurityEvent_5156_5157, SecurityEvent_5154_5155_5158_5159\n | lookup Directions on 
DirectionCode\n | project-rename DvcHostname = Computer\n | extend\n SrcAppName = iff(isOutBound, Application, \"\"),\n DstAppName = iff(not(isOutBound), Application, \"\"),\n SrcIpAddr = iff(isOutBound, DestAddress, SourceAddress),\n DstIpAddr = iff(not(isOutBound), SourceAddress, DestAddress),\n SrcHostId = iff(isOutBound, RemoteMachineID, \"\"),\n DstHostId = iff(not(isOutBound), RemoteMachineID, \"\"),\n SrcPortNumber = iff(isOutBound, toint(DestPort), toint(SourcePort)),\n DstPortNumber = iff(not(isOutBound), toint(SourcePort), toint(DestPort)),\n SrcProcessId = iff(isOutBound, tostring(ProcessId), \"\"),\n DstProcessId = iff(not(isOutBound), tostring(ProcessId), \"\"),\n DstUserId = iff(isOutBound, RemoteUserID, \"\"),\n SrcUserId = iff(not(isOutBound), RemoteUserID, \"\"),\n DstHostname = iff(isOutBound, \"\", DvcHostname),\n SrcHostname = iff(isOutBound, DvcHostname, \"\")\n};\n//////////////////////////////////////////////////////\n// this query extract the data from WindowsEvent table\n//////////////////////////////////////////////////////\nlet WindowsFirewall_WindowsEvent=(){ \n WindowsEvent | where not(disabled)\n | where EventID between (5150 .. 
5159)\n | project-rename DvcHostname = Computer\n | extend \n EventSeverity=tostring(EventData.Severity),\n LayerCode = tostring(EventData.LayerName),\n NetworkRuleNumber = tostring(EventData.FilterRTID),\n Protocol = toint(EventData.Protocol),\n DirectionCode = iff(EventID in (5154, 5155, 5158, 5159), \"%%14609\",tostring(EventData.Direction))\n | lookup Directions on DirectionCode \n | extend SrcAppName = iff(isOutBound, tostring(EventData.Application), \"\"),\n DstAppName = iff(not(isOutBound), tostring(EventData.Application), \"\"),\n SrcIpAddr = iff(isOutBound, tostring(EventData.DestAddress), tostring(EventData.SourceAddress)),\n DstIpAddr = iff(not(isOutBound), tostring(EventData.SourceAddress), tostring(EventData.DestAddress)),\n SrcHostId = iff(isOutBound, tostring(EventData.RemoteMachineID), \"\"),\n DstHostId = iff(not(isOutBound), tostring(EventData.RemoteMachineID), \"\"),\n SrcPortNumber = iff(isOutBound, toint(EventData.DestPort), toint(EventData.SourcePort)),\n DstPortNumber = iff(not(isOutBound), toint(EventData.SourcePort), toint(EventData.DestPort)),\n SrcProcessId = iff(isOutBound, tostring(EventData.ProcessId), \"\"),\n DstProcessId = iff(not(isOutBound), tostring(EventData.ProcessId), \"\"),\n DstUserId = iff(isOutBound, tostring(EventData.RemoteUserID), \"\"),\n SrcUserId = iff(not(isOutBound), tostring(EventData.RemoteUserID), \"\"),\n DstHostname = iff(isOutBound, \"\", DvcHostname),\n SrcHostname = iff(isOutBound, DvcHostname, \"\")\n | project-away EventData\n };\n// Main query -> outputs both schemas as one normalized table\nunion WindowsFirewall_SecurityEvent, WindowsFirewall_WindowsEvent\n | extend \n DvcAction = iff(EventID in (5154, 5156, 5158), \"Allow\", \"Deny\"),\n DvcOs = 'Windows',\n DstAppType = \"Process\",\n DstUserType = \"SID\",\n SrcAppType = \"Process\",\n SrcUserType = \"SID\",\n EventType = \"NetworkSession\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion=\"0.2.0\",\n EventCount=toint(1),\n EventVendor = 
\"Microsoft\",\n EventProduct = \"WindowsFirewall\",\n EventResult = iff(EventID in (5154, 5156, 5158), \"Success\", \"Failure\"),\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventOriginalUid = EventOriginId,\n EventSeverity = iff(EventID in (5154, 5156, 5158), \"Informational\", \"Low\"),\n // aliases\n Hostname = DstHostname,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr\n | project-rename DvcHostname = Computer\n | lookup LayerCodeTable on LayerCode\n | lookup ProtocolTable on Protocol\n | project-away LayerCode, DirectionCode, Protocol", "version": 1, "functionParameters": "disabled:bool=False" } diff --git a/Parsers/ASimNetworkSession/ARM/ASimWebSession/ASimWebSession.json b/Parsers/ASimNetworkSession/ARM/ASimWebSession/ASimWebSession.json index 4cc5c09b1e..d0e15c8bdb 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimWebSession/ASimWebSession.json +++ b/Parsers/ASimNetworkSession/ARM/ASimWebSession/ASimWebSession.json 
@@ -28,7 +28,7 @@ "displayName": "Source Agnostic Web Sessions parser", "category": "Security", "FunctionAlias": "ASimWebSessions", - "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ASimNetworkSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet ASimBuiltInDisabled=toscalar('ASimWebSession' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet WebSessionsGeneric=(){\nunion isfuzzy=true\n vimNetworkSessionEmpty\n};\nWebSessionsGeneric", + "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ASimNetworkSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser| where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ASimWebSession' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet WebSessionsGeneric=(){\nunion isfuzzy=true\n vimNetworkSessionEmpty\n};\nWebSessionsGeneric", "version": 1 } } diff --git a/Parsers/ASimNetworkSession/ARM/imNetworkNotables/imNetworkNotables.json b/Parsers/ASimNetworkSession/ARM/imNetworkNotables/imNetworkNotables.json index 6fcf261dc3..f2751662f1 100644 --- a/Parsers/ASimNetworkSession/ARM/imNetworkNotables/imNetworkNotables.json +++ b/Parsers/ASimNetworkSession/ARM/imNetworkNotables/imNetworkNotables.json 
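Review bot: The watchlist lookup on the new query line filters rows with `SearchKey in ('Any', 'ASimNetworkSession')`, but ASimBuiltInDisabled then tests for `'ASimWebSession' in (DisabledParsers)`, so a web-session disable entry can only match if it was recorded under the network-session SearchKey; the imWebSession parser in this same commit uses `SearchKey in ('Any', 'ASimWebSession')` and this line should agree with it. ASimBuiltInDisabled is also computed but never consumed — WebSessionsGeneric still unions only vimNetworkSessionEmpty — so the watchlist has no effect on the output until a source-specific parser is added and receives the flag as its disabled argument. Until then a comment such as `// ASimBuiltInDisabled is not yet forwarded: no source-specific web session parsers are wired in` would make the stub explicit.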
@@ -28,7 +28,7 @@ "displayName": "Source Agnostic Network Notables parser", "category": "Security", "FunctionAlias": "imNetworkNotables", - "query": "let NetworkNotablesGeneric=(){\nunion isfuzzy=true\n vimNetworkSessionEmpty\n};\nNetworkNotablesGeneric", + "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ASimNetworkNotables') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ASimNetworkNotables' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet NetworkNotablesGeneric=(){\nunion isfuzzy=true\n vimNetworkSessionEmpty\n};\nNetworkNotablesGeneric", "version": 1, "functionParameters": "starttime:datetime=datetime(null), endtime:datetime=datetime(null), srcipaddr_has_any_ipv4_prefix:dynamic=dynamic([]), dstipaddr_has_any_ipv4_prefix:dynamic=dynamic([]), dstportnumber:int=int(null), url_has_any:dynamic=dynamic([]), httpuseragent_has_any:dynamic=dynamic([]), hostname_has_any:dynamic=dynamic([]), dvcaction:dynamic=dynamic([])" } diff --git a/Parsers/ASimNetworkSession/ARM/imNetworkSession/imNetworkSession.json b/Parsers/ASimNetworkSession/ARM/imNetworkSession/imNetworkSession.json index d885f1d22d..e68c3c0f87 100644 --- a/Parsers/ASimNetworkSession/ARM/imNetworkSession/imNetworkSession.json +++ b/Parsers/ASimNetworkSession/ARM/imNetworkSession/imNetworkSession.json 
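Review bot: ASimBuiltInDisabled on the new query line is materialized from the ASimDisabledParsers watchlist but nothing reads it: NetworkNotablesGeneric takes no parameters and unions only vimNetworkSessionEmpty, so the 'Any'/'ASimNetworkNotables' disable switch is dead code here. The ARM functionParameters already declare starttime through dvcaction, so consider giving NetworkNotablesGeneric the same parameter list as imNetworkSession in this commit (including `eventresult:string='*', disabled:bool=false`) so the flag can be forwarded once a source parser exists, or add `// placeholder: ASimBuiltInDisabled is not forwarded because no source-specific notables parsers are wired yet` so the gap is visible to the next maintainer.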
@@ -28,7 +28,7 @@ "displayName": "Source Agnostic Network Session parser", "category": "Security", "FunctionAlias": "imNetworkSession", - "query": "let NetworkSessionsGeneric=(){\nunion isfuzzy=true\n vimNetworkSessionEmpty\n , vimNetworkSessionLinuxSysmon (starttime, endtime, srcipaddr_has_any_ipv4_prefix, dstipaddr_has_any_ipv4_prefix, dstportnumber, url_has_any, httpuseragent_has_any, hostname_has_any, dvcaction, disabled)\n , vimNetworkSessionMicrosoft365Defender (starttime, endtime, srcipaddr_has_any_ipv4_prefix, dstipaddr_has_any_ipv4_prefix, dstportnumber, url_has_any, httpuseragent_has_any, hostname_has_any, dvcaction, disabled)\n , vimNetworkSessionMD4IoT (starttime, endtime, srcipaddr_has_any_ipv4_prefix, dstipaddr_has_any_ipv4_prefix, dstportnumber, url_has_any, httpuseragent_has_any, hostname_has_any, dvcaction, disabled)\n , vimNetworkSessionMicrosoftWindowsEventFirewall (starttime, endtime, srcipaddr_has_any_ipv4_prefix, dstipaddr_has_any_ipv4_prefix, dstportnumber, url_has_any, httpuseragent_has_any, hostname_has_any, dvcaction, disabled)\n};\nNetworkSessionsGeneric", + "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ASimNetworkSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ASimNetworkSession' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet NetworkSessionsGeneric=(starttime:datetime=datetime(null) , endtime:datetime=datetime(null), srcipaddr_has_any_ipv4_prefix:dynamic=dynamic([]), dstipaddr_has_any_ipv4_prefix:dynamic=dynamic([]), dstportnumber:int=int(null), url_has_any:dynamic=dynamic([]), httpuseragent_has_any:dynamic=dynamic([]), hostname_has_any:dynamic=dynamic([]), dvcaction:dynamic=dynamic([]), eventresult:string='*', disabled:bool=false)\n{\nunion isfuzzy=true\n vimNetworkSessionEmpty\n , vimNetworkSessionLinuxSysmon 
(starttime, endtime, srcipaddr_has_any_ipv4_prefix, dstipaddr_has_any_ipv4_prefix, dstportnumber, url_has_any, httpuseragent_has_any, hostname_has_any, dvcaction, eventresult, disabled)\n , vimNetworkSessionMicrosoft365Defender (starttime, endtime, srcipaddr_has_any_ipv4_prefix, dstipaddr_has_any_ipv4_prefix, dstportnumber, url_has_any, httpuseragent_has_any, hostname_has_any, dvcaction, eventresult, disabled)\n , vimNetworkSessionMD4IoT (starttime, endtime, srcipaddr_has_any_ipv4_prefix, dstipaddr_has_any_ipv4_prefix, dstportnumber, url_has_any, httpuseragent_has_any, hostname_has_any, dvcaction, eventresult, disabled)\n , vimNetworkSessionMicrosoftWindowsEventFirewall (starttime, endtime, srcipaddr_has_any_ipv4_prefix, dstipaddr_has_any_ipv4_prefix, dstportnumber, url_has_any, httpuseragent_has_any, hostname_has_any, dvcaction, eventresult, disabled)\n};\nNetworkSessionsGeneric", "version": 1, "functionParameters": "starttime:datetime=datetime(null), endtime:datetime=datetime(null), srcipaddr_has_any_ipv4_prefix:dynamic=dynamic([]), dstipaddr_has_any_ipv4_prefix:dynamic=dynamic([]), dstportnumber:int=int(null), url_has_any:dynamic=dynamic([]), httpuseragent_has_any:dynamic=dynamic([]), hostname_has_any:dynamic=dynamic([]), dvcaction:dynamic=dynamic([])" } diff --git a/Parsers/ASimNetworkSession/ARM/imWebSession/imWebSession.json b/Parsers/ASimNetworkSession/ARM/imWebSession/imWebSession.json index bc099cf4bb..3fe56bf786 100644 --- a/Parsers/ASimNetworkSession/ARM/imWebSession/imWebSession.json +++ b/Parsers/ASimNetworkSession/ARM/imWebSession/imWebSession.json 
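Review bot: The closing invocation `NetworkSessionsGeneric` at the end of this hunk passes no arguments, yet the function now declares its own starttime…disabled parameters, which shadow the outer function's parameters of the same names; if Kusto resolves the bare call with the defaults, every caller-supplied filter is silently dropped and the source parsers run unfiltered with disabled=false — the previous body read the outer parameters directly, so this would be a regression introduced here. Invoke it explicitly, as vimNetworkSessionMicrosoft365Defender in this commit does: `NetworkSessionsGeneric(starttime, endtime, srcipaddr_has_any_ipv4_prefix, dstipaddr_has_any_ipv4_prefix, dstportnumber, url_has_any, httpuseragent_has_any, hostname_has_any, dvcaction, eventresult, disabled)`, and add `eventresult:string='*', disabled:bool=false` to functionParameters so those names exist on the outer function. ASimBuiltInDisabled is also materialized from the watchlist but never combined into the disabled value forwarded to each source parser, so the watchlist currently has no effect on this unifying parser.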
@@ -28,7 +28,7 @@ "displayName": "Source Agnostic Web Sessions parser", "category": "Security", "FunctionAlias": "imWebSessions", - "query": "let WebSessionsGeneric=(){\nunion isfuzzy=true\n vimNetworkSessionEmpty\n};\nWebSessionsGeneric", + "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ASimWebSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ASimWebSession' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet WebSessionsGeneric=(starttime:datetime=datetime(null) , endtime:datetime=datetime(null), srcipaddr_has_any_ipv4_prefix:dynamic=dynamic([]), dstipaddr_has_any_ipv4_prefix:dynamic=dynamic([]), dstportnumber:int=int(null), url_has_any:dynamic=dynamic([]), httpuseragent_has_any:dynamic=dynamic([]), hostname_has_any:dynamic=dynamic([]), dvcaction:dynamic=dynamic([]), eventresult:string='*', disabled:bool=false)\n{\nunion isfuzzy=true\n vimNetworkSessionEmpty\n};\nWebSessionsGeneric", "version": 1, "functionParameters": "starttime:datetime=datetime(null), endtime:datetime=datetime(null), srcipaddr_has_any_ipv4_prefix:dynamic=dynamic([]), dstipaddr_has_any_ipv4_prefix:dynamic=dynamic([]), dstportnumber:int=int(null), url_has_any:dynamic=dynamic([]), httpuseragent_has_any:dynamic=dynamic([]), hostname_has_any:dynamic=dynamic([]), dvcaction:dynamic=dynamic([])" } diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoft365Defender/vimNetworkSessionMicrosoft365Defender.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoft365Defender/vimNetworkSessionMicrosoft365Defender.json index 020258c214..71e33ab17e 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoft365Defender/vimNetworkSessionMicrosoft365Defender.json 
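Review bot: The new eventresult and disabled parameters on WebSessionsGeneric, and the ASimBuiltInDisabled flag above it, are declared but never used: the body still unions only vimNetworkSessionEmpty, the closing `WebSessionsGeneric` passes no arguments (so its parameters shadow the outer ones with defaults), and functionParameters was not extended, so the outer imWebSessions function exposes neither `eventresult` nor `disabled`. Either forward them — `WebSessionsGeneric(starttime, endtime, srcipaddr_has_any_ipv4_prefix, dstipaddr_has_any_ipv4_prefix, dstportnumber, url_has_any, httpuseragent_has_any, hostname_has_any, dvcaction, eventresult, disabled)` plus `eventresult:string='*', disabled:bool=false` in functionParameters — or mark the stub with `// placeholder: no source-specific web session parsers are wired yet; ASimBuiltInDisabled is not forwarded` so the dead watchlist check is not mistaken for a working disable switch.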
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoft365Defender/vimNetworkSessionMicrosoft365Defender.json 
@@ -28,7 +28,7 @@ "displayName": "M365 Defender Network Sessions", "category": "Security", "FunctionAlias": "vimNetworkSessionMicrosoft365Defender", - "query": "let M365Defender=\n (starttime:datetime=datetime(null)\n , endtime:datetime=datetime(null)\n , srcipaddr_has_any_ipv4_prefix:dynamic=dynamic([])\n , dstipaddr_has_any_ipv4_prefix:dynamic=dynamic([])\n , dstportnumber:int=int(null)\n , url_has_any:dynamic=dynamic([])\n , httpuseragent_has_any:dynamic=dynamic([])\n , hostname_has_any:dynamic=dynamic([])\n , dvcaction:dynamic=dynamic([])\n , disabled:bool=false\n ){\nlet DirectionLookup=datatable(ActionType:string,NetworkDirection:string,Outbound:boolean)[\n 'ConnectionSuccess','Outbound', true\n ,'ConnectionFailed', 'Outbound', true\n ,'ConnectionRequest','Outbound', true\n ,'InboundConnectionAccepted', 'Inbound', false\n ,'ConnectionFound', 'Unknown', false\n ,'ListeningConnectionCreated', 'Listening', false \n];\n// -- Common preprocessing to both input and outbound events\nlet RawNetworkEvents =\n DeviceNetworkEvents | where not(disabled)\n // *************** Prefilterring *****************************************************************\n |where (isnull(starttime) or TimeGenerated>=starttime) \n and (isnull(endtime) or TimeGenerated<=endtime) \n and (isnull(dstportnumber) or dstportnumber == LocalPort or dstportnumber == RemotePort) \n and (array_length(url_has_any)==0 or RemoteUrl has_any (url_has_any)) \n and (array_length(srcipaddr_has_any_ipv4_prefix)==0 \n or has_any_ipv4_prefix(RemoteIP,srcipaddr_has_any_ipv4_prefix)\n or has_any_ipv4_prefix(LocalIP ,srcipaddr_has_any_ipv4_prefix)\n )\n and (array_length(dstipaddr_has_any_ipv4_prefix)==0 \n or has_any_ipv4_prefix(RemoteIP,dstipaddr_has_any_ipv4_prefix)\n or has_any_ipv4_prefix(LocalIP ,dstipaddr_has_any_ipv4_prefix)\n )\n and (array_length(hostname_has_any)==0 \n or RemoteUrl has_any(hostname_has_any) or DeviceName has_any(hostname_has_any)\n ) \n and (array_length(httpuseragent_has_any) ==0) // if 
filtering by ua - return nothing\n and (array_length(dvcaction)==0 ) /// if filtered by action return nothing\n // *************** Prefilterring *****************************************************************\n | extend\n // Event\n EventOriginalUid = tostring(ReportId),\n EventCount = int(1),\n EventProduct = 'M365 Defender for Endpoint',\n EventVendor = 'Microsoft',\n EventSchema = 'NetworkSession',\n EventSchemaVersion = '0.1.0',\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventType = 'NetworkSession',\n EventResult = iff(ActionType=='ConnectionFailed','Failure','Success'),\n EventSeverity = \"Informational\",\n DvcIdType = 'MDEid'\n | project-rename\n NetworkProtocol = Protocol,\n DvcFQDN = DeviceName\n | extend\n User = iff (InitiatingProcessAccountDomain == '', InitiatingProcessAccountName, strcat(InitiatingProcessAccountDomain, '\\\\', InitiatingProcessAccountName)),\n UsernameType = iff(InitiatingProcessAccountDomain == '','Simple', 'Windows'),\n SplitHostname = split(DvcFQDN,\".\"),\n SplitUrl = split(RemoteUrl,\".\")\n | extend \n DvcHostname = tostring(SplitHostname[0]),\n DvcDomain = strcat_array(array_slice(SplitHostname, 1, -1), '.'),\n UrlHostname = tostring(SplitUrl[0]),\n UrlDomain = strcat_array(array_slice(SplitUrl, 1, -1), '.'),\n SrcDomainType = \"FQDN\",\n DvcDomainType = \"FQDN\",\n DstDomainType = \"FQDN\",\n DvcIpAddr = LocalIP\n | extend\n Dvc = DvcHostname \n | project-rename\n DvcId = DeviceId\n | project-away SplitUrl, SplitHostname\n;\nlet OutboundNetworkEvents = \n RawNetworkEvents\n // *************** Postfilterring *****************************************************************\n | where (isnull(dstportnumber) or dstportnumber==RemotePort)\n and (array_length(hostname_has_any)==0 or UrlHostname has_any (hostname_has_any))\n // *************** /Postfilterring *****************************************************************\n | lookup DirectionLookup on ActionType\n | where Outbound\n | project-rename\n 
DstIpAddr = RemoteIP,\n SrcIpAddr = LocalIP,\n DstPortNumber = RemotePort,\n SrcPortNumber = LocalPort,\n SrcUsernameType = UsernameType,\n SrcUserAadId = InitiatingProcessAccountObjectId,\n SrcUserId = InitiatingProcessAccountSid,\n SrcUserUpn = InitiatingProcessAccountUpn,\n SrcUserDomain = InitiatingProcessAccountDomain\n | extend\n SrcUsername = User,\n SrcDvcId = DvcId,\n SrcDvcIdType = 'MDEid',\n SrcUserIdType = \"SID\",\n DstHostname = UrlHostname\n | project-rename\n DstDomain = UrlDomain,\n DstFQDN = RemoteUrl\n | extend \n SrcHostname = DvcHostname,\n SrcDomain = DvcDomain,\n SrcFQDN = DvcDomain\n // Processes\n | extend\n SrcProcessId = tostring(InitiatingProcessId),\n ParentProcessId = tostring(InitiatingProcessParentId)\n | project-rename\n SrcProcessName = InitiatingProcessFileName,\n SrcProcessCommandLine = InitiatingProcessCommandLine,\n SrcProcessCreationTime = InitiatingProcessCreationTime,\n SrcProcessIntegrityLevel = InitiatingProcessIntegrityLevel,\n SrcProcessTokenElevation = InitiatingProcessTokenElevation,\n ParentProcessName = InitiatingProcessParentFileName,\n ParentProcessCreationTime = InitiatingProcessParentCreationTime\n // SrcProcessFileSize = InitiatingProcessFileSize,\n // SrcProcessCompany = InitiatingProcessVersionInfoCompanyName,\n // SrcProcessFileProduct = InitiatingProcessVersionInfoProductName,\n // SrcProcessFileVersion = InitiatingProcessVersionInfoProductVersion,\n // SrcProcessFileInternalName = InitiatingProcessVersionInfoInternalFileName,\n // SrcProcessFileOriginalName = InitiatingProcessVersionInfoOriginalFileName,\n // SrcProcessFileDescription = InitiatingProcessVersionInfoFileDescription\n | extend\n Process = SrcProcessName,\n ProcessId = SrcProcessId,\n SrcAppName = SrcProcessName,\n SrcAppType = \"Process\"\n;\nlet InboundNetworkEvents = \n RawNetworkEvents\n // *************** Postfilterring *****************************************************************\n | where (isnull(dstportnumber) or 
dstportnumber==LocalPort)\n and (array_length(hostname_has_any)==0 or DvcHostname has_any (hostname_has_any))\n // *************** /Postfilterring *****************************************************************\n | lookup DirectionLookup on ActionType\n | where not(Outbound)\n | project-rename\n SrcIpAddr = RemoteIP,\n DstIpAddr = LocalIP,\n SrcPortNumber = RemotePort,\n DstPortNumber = LocalPort,\n DstUsernameType = UsernameType,\n DstUserAadId = InitiatingProcessAccountObjectId,\n DstUserId = InitiatingProcessAccountSid,\n DstUserUpn = InitiatingProcessAccountUpn,\n DstUserDomain = InitiatingProcessAccountDomain\n | extend\n DstUsername = User,\n DstDvcId = DvcId,\n DstDvcIdType = 'MDEid',\n DstUserIdType = 'SID'\n | project-rename\n SrcHostname = UrlHostname,\n SrcDomain = UrlDomain,\n SrcFQDN = RemoteUrl\n | extend \n DstHostname = DvcHostname,\n DstDomain = DvcDomain,\n DstFQDN = DvcFQDN\n // Processes\n | extend\n DstProcessId = tostring(InitiatingProcessId),\n ParentProcessId = tostring(InitiatingProcessParentId)\n | project-rename\n DstProcessName = InitiatingProcessFileName,\n DstProcessCommandLine = InitiatingProcessCommandLine,\n DstProcessCreationTime = InitiatingProcessCreationTime,\n DstProcessIntegrityLevel = InitiatingProcessIntegrityLevel,\n DstProcessTokenElevation = InitiatingProcessTokenElevation,\n ParentProcessName = InitiatingProcessParentFileName,\n ParentProcessCreationTime = InitiatingProcessParentCreationTime\n // SrcProcessFileSize = InitiatingProcessFileSize,\n // SrcProcessCompany = InitiatingProcessVersionInfoCompanyName,\n // SrcProcessFileProduct = InitiatingProcessVersionInfoProductName,\n // SrcProcessFileVersion = InitiatingProcessVersionInfoProductVersion,\n // SrcProcessFileInternalName = InitiatingProcessVersionInfoInternalFileName,\n // SrcProcessFileOriginalName = InitiatingProcessVersionInfoOriginalFileName,\n // SrcProcessFileDescription = InitiatingProcessVersionInfoFileDescription\n | extend\n Process = 
DstProcessName,\n ProcessId = DstProcessId,\n DstAppName = DstProcessName,\n DstAppType = \"Process\"\n;\nunion InboundNetworkEvents, OutboundNetworkEvents\n| extend // aliases\n Hostname = DstHostname,\n IpAddr = SrcIpAddr \n};\nM365Defender(starttime, endtime, srcipaddr_has_any_ipv4_prefix, dstipaddr_has_any_ipv4_prefix, dstportnumber, url_has_any, httpuseragent_has_any, hostname_has_any, dvcaction, disabled)", + "query": "let M365Defender=\n (starttime:datetime=datetime(null)\n , endtime:datetime=datetime(null)\n , srcipaddr_has_any_ipv4_prefix:dynamic=dynamic([])\n , dstipaddr_has_any_ipv4_prefix:dynamic=dynamic([])\n , dstportnumber:int=int(null)\n , url_has_any:dynamic=dynamic([])\n , httpuseragent_has_any:dynamic=dynamic([])\n , hostname_has_any:dynamic=dynamic([])\n , dvcaction:dynamic=dynamic([])\n , eventresult:string='*'\n , disabled:bool=false\n ){\nlet DirectionLookup=datatable(ActionType:string,NetworkDirection:string,Outbound:boolean)[\n 'ConnectionSuccess','Outbound', true\n ,'ConnectionFailed', 'Outbound', true\n ,'ConnectionRequest','Outbound', true\n ,'InboundConnectionAccepted', 'Inbound', false\n ,'ConnectionFound', 'Unknown', false\n ,'ListeningConnectionCreated', 'Listening', false \n];\n// -- Common preprocessing to both input and outbound events\nlet RawNetworkEvents =\n DeviceNetworkEvents | where not(disabled)\n // *************** Prefilterring *****************************************************************\n |where (isnull(starttime) or TimeGenerated>=starttime) \n and (array_length(httpuseragent_has_any) ==0) // if filtering by ua - return nothing\n and (array_length(dvcaction)==0 ) /// if filtered by action return nothing\n and (isnull(endtime) or TimeGenerated<=endtime) \n and (isnull(dstportnumber) or dstportnumber == LocalPort or dstportnumber == RemotePort) \n and (array_length(url_has_any)==0 or RemoteUrl has_any (url_has_any)) \n and (array_length(srcipaddr_has_any_ipv4_prefix)==0 \n or 
has_any_ipv4_prefix(RemoteIP,srcipaddr_has_any_ipv4_prefix)\n or has_any_ipv4_prefix(LocalIP ,srcipaddr_has_any_ipv4_prefix)\n )\n and (array_length(dstipaddr_has_any_ipv4_prefix)==0 \n or has_any_ipv4_prefix(RemoteIP,dstipaddr_has_any_ipv4_prefix)\n or has_any_ipv4_prefix(LocalIP ,dstipaddr_has_any_ipv4_prefix)\n )\n and (array_length(hostname_has_any)==0 \n or RemoteUrl has_any(hostname_has_any) or DeviceName has_any(hostname_has_any)\n ) \n | extend EventResult = iff(ActionType=='ConnectionFailed','Failure','Success')\n | where (eventresult=='*' or EventResult==eventresult)\n // *************** / Prefilterring *****************************************************************\n | extend\n // Event\n EventOriginalUid = tostring(ReportId),\n EventCount = int(1),\n EventProduct = 'M365 Defender for Endpoint',\n EventVendor = 'Microsoft',\n EventSchema = 'NetworkSession',\n EventSchemaVersion = '0.1.0',\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventType = 'NetworkSession',\n EventSeverity = \"Informational\",\n DvcIdType = 'MDEid'\n | project-rename\n NetworkProtocol = Protocol,\n DvcFQDN = DeviceName\n | extend\n User = iff (InitiatingProcessAccountDomain == '', InitiatingProcessAccountName, strcat(InitiatingProcessAccountDomain, '\\\\', InitiatingProcessAccountName)),\n UsernameType = iff(InitiatingProcessAccountDomain == '','Simple', 'Windows'),\n SplitHostname = split(DvcFQDN,\".\"),\n SplitUrl = split(RemoteUrl,\".\")\n | extend \n DvcHostname = tostring(SplitHostname[0]),\n DvcDomain = strcat_array(array_slice(SplitHostname, 1, -1), '.'),\n UrlHostname = tostring(SplitUrl[0]),\n UrlDomain = strcat_array(array_slice(SplitUrl, 1, -1), '.'),\n SrcDomainType = \"FQDN\",\n DvcDomainType = \"FQDN\",\n DstDomainType = \"FQDN\",\n DvcIpAddr = LocalIP\n | extend\n Dvc = DvcHostname \n | project-rename\n DvcId = DeviceId\n | project-away SplitUrl, SplitHostname\n;\nlet OutboundNetworkEvents = \n RawNetworkEvents\n // *************** 
Postfilterring *****************************************************************\n | where (isnull(dstportnumber) or dstportnumber==RemotePort)\n and (array_length(hostname_has_any)==0 or UrlHostname has_any (hostname_has_any))\n // *************** /Postfilterring *****************************************************************\n | lookup DirectionLookup on ActionType\n | where Outbound\n | project-rename\n DstIpAddr = RemoteIP,\n SrcIpAddr = LocalIP,\n DstPortNumber = RemotePort,\n SrcPortNumber = LocalPort,\n SrcUsernameType = UsernameType,\n SrcUserAadId = InitiatingProcessAccountObjectId,\n SrcUserId = InitiatingProcessAccountSid,\n SrcUserUpn = InitiatingProcessAccountUpn,\n SrcUserDomain = InitiatingProcessAccountDomain\n | extend\n SrcUsername = User,\n SrcDvcId = DvcId,\n SrcDvcIdType = 'MDEid',\n SrcUserIdType = \"SID\",\n DstHostname = UrlHostname\n | project-rename\n DstDomain = UrlDomain,\n DstFQDN = RemoteUrl\n | extend \n SrcHostname = DvcHostname,\n SrcDomain = DvcDomain,\n SrcFQDN = DvcDomain\n // Processes\n | extend\n SrcProcessId = tostring(InitiatingProcessId),\n ParentProcessId = tostring(InitiatingProcessParentId)\n | project-rename\n SrcProcessName = InitiatingProcessFileName,\n SrcProcessCommandLine = InitiatingProcessCommandLine,\n SrcProcessCreationTime = InitiatingProcessCreationTime,\n SrcProcessIntegrityLevel = InitiatingProcessIntegrityLevel,\n SrcProcessTokenElevation = InitiatingProcessTokenElevation,\n ParentProcessName = InitiatingProcessParentFileName,\n ParentProcessCreationTime = InitiatingProcessParentCreationTime\n // SrcProcessFileSize = InitiatingProcessFileSize,\n // SrcProcessCompany = InitiatingProcessVersionInfoCompanyName,\n // SrcProcessFileProduct = InitiatingProcessVersionInfoProductName,\n // SrcProcessFileVersion = InitiatingProcessVersionInfoProductVersion,\n // SrcProcessFileInternalName = InitiatingProcessVersionInfoInternalFileName,\n // SrcProcessFileOriginalName = 
InitiatingProcessVersionInfoOriginalFileName,\n // SrcProcessFileDescription = InitiatingProcessVersionInfoFileDescription\n | extend\n Process = SrcProcessName,\n ProcessId = SrcProcessId,\n SrcAppName = SrcProcessName,\n SrcAppType = \"Process\"\n;\nlet InboundNetworkEvents = \n RawNetworkEvents\n // *************** Postfilterring *****************************************************************\n | where (isnull(dstportnumber) or dstportnumber==LocalPort)\n and (array_length(hostname_has_any)==0 or DvcHostname has_any (hostname_has_any))\n // *************** /Postfilterring *****************************************************************\n | lookup DirectionLookup on ActionType\n | where not(Outbound)\n | project-rename\n SrcIpAddr = RemoteIP,\n DstIpAddr = LocalIP,\n SrcPortNumber = RemotePort,\n DstPortNumber = LocalPort,\n DstUsernameType = UsernameType,\n DstUserAadId = InitiatingProcessAccountObjectId,\n DstUserId = InitiatingProcessAccountSid,\n DstUserUpn = InitiatingProcessAccountUpn,\n DstUserDomain = InitiatingProcessAccountDomain\n | extend\n DstUsername = User,\n DstDvcId = DvcId,\n DstDvcIdType = 'MDEid',\n DstUserIdType = 'SID'\n | project-rename\n SrcHostname = UrlHostname,\n SrcDomain = UrlDomain,\n SrcFQDN = RemoteUrl\n | extend \n DstHostname = DvcHostname,\n DstDomain = DvcDomain,\n DstFQDN = DvcFQDN\n // Processes\n | extend\n DstProcessId = tostring(InitiatingProcessId),\n ParentProcessId = tostring(InitiatingProcessParentId)\n | project-rename\n DstProcessName = InitiatingProcessFileName,\n DstProcessCommandLine = InitiatingProcessCommandLine,\n DstProcessCreationTime = InitiatingProcessCreationTime,\n DstProcessIntegrityLevel = InitiatingProcessIntegrityLevel,\n DstProcessTokenElevation = InitiatingProcessTokenElevation,\n ParentProcessName = InitiatingProcessParentFileName,\n ParentProcessCreationTime = InitiatingProcessParentCreationTime\n // SrcProcessFileSize = InitiatingProcessFileSize,\n // SrcProcessCompany = 
InitiatingProcessVersionInfoCompanyName,\n // SrcProcessFileProduct = InitiatingProcessVersionInfoProductName,\n // SrcProcessFileVersion = InitiatingProcessVersionInfoProductVersion,\n // SrcProcessFileInternalName = InitiatingProcessVersionInfoInternalFileName,\n // SrcProcessFileOriginalName = InitiatingProcessVersionInfoOriginalFileName,\n // SrcProcessFileDescription = InitiatingProcessVersionInfoFileDescription\n | extend\n Process = DstProcessName,\n ProcessId = DstProcessId,\n DstAppName = DstProcessName,\n DstAppType = \"Process\"\n;\nunion InboundNetworkEvents, OutboundNetworkEvents\n| extend // aliases\n Hostname = DstHostname,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr \n};\nM365Defender(starttime, endtime, srcipaddr_has_any_ipv4_prefix, dstipaddr_has_any_ipv4_prefix, dstportnumber, url_has_any, httpuseragent_has_any, hostname_has_any, dvcaction, disabled)", "version": 1, "functionParameters": "starttime:datetime=datetime(null), endtime:datetime=datetime(null), srcipaddr_has_any_ipv4_prefix:dynamic=dynamic([]), dstipaddr_has_any_ipv4_prefix:dynamic=dynamic([]), dstportnumber:int=int(null), url_has_any:dynamic=dynamic([]), httpuseragent_has_any:dynamic=dynamic([]), hostname_has_any:dynamic=dynamic([]), dvcaction:dynamic=dynamic([]), disabled:bool=False" } diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftLinuxSysmon/vimNetworkSessionMicrosoftLinuxSysmon.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftLinuxSysmon/vimNetworkSessionMicrosoftLinuxSysmon.json index c922233fde..07c82e1ff6 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftLinuxSysmon/vimNetworkSessionMicrosoftLinuxSysmon.json +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftLinuxSysmon/vimNetworkSessionMicrosoftLinuxSysmon.json 
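Review bot: The final invocation at the end of this hunk, `M365Defender(starttime, …, dvcaction, disabled)`, was not updated for the new `eventresult:string='*'` parameter that now sits between dvcaction and disabled, so the boolean `disabled` is passed positionally into the string eventresult slot and the function's own `disabled` falls back to its default of false; the `DeviceNetworkEvents | where not(disabled)` guard can then never disable the parser, and the bool-to-string mismatch will likely fail semantic analysis. Change the call to `M365Defender(starttime, endtime, srcipaddr_has_any_ipv4_prefix, dstipaddr_has_any_ipv4_prefix, dstportnumber, url_has_any, httpuseragent_has_any, hostname_has_any, dvcaction, eventresult, disabled)` and add `eventresult:string='*'` to functionParameters, which this commit also leaves without it. Separately, the new `| where (eventresult=='*' or EventResult==eventresult)` is a case-sensitive match against the literal 'Success'/'Failure' values set on the preceding extend; if callers are expected to pass lower-case values, `=~` would be the safer comparison.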
@@ -28,7 +28,7 @@ "displayName": "ASIM Sysmon for Linux Network Session Parser", "category": "Security", "FunctionAlias": "vimNetworkSessionLinuxSysmon", - "query": "let DirectionNetworkEvents =\n Syslog | where not(disabled)\n | where SyslogMessage has_all ('3')\n | project-away ProcessName, ProcessID\n // *************** Prefilterring *****************************************************************\n | where (isnull(starttime) or TimeGenerated>=starttime) \n and (isnull(endtime) or TimeGenerated<=endtime) \n and (array_length(srcipaddr_has_any_ipv4_prefix)==0 \n or has_any_ipv4_prefix(SyslogMessage,srcipaddr_has_any_ipv4_prefix)\n ) \n and (array_length(dstipaddr_has_any_ipv4_prefix)==0 \n or has_any_ipv4_prefix(SyslogMessage,dstipaddr_has_any_ipv4_prefix)\n ) \n and (array_length(hostname_has_any)==0 \n or SyslogMessage has_any(hostname_has_any)) \n and (isnull(dstportnumber) or SyslogMessage has (tostring(dstportnumber))) \n and (array_length(httpuseragent_has_any) ==0) // if filtering by ua - return nothing\n and (array_length(dvcaction) ==0 ) /// if filtered by action return nothing\n and (array_length(url_has_any)==0)\n // *************** / Prefilterring ***************************************************************\n | parse SyslogMessage with * '' SrcIpAddr:string '' *\n | where (array_length(srcipaddr_has_any_ipv4_prefix)==0 \n or has_any_ipv4_prefix(SrcIpAddr,srcipaddr_has_any_ipv4_prefix)\n ) \n | extend outbound = (SrcIpAddr == HostIP or SrcIpAddr in ('127.0.0.1', '0.0.0.0'))\n;\nlet parser = (T: (SyslogMessage: string)) {\n T \n | parse SyslogMessage with \n *\n '' EventOriginalUid:string ''\n *\n '' SysmonComputer:string ''\n *\n '' RuleName:string ''\n '' EventEndTime:datetime ''\n '{' ProcessGuid:string '}'\n '' ProcessId:string ''\n '' Process:string ''\n '' User:string ''\n '' Protocol:string '' // -- source is lowercase\n '' Initiated:bool '' \n '' SourceIsIpv6:bool ''\t\t\n '' * ''\n '' SrcHostname:string ''\n '' SrcPortNumber:int ''\n '' 
SrcPortName:string ''\n '' DestinationIsIpv6:bool ''\n '' DstIpAddr:string ''\n '' DstHostname:string ''\n '' DstPortNumber:int ''\n '' DstPortName:string ''\n *\n};\nlet OutboundNetworkEvents = \n DirectionNetworkEvents\n | where outbound\n | invoke parser ()\n // *************** Postfilterring ***************************************************************\n | where \n (array_length(dstipaddr_has_any_ipv4_prefix)==0 or has_any_ipv4_prefix(DstIpAddr, dstipaddr_has_any_ipv4_prefix))\n and (array_length(srcipaddr_has_any_ipv4_prefix)==0 or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_ipv4_prefix))\n and (array_length(hostname_has_any)==0 or DstHostname has_any (hostname_has_any) )\n and (isnull(dstportnumber) or DstPortNumber ==dstportnumber)\n // *************** Postfilterring ***************************************************************\n | extend\n SrcUsernameType = 'Simple',\n SrcUsername = User,\n SrcProcessId = ProcessId, \n SrcProcessGuid = ProcessGuid,\n SrcProcessName = Process,\n SrcAppName = Process,\n SrcAppType = 'Process'\n | project-away SyslogMessage\n;\n let InboundNetworkEvents = \n DirectionNetworkEvents\n | where not(outbound)\n | invoke parser ()\n // *************** Postfilterring ***************************************************************\n | where \n (array_length(dstipaddr_has_any_ipv4_prefix)==0 or has_any_ipv4_prefix(DstIpAddr, dstipaddr_has_any_ipv4_prefix))\n and (array_length(srcipaddr_has_any_ipv4_prefix)==0 or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_ipv4_prefix))\n and (array_length(hostname_has_any)==0 or DstHostname has_any (hostname_has_any) )\n and (isnull(dstportnumber) or DstPortNumber ==dstportnumber)\n // *************** Postfilterring ***************************************************************\n | extend\n DstUsernameType = 'Simple',\n DstUsername = User,\n DstProcessId = ProcessId, \n DstProcessGuid = ProcessGuid,\n DstProcessName = Process,\n DstAppName = Process,\n DstAppType = 'Process' \n | 
project-away SyslogMessage\n ;\n let SysmonForLinuxNetwork=\n union OutboundNetworkEvents, InboundNetworkEvents\n | extend \n EventType = 'NetworkSession',\n EventStartTime = EventEndTime,\n EventCount = int(1),\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.2.0',\n EventSchema = 'NetworkSession', \n EventProduct = 'Sysmon For Linux',\n EventResult = 'Success',\n EventSeverity = 'Informational',\n DvcOs = 'Linux',\n Protocol = toupper(Protocol),\n EventOriginalType = '3' // Set with a constant value to avoid parsing\n | project-rename \n DvcIpAddr = HostIP,\n DvcHostname = SysmonComputer\n | extend // aliases\n Dvc = DvcHostname,\n IpAddr = SrcIpAddr\n ;\n SysmonForLinuxNetwork ", + "query": "let DirectionNetworkEvents =\n Syslog | where not(disabled)\n | where SyslogMessage has_all ('3')\n | project-away ProcessName, ProcessID\n // *************** Prefilterring *****************************************************************\n | where (eventresult=='*' or eventresult=='Success')\n and (array_length(httpuseragent_has_any) ==0) // if filtering by ua - return nothing\n and (array_length(dvcaction) ==0 ) /// if filtered by action return nothing\n and (array_length(url_has_any)==0)\n and (isnull(starttime) or TimeGenerated>=starttime) \n and (isnull(endtime) or TimeGenerated<=endtime) \n and (array_length(srcipaddr_has_any_ipv4_prefix)==0 \n or has_any_ipv4_prefix(SyslogMessage,srcipaddr_has_any_ipv4_prefix)\n ) \n and (array_length(dstipaddr_has_any_ipv4_prefix)==0 \n or has_any_ipv4_prefix(SyslogMessage,dstipaddr_has_any_ipv4_prefix)\n ) \n and (array_length(hostname_has_any)==0 \n or SyslogMessage has_any(hostname_has_any)) \n and (isnull(dstportnumber) or SyslogMessage has (tostring(dstportnumber))) \n // *************** / Prefilterring ***************************************************************\n | parse SyslogMessage with * '' SrcIpAddr:string '' *\n | where (array_length(srcipaddr_has_any_ipv4_prefix)==0 \n or 
has_any_ipv4_prefix(SrcIpAddr,srcipaddr_has_any_ipv4_prefix)\n ) \n | extend outbound = (SrcIpAddr == HostIP or SrcIpAddr in ('127.0.0.1', '0.0.0.0'))\n;\nlet parser = (T: (SyslogMessage: string)) {\n T \n | parse SyslogMessage with \n *\n '' EventOriginalUid:string ''\n *\n '' SysmonComputer:string ''\n *\n '' RuleName:string ''\n '' EventEndTime:datetime ''\n '{' ProcessGuid:string '}'\n '' ProcessId:string ''\n '' Process:string ''\n '' User:string ''\n '' Protocol:string '' // -- source is lowercase\n '' Initiated:bool '' \n '' SourceIsIpv6:bool ''\t\t\n '' * ''\n '' SrcHostname:string ''\n '' SrcPortNumber:int ''\n '' SrcPortName:string ''\n '' DestinationIsIpv6:bool ''\n '' DstIpAddr:string ''\n '' DstHostname:string ''\n '' DstPortNumber:int ''\n '' DstPortName:string ''\n *\n};\nlet OutboundNetworkEvents = \n DirectionNetworkEvents\n | where outbound\n | invoke parser ()\n // *************** Postfilterring ***************************************************************\n | where \n (array_length(dstipaddr_has_any_ipv4_prefix)==0 or has_any_ipv4_prefix(DstIpAddr, dstipaddr_has_any_ipv4_prefix))\n and (array_length(srcipaddr_has_any_ipv4_prefix)==0 or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_ipv4_prefix))\n and (array_length(hostname_has_any)==0 or DstHostname has_any (hostname_has_any) )\n and (isnull(dstportnumber) or DstPortNumber ==dstportnumber)\n // *************** Postfilterring ***************************************************************\n | extend\n SrcUsernameType = 'Simple',\n SrcUsername = User,\n SrcProcessId = ProcessId, \n SrcProcessGuid = ProcessGuid,\n SrcProcessName = Process,\n SrcAppName = Process,\n SrcAppType = 'Process'\n | project-away SyslogMessage\n;\n let InboundNetworkEvents = \n DirectionNetworkEvents\n | where not(outbound)\n | invoke parser ()\n // *************** Postfilterring ***************************************************************\n | where \n (array_length(dstipaddr_has_any_ipv4_prefix)==0 or 
has_any_ipv4_prefix(DstIpAddr, dstipaddr_has_any_ipv4_prefix))\n and (array_length(srcipaddr_has_any_ipv4_prefix)==0 or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_ipv4_prefix))\n and (array_length(hostname_has_any)==0 or DstHostname has_any (hostname_has_any) )\n and (isnull(dstportnumber) or DstPortNumber ==dstportnumber)\n // *************** Postfilterring ***************************************************************\n | extend\n DstUsernameType = 'Simple',\n DstUsername = User,\n DstProcessId = ProcessId, \n DstProcessGuid = ProcessGuid,\n DstProcessName = Process,\n DstAppName = Process,\n DstAppType = 'Process' \n | project-away SyslogMessage\n ;\n let SysmonForLinuxNetwork=\n union OutboundNetworkEvents, InboundNetworkEvents\n | extend \n EventType = 'NetworkSession',\n EventStartTime = EventEndTime,\n EventCount = int(1),\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.2.0',\n EventSchema = 'NetworkSession', \n EventProduct = 'Sysmon For Linux',\n EventResult = 'Success',\n EventSeverity = 'Informational',\n DvcOs = 'Linux',\n Protocol = toupper(Protocol),\n EventOriginalType = '3' // Set with a constant value to avoid parsing\n | project-rename \n DvcIpAddr = HostIP,\n DvcHostname = SysmonComputer\n | extend // aliases\n Dvc = DvcHostname,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr\n ;\n SysmonForLinuxNetwork ", "version": 1, "functionParameters": "starttime:datetime=datetime(null), endtime:datetime=datetime(null), srcipaddr_has_any_ipv4_prefix:dynamic=dynamic([]), dstipaddr_has_any_ipv4_prefix:dynamic=dynamic([]), dstportnumber:int=int(null), url_has_any:dynamic=dynamic([]), httpuseragent_has_any:dynamic=dynamic([]), hostname_has_any:dynamic=dynamic([]), dvcaction:dynamic=dynamic([]), disabled:bool=False" } 
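Review bot: The rewritten prefilter on the new `query` line tests `(eventresult=='*' or eventresult=='Success')`, but the unchanged `functionParameters` context line at the end of this hunk still declares only `starttime … dvcaction, disabled`, so `eventresult` is an undeclared name inside the function body and the parser will not resolve unless the parameter is declared elsewhere in the file. The same mismatch is in the vimNetworkSessionMD4IoT hunk, which adds the identical `eventresult` test without touching its `functionParameters`. The Windows Event Firewall hunk that follows does add `, eventresult:string='*'` to its inner function signature, which looks like the intended pattern. I would add `, eventresult:string='*'` before `disabled:bool=False` in `functionParameters` for both parsers, so the default keeps current behavior while letting callers filter on result.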
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftMD4IoT/vimNetworkSessionMicrosoftMD4IoT.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftMD4IoT/vimNetworkSessionMicrosoftMD4IoT.json
index badd3efdc7..73dde6c321 100644
--- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftMD4IoT/vimNetworkSessionMicrosoftMD4IoT.json
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftMD4IoT/vimNetworkSessionMicrosoftMD4IoT.json 
@@ -28,7 +28,7 @@ "displayName": "ASIM Network Sessions Parser for Microsoft Defender for IoT - Endpoint", "category": "Security", "FunctionAlias": "vimNetworkSessionMD4IoT", - "query": "let DirectionNetworkEvents =\n SecurityIoTRawEvent | where not(disabled)\n // *************** Prefilterring *****************************************************************\n |where (isnull(starttime) or TimeGenerated>=starttime) \n and (isnull(endtime) or TimeGenerated<=endtime) \n and (isnull(dstportnumber) or dstportnumber == LocalPort or dstportnumber == RemotePort) \n and (array_length(srcipaddr_has_any_ipv4_prefix)==0 \n or has_any_ipv4_prefix(RemoteAddress,srcipaddr_has_any_ipv4_prefix)\n or has_any_ipv4_prefix(LocalAddress ,srcipaddr_has_any_ipv4_prefix)\n ) \n and (array_length(dstipaddr_has_any_ipv4_prefix)==0 \n or has_any_ipv4_prefix(RemoteAddress,dstipaddr_has_any_ipv4_prefix)\n or has_any_ipv4_prefix(LocalAddress ,dstipaddr_has_any_ipv4_prefix)\n ) \n and (array_length(url_has_any)==0)\n and (array_length(hostname_has_any)==0) \n and (array_length(httpuseragent_has_any) ==0) // if filtering by ua - return nothing\n and (array_length(dvcaction)==0 ) /// if filtered by action return nothing\n // *************** Prefilterring *****************************************************************\n | where RawEventName == \"NetworkActivity\"\n | parse EventDetails with * ',\"LocalPort\":' LocalPort:int ',\"RemotePort\":' RemotePort:int ',' *\n | extend outbound = LocalPort > RemotePort\n ;\n let parser = (T: (EventDetails: string)) {\n T \n | parse EventDetails with \n '{\"LocalAddress\":\"' LocalAddress:string '\",'\n '\"RemoteAddress\":\"' RemoteAddress:string '\",'\n *\n '\"BytesIn\":' BytesIn:int ','\n '\"BytesOut\":' BytesOut:int ','\n '\"Protocol\":\"' Protocol:string '\",'\n '\"ProcessId\":' ProcessId:string ','\n '\"UserId\":' UserId:string ','\n '\"ApplicationProtocol\":\"' ApplicationProtocol:string '\",'\n * // '\"AzureResourceId\":\"' AzureResourceId:string 
'\",'\n '\"DeviceId\":\"' DeviceId:string '\",'\n '\"MessageSource\":\"' MessageSource:string '\",'\n '\"OriginalEventId\":\"' OriginalEventId:string '\",'\n '\"TimestampUTC\":\"' TimestampUTC:datetime '\",'\n *\n }\n ; \n let OutboundNetworkEvents = \n DirectionNetworkEvents\n | where outbound\n // *************** Postfilterring *****************************************************************\n | where (array_length(dstipaddr_has_any_ipv4_prefix)==0 or RemoteAddress==dstipaddr_has_any_ipv4_prefix) and\n (array_length(srcipaddr_has_any_ipv4_prefix)==0 or LocalAddress ==srcipaddr_has_any_ipv4_prefix) and\n (isnull(dstportnumber) or dstportnumber==RemotePort)\n // *************** Postfilterring *****************************************************************\n | invoke parser ()\n | project-rename\n SrcBytes = BytesOut,\n DstBytes = BytesIn,\n SrcPortNumber = LocalPort,\n DstIpAddr = RemoteAddress,\n DstPortNumber = RemotePort,\n SrcProcessId = ProcessId\n | extend\n SrcIpAddr = LocalAddress,\n SrcDvcIdType = \"MD4IoTid\",\n SrcUserId = UserId,\n SrcUserIdType = \"Linux\",\n SrcDvcId = DeviceId,\n Process = SrcProcessId, // alias\n SrcDvcOs = iif (MessageSource == \"Linux\", \"Linux\", \"Windows\")\n ;\n let InboundNetworkEvents = \n DirectionNetworkEvents\n | where not(outbound)\n // *************** Postfilterring *****************************************************************\n | where (array_length(srcipaddr_has_any_ipv4_prefix)==0 or RemoteAddress==srcipaddr_has_any_ipv4_prefix) and\n (array_length(dstipaddr_has_any_ipv4_prefix)==0 or LocalAddress ==dstipaddr_has_any_ipv4_prefix) and\n (isnull(dstportnumber) or dstportnumber==RemotePort)\n // *************** Postfilterring *****************************************************************\n | invoke parser ()\n | project-rename\n DstBytes = BytesOut,\n SrcBytes = BytesIn,\n DstPortNumber = LocalPort,\n SrcIpAddr = RemoteAddress,\n SrcPortNumber = RemotePort,\n DstProcessId = ProcessId\n | extend\n DstIpAddr = 
LocalAddress,\n DstDvcIdType = \"MD4IoTid\",\n DstUserId = UserId,\n DstUserIdType = \"Linux\",\n DstDvcId = DeviceId,\n Process = DstProcessId, // alias\n DstDvcOs = iif (MessageSource == \"Linux\", \"Linux\", \"Windows\")\n ;\n let NetworkSessionMD4IoT = \n union InboundNetworkEvents, OutboundNetworkEvents\n | extend\n EventCount = int(1),\n EventProduct = 'Azure Defender for IoT', \n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.2.0',\n EventSchema = \"NetworkSession\", \n EventType = 'NetworkSession',\n EventStartTime = TimeGenerated, // Open question about timestamps\n EventEndTime = TimeGenerated, // Open question about timestamps\n EventResult = 'Success',\n EventSeverity = 'Informational'\n | project-rename\n EventProductVersion = AgentVersion, // Not available in Windows\n _ResourceId = AssociatedResourceId, \n _SubscriptionId = AzureSubscriptionId, \n EventOriginalUid = OriginalEventId, // OK pending question\n DvcOs = MessageSource,\n NetworkProtocol = Protocol,\n NetworkApplicationProtocol = ApplicationProtocol,\n DvcId = DeviceId,\n DvcIpAddr = LocalAddress\n | extend\n Dvc = DvcId,\n DvcIdType = \"MD4IoTid\",\n User = UserId,\n IpAddr = SrcIpAddr\n ;\n NetworkSessionMD4IoT\n", + "query": "let DirectionNetworkEvents =\n SecurityIoTRawEvent | where not(disabled)\n // *************** Prefilterring *****************************************************************\n |where \n (eventresult=='*' or eventresult=='Success')\n and (array_length(url_has_any)==0)\n and (array_length(hostname_has_any)==0) \n and (array_length(httpuseragent_has_any) ==0) // if filtering by ua - return nothing\n and (array_length(dvcaction) ==0 ) /// if filtered by action return nothing\n and (isnull(starttime) or TimeGenerated>=starttime) \n and (isnull(endtime) or TimeGenerated<=endtime) \n and (isnull(dstportnumber) or dstportnumber == LocalPort or dstportnumber == RemotePort) \n and (array_length(srcipaddr_has_any_ipv4_prefix)==0 \n or 
has_any_ipv4_prefix(RemoteAddress,srcipaddr_has_any_ipv4_prefix)\n or has_any_ipv4_prefix(LocalAddress ,srcipaddr_has_any_ipv4_prefix)\n ) \n and (array_length(dstipaddr_has_any_ipv4_prefix)==0 \n or has_any_ipv4_prefix(RemoteAddress,dstipaddr_has_any_ipv4_prefix)\n or has_any_ipv4_prefix(LocalAddress ,dstipaddr_has_any_ipv4_prefix)\n ) \n // *************** Prefilterring *****************************************************************\n | where RawEventName == \"NetworkActivity\"\n | parse EventDetails with * ',\"LocalPort\":' LocalPort:int ',\"RemotePort\":' RemotePort:int ',' *\n | extend outbound = LocalPort > RemotePort\n ;\n let parser = (T: (EventDetails: string)) {\n T \n | parse EventDetails with \n '{\"LocalAddress\":\"' LocalAddress:string '\",'\n '\"RemoteAddress\":\"' RemoteAddress:string '\",'\n *\n '\"BytesIn\":' BytesIn:int ','\n '\"BytesOut\":' BytesOut:int ','\n '\"Protocol\":\"' Protocol:string '\",'\n '\"ProcessId\":' ProcessId:string ','\n '\"UserId\":' UserId:string ','\n '\"ApplicationProtocol\":\"' ApplicationProtocol:string '\",'\n * // '\"AzureResourceId\":\"' AzureResourceId:string '\",'\n '\"DeviceId\":\"' DeviceId:string '\",'\n '\"MessageSource\":\"' MessageSource:string '\",'\n '\"OriginalEventId\":\"' OriginalEventId:string '\",'\n '\"TimestampUTC\":\"' TimestampUTC:datetime '\",'\n *\n }\n ; \n let OutboundNetworkEvents = \n DirectionNetworkEvents\n | where outbound\n // *************** Postfilterring *****************************************************************\n | where (array_length(dstipaddr_has_any_ipv4_prefix)==0 or RemoteAddress==dstipaddr_has_any_ipv4_prefix) and\n (array_length(srcipaddr_has_any_ipv4_prefix)==0 or LocalAddress ==srcipaddr_has_any_ipv4_prefix) and\n (isnull(dstportnumber) or dstportnumber==RemotePort)\n // *************** Postfilterring *****************************************************************\n | invoke parser ()\n | project-rename\n SrcBytes = BytesOut,\n DstBytes = BytesIn,\n SrcPortNumber = 
LocalPort,\n DstIpAddr = RemoteAddress,\n DstPortNumber = RemotePort,\n SrcProcessId = ProcessId\n | extend\n SrcIpAddr = LocalAddress,\n SrcDvcIdType = \"MD4IoTid\",\n SrcUserId = UserId,\n SrcUserIdType = \"Linux\",\n SrcDvcId = DeviceId,\n Process = SrcProcessId, // alias\n SrcDvcOs = iif (MessageSource == \"Linux\", \"Linux\", \"Windows\")\n ;\n let InboundNetworkEvents = \n DirectionNetworkEvents\n | where not(outbound)\n // *************** Postfilterring *****************************************************************\n | where (array_length(srcipaddr_has_any_ipv4_prefix)==0 or RemoteAddress==srcipaddr_has_any_ipv4_prefix) and\n (array_length(dstipaddr_has_any_ipv4_prefix)==0 or LocalAddress ==dstipaddr_has_any_ipv4_prefix) and\n (isnull(dstportnumber) or dstportnumber==RemotePort)\n // *************** Postfilterring *****************************************************************\n | invoke parser ()\n | project-rename\n DstBytes = BytesOut,\n SrcBytes = BytesIn,\n DstPortNumber = LocalPort,\n SrcIpAddr = RemoteAddress,\n SrcPortNumber = RemotePort,\n DstProcessId = ProcessId\n | extend\n DstIpAddr = LocalAddress,\n DstDvcIdType = \"MD4IoTid\",\n DstUserId = UserId,\n DstUserIdType = \"Linux\",\n DstDvcId = DeviceId,\n Process = DstProcessId, // alias\n DstDvcOs = iif (MessageSource == \"Linux\", \"Linux\", \"Windows\")\n ;\n let NetworkSessionMD4IoT = \n union InboundNetworkEvents, OutboundNetworkEvents\n | extend\n EventCount = int(1),\n EventProduct = 'Azure Defender for IoT', \n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.2.0',\n EventSchema = \"NetworkSession\", \n EventType = 'NetworkSession',\n EventStartTime = TimeGenerated, // Open question about timestamps\n EventEndTime = TimeGenerated, // Open question about timestamps\n EventResult = 'Success',\n EventSeverity = 'Informational'\n | project-rename\n EventProductVersion = AgentVersion, // Not available in Windows\n _ResourceId = AssociatedResourceId, \n _SubscriptionId = 
AzureSubscriptionId, \n EventOriginalUid = OriginalEventId, // OK pending question\n DvcOs = MessageSource,\n NetworkProtocol = Protocol,\n NetworkApplicationProtocol = ApplicationProtocol,\n DvcId = DeviceId,\n DvcIpAddr = LocalAddress\n | extend\n Dvc = DvcId,\n DvcIdType = \"MD4IoTid\",\n User = UserId,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr\n ;\n NetworkSessionMD4IoT\n", "version": 1, "functionParameters": "starttime:datetime=datetime(null), endtime:datetime=datetime(null), srcipaddr_has_any_ipv4_prefix:dynamic=dynamic([]), dstipaddr_has_any_ipv4_prefix:dynamic=dynamic([]), dstportnumber:int=int(null), url_has_any:dynamic=dynamic([]), httpuseragent_has_any:dynamic=dynamic([]), hostname_has_any:dynamic=dynamic([]), dvcaction:dynamic=dynamic([]), disabled:bool=False" } diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftWindowsEventFirewall/vimNetworkSessionMicrosoftWindowsEventFirewall.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftWindowsEventFirewall/vimNetworkSessionMicrosoftWindowsEventFirewall.json index 0b7d216491..b43d743d6f 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftWindowsEventFirewall/vimNetworkSessionMicrosoftWindowsEventFirewall.json +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftWindowsEventFirewall/vimNetworkSessionMicrosoftWindowsEventFirewall.json 
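Review bot: The postfilter kept on the new side of this hunk compares `RemoteAddress==dstipaddr_has_any_ipv4_prefix` and `LocalAddress ==srcipaddr_has_any_ipv4_prefix` (and the mirrored pair in `InboundNetworkEvents`), which compares a string column to the whole dynamic array rather than matching a prefix; I would expect that never to match, so a caller-supplied IP prefix filter passes the prefilter and then returns no rows. The prefilter a few lines earlier already uses `has_any_ipv4_prefix(RemoteAddress, dstipaddr_has_any_ipv4_prefix)`, and the postfilter should use the same call on the direction-resolved column, e.g. `(array_length(dstipaddr_has_any_ipv4_prefix)==0 or has_any_ipv4_prefix(RemoteAddress, dstipaddr_has_any_ipv4_prefix))`. Separately, the inbound branch sets `DstPortNumber = LocalPort` but its postfilter tests `dstportnumber==RemotePort`, so a destination-port filter on inbound sessions matches the wrong side and should read `dstportnumber==LocalPort` there. Both issues predate the commit, but the prefilter reordering here edits the same filter block, so this is a good time to fix them.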
@@ -28,7 +28,7 @@ "displayName": "Microsoft Windows Event Firewall Network Sessions", "category": "Security", "FunctionAlias": "vimNetworkSessionMicrosoftWindowsEventFirewall", - "query": "// Data tables for mapping raw values into string\nlet LayerCodeTable = datatable (LayerCode:string,LayerName:string)[\n '%%14596', 'IP Packet',\n '%%14597', 'Transport',\n '%%14598', 'Forward',\n '%%14599', 'Stream',\n '%%14600', 'Datagram Data',\n '%%14601', 'ICMP Error',\n '%%14602', 'MAC 802.3',\n '%%14603', 'MAC Native',\n '%%14604', 'vSwitch',\n '%%14608', 'Resource Assignment',\n '%%14609', 'Listen',\n '%%14610', 'Receive/Accept',\n '%%14611', 'Connect',\n '%%14612', 'Flow Established',\n '%%14614', 'Resource Release',\n '%%14615', 'Endpoint Closure',\n '%%14616', 'Connect Redirect',\n '%%14617', 'Bind Redirect',\n '%%14624', 'Stream Packet'];\nlet ProtocolTable = datatable (Protocol:int, NetworkProtocol: string)[\n 1, 'ICMP',\n 3, 'GGP',\n 6, 'TCP',\n 8, 'EGP',\n 12, 'PUP',\n 17, 'UDP',\n 20, 'HMP',\n 27, 'RDP',\n 46, 'RSVP',\n 47, 'PPTP data over GRE',\n 50, 'ESP',\n 51, 'AH',\n 66, 'RVD',\n 88, 'IGMP',\n 89, 'OSPF'];\nlet Directions = datatable (DirectionCode:string,NetworkDirection:string, isOutBound:bool)[\n '%%14592', 'Inbound', false,\n '%%14593', 'Outbound', true,\n '%%14594', 'Forward',false,\n '%%14595', 'Bidirectional', false,\n '%%14609', 'Listen', false];\n///////////////////////////////////////////////////////\n// this query extract data fields from EventData column from SecurityEvent table\n///////////////////////////////////////////////////////\nlet WindowsFirewall_SecurityEvent=\n (starttime:datetime=datetime(null)\n , endtime:datetime=datetime(null)\n , srcipaddr_has_any_ipv4_prefix:dynamic=dynamic([])\n , dstipaddr_has_any_ipv4_prefix:dynamic=dynamic([])\n , dstportnumber:int=int(null)\n , url_has_any:dynamic=dynamic([])\n , httpuseragent_has_any:dynamic=dynamic([])\n , hostname_has_any:dynamic=dynamic([])\n , dvcaction:dynamic=dynamic([])\n , 
disabled:bool=false\n )\n { \n // Event IDs between (5151 .. 5159)\n // will be extracting Event specific fields from 'EventData' field\n let SecurityEvent_5152 = \n SecurityEvent | where not(disabled)\n | where EventID==5152\n // *************** Prefilterring *****************************************************************\n |where (isnull(starttime) or TimeGenerated>=starttime)\n and (isnull(endtime) or TimeGenerated<=endtime)\n and (isnull(dstportnumber) or EventData has tostring(dstportnumber) ) \n and (array_length(srcipaddr_has_any_ipv4_prefix)==0 \n or has_any_ipv4_prefix(EventData ,srcipaddr_has_any_ipv4_prefix)\n ) \n and (array_length(dstipaddr_has_any_ipv4_prefix)==0 \n or has_any_ipv4_prefix(EventData ,dstipaddr_has_any_ipv4_prefix)\n ) \n and (array_length(dvcaction)==0 or (dvcaction=='Deny') ) \n and (array_length(url_has_any)==0)\n and (array_length(httpuseragent_has_any) ==0) // if filtering by ua - return nothing\n and (array_length(hostname_has_any)==0 )\n // *************** / Prefilterring *****************************************************************\n | parse EventData with * ''ProcessId:string''\n '\\x0d\\x0a 'Application''\n '\\x0d\\x0a 'DirectionCode''\n '\\x0d\\x0a 'SourceAddress''\n '\\x0d\\x0a 'SourcePort''\n '\\x0d\\x0a 'DestAddress''\n '\\x0d\\x0a 'DestPort:int''\n '\\x0d\\x0a 'Protocol:int''\n '\\x0d\\x0a 'NetworkRuleNumber''\n '\\x0d\\x0a 'LayerCode''\n '\\x0d\\x0a 'LayerRTID''*\n ;\n let SecurityEvent_5154_5155_5158_5159 =\n SecurityEvent | where not(disabled)\n | where EventID in (5154, 5155, 5158, 5159)\n // *************** Prefilterring *****************************************************************\n |where (isnull(starttime) or TimeGenerated>=starttime)\n and (isnull(endtime) or TimeGenerated<=endtime)\n and (array_length(srcipaddr_has_any_ipv4_prefix)==0 \n or has_any_ipv4_prefix(EventData ,srcipaddr_has_any_ipv4_prefix)\n ) \n and (array_length(dvcaction)==0 \n or (dvcaction=='Allow' and EventID in (5154,5158)) \n or 
(dvcaction=='Deny' and EventID !in (5154,5158))\n ) \n and (array_length(url_has_any)==0)\n and (array_length(httpuseragent_has_any) ==0) // if filtering by ua - return nothing\n and (array_length(dstipaddr_has_any_ipv4_prefix)==0 ) \n and (array_length(hostname_has_any)==0 ) \n and (isnull(dstportnumber) ) \n // *************** / Prefilterring *****************************************************************\n | parse EventData with * ''ProcessId:string'' \n '\\x0d\\x0a 'Application:string''\n '\\x0d\\x0a 'SourceAddress:string''\n '\\x0d\\x0a 'SourcePort:int''\n '\\x0d\\x0a 'Protocol:int''\n '\\x0d\\x0a 'NetworkRuleNumber''\n '\\x0d\\x0a 'LayerCode''\n '\\x0d\\x0a 'LayerRTID''*\n | extend DirectionCode = \"%%14609\"\n ;\n let SecurityEvent_5156_5157 =\n SecurityEvent | where not(disabled)\n | where EventID in (5156, 5157)\n // *************** Prefilterring *****************************************************************\n | where (isnull(starttime) or TimeGenerated>=starttime)\n and (isnull(endtime) or TimeGenerated<=endtime)\n and (array_length(srcipaddr_has_any_ipv4_prefix)==0 \n or has_any_ipv4_prefix(EventData ,srcipaddr_has_any_ipv4_prefix)\n )\n and (array_length(dstipaddr_has_any_ipv4_prefix)==0 \n or has_any_ipv4_prefix(EventData ,dstipaddr_has_any_ipv4_prefix)\n )\n and (isnull(dstportnumber) or EventData has tostring(dstportnumber) ) \n and (array_length(dvcaction)==0 \n or (dvcaction=='Allow' and EventID == 5156) \n or (dvcaction=='Deny' and EventID <> 5156)\n )\n and (array_length(url_has_any)==0 )\n and (isnull(httpuseragent_has_any) )\n and (array_length(hostname_has_any)==0 ) \n // *************** / Prefilterring *****************************************************************\n | parse EventData with * ''ProcessID:string''\n '\\x0d\\x0a 'Application''\n '\\x0d\\x0a 'DirectionCode''\n '\\x0d\\x0a 'SourceAddress''\n '\\x0d\\x0a 'SourcePort''\n '\\x0d\\x0a 'DestAddress''\n '\\x0d\\x0a 'DestPort''\n '\\x0d\\x0a 'Protocol:int''\n '\\x0d\\x0a 
'NetworkRuleNumber''\n '\\x0d\\x0a 'LayerCode''\n '\\x0d\\x0a 'LayerRTID''\n '\\x0d\\x0a 'RemoteUserID''\n '\\x0d\\x0a 'RemoteMachineID''*\n | project-away EventData;\n union SecurityEvent_5152, SecurityEvent_5156_5157, SecurityEvent_5154_5155_5158_5159\n | lookup Directions on DirectionCode\n | extend\n SrcAppName = iff(isOutBound, Application, \"\"),\n DstAppName = iff(not(isOutBound), Application, \"\"),\n SrcIpAddr = iff(isOutBound, DestAddress, SourceAddress),\n DstIpAddr = iff(not(isOutBound), SourceAddress, DestAddress),\n SrcHostId = iff(isOutBound, RemoteMachineID, \"\"),\n DstHostId = iff(not(isOutBound), RemoteMachineID, \"\"),\n SrcPortNumber = iff(isOutBound, toint(DestPort), toint(SourcePort)),\n DstPortNumber = iff(not(isOutBound), toint(SourcePort), toint(DestPort)),\n SrcProcessId = iff(isOutBound, tostring(ProcessId), \"\"),\n DstProcessId = iff(not(isOutBound), tostring(ProcessId), \"\"),\n DstUserId = iff(isOutBound, RemoteUserID, \"\"),\n SrcUserId = iff(not(isOutBound), RemoteUserID, \"\")\n // *************** Postfilterring *****************************************************************\n | where (isnull(dstportnumber) or DestPort == dstportnumber ) \n and (array_length(srcipaddr_has_any_ipv4_prefix)==0 \n or has_any_ipv4_prefix(SrcIpAddr ,srcipaddr_has_any_ipv4_prefix)\n ) \n and (array_length(dstipaddr_has_any_ipv4_prefix)==0 \n or has_any_ipv4_prefix(DstIpAddr,dstipaddr_has_any_ipv4_prefix)\n ) \n // *************** / Postfilterring *****************************************************************\n };\n//////////////////////////////////////////////////////\n// this query extract the data from WindowsEvent table\n//////////////////////////////////////////////////////\nlet WindowsFirewall_WindowsEvent=(starttime:datetime=datetime(null), endtime:datetime=datetime(null)\n, srcipaddr_has_any_ipv4_prefix:dynamic=dynamic([]), dstipaddr_has_any_ipv4_prefix:dynamic=dynamic([]), dstportnumber:int=int(null)\n, url_has_any:dynamic=dynamic([]), 
httpuseragent_has_any:dynamic=dynamic([])\n, hostname_has_any:dynamic=dynamic([]), dvcaction:dynamic=dynamic([]), disabled:bool=false\n ){ \n WindowsEvent | where not(disabled)\n | where EventID between (5150 .. 5159)\n // *************** Prefilterring *****************************************************************\n | where (isnull(starttime) or TimeGenerated>=starttime) \n and (isnull(endtime) or TimeGenerated<=endtime) \n and (isnull(dstportnumber) or EventData has tostring(dstportnumber)) \n and (array_length(srcipaddr_has_any_ipv4_prefix)==0 \n or has_any_ipv4_prefix(EventData,srcipaddr_has_any_ipv4_prefix)\n ) \n and (array_length(dstipaddr_has_any_ipv4_prefix)==0 \n or has_any_ipv4_prefix(EventData,dstipaddr_has_any_ipv4_prefix)\n ) \n and (array_length(hostname_has_any)==0 ) \n and (isnull(httpuseragent_has_any) ) \n and (array_length(url_has_any)==0 )\n and (array_length(dvcaction)==0 ) \n // *************** Prefilterring *****************************************************************\n | extend \n EventSeverity=tostring(EventData.Severity),\n LayerCode = tostring(EventData.LayerName),\n NetworkRuleNumber = tostring(EventData.FilterRTID),\n Protocol = toint(EventData.Protocol),\n DirectionCode = iff(EventID in (5154, 5155, 5158, 5159), \"%%14609\",tostring(EventData.Direction))\n | lookup Directions on DirectionCode \n | extend SrcAppName = iff(isOutBound, tostring(EventData.Application), \"\"),\n DstAppName = iff(not(isOutBound), tostring(EventData.Application), \"\"),\n SrcIpAddr = iff(isOutBound, tostring(EventData.DestAddress), tostring(EventData.SourceAddress)),\n DstIpAddr = iff(not(isOutBound), tostring(EventData.SourceAddress), tostring(EventData.DestAddress)),\n SrcHostId = iff(isOutBound, tostring(EventData.RemoteMachineID), \"\"),\n DstHostId = iff(not(isOutBound), tostring(EventData.RemoteMachineID), \"\"),\n SrcPortNumber = iff(isOutBound, toint(EventData.DestPort), toint(EventData.SourcePort)),\n DstPortNumber = iff(not(isOutBound), 
toint(EventData.SourcePort), toint(EventData.DestPort)),\n SrcProcessId = iff(isOutBound, tostring(EventData.ProcessId), \"\"),\n DstProcessId = iff(not(isOutBound), tostring(EventData.ProcessId), \"\"),\n DstUserId = iff(isOutBound, tostring(EventData.RemoteUserID), \"\"),\n SrcUserId = iff(not(isOutBound), tostring(EventData.RemoteUserID), \"\")\n | project-away EventData\n // *************** Postfilterring *****************************************************************\n | where (isnull(dstportnumber) or DstPortNumber == dstportnumber ) \n and (array_length(srcipaddr_has_any_ipv4_prefix)==0 \n or has_any_ipv4_prefix(SrcIpAddr ,srcipaddr_has_any_ipv4_prefix)\n ) \n and (array_length(dstipaddr_has_any_ipv4_prefix)==0 \n or has_any_ipv4_prefix(DstIpAddr,dstipaddr_has_any_ipv4_prefix)\n ) \n // *************** / Postfilterring *****************************************************************\n };\n// Main query -> outputs both schemas as one normalized table\nunion isfuzzy=true\n WindowsFirewall_SecurityEvent (starttime, endtime, srcipaddr_has_any_ipv4_prefix, dstipaddr_has_any_ipv4_prefix, dstportnumber, url_has_any, httpuseragent_has_any, hostname_has_any, dvcaction, disabled)\n , WindowsFirewall_WindowsEvent (starttime, endtime, srcipaddr_has_any_ipv4_prefix, dstipaddr_has_any_ipv4_prefix, dstportnumber, url_has_any, httpuseragent_has_any, hostname_has_any, dvcaction, disabled)\n | extend \n DvcAction = iff(EventID in (5154, 5156, 5158), \"Allow\", \"Deny\"),\n DvcOs = 'Windows',\n DstAppType = \"Process\",\n DstUserType = \"SID\",\n SrcAppType = \"Process\",\n SrcUserType = \"SID\",\n EventType = \"NetworkSession\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion=\"0.2.0\",\n EventCount=toint(1),\n EventVendor = \"Microsoft\",\n EventProduct = \"WindowsFirewall\",\n EventResult = iff(EventID in (5154, 5156, 5158), \"Success\", \"Failure\"),\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventOriginalUid = EventOriginId,\n 
EventSeverity = iff(EventID in (5154, 5156, 5158), \"Informational\", \"Low\")\n | project-rename DvcHostname = Computer\n | lookup LayerCodeTable on LayerCode\n | lookup ProtocolTable on Protocol\n | project-away LayerCode, DirectionCode, Protocol",
+ "query": "// Data tables for mapping raw values into string\nlet LayerCodeTable = datatable (LayerCode:string,LayerName:string)[\n '%%14596', 'IP Packet',\n '%%14597', 'Transport',\n '%%14598', 'Forward',\n '%%14599', 'Stream',\n '%%14600', 'Datagram Data',\n '%%14601', 'ICMP Error',\n '%%14602', 'MAC 802.3',\n '%%14603', 'MAC Native',\n '%%14604', 'vSwitch',\n '%%14608', 'Resource Assignment',\n '%%14609', 'Listen',\n '%%14610', 'Receive/Accept',\n '%%14611', 'Connect',\n '%%14612', 'Flow Established',\n '%%14614', 'Resource Release',\n '%%14615', 'Endpoint Closure',\n '%%14616', 'Connect Redirect',\n '%%14617', 'Bind Redirect',\n '%%14624', 'Stream Packet'];\nlet ProtocolTable = datatable (Protocol:int, NetworkProtocol: string)[\n 1, 'ICMP',\n 3, 'GGP',\n 6, 'TCP',\n 8, 'EGP',\n 12, 'PUP',\n 17, 'UDP',\n 20, 'HMP',\n 27, 'RDP',\n 46, 'RSVP',\n 47, 'PPTP data over GRE',\n 50, 'ESP',\n 51, 'AH',\n 66, 'RVD',\n 88, 'IGMP',\n 89, 'OSPF'];\nlet Directions = datatable (DirectionCode:string,NetworkDirection:string, isOutBound:bool)[\n '%%14592', 'Inbound', false,\n '%%14593', 'Outbound', true,\n '%%14594', 'Forward',false,\n '%%14595', 'Bidirectional', false,\n '%%14609', 'Listen', false];\n///////////////////////////////////////////////////////\n// this query extract data fields from EventData column from SecurityEvent table\n///////////////////////////////////////////////////////\nlet WindowsFirewall_SecurityEvent=\n (starttime:datetime=datetime(null)\n , endtime:datetime=datetime(null)\n , srcipaddr_has_any_ipv4_prefix:dynamic=dynamic([])\n , dstipaddr_has_any_ipv4_prefix:dynamic=dynamic([])\n , dstportnumber:int=int(null)\n , url_has_any:dynamic=dynamic([])\n , httpuseragent_has_any:dynamic=dynamic([])\n , 
hostname_has_any:dynamic=dynamic([])\n , dvcaction:dynamic=dynamic([])\n , eventresult:string='*'\n , disabled:bool=false\n )\n { \n // Event IDs between (5151 .. 5159)\n // will be extracting Event specific fields from 'EventData' field\n let SecurityEvent_5152 = \n SecurityEvent | where not(disabled)\n | where EventID==5152\n | extend EventResult = \"Failure\"\n // *************** Prefilterring *****************************************************************\n |where (isnull(starttime) or TimeGenerated>=starttime)\n and (isnull(endtime) or TimeGenerated<=endtime)\n and (isnull(dstportnumber) or EventData has tostring(dstportnumber) ) \n and (array_length(srcipaddr_has_any_ipv4_prefix)==0 \n or has_any_ipv4_prefix(EventData ,srcipaddr_has_any_ipv4_prefix)\n ) \n and (array_length(dstipaddr_has_any_ipv4_prefix)==0 \n or has_any_ipv4_prefix(EventData ,dstipaddr_has_any_ipv4_prefix)\n ) \n and (array_length(dvcaction)==0 or (dvcaction=='Deny') ) \n and (array_length(url_has_any)==0)\n and (array_length(httpuseragent_has_any) ==0) // if filtering by ua - return nothing\n and (array_length(hostname_has_any)==0 )\n and (eventresult=='*' or eventresult=='Failure')\n // *************** / Prefilterring *****************************************************************\n | parse EventData with * ''ProcessId:string''\n '\\x0d\\x0a 'Application''\n '\\x0d\\x0a 'DirectionCode''\n '\\x0d\\x0a 'SourceAddress''\n '\\x0d\\x0a 'SourcePort''\n '\\x0d\\x0a 'DestAddress''\n '\\x0d\\x0a 'DestPort:int''\n '\\x0d\\x0a 'Protocol:int''\n '\\x0d\\x0a 'NetworkRuleNumber''\n '\\x0d\\x0a 'LayerCode''\n '\\x0d\\x0a 'LayerRTID''*\n ;\n let SecurityEvent_5154_5155_5158_5159 =\n SecurityEvent | where not(disabled)\n | where EventID in (5154, 5155, 5158, 5159)\n // *************** Prefilterring *****************************************************************\n |where (array_length(dstipaddr_has_any_ipv4_prefix)==0 ) \n and (array_length(hostname_has_any)==0 ) \n and (isnull(dstportnumber) ) \n and 
(isnull(starttime) or TimeGenerated>=starttime)\n and (isnull(endtime) or TimeGenerated<=endtime)\n and (array_length(srcipaddr_has_any_ipv4_prefix)==0 \n or has_any_ipv4_prefix(EventData ,srcipaddr_has_any_ipv4_prefix)\n ) \n and (array_length(dvcaction)==0 \n or (dvcaction=='Allow' and EventID in (5154,5158)) \n or (dvcaction=='Deny' and EventID !in (5154,5158))\n ) \n and (array_length(url_has_any)==0)\n and (array_length(httpuseragent_has_any) ==0) // if filtering by ua - return nothing\n | extend EventResult = iff(EventID in (5154, 5158), \"Success\", \"Failure\")\n | extend (eventresult=='*' or EventResult==eventresult)\n // *************** / Prefilterring *****************************************************************\n | parse EventData with * ''ProcessId:string'' \n '\\x0d\\x0a 'Application:string''\n '\\x0d\\x0a 'SourceAddress:string''\n '\\x0d\\x0a 'SourcePort:int''\n '\\x0d\\x0a 'Protocol:int''\n '\\x0d\\x0a 'NetworkRuleNumber''\n '\\x0d\\x0a 'LayerCode''\n '\\x0d\\x0a 'LayerRTID''*\n | extend DirectionCode = \"%%14609\"\n ;\n let SecurityEvent_5156_5157 =\n SecurityEvent | where not(disabled)\n | where EventID in (5156, 5157)\n | extend EventResult = iff(EventID == 5156, \"Success\", \"Failure\")\n // *************** Prefilterring *****************************************************************\n | where (isnull(starttime) or TimeGenerated>=starttime)\n and (isnull(endtime) or TimeGenerated<=endtime)\n and (array_length(srcipaddr_has_any_ipv4_prefix)==0 \n or has_any_ipv4_prefix(EventData ,srcipaddr_has_any_ipv4_prefix)\n )\n and (array_length(dstipaddr_has_any_ipv4_prefix)==0 \n or has_any_ipv4_prefix(EventData ,dstipaddr_has_any_ipv4_prefix)\n )\n and (isnull(dstportnumber) or EventData has tostring(dstportnumber) ) \n and (array_length(dvcaction)==0 \n or (dvcaction=='Allow' and EventID == 5156) \n or (dvcaction=='Deny' and EventID <> 5156)\n )\n and (array_length(url_has_any)==0 )\n and (isnull(httpuseragent_has_any) )\n and 
(array_length(hostname_has_any)==0 )\n and (eventresult=='*' or EventResult==eventresult) \n // *************** / Prefilterring *****************************************************************\n | parse EventData with * ''ProcessID:string''\n '\\x0d\\x0a 'Application''\n '\\x0d\\x0a 'DirectionCode''\n '\\x0d\\x0a 'SourceAddress''\n '\\x0d\\x0a 'SourcePort''\n '\\x0d\\x0a 'DestAddress''\n '\\x0d\\x0a 'DestPort:int''\n '\\x0d\\x0a 'Protocol:int''\n '\\x0d\\x0a 'NetworkRuleNumber''\n '\\x0d\\x0a 'LayerCode''\n '\\x0d\\x0a 'LayerRTID''\n '\\x0d\\x0a 'RemoteUserID''\n '\\x0d\\x0a 'RemoteMachineID''*\n | project-away EventData;\n union SecurityEvent_5152, SecurityEvent_5156_5157, SecurityEvent_5154_5155_5158_5159\n | lookup Directions on DirectionCode\n | extend\n SrcAppName = iff(isOutBound, Application, \"\"),\n DstAppName = iff(not(isOutBound), Application, \"\"),\n SrcIpAddr = iff(isOutBound, DestAddress, SourceAddress),\n DstIpAddr = iff(not(isOutBound), SourceAddress, DestAddress),\n SrcHostId = iff(isOutBound, RemoteMachineID, \"\"),\n DstHostId = iff(not(isOutBound), RemoteMachineID, \"\"),\n SrcPortNumber = iff(isOutBound, toint(DestPort), toint(SourcePort)),\n DstPortNumber = iff(not(isOutBound), toint(SourcePort), toint(DestPort)),\n SrcProcessId = iff(isOutBound, tostring(ProcessId), \"\"),\n DstProcessId = iff(not(isOutBound), tostring(ProcessId), \"\"),\n DstUserId = iff(isOutBound, RemoteUserID, \"\"),\n SrcUserId = iff(not(isOutBound), RemoteUserID, \"\")\n // *************** Postfilterring *****************************************************************\n | where (isnull(dstportnumber) or DestPort == dstportnumber ) \n and (array_length(srcipaddr_has_any_ipv4_prefix)==0 \n or has_any_ipv4_prefix(SrcIpAddr ,srcipaddr_has_any_ipv4_prefix)\n ) \n and (array_length(dstipaddr_has_any_ipv4_prefix)==0 \n or has_any_ipv4_prefix(DstIpAddr,dstipaddr_has_any_ipv4_prefix)\n ) \n // *************** / Postfilterring 
*****************************************************************\n };\n//////////////////////////////////////////////////////\n// this query extract the data from WindowsEvent table\n//////////////////////////////////////////////////////\nlet WindowsFirewall_WindowsEvent=(starttime:datetime=datetime(null), endtime:datetime=datetime(null)\n, srcipaddr_has_any_ipv4_prefix:dynamic=dynamic([]), dstipaddr_has_any_ipv4_prefix:dynamic=dynamic([]), dstportnumber:int=int(null)\n, url_has_any:dynamic=dynamic([]), httpuseragent_has_any:dynamic=dynamic([])\n, hostname_has_any:dynamic=dynamic([]), dvcaction:dynamic=dynamic([]),eventresult:string='*', disabled:bool=false\n ){ \n WindowsEvent | where not(disabled)\n | where EventID between (5150 .. 5159)\n | extend EventResult = iff(EventID in (5154, 5156, 5158), \"Success\", \"Failure\")\n // *************** Prefilterring *****************************************************************\n | where (isnull(starttime) or TimeGenerated>=starttime) \n and (isnull(endtime) or TimeGenerated<=endtime) \n and (isnull(dstportnumber) or EventData has tostring(dstportnumber)) \n and (array_length(srcipaddr_has_any_ipv4_prefix)==0 \n or has_any_ipv4_prefix(EventData,srcipaddr_has_any_ipv4_prefix)\n ) \n and (array_length(dstipaddr_has_any_ipv4_prefix)==0 \n or has_any_ipv4_prefix(EventData,dstipaddr_has_any_ipv4_prefix)\n ) \n and (array_length(hostname_has_any)==0 ) \n and (isnull(httpuseragent_has_any))\n and (array_length(url_has_any)==0 )\n and (array_length(dvcaction)==0 ) \n and (eventresult=='*' or EventResult==eventresult)\n // *************** Prefilterring *****************************************************************\n | extend \n EventSeverity=tostring(EventData.Severity),\n LayerCode = tostring(EventData.LayerName),\n NetworkRuleNumber = tostring(EventData.FilterRTID),\n Protocol = toint(EventData.Protocol),\n DirectionCode = iff(EventID in (5154, 5155, 5158, 5159), \"%%14609\",tostring(EventData.Direction))\n | lookup 
Directions on DirectionCode \n | extend SrcAppName = iff(isOutBound, tostring(EventData.Application), \"\"),\n DstAppName = iff(not(isOutBound), tostring(EventData.Application), \"\"),\n SrcIpAddr = iff(isOutBound, tostring(EventData.DestAddress), tostring(EventData.SourceAddress)),\n DstIpAddr = iff(not(isOutBound), tostring(EventData.SourceAddress), tostring(EventData.DestAddress)),\n SrcHostId = iff(isOutBound, tostring(EventData.RemoteMachineID), \"\"),\n DstHostId = iff(not(isOutBound), tostring(EventData.RemoteMachineID), \"\"),\n SrcPortNumber = iff(isOutBound, toint(EventData.DestPort), toint(EventData.SourcePort)),\n DstPortNumber = iff(not(isOutBound), toint(EventData.SourcePort), toint(EventData.DestPort)),\n SrcProcessId = iff(isOutBound, tostring(EventData.ProcessId), \"\"),\n DstProcessId = iff(not(isOutBound), tostring(EventData.ProcessId), \"\"),\n DstUserId = iff(isOutBound, tostring(EventData.RemoteUserID), \"\"),\n SrcUserId = iff(not(isOutBound), tostring(EventData.RemoteUserID), \"\")\n | project-away EventData\n // *************** Postfilterring *****************************************************************\n | where (isnull(dstportnumber) or DstPortNumber == dstportnumber ) \n and (array_length(srcipaddr_has_any_ipv4_prefix)==0 \n or has_any_ipv4_prefix(SrcIpAddr ,srcipaddr_has_any_ipv4_prefix)\n ) \n and (array_length(dstipaddr_has_any_ipv4_prefix)==0 \n or has_any_ipv4_prefix(DstIpAddr,dstipaddr_has_any_ipv4_prefix)\n ) \n // *************** / Postfilterring *****************************************************************\n };\n// Main query -> outputs both schemas as one normalized table\nunion isfuzzy=true\n WindowsFirewall_SecurityEvent (starttime, endtime, srcipaddr_has_any_ipv4_prefix, dstipaddr_has_any_ipv4_prefix, dstportnumber, url_has_any, httpuseragent_has_any, hostname_has_any, dvcaction, disabled)\n , WindowsFirewall_WindowsEvent (starttime, endtime, srcipaddr_has_any_ipv4_prefix, dstipaddr_has_any_ipv4_prefix, 
dstportnumber, url_has_any, httpuseragent_has_any, hostname_has_any, dvcaction, disabled)\n | extend \n DvcAction = iff(EventID in (5154, 5156, 5158), \"Allow\", \"Deny\"),\n DvcOs = 'Windows',\n DstAppType = \"Process\",\n DstUserType = \"SID\",\n SrcAppType = \"Process\",\n SrcUserType = \"SID\",\n EventType = \"NetworkSession\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion=\"0.2.0\",\n EventCount=toint(1),\n EventVendor = \"Microsoft\",\n EventProduct = \"WindowsFirewall\",\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventOriginalUid = EventOriginId,\n EventSeverity = iff(EventID in (5154, 5156, 5158), \"Informational\", \"Low\")\n | project-rename DvcHostname = Computer\n | lookup LayerCodeTable on LayerCode\n | lookup ProtocolTable on Protocol\n | project-away LayerCode, DirectionCode, Protocol",
 "version": 1,
 "functionParameters": "starttime:datetime=datetime(null), endtime:datetime=datetime(null), srcipaddr_has_any_ipv4_prefix:dynamic=dynamic([]), dstipaddr_has_any_ipv4_prefix:dynamic=dynamic([]), dstportnumber:int=int(null), url_has_any:dynamic=dynamic([]), httpuseragent_has_any:dynamic=dynamic([]), hostname_has_any:dynamic=dynamic([]), dvcaction:dynamic=dynamic([]), disabled:bool=False"
 }