Updated parsers and schema

2020-09-10 18:42:02 +03:00 · 2020-09-10 18:42:02 +03:00 · 45841fb56b
--- a/schema/EmptyNetworkSchema.kql
+++ b/schema/EmptyNetworkSchema.kql
@ -7,46 +7,50 @@
 // Note: this parser creates an empty tabular view of all fields of the network sessions schema
 // Parser Version: 1.0.0
 // Schema version: 1.0.0
-// Alias name: Empty_Network_NormalizedParser
+// Alias name: Empty-Network-NormalizedParser (please change hypen to underscore when using the alias)
 let NetworkEmptySchemaParser = datatable(
- OperationName:string ,
+ EventType: string,
+ EventSubType: string,
 EventCount:int ,
- EventEndtime:datetime ,
+ EventEndTime:datetime ,
 EventMessage:string ,
- EventHostIpAddr:string ,
- EventMacAddr:string ,
- EventHostName:string ,
+ DvcHostIpAddr:string ,
+ DvcMacAddr:string ,
+ DvcHostname:string ,
 EventProduct:string ,
- EventProductVer:string ,
+ EventProductVersion:string ,
 EventResourceId:string ,
 EventReportUrl: string,
 EventVendor:string ,
- ResultReasonType:string ,
- ResultType:string ,
- SchemaVer:real ,
+ EventResult:string ,
+ EventResultDetails:string ,
+ EventSchemaVersion:real ,
 EventSeverity:string ,
- EventUid:string ,
+ EventOriginalUid:string ,
 EventStartTime:datetime ,
 TimeGenerated:datetime ,
 EventTimeIngested :datetime ,
- EventRecordUid:string,
+ EventUid:string,
 NetworkApplicationProtocol:string ,
 DstBytes:long ,
 SrcBytes:long ,
 NetworkBytes:long ,
 NetworkDirection:string ,
- DstGeolocationCity:string ,
- DstGeolocationCountry:string ,
- DstHostName:string ,
- DstHostFqdn:string,
- DstDomain:string,
+ DstGeoCity:string ,
+ DstGeoCountry:string ,
+ DstDvcName:string ,
+ DstDvcFqdn:string,
+ DstDomainHostname:string,
 DstInterfaceName:string ,
 DstInterfaceGuid:string ,
 DstIpAddr:string ,
- DstGeolocationLatitude:double ,
+ DstDvcIpAddr: string,
+ DstGeoLatitude:double ,
 DstMacAddr:string ,
+ DstDvcMacAddr: string,
+ DstDvcDomain: string,
 DstPortNumber:int ,
- DstGeolocationRegion:string ,
+ DstGeoRegion:string ,
 DstResourceId:string ,
 DstNatIpAddr:string ,
 DstNatPortNumber:int  ,
@ -56,37 +60,40 @@ let NetworkEmptySchemaParser = datatable(
 DstUserUpn:string ,
 DstUserDomain:string ,
 DstZone:string ,
- DstGeolocationLongitude:double ,
+ DstGeoLongitude:double ,
 DvcAction:string ,
 DvcInboundInterface:string ,
 DvcOutboundInterface:string ,
 NetworkDuration:string ,
- IcmpCode:string ,
- IcmpType:string ,
+ NetworkIcmpCode:string ,
+ NetworkIcmpType:string ,
 DstPackets:int ,
 SrcPackets:int ,
 NetworkPackets:string ,
 HttpRequestTime:string ,
 HttpReponseTime:string ,
- RuleName:string ,
- RuleNumber:string ,
+ NetworkRuleName:string ,
+ NetworkRuleNumber:string ,
 NetworkSessionId:string ,
- SrcGeolocationCity:string ,
- SrcGeolocationCountry:string ,
- SrcHostName:string,
- SrcHostFqdn:string,
- SrcDomain:string,
- SrcHostOs: string,
- SrcHostModel: string,
- SrcHostType: string,
+ SrcGeoCity:string ,
+ SrcGeoCountry:string ,
+ SrcDvcHostname:string,
+ SrcDvcFqdn:string,
+ SrcDvcDomain:string,
+ SrcDvcOs: string,
+ SrcDvcModelName: string,
+ SrcDvcModelNumber: string,
+ SrcDvcType: string,
 SrcInterfaceName:string ,
 SrcInterfaceGuid:string ,
 SrcIpAddr:string ,
- SrcGeolocationLatitude:double ,
