futher changes

2024-03-12 14:50:18 +05:30 · 2024-03-12 14:50:18 +05:30 · 472815e90d
--- a/templates/ASimDhcpEventTemplate.yaml
+++ b/templates/ASimDhcpEventTemplate.yaml
@ -1,21 +1,21 @@
 Parser:
-  Title: Dhcp ASIM parser for <product name>
-  Version: '<parser version>'
+  Title: Dhcp Event ASIM parser for <product name>
+  Version: '0.1.0'
  LastUpdated: <MMM DD, YYYY>
 Product:
  Name: <product name>
 Normalization:
-  Schema: Dhcp
+  Schema: DhcpEvent
  Version: '<current schema version>'
 References:
- Title: ASIM Dhcp Schema
-  Link: https://aka.ms/ASimDhcpDoc
+- Title: ASIM Dhcp Event Schema
+  Link: https://aka.ms/ASimDhcpEventDoc
 - Title: ASIM
  Link: https:/aka.ms/AboutASIM
 Description: |
  This ASIM parser supports normalizing <product name> logs to the ASIM Dhcp normalized schema.
-ParserName: <parser function name>
-EquivalentBuiltInParser: <_ASim_Dhcp_Product>
+ParserName: <ASimDhcpEventProduct>
+EquivalentBuiltInParser: <_ASim_DhcpEvent_Product>
 ParserParams:
  - Name: disabled
    Type: bool
--- a/templates/vimDhcpEventTemplate.yaml
+++ b/templates/vimDhcpEventTemplate.yaml
@ -0,0 +1,62 @@
+Parser:
+  Title: Dhcp Event ASIM filtering parser for <product name>
+  Version: '0.1.0'
+  LastUpdated: <MMM DD, YYYY>
+Product:
+  Name: <product name>
+Normalization:
+  Schema: DhcpEvent
+  Version: '<current schema version>'
+References:
+- Title: ASIM Dhcp Event Schema
+  Link: https://aka.ms/ASimDhcpEventDoc
+- Title: ASIM
+  Link: https:/aka.ms/AboutASIM
+Description: |
+  This ASIM filtering parser supports filtering and normalizing the <product name> logs to the ASIM authentication normalized schema.
+ParserName: <vimDhcpEventProduct>
+EquivalentBuiltInParser: <_Im_DhcpEvent_Product>
+ParserParams:
+  - Name: starttime
+    Type: datetime
+    Default: datetime(null)
+  - Name: endtime
+    Type: datetime
+    Default: datetime(null)
+  - Name: srcipaddr_has_any_prefix
+    Type: dynamic
+    Default: dynamic([])
+  - Name: srchostname_has_any
+    Type: dynamic 
+    Default: dynamic([])
+  - Name: srcusername_has_any
+    Type: dynamic 
+    Default: dynamic([])
+  - Name: eventresult
+    Type: string
+    Default: '*'
+  - Name: disabled
+    Type: bool
+    Default: false
+ParserQuery: |
+  let parser = (
+    starttime:datetime=datetime(null), 
+    endtime:datetime=datetime(null),
+    srcipaddr_has_any_prefix:dynamic=dynamic([]),
+    srchostname_has_any:dynamic=dynamic([]),
+    srcusername_has_any:dynamic=dynamic([]),
+    eventresult:string='*',
+    disabled:bool=false)
+  )
+  {
+    <parser query body>
+  };
+  parser (
+      starttime                = starttime,
+      endtime                  = endtime,
+      srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,
+      srchostname_has_any      = srchostname_has_any,
+      srcusername_has_any      = srcusername_has_any,
+      eventresult              = eventresult,
+      disabled                 = disabled
+  )
--- a/templates/vimDhcpTemplate.yaml
+++ b/templates/vimDhcpTemplate.yaml
@ -1,42 +0,0 @@
-Parser:
-  Title: Dhcp ASIM filtering parser for <product name>
-  Version: '<parser version>'
-  LastUpdated: <MMM DD, YYYY>
-Product:
-  Name: <product name>
-Normalization:
-  Schema: Dhcp
-  Version: '<current schema version>'
-References:
- Title: ASIM Dhcp Schema
-  Link: https://aka.ms/ASimDhcpDoc
- Title: ASIM
-  Link: https:/aka.ms/AboutASIM
-Description: |
-  This ASIM filtering parser supports filtering and normalizing the <product name> logs to the ASIM authentication normalized schema.
