Adding tags necessary for SF

* added EquivalentBuiltInParser tag
* added Parsers tag to metaparsers
* updated Yaml2Arm support for parameters
* fixed bug in param name in WebSession parsers

Parsers/ASimWebSession/ARM/imWebSession/imWebSession.json

@@ -30,7 +30,7 @@
             "FunctionAlias": "ASimWebSession",
             "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'vimWebSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser));\nlet vimBuiltInDisabled=toscalar('vimWebSession' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet parser=(\n  starttime:datetime=datetime(null), \n  endtime:datetime=datetime(null),\n  srcipaddr_has_any_prefix:dynamic=dynamic([]),\n  url_has_any:dynamic=dynamic([]), \n  httpuseragent_has_any:dynamic=dynamic([]), \n  eventresultdetails_in:dynamic=dynamic([]),\n  eventresult:string='*')\n{\nunion isfuzzy=true\n  vimWebSessionEmpty,\n  vimWebSessionSquidProxy (starttime, endtime, srcipaddr_has_any_prefix, url_has_any, httpuseragent_has_any, eventresultdetails_in, eventresult, vimBuiltInDisabled or ('vimWebSessionSquidProxy' in (DisabledParsers))),\n  vimWebSessionZscalerZIA (starttime, endtime, srcipaddr_has_any_prefix, url_has_any, httpuseragent_has_any, eventresultdetails_in, eventresult, vimBuiltInDisabled or ('vimWebSessionZscalerZIA' in (DisabledParsers)))\n};\nparser (starttime, endtime, srcipaddr_has_any, url_has_any, httpuseragent_has_any, eventresultdetails_in, eventresult)\n",
             "version": 1,
-            "functionParameters": "starttime:datetime=datetime(null), endtime:datetime=datetime(null), srcipaddr_has_any_prefix:dynamic=dynamic([]), url_has_any:dynamic=dynamic([]), httpuseragent_has_any:dynamic=dynamic([]), eventresultdetails_in:dynamic=dynamic([]), eventresult:string='*', eventresultdetils_has_any:dyanmic=dynamic([]), disabled:bool=False"
+            "functionParameters": "starttime:datetime=datetime(null), endtime:datetime=datetime(null), srcipaddr_has_any_prefix:dynamic=dynamic([]), url_has_any:dynamic=dynamic([]), httpuseragent_has_any:dynamic=dynamic([]), eventresultdetails_in:dynamic=dynamic([]), eventresult:string='*', eventresultdetails_has_any:dynamic=dynamic([]), disabled:bool=False"
           }
         }
       ]