- SrcGeolocationLongitude:double ,
+ SrcDvcIpAddr: string,
+ SrcGeoLatitude:double ,
+ SrcGeoLongitude:double ,
 SrcMacAddr:string ,
+ SrcDvcMacAddr: string,
 SrcPortNumber:int ,
- SrcGeolocationRegion:string ,
+ SrcGeoRegion:string ,
 SrcResourceId:string ,
 SrcNatIpAddr:string ,
 SrcNatPortNumber:int ,
@ -106,20 +113,20 @@ let NetworkEmptySchemaParser = datatable(
 FileHashMd5: string,
 FileHashSha1: string,
 FileHashSha256: string,
- FileHashSha256AC: string,
+ FileHashSha512: string,
 FileExtension: string,
 FileMimeType: string,
 FileSize: int,
- HttpRequestVer: string,
- HttpResponseVer: string,
+ HttpVersion: string,
 HttpRequestMethod: string,
 HttpStatusCode: string,
 HttpContentType: string,
 HttpReferrerOriginal: string,
- UserAgentOriginal: string,
- HttpXff: string,
+ HttpUserAgentOriginal: string,
+ HttpRequestXff: string,
 UrlCategory: string,
 UrlOriginal: string,
+ UrlHostname: string, 
 ThreatCategory: string,
 ThreatId: string,
 ThreatName: string,
--- a/(v1.0.0)/MetaParser/NetworkMetaParser.kql
+++ b/(v1.0.0)/MetaParser/NetworkMetaParser.kql
@ -5,9 +5,9 @@
 // Reference: Sentinel normalization documentation: https://aka.ms/sentinelnormalizationdocs
 //
 // Schema version: 1.0.0
-// Alias name: Network_MetaParser
+// Alias name: Network-MetaParser (please change hypens(-) to underscores(_) when using the alias)
 union isfuzzy=true
-	Empty_Network_NormalizedParser,
+	Empty_Network_NormalizedParser
    , PAN_9_Network_NormalizedParser
    , CheckPoint_Network_NormalizedParser
    , ZScaler_Network_NormalizedParser
--- a/parsers/CheckPoint.kql
+++ b/parsers/CheckPoint.kql
@ -7,7 +7,7 @@
 // Note: This parser only populates and shows relevant fields within the networking schema. Please use the meta parser to see all relevant fields, or union this parser with the empty network schema. 
 // Parser Version: 1.0.0
 // Schema version: 1.0.0
-// Alias name: CheckPoint_Network_NormalizedParser
+// Alias name: CheckPoint-Network-NormalizedParser (please change hypens(-) to underscores(_) when creating the alias)
 let NetworkParserCheckPoint=(){
 CommonSecurityLog
 | where DeviceVendor=="Check Point" and DeviceProduct=="VPN-1 & FireWall-1"
@ -23,29 +23,29 @@ CommonSecurityLog
    , DstNatPortNumber=DestinationTranslatedPort
    , DstBytes=ReceivedBytes
    , SrcBytes=SentBytes
-    , EventMacAddr=DeviceMacAddress
-    , DstHostName=DestinationHostName
+    , DvcMacAddr=DeviceMacAddress
+    , DstDvcHostname=DestinationHostName
    , DstMacAddr=DestinationMACAddress
 	, SrcMacAddr=SourceMACAddress
 	, DvcAction=DeviceAction
 | extend
-    SchemaVer="1.0.0"
+    EventSchemaVersion="1.0.0"
 	, EventCount=tolong(1)
-	, EventRecordUid=_ItemId
-    , EventUid=extract(@'loguid=(\{[^\}]+\})',1,AdditionalExtensions, typeof(string))
+	, EventUid=_ItemId
+    , EventOriginalUid=extract(@'loguid=(\{[^\}]+\})',1,AdditionalExtensions, typeof(string))
    , EventTimeIngested =ingestion_time()
-    , EventHostName=extract(@'originsicname=cn\\\\=([^,]+),',1,AdditionalExtensions, typeof(string))
-    , OperationName="Traffic"
-    , ResultType=case(isempty(DvcAction),"", DvcAction=="Accept","Success","Failure") 
