Merge pull request #3701 from Azure:dev/normalization/proxy-parsers

Dev/normalization/proxy parsers
Ofer Shezaf 2021-12-16 10:35:08 +02:00 коммит произвёл GitHub
Родитель 9bd3b8800a ac7176201f
Коммит 0b3bdd54bc
9 изменённых файлов: 720 добавлений и 16 удалений


@ -0,0 +1,93 @@
Parser:
Title: Network Session ASIM parser for Zscaler ZIA
Version: '0.1'
LastUpdated: Dec 8, 2021
Product:
Name: Zscaler ZIA
Normalization:
Schema: NetworkSession
Version: '0.2.1'
References:
- Title: ASIM Network Session Schema
Link: https://aka.ms/ASimNetworkSessionDoc
- Title: ASIM
Link: https:/aka.ms/AboutASIM
- Title: Zscaler Connector
Link: https://docs.microsoft.com/azure/sentinel/data-connectors-reference#zscaler
- Title: Zscaler Sentinel deployment guide
Link: https://help.zscaler.com/zia/zscaler-microsoft-azure-sentinel-deployment-guide
Description: |
This ASIM parser supports normalizing Zscaler ZIA proxy logs produced by the Microsoft Sentinel Zscaler connector to the ASIM Network Session normalized schema. The parser supports squid native log format.
ParserName: ASimNetworkSessionZscalerZIA
ParserParams:
- Name: disabled
Type: bool
Default: false
ParserQuery: |
let ActionLookup = datatable (DvcOriginalAction: string, DvcAction:string) [
// See https://help.zscaler.com/zia/firewall-insights-logs-filters
'Allow','Allow',
'Allow due to insufficient app data','Allow',
'Block/Drop','Drop',
'Block/ICMP','Drop ICMP',
'Block/Reset', 'Reset',
'IPS Drop', 'Drop',
'IPS Reset', 'Reset'
];
let parser=(disabled:bool=false){
CommonSecurityLog | where not(disabled)
| where DeviceVendor == "Zscaler"
| where DeviceProduct == "NSSFWlog"
// Event fields
| extend
EventCount=DeviceCustomNumber1,
EventStartTime=TimeGenerated,
EventVendor = "Zscaler",
EventProduct = "ZIA",
EventSchema = "NetworkSession",
EventSchemaVersion="0.2.1",
EventType = 'NetworkSession',
EventEndTime=TimeGenerated
| project-rename
DvcOriginalAction = DeviceAction,
DvcHostname = Computer,
EventProductVersion = DeviceVersion,
NetworkProtocol = Protocol,
DstIpAddr = DestinationIP,
DstPortNumber = DestinationPort,
DstNatIpAddr = DestinationTranslatedAddress,
DstNatPortNumber = DestinationTranslatedPort,
DstBytes = ReceivedBytes,
DstAppName = DeviceCustomString3,
NetworkApplicationProtocol = DeviceCustomString2,
SrcIpAddr = SourceIP,
SrcPortNumber = SourcePort,
SrcUsername = SourceUserName,
SrcNatIpAddr= SourceTranslatedAddress,
SrcNatPortNumber = SourceTranslatedPort,
SrcUserDepartment = DeviceCustomString1, // Not in standard schema
SrcUserLocation = SourceUserPrivileges, // Not in standard schema
SrcBytes = SentBytes,
NetworkDuration = DeviceCustomNumber1,
ThreatName = DeviceCustomString6,
ThreatCategory = DeviceCustomString5,
RuleName = Activity
// -- Calculated fields
| lookup ActionLookup on DvcOriginalAction
| extend
ThreatCategory = iff(DeviceCustomString4 == "None", "", ThreatCategory),
SrcUsername = iff (SrcUsername == SrcUserLocation, "", SrcUsername)
// -- Enrichment
| extend
EventResult = iff (DvcOriginalAction == "Allow", "Success", "Failure"),
DstAppType = "Service",
SrcUsernameType = "UPN"
// -- Aliases
| extend
Dvc = DvcHostname,
User = SrcUsername,
IpAddr = SrcIpAddr
| project-away
DeviceCustom*
};
parser (disabled)
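Review bot: EventResult on line 96 is derived from `DvcOriginalAction == "Allow"`, so an event whose original action is 'Allow due to insufficient app data' (which the lookup on line 90 maps to DvcAction 'Allow') is reported as "Failure"; testing the normalized value, `EventResult = iff (DvcAction == "Allow", "Success", "Failure"),`, keeps the lookup and the result consistent. The same pattern appears in the filtering parser's hunk at line 196. EventCount and NetworkDuration are both taken from DeviceCustomNumber1 (lines 57 and 85); presumably only one of these mappings is right, and the sibling Web Session parsers use `EventCount=int(1)`, so please confirm against the connector's CEF field mapping. The ASIM reference link `https:/aka.ms/AboutASIM` on line 28 is missing a slash, here and in every other new parser file in this commit.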


@ -0,0 +1,136 @@
Parser:
Title: Network Session ASIM filtering parser for Zscaler ZIA
Version: '0.1'
LastUpdated: Dec 14, 2021
Product:
Name: Zscaler ZIA
Normalization:
Schema: NetworkSession
Version: '0.2.1'
References:
- Title: ASIM Network Session Schema
Link: https://aka.ms/ASimNetworkSessionDoc
- Title: ASIM
Link: https:/aka.ms/AboutASIM
- Title: Zscaler Connector
Link: https://docs.microsoft.com/azure/sentinel/data-connectors-reference#zscaler
- Title: Zscaler Sentinel deployment guide
Link: https://help.zscaler.com/zia/zscaler-microsoft-azure-sentinel-deployment-guide
Description: |
This ASIM parser supports filtering and normalizing Zscaler ZIA proxy logs produced by the Microsoft Sentinel Zscaler connector to the ASIM Network Session normalized schema. The parser supports squid native log format.
ParserName: vimNetworkSessionZscalerZIA
ParserParams:
- Name: starttime
Type: datetime
Default: datetime(null)
- Name: endtime
Type: datetime
Default: datetime(null)
- Name: srcipaddr_has_any_prefix
Type: dynamic
Default: dynamic([])
- Name: dstipaddr_has_any_prefix
Type: dynamic
Default: dynamic([])
- Name: dstportnumber
Type: int
Default: int(null)
- Name: hostname_has_any
Type: dynamic
Default: dynamic([])
- Name: dvcaction
Type: dynamic
Default: dynamic([])
- Name: eventresult
Type: string
Default: "'*'"
- Name: disabled
Type: bool
Default: false
ParserQuery: |
let ActionLookup = datatable (DvcOriginalAction: string, DvcAction:string) [
// See https://help.zscaler.com/zia/firewall-insights-logs-filters
'Allow','Allow',
'Allow due to insufficient app data','Allow',
'Block/Drop','Drop',
'Block/ICMP','Drop ICMP',
'Block/Reset', 'Reset',
'IPS Drop', 'Drop',
'IPS Reset', 'Reset'
];
let parser=
(starttime:datetime=datetime(null)
, endtime:datetime=datetime(null)
, srcipaddr_has_any_prefix:dynamic=dynamic([])
, dstipaddr_has_any_prefix:dynamic=dynamic([])
, dstportnumber:int=int(null)
, hostname_has_any:dynamic=dynamic([])
, dvcaction:dynamic=dynamic([])
, eventresult:string='*'
, disabled:bool=false) {
CommonSecurityLog | where not(disabled)
| where DeviceVendor == "Zscaler"
| where DeviceProduct == "NSSFWlog"
// -- Pre-filtering
|where
(array_length(hostname_has_any) == 0) // No host name information, so always filter out if hostname filter used.
and (isnull(starttime) or TimeGenerated >= starttime)
and (isnull(endtime) or TimeGenerated <= endtime)
and (isnull(dstportnumber) or dstportnumber == DestinationPort)
and (array_length(srcipaddr_has_any_prefix)==0 or has_any_ipv4_prefix(SourceIP ,srcipaddr_has_any_prefix))
and (array_length(dstipaddr_has_any_prefix)==0 or has_any_ipv4_prefix(DestinationIP ,dstipaddr_has_any_prefix))
| project-rename DvcOriginalAction = DeviceAction
| lookup ActionLookup on DvcOriginalAction
| where array_length(dvcaction) == 0 or DvcAction in (dvcaction)
| extend EventResult = iff (DvcOriginalAction == "Allow", "Success", "Failure")
| where (eventresult=='*' or EventResult == eventresult)
// -- Event fields
| extend
EventCount=DeviceCustomNumber1,
EventStartTime=TimeGenerated,
EventVendor = "Zscaler",
EventProduct = "ZIA",
EventSchema = "NetworkSession",
EventSchemaVersion="0.2.1",
EventType = 'NetworkSession',
EventEndTime=TimeGenerated
| project-rename
DvcHostname = Computer,
EventProductVersion = DeviceVersion,
NetworkProtocol = Protocol,
DstIpAddr = DestinationIP,
DstPortNumber = DestinationPort,
DstNatIpAddr = DestinationTranslatedAddress,
DstNatPortNumber = DestinationTranslatedPort,
DstBytes = ReceivedBytes,
DstAppName = DeviceCustomString3,
NetworkApplicationProtocol = DeviceCustomString2,
SrcIpAddr = SourceIP,
SrcPortNumber = SourcePort,
SrcUsername = SourceUserName,
SrcNatIpAddr= SourceTranslatedAddress,
SrcNatPortNumber = SourceTranslatedPort,
SrcUserDepartment = DeviceCustomString1, // Not in standard schema
SrcUserLocation = SourceUserPrivileges, // Not in standard schema
SrcBytes = SentBytes,
NetworkDuration = DeviceCustomNumber1,
ThreatName = DeviceCustomString6,
ThreatCategory = DeviceCustomString5,
RuleName = Activity
// -- Calculated fields
| extend
ThreatCategory = iff(DeviceCustomString4 == "None", "", ThreatCategory),
SrcUsername = iff (SrcUsername == SrcUserLocation, "", SrcUsername)
// -- Enrichment
| extend
DstAppType = "Service",
SrcUsernameType = "UPN"
// -- Aliases
| extend
Dvc = DvcHostname,
User = SrcUsername,
IpAddr = SrcIpAddr
| project-away
DeviceCustom*
};
parser (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, disabled)
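Review bot: The final call on line 247 omits `eventresult`, so the `disabled` argument lands positionally in the `eventresult:string` slot declared on line 180 and the `disabled` parameter itself is never passed; the call should read `parser (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, disabled)`. The eventresult check on line 197 is otherwise fine. Consider also stating in the Description that this parser returns no rows whenever `hostname_has_any` is supplied, since the comment on line 187 is the only place that behaviour is recorded and a caller of the union parser may not expect an empty result.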


@ -1,5 +1,5 @@
Parser:
Title: Source Agnostic Web Sessions parser
Title: Web Session ASIM parser
Version: '0.1'
LastUpdated: Nov 30, 2021
Product:
@ -13,13 +13,20 @@ References:
- Title: ASIM
Link: https://aka.ms/AboutASIM
Description: |
ASIM Source Agnostic Web Sessions parser
This ASIM parser supports normalizing Web Session logs from all supported sources to the ASIM DNS activity normalized schema.
ParserName: ASimWebSessions
ParserQuery: |
let DisabledParsers=materialize(_GetWatchlist('ASimWebParsers') | where SearchKey in ('Any', 'ASimWebSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser| where isnotempty(SourceSpecificParser));
let ASimBuiltInDisabled=toscalar('ASimWebSession' in (DisabledParsers) or 'Any' in (DisabledParsers));
let parser=(){
union isfuzzy=true
vimWebSessionEmpty
vimWebSessionEmpty,
ASimWebSessionSquidProxy (ASimBuiltInDisabled or ('ASimWebSessionSquidProxy' in (DisabledParsers))),
ASimWebSessionZscalerZIA (ASimBuiltInDisabled or ('ASimWebSessionZscalerZIA' in (DisabledParsers)))
};
parser
parser
Parsers:
- vimWebSessionEmpty
- ASimWebSessionSquidProxy
- ASimWebSessionZscalerZIA
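Review bot: The watchlist consulted on line 266, `_GetWatchlist('ASimWebParsers')`, differs from the `_GetWatchlist('ASimDisabledParsers')` used by the filtering union in the later hunk (lines 502–504); if line 266 is unchanged context it predates this commit, but the two unions should agree on the watchlist name or the disable switch will only work for one of them. The Description on line 263 says the logs are normalized "to the ASIM DNS activity normalized schema", which looks copied from the DNS parser and should read "to the ASIM Web Session normalized schema"; the same sentence appears on line 471 of the filtering union.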


@ -0,0 +1,65 @@
Parser:
Title: Web Session ASIM parser for Squid Proxy
Version: '0.1'
LastUpdated: Dec 6, 2021
Product:
Name: Squid Proxy
Normalization:
Schema: WebSession
Version: '0.1.0'
References:
- Title: ASIM Web Session Schema
Link: https://aka.ms/ASimWebSessionDoc
- Title: ASIM
Link: https:/aka.ms/AboutASIM
- Title: Squid Proxy Connector
Link: https://docs.microsoft.com/azure/sentinel/data-connectors-reference#squid-proxy-preview
- Title: Squid native access log format
Link: https://wiki.squid-cache.org/Features/LogFormat
Description: |
This ASIM parser supports normalizing Squid Proxy logs produced by the Microsoft Sentinel Squid Connector to the ASIM Web Session normalized schema. The parser supports squid native log format.
ParserName: ASimWebSessionSquidProxy
ParserParams:
- Name: disabled
Type: bool
Default: false
ParserQuery: |
let parser=(disabled:bool=false){
SquidProxy_CL | where not(disabled)
| extend AccessRawLog = extract_all(@"^(\d+\.\d+)\s+(\d+)\s(\S+)\s([A-Z_]+)\/(\d+)\s(\d+)\s([A-Z]+)\s(\S+)\s(\S+)\s([A-Z_]+)\/(\S+)\s(\S+)",dynamic([1,2,3,4,5,6,7,8,9,10,11,12]),RawData)[0]
| extend
EventEndTime = unixtime_milliseconds_todatetime(todouble(tostring(AccessRawLog[0]))*1000),
NetworkDuration = toint(AccessRawLog[1]),
SrcIpAddr = tostring(AccessRawLog[2]),
EventOriginalResultDetails = strcat (tostring(AccessRawLog[3]), ";", PeerStatus = tostring(AccessRawLog[9])),
EventResultDetails = toint(AccessRawLog[4]),
DstBytes = toint(AccessRawLog[5]),
HttpRequestMethod = tostring(AccessRawLog[6]),
Url = tostring(AccessRawLog[7]),
SrcUsername = tostring(AccessRawLog[8]),
DstIpAddr = tostring(AccessRawLog[10]),
HttpContentType = tostring(AccessRawLog[11])
// -- Constant fields
| extend
EventCount = int(1),
EventProduct = 'Squid Proxy',
EventVendor = 'Apache',
EventSchema = 'WebSession',
EventSchemaVersion = '0.1.0',
EventType = 'HTTPsession'
// -- Value normalization
| extend
UsernameType = "Unknown",
SrcUsername = iff (SrcUsername == "-", "", SrcUsername),
HttpContentType = iff (HttpContentType in (":", "-"), "", HttpContentType),
EventResult = iff (EventResultOriginalDetails has_any ('DENIED', 'INVALID', 'FAIL', 'ABORTED','TIMEOUT') or EventResultDetails >= 400, "Failure", "Success")
// -- aliases
| extend
EventStartTime = EventEndTime,
Duration = NetworkDuration,
HttpStatusCode = EventResultDetails,
User = SrcUsername,
IpAddr = SrcIpAddr
| project-away AccessRawLog, RawData
};
parser (disabled)
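Review bot: Line 318 defines the column as `EventOriginalResultDetails`, but line 339 reads `EventResultOriginalDetails`, which does not exist at that point, so the column reference will not resolve; in addition the `PeerStatus = tostring(AccessRawLog[9])` inside strcat is a named-argument form that strcat does not accept. Line 318 should be `EventOriginalResultDetails = strcat (tostring(AccessRawLog[3]), ";", tostring(AccessRawLog[9])),` and line 339 should reference `EventOriginalResultDetails`. The same two lines recur at 627–628 in the filtering Squid parser. `UsernameType = "Unknown"` on line 336 is not the field name the sibling Zscaler parser sets (`SrcUsernameType`, line 442); presumably they should match.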


@ -0,0 +1,102 @@
Parser:
Title: Web Session ASIM parser for Zscaler ZIA
Version: '0.1'
LastUpdated: Dec 7, 2021
Product:
Name: Zscaler ZIA
Normalization:
Schema: WebSession
Version: '0.1.0'
References:
- Title: ASIM Web Session Schema
Link: https://aka.ms/ASimWebSessionDoc
- Title: ASIM
Link: https:/aka.ms/AboutASIM
- Title: Zscaler Connector
Link: https://docs.microsoft.com/azure/sentinel/data-connectors-reference#zscaler
- Title: Zscaler Sentinel deployment guide
Link: https://help.zscaler.com/zia/zscaler-microsoft-azure-sentinel-deployment-guide
Description: |
This ASIM parser supports normalizing Zscaler ZIA proxy logs produced by the Microsoft Sentinel Zscaler connector to the ASIM Web Session normalized schema. The parser supports squid native log format.
ParserName: ASimWebSessionZscalerZIA
ParserParams:
- Name: disabled
Type: bool
Default: false
ParserQuery: |
let parser=(disabled:bool=false){
CommonSecurityLog | where not(disabled)
| where DeviceVendor == "Zscaler"
| where DeviceProduct == "NSSWeblog"
// Event fields
| extend
EventCount=int(1),
EventStartTime=TimeGenerated,
EventVendor = "Zscaler",
EventProduct = "ZIA",
EventSchema = "WebSession",
EventSchemaVersion="0.1.0",
EventType = 'HTTPsession',
EventEndTime=TimeGenerated
| project-rename
DvcAction = DeviceAction,
DvcHostname = Computer,
EventProductVersion = DeviceVersion,
NetworkApplicationProtocol = ApplicationProtocol,
HttpContentType = FileType,
HttpUserAgent = RequestClientApplication,
HttpRequestMethod = RequestMethod,
DstAppName = DestinationServiceName,
DstIpAddr = DestinationIP,
DstFQDN = DestinationHostName,
DstBytes = ReceivedBytes,
SrcIpAddr = SourceIP,
SrcUsername = SourceUserName,
SrcNatIpAddr= SourceTranslatedAddress,
SrcUserDepartment = SourceUserPrivileges, // Not part of the standard schema
SrcBytes = SentBytes,
ThreatRiskLevel = DeviceCustomNumber1,
UrlCategory = DeviceCustomString2,
ThreatName = DeviceCustomString5,
FileMD5 = DeviceCustomString6
// -- Parse
| parse AdditionalExtensions with
"reason=" EventResultOriginalDetails:string ";"
"outcome=" EventResultDetails:int ";"
"cat=" * ";"
"rulelabel=" RuleName:string ";"
"ruletype=" ruletype:string ";"
"urlclass=" urlclass:string ";"
"devicemodel=" *
// -- Calculated fields
| extend
Url = iff (RequestURL == "", "", strcat (tolower(NetworkApplicationProtocol), "://", url_decode(RequestURL))),
UrlCategory = strcat (urlclass, "/", UrlCategory),
ThreatCategory = iff(DeviceCustomString4 == "None", "", strcat (DeviceCustomString3, "/", DeviceCustomString4)),
RuleName = iff (RuleName == "None", "", strcat (ruletype, "/", RuleName)),
FileMD5 = iff (FileMD5 == "None", "", FileMD5),
HttpReferrer = iff (RequestContext == "None", "", url_decode(RequestContext)),
DstAppName = iff (DstAppName == "General Browsing", "", DstAppName),
DstFQDNparts = split (DstFQDN, ".")
| extend
DstHostname = DstFQDNparts[0],
DstDomain = strcat_array(array_slice(DstFQDNparts,1,-1),".")
// -- Enrichment
| extend
EventResult = iff (EventResultDetails == "NA" or toint(EventResultDetails) >= 400, "Failure", "Success"),
DstAppType = "SaaS application",
DstFQDN = "FQDN",
SrcUsernameType = "UPN"
// -- Aliases
| extend
Dvc = DvcHostname,
UserAgent = HttpUserAgent,
User = SrcUsername,
HttpStatusCode = EventResultDetails,
IpAddr = SrcNatIpAddr,
Hash = FileMD5,
FileHashType = iff(FileMD5 == "", "", "MD5")
| project-away
DstFQDNparts, AdditionalExtensions, DeviceCustom*
};
parser (disabled)
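Review bot: `DstFQDN = "FQDN"` on line 441 overwrites the hostname renamed from DestinationHostName on line 404 with a literal, so every event leaves the parser with DstFQDN equal to "FQDN"; the intent looks like a type annotation, e.g. `DstHostnameType = "FQDN",`, and the same line recurs at 808 in the filtering Zscaler parser. The `outcome=` value is parsed as `EventResultDetails:int` on line 418, yet line 439 compares it with the string "NA" and re-applies toint(); the filtering variant parses it as `:string` (line 750), which is the form that makes line 439 valid, so line 418 should be `"outcome=" EventResultDetails:string ";"`.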


@ -1,5 +1,5 @@
Parser:
Title: Source Agnostic Web Sessions parser
Title: Web Session ASIM filtering parser
Version: '0.1'
LastUpdated: Nov 30, 2021
Product:
@ -13,23 +13,56 @@ References:
- Title: ASIM
Link: https://aka.ms/AboutASIM
Description: |
ASIM parametrized source agnostic Web Session parser
This ASIM parser supports filtering and normalizing Web Session logs from all supported sources to the ASIM DNS activity normalized schema.
ParserName: ASimWebSession
ParserParams:
- Name: starttime
Type: datetime
Default: datetime(null)
- Name: endtime
Type: datetime
Default: datetime(null)
- Name: srcipaddr_has_any_prefix
Type: dynamic
Default: dynamic([])
- Name: url_has_any
Type: dynamic
Default: dynamic([])
- Name: httpuseragent_has_any
Type: dynamic
Default: dynamic([])
- Name: eventresultdetails_in
Type: dynamic
Default: dynamic([])
- Name: eventresult
Type: string
Default: "'*'"
- Name: eventresultdetils_has_any
Type: dyanmic
Default: dynamic([])
- Name: disabled
Type: bool
Default: false
ParserQuery: |
let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ASimWebSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser));
let ASimBuiltInDisabled=toscalar('ASimWebSession' in (DisabledParsers) or 'Any' in (DisabledParsers));
let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'vimWebSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser));
let vimBuiltInDisabled=toscalar('vimWebSession' in (DisabledParsers) or 'Any' in (DisabledParsers));
let parser=(
starttime:datetime=datetime(null),
endtime:datetime=datetime(null),
srcipaddr_has_any_ipv4_prefix:dynamic=dynamic([]),
srcipaddr_has_any_prefix:dynamic=dynamic([]),
url_has_any:dynamic=dynamic([]),
httpuseragent_has_any:dynamic=dynamic([]),
eventresultdetails_in:dynamic=dynamic([])
eventresultdetails_in:dynamic=dynamic([]),
eventresult:string='*')
{
union isfuzzy=true
vimWebSessionEmpty
vimWebSessionEmpty,
vimWebSessionSquidProxy (starttime, endtime, srcipaddr_has_any_prefix, url_has_any, httpuseragent_has_any, eventresultdetails_in, eventresult, vimBuiltInDisabled or ('vimWebSessionSquidProxy' in (DisabledParsers))),
vimWebSessionZscalerZIA (starttime, endtime, srcipaddr_has_any_prefix, url_has_any, httpuseragent_has_any, eventresultdetails_in, eventresult, vimBuiltInDisabled or ('vimWebSessionZscalerZIA' in (DisabledParsers)))
};
parser (starttime, endtime, srcipaddr_has_any, url_has_any, httpuseragent_has_any, eventresultdetails_in)
parser (starttime, endtime, srcipaddr_has_any, url_has_any, httpuseragent_has_any, eventresultdetails_in, eventresult)
Parsers:
Parsers:
- vimWebSesssionEmpty
- vimWebSessionSquidProxy
- vimWebSessionZscalerZIA
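Review bot: The invocation on line 524 passes `srcipaddr_has_any`, but the parameter declared on line 510 is `srcipaddr_has_any_prefix`, so the name is undefined and the function cannot be evaluated; the call should be `parser (starttime, endtime, srcipaddr_has_any_prefix, url_has_any, httpuseragent_has_any, eventresultdetails_in, eventresult)`. ParserParams declares `disabled` (line 498) and `eventresultdetils_has_any` of type `dyanmic` (lines 495–497), neither of which the signature on lines 506–515 accepts; the latter's spelling errors also appear in the Squid and Zscaler filtering parsers (lines 596–598 and 712–714). `ParserName: ASimWebSession` on line 472 is the name of the non-filtering union while this file's watchlist key and callees use `vimWebSession`, and the Parsers entry `vimWebSesssionEmpty` on line 527 has a stray `s`.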


@ -1,5 +1,5 @@
Parser:
Title: Empty Web Session Events Table
Title: Web Session ASIM schema function
Version: '0.1'
LastUpdated: Nov 30, 2021
Product:
@ -13,7 +13,7 @@ References:
- Title: ASIM
Link: https://aka.ms/AboutASIM
Description: |
The purpose of this parser is to generate and guarantee the schema columns
This function returns an empty ASIM Web Session schema
ParserName: vimWebSessionEmpty
ParserQuery: |
let parser=datatable(


@ -0,0 +1,112 @@
Parser:
Title: Web Session ASIM filtering parser for Squid Proxy
Version: '0.1'
LastUpdated: Dec 6, 2021
Product:
Name: Squid Proxy
Normalization:
Schema: WebSession
Version: '0.1.0'
References:
- Title: ASIM Web Session Schema
Link: https://aka.ms/ASimWebSessionDoc
- Title: ASIM
Link: https:/aka.ms/AboutASIM
- Title: Squid Proxy Connector
Link: https://docs.microsoft.com/azure/sentinel/data-connectors-reference#squid-proxy-preview
- Title: Squid native access log format
Link: https://wiki.squid-cache.org/Features/LogFormat
Description: |
This ASIM parser supports filtering and normalizing Squid Proxy logs produced by the Microsoftusu Sentinel Squid Connector to the ASIM Web Session normalized schema. The parser supports squid native log format.
ParserName: vimWebSessionSquidProxy
ParserParams:
- Name: starttime
Type: datetime
Default: datetime(null)
- Name: endtime
Type: datetime
Default: datetime(null)
- Name: srcipaddr_has_any_prefix
Type: dynamic
Default: dynamic([])
- Name: url_has_any
Type: dynamic
Default: dynamic([])
- Name: httpuseragent_has_any
Type: dynamic
Default: dynamic([])
- Name: eventresultdetails_in
Type: dynamic
Default: dynamic([])
- Name: eventresult
Type: string
Default: "'*'"
- Name: eventresultdetils_has_any
Type: dyanmic
Default: dynamic([])
- Name: disabled
Type: bool
Default: false
ParserQuery: |
let parser = (
starttime:datetime=datetime(null),
endtime:datetime=datetime(null),
srcipaddr_has_any_prefix:dynamic=dynamic([]),
url_has_any:dynamic=dynamic([]),
httpuseragent_has_any:dynamic=dynamic([]),
eventresultdetails_in:dynamic=dynamic([]),
eventresult:string='*',
disabled:bool=false
){
SquidProxy_CL | where not(disabled)
// -- Pre filtering
| where
(isnull(starttime) or TimeGenerated >= starttime)
and (isnull(endtime) or TimeGenerated <= endtime)
and ((array_length(url_has_any) == 0) or (RawData has_any (url_has_any)))
and ((array_length(httpuseragent_has_any) == 0) or (RawData has_any (httpuseragent_has_any)))
and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(RawData, srcipaddr_has_any_prefix))
and ((array_length(eventresultdetails_in) == 0) or (RawData has_any (eventresultdetails_in)))
// -- Parse
| extend AccessRawLog = extract_all(@"^(\d+\.\d+)\s+(\d+)\s(\S+)\s([A-Z_]+)\/(\d+)\s(\d+)\s([A-Z]+)\s(\S+)\s(\S+)\s([A-Z_]+)\/(\S+)\s(\S+)",dynamic([1,2,3,4,5,6,7,8,9,10,11,12]),RawData)[0]
// -- Post filtering
| extend EventResultDetails = toint(AccessRawLog[4])
| where array_length(eventresultdetails_in) == 0 or eventresult in (eventresultdetails_in)
| extend EventOriginalResultDetails = strcat (tostring(AccessRawLog[3]), ";", PeerStatus = tostring(AccessRawLog[9]))
| extend EventResult = iff (EventResultOriginalDetails has_any ('DENIED', 'INVALID', 'FAIL', 'ABORTED','TIMEOUT') or EventResultDetails >= 400, "Failure", "Success")
| where eventresult == "*" or eventresult == EventResultDetails
// -- Map
| extend
EventEndTime = unixtime_milliseconds_todatetime(todouble(tostring(AccessRawLog[0]))*1000),
NetworkDuration = toint(AccessRawLog[1]),
SrcIpAddr = tostring(AccessRawLog[2]),
DstBytes = toint(AccessRawLog[5]),
HttpRequestMethod = tostring(AccessRawLog[6]),
Url = tostring(AccessRawLog[7]),
SrcUsername = tostring(AccessRawLog[8]),
DstIpAddr = tostring(AccessRawLog[10]),
HttpContentType = tostring(AccessRawLog[11])
// -- Constant fields
| extend
EventCount = int(1),
EventProduct = 'Squid Proxy',
EventVendor = 'Apache',
EventSchema = 'WebSession',
EventSchemaVersion = '0.1.0',
EventType = 'HTTPsession'
// -- Value normalization
| extend
UsernameType = "Unknown",
SrcUsername = iff (SrcUsername == "-", "", SrcUsername),
HttpContentType = iff (HttpContentType in (":", "-"), "", HttpContentType),
EventResult = iff (EventResultOriginalDetails has_any ('DENIED', 'INVALID', 'FAIL', 'ABORTED','TIMEOUT') or EventResultDetails >= 400, "Failure", "Success")
// -- aliases
| extend
EventStartTime = EventEndTime,
Duration = NetworkDuration,
HttpStatusCode = EventResultDetails,
User = SrcUsername,
IpAddr = SrcIpAddr
| project-away AccessRawLog, RawData
};
parser (starttime, endtime, srcipaddr_has_any_prefix, url_has_any, httpuseragent_has_any, eventresultdetails_in, eventresult, disabled)
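Review bot: Line 626 filters with `eventresult in (eventresultdetails_in)`, comparing the `eventresult` parameter instead of the parsed column, and line 629 compares `eventresult` with the integer `EventResultDetails` rather than the `EventResult` string computed on line 628, so neither expresses the intended filter. They should read `| where array_length(eventresultdetails_in) == 0 or EventResultDetails in (eventresultdetails_in)` and `| where eventresult == "*" or eventresult == EventResult`. EventResult is then computed again on line 654, which can be dropped. The Zscaler filtering parser in the final hunk declares `eventresult` but, as far as the visible lines show, never filters on it at all. The Description on line 572 reads "Microsoftusu Sentinel".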


@ -0,0 +1,156 @@
Parser:
Title: Web Session ASIM filtering parser for Zscaler ZIA
Version: '0.1'
LastUpdated: Dec 7, 2021
Product:
Name: Zscaler ZIA
Normalization:
Schema: WebSession
Version: '0.1.0'
References:
- Title: ASIM Web Session Schema
Link: https://aka.ms/ASimWebSessionDoc
- Title: ASIM
Link: https:/aka.ms/AboutASIM
- Title: Zscaler Connector
Link: https://docs.microsoft.com/azure/sentinel/data-connectors-reference#zscaler
- Title: Zscaler Sentinel deployment guide
Link: https://help.zscaler.com/zia/zscaler-microsoft-azure-sentinel-deployment-guide
Description: |
This ASIM parser supports filtering and normalizing Zscaler ZIA proxy logs produced by the Microsoft Sentinel Zscaler connector to the ASIM Web Session normalized schema. The parser supports squid native log format.
ParserName: vimWebSessionZscalerZIA
ParserParams:
- Name: starttime
Type: datetime
Default: datetime(null)
- Name: endtime
Type: datetime
Default: datetime(null)
- Name: srcipaddr_has_any_prefix
Type: dynamic
Default: dynamic([])
- Name: url_has_any
Type: dynamic
Default: dynamic([])
- Name: httpuseragent_has_any
Type: dynamic
Default: dynamic([])
- Name: eventresultdetails_in
Type: dynamic
Default: dynamic([])
- Name: eventresult
Type: string
Default: "'*'"
- Name: eventresultdetils_has_any
Type: dyanmic
Default: dynamic([])
- Name: disabled
Type: bool
Default: false
ParserQuery: |
let remove_protocol_from_list = (list:dynamic)
{
print list
| mv-apply l = print_0 to typeof(string) on
( extend l = replace_regex (tostring(l), "^(?i:.*?)://", "") )
| project l
};
let parser = (
starttime:datetime=datetime(null),
endtime:datetime=datetime(null),
srcipaddr_has_any_prefix:dynamic=dynamic([]),
url_has_any:dynamic=dynamic([]),
httpuseragent_has_any:dynamic=dynamic([]),
eventresultdetails_in:dynamic=dynamic([]),
eventresult:string='*',
disabled:bool=false
){
CommonSecurityLog | where not(disabled)
| where DeviceVendor == "Zscaler"
| where DeviceProduct == "NSSWeblog"
// -- Pre filtering
| where
(isnull(starttime) or TimeGenerated >= starttime)
and (isnull(endtime) or TimeGenerated <= endtime)
and ((array_length(httpuseragent_has_any) == 0) or (RequestClientApplication has_any (httpuseragent_has_any)))
and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(SourceIP, srcipaddr_has_any_prefix))
and ((array_length(eventresultdetails_in) == 0) or (AdditionalExtensions has_any (eventresultdetails_in)))
and ((array_length(url_has_any) == 0) or (RequestURL has_any (remove_protocol_from_list(url_has_any))))
// -- Parse
| parse AdditionalExtensions with
"reason=" EventResultOriginalDetails:string ";"
"outcome=" EventResultDetails:string ";"
"cat=" * ";"
"rulelabel=" RuleName:string ";"
"ruletype=" ruletype:string ";"
"urlclass=" urlclass:string ";"
"devicemodel=" *
// -- Post filtering
| where
((array_length(eventresultdetails_in) == 0) or (EventResultDetails in (eventresultdetails_in)))
// -- Event fields
| extend
EventCount=int(1),
EventStartTime=TimeGenerated,
EventVendor = "Zscaler",
EventProduct = "ZIA",
EventSchema = "WebSession",
EventSchemaVersion="0.1.0",
EventType = 'HTTPsession',
EventEndTime=TimeGenerated
// -- Field mapping
| project-rename
DvcAction = DeviceAction,
DvcHostname = Computer,
EventProductVersion = DeviceVersion,
NetworkApplicationProtocol = ApplicationProtocol,
HttpContentType = FileType,
HttpUserAgent = RequestClientApplication,
HttpRequestMethod = RequestMethod,
DstAppName = DestinationServiceName,
DstIpAddr = DestinationIP,
DstFQDN = DestinationHostName,
DstBytes = ReceivedBytes,
SrcIpAddr = SourceIP,
SrcUsername = SourceUserName,
SrcNatIpAddr= SourceTranslatedAddress,
SrcUserDepartment = SourceUserPrivileges, // Not part of the standard schema
SrcBytes = SentBytes,
ThreatRiskLevel = DeviceCustomNumber1,
UrlCategory = DeviceCustomString2,
ThreatName = DeviceCustomString5,
FileMD5 = DeviceCustomString6
// -- Calculated fields
| extend
Url = iff (RequestURL == "", "", strcat (tolower(NetworkApplicationProtocol), "://", url_decode(RequestURL))),
UrlCategory = strcat (urlclass, "/", UrlCategory),
ThreatCategory = iff(DeviceCustomString4 == "None", "", strcat (DeviceCustomString3, "/", DeviceCustomString4)),
RuleName = iff (RuleName == "None", "", strcat (ruletype, "/", RuleName)),
FileMD5 = iff (FileMD5 == "None", "", FileMD5),
HttpReferrer = iff (RequestContext == "None", "", url_decode(RequestContext)),
DstAppName = iff (DstAppName == "General Browsing", "", DstAppName),
DstFQDNparts = split (DstFQDN, ".")
| extend
DstHostname = DstFQDNparts[0],
DstDomain = strcat_array(array_slice(DstFQDNparts,1,-1),".")
// -- Enrichment
| extend
EventResult = iff (EventResultDetails == "NA" or toint(EventResultDetails) >= 400, "Failure", "Success"),
DstAppType = "SaaS application",
DstFQDN = "FQDN",
SrcUsernameType = "UPN"
// -- Aliases
| extend
Dvc = DvcHostname,
UserAgent = HttpUserAgent,
User = SrcUsername,
HttpStatusCode = EventResultDetails,
IpAddr = SrcNatIpAddr,
Hash = FileMD5,
FileHashType = iff(FileMD5 == "", "", "MD5")
| project-away
DstFQDNparts, AdditionalExtensions, DeviceCustom*
};
parser (starttime, endtime, srcipaddr_has_any_prefix, url_has_any, httpuseragent_has_any, eventresultdetails_in, eventresult, disabled)