Parsers/ASimWebSession/ARM/vimWebSessionSquidProxy/vimWebSessionSquidProxy.json

@@ -30,7 +30,7 @@
             "FunctionAlias": "vimWebSessionSquidProxy",
             "query": "let parser = (\n  starttime:datetime=datetime(null), \n  endtime:datetime=datetime(null),\n  srcipaddr_has_any_prefix:dynamic=dynamic([]), \n  url_has_any:dynamic=dynamic([]),\n  httpuseragent_has_any:dynamic=dynamic([]),\n  eventresultdetails_in:dynamic=dynamic([]),\n  eventresult:string='*',\n  disabled:bool=false\n ){\nSquidProxy_CL | where not(disabled)\n  // -- Pre filtering\n  | where  \n    (isnull(starttime) or TimeGenerated >= starttime) \n    and (isnull(endtime) or TimeGenerated <= endtime) \n    and ((array_length(url_has_any) == 0) or (RawData has_any (url_has_any)))\n    and ((array_length(httpuseragent_has_any) == 0) or (RawData has_any (httpuseragent_has_any)))\n    and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(RawData, srcipaddr_has_any_prefix))\n    and ((array_length(eventresultdetails_in) == 0) or (RawData has_any (eventresultdetails_in)))\n  // -- Parse\n  | extend AccessRawLog = extract_all(@\"^(\\d+\\.\\d+)\\s+(\\d+)\\s(\\S+)\\s([A-Z_]+)\\/(\\d+)\\s(\\d+)\\s([A-Z]+)\\s(\\S+)\\s(\\S+)\\s([A-Z_]+)\\/(\\S+)\\s(\\S+)\",dynamic([1,2,3,4,5,6,7,8,9,10,11,12]),RawData)[0]\n  // -- Post filtering\n  | extend EventResultDetails = toint(AccessRawLog[4])\n  | where array_length(eventresultdetails_in) == 0 or eventresult in (eventresultdetails_in)\n  | extend EventOriginalResultDetails = strcat (tostring(AccessRawLog[3]), \";\", PeerStatus = tostring(AccessRawLog[9]))\n  | extend EventResult = iff (EventResultOriginalDetails has_any ('DENIED', 'INVALID', 'FAIL', 'ABORTED','TIMEOUT') or EventResultDetails >= 400, \"Failure\", \"Success\")\n  | where eventresult == \"*\" or eventresult == EventResultDetails\n  // -- Map\n  | extend\n    EventEndTime = unixtime_milliseconds_todatetime(todouble(tostring(AccessRawLog[0]))*1000), \n    NetworkDuration = toint(AccessRawLog[1]), \n    SrcIpAddr = tostring(AccessRawLog[2]), \n    DstBytes = toint(AccessRawLog[5]), \n    HttpRequestMethod = tostring(AccessRawLog[6]), \n    Url = tostring(AccessRawLog[7]), \n    SrcUsername = tostring(AccessRawLog[8]), \n    DstIpAddr = tostring(AccessRawLog[10]), \n    HttpContentType = tostring(AccessRawLog[11]) \n  // -- Constant fields\n  | extend \n    EventCount = int(1), \n    EventProduct = 'Squid Proxy', \n    EventVendor = 'Apache', \n    EventSchema = 'WebSession', \n    EventSchemaVersion = '0.1.0', \n    EventType = 'HTTPsession' \n  // -- Value normalization\n  | extend\n    UsernameType = \"Unknown\",\n    SrcUsername = iff (SrcUsername == \"-\", \"\", SrcUsername), \n    HttpContentType = iff (HttpContentType in (\":\", \"-\"), \"\", HttpContentType), \n    EventResult = iff (EventResultOriginalDetails has_any ('DENIED', 'INVALID', 'FAIL', 'ABORTED','TIMEOUT') or EventResultDetails >= 400, \"Failure\", \"Success\")\n  // -- aliases\n  | extend \n    EventStartTime = EventEndTime,\n    Duration = NetworkDuration,\n    HttpStatusCode = EventResultDetails,\n    User = SrcUsername,\n    IpAddr = SrcIpAddr\n  | project-away AccessRawLog, RawData\n};\nparser (starttime, endtime, srcipaddr_has_any_prefix, url_has_any, httpuseragent_has_any, eventresultdetails_in, eventresult, disabled)",
             "version": 1,
-            "functionParameters": "starttime:datetime=datetime(null), endtime:datetime=datetime(null), srcipaddr_has_any_prefix:dynamic=dynamic([]), url_has_any:dynamic=dynamic([]), httpuseragent_has_any:dynamic=dynamic([]), eventresultdetails_in:dynamic=dynamic([]), eventresult:string='*', eventresultdetils_has_any:dyanmic=dynamic([]), disabled:bool=False"
+            "functionParameters": "starttime:datetime=datetime(null), endtime:datetime=datetime(null), srcipaddr_has_any_prefix:dynamic=dynamic([]), url_has_any:dynamic=dynamic([]), httpuseragent_has_any:dynamic=dynamic([]), eventresultdetails_in:dynamic=dynamic([]), eventresult:string='*', eventresultdetails_has_any:dynamic=dynamic([]), disabled:bool=False"
           }
         }
       ]