+    , DvcHostname=extract(@'originsicname=cn\\\\=([^,]+),',1,AdditionalExtensions, typeof(string))
+    , EventType="Traffic"
+    , EventResult=case(isempty(DvcAction),"", DvcAction=="Accept","Success","Failure") 
    , SrcZone=extract(@'inzone=([^;]+);',1,AdditionalExtensions, typeof(string))
    , DstZone=extract(@'outzone=([^;]+);',1,AdditionalExtensions, typeof(string))
-    , RuleName=iff (DvcAction=="Accept" ,"", coalesce( DeviceCustomString2 , extract(@'(action_reason=|tcp_packet_out_of_state=)([^;]+)',2,AdditionalExtensions, typeof(string)), Activity))
+    , NetworkRuleName=iff (DvcAction=="Accept" ,"", coalesce( DeviceCustomString2 , extract(@'(action_reason=|tcp_packet_out_of_state=)([^;]+)',2,AdditionalExtensions, typeof(string)), Activity))
    , NetworkApplicationProtocol=iff (DvcAction !="Accept", Activity,"")
-    , ["RuleNumber"]=extract(@"rule_uid=([0-9a-f\x2d]+)",1, AdditionalExtensions)
+    , ["NetworkRuleNumber"]=extract(@"rule_uid=([0-9a-f\x2d]+)",1, AdditionalExtensions)
 // Trivial rename for mitigating autocomplete
 | project-rename
    NetworkDirection=CommunicationDirection
-    , EventEndtime=EndTime
+    , EventEndTime=EndTime
 	, EventStartTime= StartTime
 	, EventMessage=Message
 	, TimeGenerated=TimeGenerated
--- a/parsers/PaloAlto9.kql
+++ b/parsers/PaloAlto9.kql
@ -7,7 +7,7 @@
 // Note: This parser only populates and shows relevant fields within the networking schema. Please use the meta parser to see all relevant fields, or union this parser with the empty network schema. 
 // Parser Version: 1.0.0
 // Schema version: 1.0.0
-// Alias name: PAN_9_Network_NormalizedParser
+// Alias name: PAN-9-Network-NormalizedParser (please change hypens(-) to underscores(_) when creating the alias)
 let IP_TYPE=(ip:string){case(ip has ".", "IPv4", ip contains ":", "IPv6", "unknown")};
 let NetworkParserPaloAltoNetworks=(){
 CommonSecurityLog
@ -16,18 +16,18 @@ CommonSecurityLog
 | project-rename 
      EventVendor=DeviceVendor
    , EventProduct=DeviceProduct
-    , EventHostName=DeviceName
+    , DvcHostname=DeviceName
    , EventResourceId=_ResourceId 
    , NetworkApplicationProtocol=ApplicationProtocol
    , SrcZone=DeviceCustomString4 
    , DstZone=DeviceCustomString5
-    , RuleName=DeviceCustomString1
+    , NetworkRuleName=DeviceCustomString1
    , NetworkProtocol=Protocol
    , SrcBytes=SentBytes
    , DstBytes=ReceivedBytes 
    , SrcUserUpn=SourceUserID
    , DstUserUpn=DestinationUserID 
-    , EventProductVer=DeviceVersion
+    , EventProductVersion=DeviceVersion
    , EventSeverity=LogSeverity
    , NetworkPackets=DeviceCustomNumber2
    , SrcNatIpAddr=SourceTranslatedAddress
@ -38,31 +38,30 @@ CommonSecurityLog
    , VirtualSystem=DeviceCustomString3
 	// Proxy
 	, UrlOriginal=RequestURL
-	, UserAgentOriginal=RequestClientApplication
+	, HttpUserAgentOriginal=RequestClientApplication
 	, HttpContentType=RequestContext
 	, HttpRequestMethod=RequestMethod
 | extend
    NetworkBytes=tolong(FlexNumber1)
-    , EventUid=_ItemId
+    , EventOriginalUid=_ItemId
    , TimeGenerated  
    , EventTimeIngested =ingestion_time()
-    , ActivityType="Traffic"
+    , EventType="Traffic"
    , EventCount=tolong(1)
-    , ResultType=case(DeviceAction=="allow","Success","Failure")
