zScaler ASIM network parser

Parsers/ASimNetworkSession/ProductParsers/ASimNetworkSessionzScalerZIA.yaml

@@ -16,6 +16,8 @@ References:
   Link: https://docs.microsoft.com/en-us/azure/sentinel/data-connectors-reference#zscaler
 - Title: zScaler Sentinel deployment guide
   Link: https://help.zscaler.com/zia/zscaler-microsoft-azure-sentinel-deployment-guide
+- Title: zScaler ZIA Firewall fields description
+  Link: https://help.zscaler.com/zia/firewall-insights-logs-filters
 Description: |
   This ASIM parser supports normalizing zScaler ZIA proxy logs produced by the Azure Sentinel zScaler connector to the ASIM Network Session normalized schema. The parser supports squid native log format.
 ParserName: ASimNetworkSessionzScalerZIA
@@ -24,83 +26,69 @@ ParserParams:
     Type: bool
     Default: false
 ParserQuery: |
+  let ActionLookup = datatable (DvcOriginalAction: string, DvcAction:string) [
+    // See https://help.zscaler.com/zia/firewall-insights-logs-filters
+    'Allow','Allow',
+    'Allow due to insufficient app data','Allow',
+    'Block/Drop','Drop',
+    'Block/ICMP','Drop ICMP',
+    'Block/Reset', 'Reset',
+    'IPS Drop', 'Drop',
+    'IPS Reset', 'Reset'
+  ];
   let parser=(disabled:bool=false){
   CommonSecurityLog | where not(disabled)
   | where DeviceVendor == "Zscaler"
   | where DeviceProduct == "NSSFWlog"
   // Event fields
   | extend 
-    EventCount=int(1), // There is aggregation
-    EventStartTime=TimeGenerated,  
-    EventVendor = "zScaler", // OK
-    EventProduct = "ZIA", // OK
-    EventSchema = "NetworkSession", // OK
-    EventSchemaVersion="0.2.1", // OK
-    EventType = 'NetworkSession', // OK
-    EventEndTime=TimeGenerated
+    EventCount=DeviceCustomNumber1, 
+    EventStartTime=TimeGenerated, 
+    EventVendor = "zScaler", 
+    EventProduct = "ZIA", 
+    EventSchema = "NetworkSession", 
+    EventSchemaVersion="0.2.1", 
+    EventType = 'NetworkSession', 
+    EventEndTime=TimeGenerated 
   | project-rename
-    DvcAction = DeviceAction,
-    DvcHostname = Computer, // OK
-    EventProductVersion = DeviceVersion, // OK
-    NetworkProtocol = Protocol, // OK
-    NetworkApplicationProtocol = ApplicationProtocol,
-    HttpContentType = FileType,
-    HttpUserAgent = RequestClientApplication,
-    HttpRequestMethod = RequestMethod,
-    DstAppName = DestinationServiceName,
-    DstIpAddr = DestinationIP, // OK
-    DstPortNumber = DestinationPort, // OK
-    DstFQDN = DestinationHostName,
-    DstBytes = ReceivedBytes, // OK
-    SrcIpAddr = SourceIP, // OK
-    SrcPortNumber = SourcePort, // OK
-    SrcUsername = SourceUserName,
-    SrcNatIpAddr= SourceTranslatedAddress,
-    SrcUserDepartment = SourceUserPrivileges, // Not part of the standard schema
-    SrcBytes = SentBytes, // OK
-    ThreatRiskLevel = DeviceCustomNumber1,
-    UrlCategory = DeviceCustomString2,
-    ThreatName = DeviceCustomString5,
-    FileMD5 = DeviceCustomString6,
-    RuleName = Activity // OK
-  // -- Parse
-  | parse AdditionalExtensions with 
-      "reason=" EventResultOriginalDetails:string ";"
-      "outcome=" EventResultDetails:int ";"
-      "cat=" * ";"
-      "rulelabel=" RuleName:string ";"
-      "ruletype=" ruletype:string ";"
-      "urlclass=" urlclass:string ";"
-      "devicemodel=" * 
+    DvcOriginalAction = DeviceAction, 
+    DvcHostname = Computer, 
+    EventProductVersion = DeviceVersion, 
+    NetworkProtocol = Protocol, 
+    DstIpAddr = DestinationIP, 
+    DstPortNumber = DestinationPort, 
+    DstNatIpAddr = DestinationTranslatedAddress, 
+    DstNatPortNumber = DestinationTranslatedPort, 
+    DstBytes = ReceivedBytes, 
+    DstAppName = DeviceCustomString3, 
+    NetworkApplicationProtocol = DeviceCustomString2, 
+    SrcIpAddr = SourceIP, 
+    SrcPortNumber = SourcePort, 
+    SrcUsername = SourceUserName, // ?? Open question to zScaler - sometimes seems to include the location.
+    SrcNatIpAddr= SourceTranslatedAddress, 
+    SrcNatPortNumber = SourceTranslatedPort, 
+    SrcUserDepartment = DeviceCustomString1,  // Not in standard schema
+    SrcUserLocation = SourceUserPrivileges,  // Not in standard schema
+    SrcBytes = SentBytes, 
+    NetworkDuration = DeviceCustomNumber1, 
+    ThreatName = DeviceCustomString6, 
+    ThreatCategory = DeviceCustomString5, 
+    RuleName = Activity 
   // -- Calculated fields
+  | lookup ActionLookup on DvcOriginalAction 
   | extend
-    Url = iff (RequestURL == "", "", strcat (tolower(NetworkApplicationProtocol), "://", url_decode(RequestURL))),
-    UrlCategory = strcat (urlclass, "/", UrlCategory),
-    ThreatCategory = iff(DeviceCustomString4 == "None", "", strcat (DeviceCustomString3, "/", DeviceCustomString4)),
-    RuleName = iff (RuleName == "None", "", strcat (ruletype, "/", RuleName)),
-    FileMD5 = iff (FileMD5 == "None", "", FileMD5),
-    HttpReferrer = iff (RequestContext == "None", "", url_decode(RequestContext)),
-    DstAppName = iff (DstAppName == "General Browsing", "", DstAppName),
-    DstFQDNparts = split (DstFQDN, ".")
-  | extend
-    DstHostname = DstFQDNparts[0],
-    DstDomain = strcat_array(array_slice(DstFQDNparts,1,-1),".")
+    ThreatCategory = iff(DeviceCustomString4 == "None", "", ThreatCategory) 
   // -- Enrichment
   | extend
-    EventResult = iff (EventResultDetails == "NA" or toint(EventResultDetails) >= 400, "Failure", "Success"),
-    DstAppType = "SaaS application",
-    DstFQDN = "FQDN",
-    SrcUsernameType = "UPN"
+    EventResult = iff (DvcOriginalAction == "Allow", "Success", "Failure"),  
+    DstAppType = "Service", 
+    SrcUsernameType = "UPN" 
   // -- Aliases
   | extend
     Dvc = DvcHostname,
-    UserAgent = HttpUserAgent,
     User = SrcUsername,
-    HttpStatusCode = EventResultDetails,
-    IpAddr = SrcNatIpAddr,
-    Hash = FileMD5,
-    FileHashType = iff(FileMD5 == "", "", "MD5")
+    IpAddr = SrcIpAddr
   | project-away 
-    DstFQDNparts, AdditionalExtensions, DeviceCustom*
+    DeviceCustom*
   };
   parser (disabled)