Parsers/ASimWebSession/ARM/vimWebSessionzScalerZIA/vimWebSessionzScalerZIA.json

@@ -30,7 +30,7 @@
             "FunctionAlias": "vimWebSessionZscalerZIA",
             "query": "let remove_protocol_from_list = (list:dynamic) \n{\n    print list \n    | mv-apply l = print_0 to typeof(string) on\n    ( extend l = replace_regex (tostring(l), \"^(?i:.*?)://\", \"\") ) \n    | project l\n};\nlet parser = (\nstarttime:datetime=datetime(null), \nendtime:datetime=datetime(null),\nsrcipaddr_has_any_prefix:dynamic=dynamic([]), \nurl_has_any:dynamic=dynamic([]),\nhttpuseragent_has_any:dynamic=dynamic([]),\neventresultdetails_in:dynamic=dynamic([]),\neventresult:string='*',\ndisabled:bool=false\n){\nCommonSecurityLog | where not(disabled)\n| where DeviceVendor == \"Zscaler\"\n| where DeviceProduct == \"NSSWeblog\"\n  // -- Pre filtering\n| where  \n  (isnull(starttime) or TimeGenerated >= starttime) \n  and (isnull(endtime) or TimeGenerated <= endtime) \n  and ((array_length(httpuseragent_has_any) == 0) or (RequestClientApplication has_any (httpuseragent_has_any)))\n  and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(SourceIP, srcipaddr_has_any_prefix))\n  and ((array_length(eventresultdetails_in) == 0) or (AdditionalExtensions has_any (eventresultdetails_in)))\n  and ((array_length(url_has_any) == 0) or (RequestURL has_any (remove_protocol_from_list(url_has_any))))\n// -- Parse\n| parse AdditionalExtensions with \n    \"reason=\" EventResultOriginalDetails:string \";\"\n    \"outcome=\" EventResultDetails:string \";\"\n    \"cat=\" * \";\"\n    \"rulelabel=\" RuleName:string \";\"\n    \"ruletype=\" ruletype:string \";\"\n    \"urlclass=\" urlclass:string \";\"\n    \"devicemodel=\" * \n// -- Post filtering\n| where\n  ((array_length(eventresultdetails_in) == 0) or (EventResultDetails in (eventresultdetails_in)))\n// -- Event fields\n| extend \n  EventCount=int(1), \n  EventStartTime=TimeGenerated,  \n  EventVendor = \"Zscaler\", \n  EventProduct = \"ZIA\", \n  EventSchema = \"WebSession\", \n  EventSchemaVersion=\"0.1.0\", \n  EventType = 'HTTPsession',\n  EventEndTime=TimeGenerated\n// -- Field mapping\n| project-rename\n  DvcAction = DeviceAction,\n  DvcHostname = Computer,\n  EventProductVersion = DeviceVersion,\n  NetworkApplicationProtocol = ApplicationProtocol,\n  HttpContentType = FileType,\n  HttpUserAgent = RequestClientApplication,\n  HttpRequestMethod = RequestMethod,\n  DstAppName = DestinationServiceName,\n  DstIpAddr = DestinationIP,\n  DstFQDN = DestinationHostName,\n  DstBytes = ReceivedBytes,\n  SrcIpAddr = SourceIP,\n  SrcUsername = SourceUserName,\n  SrcNatIpAddr= SourceTranslatedAddress,\n  SrcUserDepartment = SourceUserPrivileges, // Not part of the standard schema\n  SrcBytes = SentBytes,\n  ThreatRiskLevel = DeviceCustomNumber1,\n  UrlCategory = DeviceCustomString2,\n  ThreatName = DeviceCustomString5,\n  FileMD5 = DeviceCustomString6\n// -- Calculated fields\n| extend\n  Url = iff (RequestURL == \"\", \"\", strcat (tolower(NetworkApplicationProtocol), \"://\", url_decode(RequestURL))),\n  UrlCategory = strcat (urlclass, \"/\", UrlCategory),\n  ThreatCategory = iff(DeviceCustomString4 == \"None\", \"\", strcat (DeviceCustomString3, \"/\", DeviceCustomString4)),\n  RuleName = iff (RuleName == \"None\", \"\", strcat (ruletype, \"/\", RuleName)),\n  FileMD5 = iff (FileMD5 == \"None\", \"\", FileMD5),\n  HttpReferrer = iff (RequestContext == \"None\", \"\", url_decode(RequestContext)),\n  DstAppName = iff (DstAppName == \"General Browsing\", \"\", DstAppName),\n  DstFQDNparts = split (DstFQDN, \".\")\n| extend\n  DstHostname = DstFQDNparts[0],\n  DstDomain = strcat_array(array_slice(DstFQDNparts,1,-1),\".\")\n// -- Enrichment\n| extend\n  EventResult = iff (EventResultDetails == \"NA\" or toint(EventResultDetails) >= 400, \"Failure\", \"Success\"),\n  DstAppType = \"SaaS application\",\n  DstFQDN = \"FQDN\",\n  SrcUsernameType = \"UPN\"\n// -- Aliases\n| extend\n  Dvc = DvcHostname,\n  UserAgent = HttpUserAgent,\n  User = SrcUsername,\n  HttpStatusCode = EventResultDetails,\n  IpAddr = SrcNatIpAddr,\n  Hash = FileMD5,\n  FileHashType = iff(FileMD5 == \"\", \"\", \"MD5\")\n| project-away \n  DstFQDNparts, AdditionalExtensions, DeviceCustom*\n};\nparser (starttime, endtime, srcipaddr_has_any_prefix, url_has_any, httpuseragent_has_any, eventresultdetails_in, eventresult, disabled)",
             "version": 1,
-            "functionParameters": "starttime:datetime=datetime(null), endtime:datetime=datetime(null), srcipaddr_has_any_prefix:dynamic=dynamic([]), url_has_any:dynamic=dynamic([]), httpuseragent_has_any:dynamic=dynamic([]), eventresultdetails_in:dynamic=dynamic([]), eventresult:string='*', eventresultdetils_has_any:dyanmic=dynamic([]), disabled:bool=False"
+            "functionParameters": "starttime:datetime=datetime(null), endtime:datetime=datetime(null), srcipaddr_has_any_prefix:dynamic=dynamic([]), url_has_any:dynamic=dynamic([]), httpuseragent_has_any:dynamic=dynamic([]), eventresultdetails_in:dynamic=dynamic([]), eventresult:string='*', eventresultdetails_has_any:dynamic=dynamic([]), disabled:bool=False"
           }
         }
       ]