-    , ResultReasonType="RuleBased"
+    , EventResult=case(DeviceAction=="allow","Success","Failure")
    , NetworkSessionId=tostring(DeviceCustomNumber1)
    , NetworkDuration=DeviceCustomNumber3
-    , SchemaVer="1.0.0"
+    , EventSchemaVersion="1.0.0"
 ////////////////////////////////////////////////////////
 // Mitigating LA Autocomplete
 | project-rename
-      EventMacAddr=DeviceMacAddress 
-    , DstHostName=DestinationHostName
+      DvcMacAddr=DeviceMacAddress 
+    , DstDvcHostname=DestinationHostName
    , DstMacAddr=DestinationMACAddress
 	, SrcMacAddr=SourceMACAddress
 	// Trivial renames to mitigate Autocomplete
    , NetworkDirection=CommunicationDirection
-    , EventEndtime=EndTime
+    , EventEndTime=EndTime
 	, EventStartTime=EventStartTime
 	, EventMessage=Message
 	, TimeGenerated=TimeGenerated
@ -72,7 +71,7 @@ CommonSecurityLog
 	, SrcPortNumber=SourcePort
    , SrcIpAddr=SourceIP
    , DvcAction=DeviceAction
-	, DstUserName=DestinationUserName //**//
+	, DstUserName=DestinationUserName
 	, SrcNatPortNumber=SourceTranslatedPort
 	, DvcOutboundInterface=DeviceOutboundInterface
 	, DvcInboundInterface=DeviceInboundInterface
@ -94,7 +93,7 @@ CommonSecurityLog
                                          ";PanOSThreatCategory="ThreatCategory
                                          ";PanOSContentVer="ContentVer
 // for EventClassIds=="url" it parses theses additional fields  
-| parse temp with "PanOSXForwarderfor="HttpXff";PanOSReferer="HttpReferrerOriginal	";" *
+| parse temp with "PanOSXForwarderfor="HttpRequestXff";PanOSReferer="HttpReferrerOriginal	";" *
 | extend UrlOriginal=coalesce(UrlOriginal, unparsedURL)
 | project-away temp, temp2, temp3, unparsedURL
 };
--- a/parsers/WindowsFirewall.kql
+++ b/parsers/WindowsFirewall.kql
@ -7,22 +7,22 @@
 // Note: This parser only populates and shows relevant fields within the networking schema. Please use the meta parser to see all relevant fields, or union this parser with the empty network schema. 
 // Parser Version: 1.0.0
 // Schema version: 1.0.0
-// Alias name: WindowsFW_Network_NormalizedParser
+// Alias name: WindowsFW-Network-NormalizedParser (please change hypens(-) to underscores(_) when using the alias)
 let NetworkParserWindowsFirewall=(){ WindowsFirewall
-| extend ActivityType = "Traffic"
-  , SchemaVer="1.0.0"
+| extend EventType = "Traffic"
+  , EventSchemaVersion="1.0.0"
  , EventCount=tolong(1) 
  , EventVendor = "Microsoft"
  , EventProduct = "WindowsFirewall"
-  , ResultType="Success"
+  , EventResult="Success"
  , EventTimeIngested = ingestion_time()
  , EventSeverity=tostring(Severity)
 | project-rename 
 	 DvcAction=FirewallAction,
-   EventHostName = Computer, 
+   DvcDvcHostname = Computer, 
 	 EventResourceId = _ResourceId,
 	 NetworkProtocol = Protocol, 
-   EventUid = _ItemId, 
+   EventOriginalUid = _ItemId, 
   EventMessage = Description, 
 	 SrcIpAddr=SourceIP,
   DstIpAddr=DestinationIP,
--- a/parsers/Wiredata.kql
+++ b/parsers/Wiredata.kql
@ -7,13 +7,16 @@
 // Note: This parser only populates and shows relevant fields within the networking schema. Please use the meta parser to see all relevant fields, or union this parser with the empty network schema. 
