vakohl 2024-03-12 11:21:44 +05:30
Родитель d90e7a0a77
Коммит 31acedaae4
4 изменённых файлов: 250 добавлений и 0 удалений


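--- /dev/null
+++ b/<PATH_NOT_ON_PAGE>
@@ -0,0 +1,37 @@
+Parser:
+Title: Dhcp event ASIM parser
+Version: '0.1.0'
+LastUpdated: Mar 11, 2024
+Product:
+Name: Source agnostic
+Normalization:
+Schema: Dhcp
+Version: '0.1'
+References:
+- Title: ASIM Dhcp Event Schema
+Link: https://aka.ms/ASimDhcpEventDoc
+- Title: ASIM
+Link: https://aka.ms/AboutASIM
+Description: |
+This ASIM parser supports normalizing Dhcp event logs from all supported sources to the ASIM Dhcp Event normalized schema.
+ParserName: ASimDhcpEvent
+EquivalentBuiltInParser: _ASim_DhcpEvent
+ParserQuery: |
+let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimDhcpEvent') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser| where isnotempty(SourceSpecificParser));
+let ASimBuiltInDisabled=toscalar('ExcludeASimDhcpEvent' in (DisabledParsers) or 'Any' in (DisabledParsers));
+let parser=(pack:bool=false){
+union isfuzzy=true
+vimDhcpEventEmpty,
+ASimDhcpEventNative (disabled=(ASimBuiltInDisabled or ('ExcludeASimDhcpEventNative' in (DisabledParsers))))
+};
+parser (pack=pack)
+ParserParams:
+- Name: pack
+Type: bool
+Default: false
+Parsers:
+- _Im_DhcpEvent_Empty
+- _ASim_DhcpEvent_Native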
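Review bot: `pack` is declared on the lambda at line 31 and forwarded by `parser (pack=pack)` at line 36, but the only call inside the union, `ASimDhcpEventNative (disabled=(...))` at line 34, never receives it, so the parameter is a no-op for every caller. If the native parser accepts packing, the call should read `ASimDhcpEventNative (disabled=(ASimBuiltInDisabled or ('ExcludeASimDhcpEventNative' in (DisabledParsers))), pack=pack)`; if it does not, `pack` should be removed from the lambda and from ParserParams so the header does not advertise an option that is ignored. The `vimDhcpEventNative` call in the imDhcpEvent section has the same gap. As a minor style point, `LastUpdated: Mar 11, 2024` here differs from `Mar 11 2024` in the other two parser files; one date format across the set would help tooling that parses the header.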


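--- /dev/null
+++ b/<PATH_NOT_ON_PAGE>
@@ -0,0 +1,65 @@
+Parser:
+Title: Dhcp event ASIM filtering parser
+Version: '0.1.0'
+LastUpdated: Mar 11 2024
+Product:
+Name: Source agnostic
+Normalization:
+Schema: Dhcp
+Version: '0.1'
+References:
+- Title: ASIM Dhcp Event Schema
+Link: https://aka.ms/ASimDhcpEventDoc
+- Title: ASIM
+Link: https://aka.ms/AboutASIM
+Description: |
+This ASIM parser supports filtering and normalizing Dhcp event logs from all supported sources to the ASIM Dhcp Event normalized schema.
+ParserName: imDhcpEvent
+EquivalentBuiltInParser: _Im_DhcpEvent
+ParserParams:
+- Name: starttime
+Type: datetime
+Default: datetime(null)
+- Name: endtime
+Type: datetime
+Default: datetime(null)
+- Name: srcipaddr_has_any_prefix
+Type: dynamic
+Default: dynamic([])
+- Name: srchostname_has_any
+Type: dynamic
+Default: dynamic([])
+- Name: srcusername_has_any
+Type: dynamic
+Default: dynamic([])
+- Name: eventresult
+Type: string
+Default: '*'
+- Name: disabled
+Type: bool
+Default: false
+- Name: pack
+Type: bool
+Default: false
+ParserQuery: |
+let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludevimDhcpEvent') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser));
+let vimBuiltInDisabled=toscalar('ExcludevimDhcpEvent' in (DisabledParsers) or 'Any' in (DisabledParsers));
+let parser=(
+starttime:datetime=datetime(null),
+endtime:datetime=datetime(null),
+srcipaddr_has_any_prefix:dynamic=dynamic([]),
+ipaddr_has_any_prefix:dynamic=dynamic([]),
+url_has_any:dynamic=dynamic([]),
+httpuseragent_has_any:dynamic=dynamic([]),
+eventresultdetails_in:dynamic=dynamic([]),
+eventresult:string='*',
+pack:bool=false)
+{
+union isfuzzy=true
+vimDhcpEventEmpty,
+vimDhcpEventNative (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, srcusername_has_any=srcusername_has_any, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimDhcpEventNative' in (DisabledParsers))))
+};
+parser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, srcusername_has_any=srcusername_has_any, eventresult=eventresult, pack=pack)
+Parsers:
+- _Im_DhcpEvent_Empty
+- _Im_DhcpEvent_Native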
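Review bot: The `parser` lambda declared at lines 94-103 does not take `srchostname_has_any` or `srcusername_has_any`, yet line 107 forwards both to `vimDhcpEventNative` and line 109 passes both to `parser` as named arguments; a named argument the lambda does not declare should be rejected by the query engine, so this filtering parser is unlikely to deploy as written. In their place the lambda declares `ipaddr_has_any_prefix`, `url_has_any`, `httpuseragent_has_any` and `eventresultdetails_in`, which neither the ParserParams list at lines 66-90 nor the body uses — this looks like a signature carried over from a WebSession-style parser, and the lambda should instead mirror the ParserParams list exactly. The `disabled` parameter at lines 85-87 likewise has no counterpart in the lambda and is never folded into the `disabled=` expression on line 107, so a caller's `disabled=true` has no effect; presumably it should be OR-ed into that expression (as in the header below) or removed from ParserParams. The rewritten lambda header and call follow; the two `let` lines above it are unchanged.
```kusto
// … unchanged: DisabledParsers / vimBuiltInDisabled watchlist lookups …
let parser=(
  starttime:datetime=datetime(null),
  endtime:datetime=datetime(null),
  srcipaddr_has_any_prefix:dynamic=dynamic([]),
  srchostname_has_any:dynamic=dynamic([]),
  srcusername_has_any:dynamic=dynamic([]),
  eventresult:string='*',
  disabled:bool=false,
  pack:bool=false)
{
  union isfuzzy=true
    vimDhcpEventEmpty,
    vimDhcpEventNative (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, srcusername_has_any=srcusername_has_any, eventresult=eventresult, disabled=(disabled or vimBuiltInDisabled or ('ExcludevimDhcpEventNative' in (DisabledParsers))))
};
parser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, srcusername_has_any=srcusername_has_any, eventresult=eventresult, disabled=disabled, pack=pack)
```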


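--- /dev/null
+++ b/<PATH_NOT_ON_PAGE>
@@ -0,0 +1,131 @@
+Parser:
+Title: Dhcp event ASIM schema function
+Version: '0.1.0'
+LastUpdated: Mar 11 2024
+Product:
+Name: Microsoft
+Normalization:
+Schema: Dhcp
+Version: '0.1'
+References:
+- Title: ASIM Dhcp Event Schema
+Link: https://aka.ms/ASimDhcpEventDoc
+- Title: ASIM
+Link: https://aka.ms/AboutASIM
+Description: |
+This function returns an empty ASIM Dhcp Event schema.
+ParserName: vimDhcpEventEmpty
+EquivalentBuiltInParser: _Im_DhcpEvent_Empty
+ParserQuery: |
+let EmptyDhcpEvents =datatable (
+TimeGenerated:datetime
+, _ResourceId:string
+, Type:string
+// ****** Event fields ******
+, EventType:string
+, EventProduct:string
+, EventProductVersion:string
+, EventCount:int
+, EventMessage:string
+, EventVendor:string
+, EventSchema:string
+, EventSchemaVersion:string
+, EventSeverity:string
+, EventSubType:string
+, EventOriginalUid:string
+, EventOriginalType:string
+, EventOriginalResultDetails:string
+, EventOriginalSeverity:string
+, EventOriginalSubType:string
+, EventStartTime:datetime
+, EventEndTime:datetime
+, EventReportUrl:string
+, EventResult: string
+, EventResultDetails: string
+, AdditionalFields:dynamic
+, EventOwner:string
+// ****** Device fields ******
+, DvcId:string
+, DvcHostname:string
+, DvcDomain:string
+, DvcDomainType:string
+, DvcFQDN:string
+, DvcIpAddr:string
+, DvcOs:string
+, DvcOsVersion:string
+, DvcMacAddr:string
+, DvcAction:string
+, DvcOriginalAction:string
+, DvcDescription: string
+, DvcIdType: string
+, DvcInterface: string
+, DvcZone: string
+, DvcScopeId:string
+, DvcScope:string
+// ****** Source User fields ******
+, SrcUserId:string
+, SrcUserUid:string
+, SrcUserIdType:string
+, SrcUserScopeId:string
+, SrcUserScope:string
+, SrcUsername:string
+, SrcUsernameType:string
+, SrcUserType:string
+, SrcOriginalUserType:string
+, SrcUserSessionId:string
+// ****** Source System fields ******
+, SrcIpAddr: string
+, SrcPortNumber:int
+, SrcHostname:string
+, SrcMacAddr:string
+, SrcDomain:string
+, SrcFQDN:string
+, SrcDescription:string
+, SrcDvcId:string
+, SrcDvcIdType:string
+, SrcDvcScopeId:string
+, SrcDvcScope:string
+, SrcDeviceType:string
+, SrcGeoCountry:string
+, SrcGeoLatitude:real
+, SrcGeoLongitude:real
+, SrcGeoRegion:string
+, SrcGeoCity:string
+, SrcRiskLevel:int
+, SrcOriginalRiskLevel:string
+// ****** Dhcp Event Fields ******
+, RequestedIpAddr:string //Optional
+, DhcpLeaseDuration:int
+, DhcpSessionId:string
+, DhcpSessionDuration:int
+, DhcpSrcDHCId:string
+, DhcpCircuitId:string
+, DhcpSubscriberId:string
+, DhcpVendorClassId:string
+, DhcpVendorClass:string
+, DhcpUserClassId:string
+, DhcpUserClass:string
+// ****** aliases ******
+, SessionId:string
+, Duration:int
+, Src: string
+, Dst: string
+, User: string
+, IpAddr:string
+, Hostname:string
+//****** Inspection fields ******
+, RuleName:string
+, RuleNumber:int
+, ThreatId:string
+, ThreatName:string
+, ThreatCategory:string
+, ThreatRiskLevel:int
+, ThreatOriginalRiskLevel:string
+, ThreatConfidence:int
+, ThreatOriginalConfidence:string
+, ThreatIsActive:bool
+, ThreatFirstReportedTime:datetime
+, ThreatLastReportedTime:datetime
+, ThreatField:string
+)[];
+EmptyDhcpEvents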


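--- /dev/null
+++ b/<PATH_NOT_ON_PAGE>
@@ -0,0 +1,17 @@
+# Advanced Security Information Model (ASIM) Dhcp parsers
+This template deploys all ASIM Dhcp parsers.
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+For more information, see:
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM Dhcp event normalization schema reference](https://aka.ms/ASimDhcpEventDoc)
+<br>
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/ASimDhcpEventARM) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://aka.ms/ASimDhcpEventARMgov)
+<br>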