Parsers/ASimWebSession/Parsers/imWebSession.yaml

@@ -1,6 +1,6 @@
 Parser:
   Title: Web Session ASIM filtering parser
-  Version: '0.1'
+  Version: '0.2'
   LastUpdated: Nov 30, 2021
 Product:
   Name: Source agnostic
@@ -38,8 +38,8 @@ ParserParams:
   - Name: eventresult
     Type: string
     Default: '*'
-  - Name: eventresultdetils_has_any
-    Type: dyanmic
+  - Name: eventresultdetails_has_any
+    Type: dynamic
     Default: dynamic([])
   - Name: disabled
     Type: bool

Parsers/ASimWebSession/Parsers/vimWebSessionSquidProxy.yaml

@@ -1,6 +1,6 @@
 Parser:
   Title: Web Session ASIM filtering parser for Squid Proxy
-  Version: '0.1'
+  Version: '0.2'
   LastUpdated: Dec 6, 2021
 Product:
   Name: Squid Proxy
@@ -42,8 +42,8 @@ ParserParams:
   - Name: eventresult
     Type: string
     Default: '*'
-  - Name: eventresultdetils_has_any
-    Type: dyanmic
+  - Name: eventresultdetails_has_any
+    Type: dynamic
     Default: dynamic([])
   - Name: disabled
     Type: bool

Parsers/ASimWebSession/Parsers/vimWebSessionzScalerZIA.yaml

@@ -1,6 +1,6 @@
 Parser:
   Title: Web Session ASIM filtering parser for Zscaler ZIA
-  Version: '0.1'
+  Version: '0.2'
   LastUpdated: Dec 7, 2021
 Product:
   Name: Zscaler ZIA
@@ -43,8 +43,8 @@ ParserParams:
   - Name: eventresult
     Type: string
     Default: '*'
-  - Name: eventresultdetils_has_any
-    Type: dyanmic
+  - Name: eventresultdetails_has_any
+    Type: dynamic
     Default: dynamic([])
   - Name: disabled
     Type: bool