 // Parser Version: 1.0.0
 // Schema version: 1.0.0
-// Alias name: WireData_Network_NormalizedParser
+// Alias name: WireData-Network-NormalizedParser (please change hypens(-) to underscores(_) when using the alias)
 let ParserWireData=(){ WireData
-| extend ActivityType = "Traffic"
-  , SchemaVer="1.0.0"
+| extend EventType = "Traffic"
+  , EventSchemaVersion="1.0.0"
  , EventCount=tolong(1) 
-  , EventVendor = "Microsoft", EventProduct = "WireData"
-  , ResultType = "Success", EventTimeIngested = ingestion_time() , EventUid = _ItemId
+  , EventVendor = "Microsoft"
+  , EventProduct = "WireData"
+  , EventResult = "Success"
+  , EventTimeIngested = ingestion_time()
+  , EventOriginalUid = _ItemId
  , DstIpAddr =  iff(Direction == "Outbound", RemoteIP, LocalIP )
  , DstPortNumber =  iff(Direction == "Outbound", LocalPortNumber, RemotePortNumber)
  , SrcIpAddr = iff(Direction == "Outbound", LocalIP, RemoteIP  )
@ -23,8 +26,8 @@ let ParserWireData=(){ WireData
  , NetworkSessionId = tostring(SessionID)
  , EventSeverity = ""
 | project-rename 
-	 EventHostName = Computer, 
-	 EventEndtime = SessionEndTime, 
+	 DvcHostname = Computer, 
+	 EventEndTime = SessionEndTime, 
 	 EventStartTime = SessionStartTime, 
 	 EventResourceId = _ResourceId,
 	 NetworkApplicationProtocol =  ApplicationProtocol,
--- a/parsers/Zscaler.kql
+++ b/parsers/Zscaler.kql
@ -7,18 +7,18 @@
 // Note: This parser only populates and shows relevant fields within the networking schema. Please use the meta parser to see all relevant fields, or union this parser with the empty network schema. 
 // Parser Version: 1.0.0
 // Schema version: 1.0.0
-// Alias name: ZScaler_Network_NormalizedParser
+// Alias name: ZScaler-Network-NormalizedParser (please change hypens(-) to underscores(_) when using the alias)
 let NetworkParserZscaler=(){
    CommonSecurityLog
    | where DeviceVendor == "Zscaler" and DeviceProduct == "NSSFWlog"
    | project-rename 
-         EventUid = _ItemId 
+         EventOriginalUid = _ItemId 
        , EventVendor=DeviceVendor
        , EventProduct=DeviceProduct
        , EventResourceId=_ResourceId 
        //, TenantId=TenantId
 		//, DestinationUserId=DestinationUserID 
-        , RuleName=Activity 
+        , NetworkRuleName=Activity 
        , NetworkProtocol=Protocol
        , NetworkApplicationProtocol=DeviceCustomString2
        , SrcBytes=SentBytes
@ -28,21 +28,21 @@ let NetworkParserZscaler=(){
        , EventSeverity=LogSeverity 
        , SrcNatIpAddr=SourceTranslatedAddress
        , DstNatIpAddr=DestinationTranslatedAddress
-        , DstHostName=DestinationHostName
-		, EventMacAddress=DeviceMacAddress
+        , DstDvcHostname=DestinationHostName
+		, DvcMacAddress=DeviceMacAddress
 		, DstMacAddr=DestinationMACAddress 
 		, SrcMacAddr=SourceMACAddress
    | extend
        EventTimeIngested =ingestion_time()
        , EventCount=tolong(EventCount)
-        , ActivityType="Traffic"
-        , ResultType=case(DeviceAction has "Allow","Success","Failure") 
-        , SchemaVer="1.0.0"
+        , EventType="Traffic"
+        , EventResult=case(DeviceAction has "Allow","Success","Failure") 
+        , EventSchemaVersion="1.0.0"
 //  Auto complete bug mitigation
 //  Trivial renames to mitigate Autocomplete
 | project-rename
     NetworkDirection=CommunicationDirection
-    , EventEndtime=EndTime
+    , EventEndTime=EndTime
 	, EventStartTime= StartTime
 	, EventMessage=Message
 	, TimeGenerated=TimeGenerated