-ParserName: <parser function name>
-EquivalentBuiltInParser: <_Im_Dhcp_Product>
-ParserParams:
-  - Name: starttime
-    Type: datetime
-    Default: datetime(null)
-  - Name: endtime
-    Type: datetime
-    Default: datetime(null)
-  - Name: disabled
-    Type: bool
-    Default: false
-ParserQuery: |
-  let parser = (
-    starttime:datetime = datetime(null)
-    , endtime:datetime = datetime(null)
-    , disabled:bool    = false
-  )
-  {
-    <parser query body>
-  };
-  parser (
-    starttime  = starttime
-    , endtime  = endtime
-    , disabled = disabled
-  )
--- a/Parsers/ASimDhcpEvent/Parsers/ASimDhcpEvent.yaml
+++ b/Parsers/ASimDhcpEvent/Parsers/ASimDhcpEvent.yaml
@ -5,14 +5,13 @@ Parser:
 Product:
  Name: Source agnostic
 Normalization:
-  Schema: Dhcp
+  Schema: DhcpEvent
  Version: '0.1'
 References:
 - Title: ASIM Dhcp Event Schema
  Link: https://aka.ms/ASimDhcpEventDoc
 - Title: ASIM
  Link: https://aka.ms/AboutASIM
-
 Description: |
  This ASIM parser supports normalizing Dhcp event logs from all supported sources to the ASIM Dhcp Event normalized schema.
 ParserName: ASimDhcpEvent
@ -26,12 +25,10 @@ ParserQuery: |
    ASimDhcpEventNative (disabled=(ASimBuiltInDisabled or ('ExcludeASimDhcpEventNative' in (DisabledParsers))))
  }; 
  parser (pack=pack)
-
 ParserParams:
  - Name: pack
    Type: bool
    Default: false
-
 Parsers:
  - _Im_DhcpEvent_Empty
  - _ASim_DhcpEvent_Native
--- a/Parsers/ASimDhcpEvent/Parsers/ASimDhcpEventNative.yaml
+++ b/Parsers/ASimDhcpEvent/Parsers/ASimDhcpEventNative.yaml
@ -0,0 +1,48 @@
+Parser:
+  Title: Dhcp Event ASIM parser for Microsoft Sentinel native Dhcp Event table
+  Version: '0.1.0'
+  LastUpdated: Mar 12 2024
+Product:
+  Name: Native
+Normalization:
+  Schema: DhcpEvent
+  Version: '0.1'
+References:
+- Title: ASIM Dhcp Event Schema
+  Link: https://aka.ms/ASimDhcpEventDoc
+- Title: ASIM
+  Link: https:/aka.ms/AboutASIM
+Description: |
+  This ASIM parser supports normalizing the native Dhcp Event table (ASimDhcpEventLogs) to the ASIM Dhcp Event normalized schema. While the native table is ASIM compliant, the parser is needed to add capabilities, such as aliases, available only at query time.
+ParserName: ASimDhcpEventNative
+EquivalentBuiltInParser: _ASim_DhcpEvent_Native
+ParserParams:
+  - Name: disabled
+    Type: bool
+    Default: false
+ParserQuery: |
+  let parser = (
+    disabled:bool = false
+  )
+  {
+    ASimDhcpEventLogs
+    | where not(disabled)
+    | project-rename
+        EventUid = _ItemId
+    | extend          
+        EventSchema = "DhcpEvent",
+        DvcScopeId = iff(isempty(DvcScopeId), _SubscriptionId, DvcScopeId)
+    //  -- Aliases
+    | extend
+        EventEndTime = iff (isnull(EventEndTime), TimeGenerated, EventEndTime),
+        EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime),
+        Dvc = coalesce (DvcFQDN, DvcHostname, DvcIpAddr, DvcId, _ResourceId),
+        Rule = coalesce(RuleName, tostring(RuleNumber)),
+        SessionId = DhcpSessionId,
+        Duration = DhcpSessionDuration,
+        Src = coalesce (SrcFQDN, SrcHostname, SrcIpAddr, SrcDvcId),
+        User = SrcUsername,
+        IpAddr = SrcIpAddr,
+        Hostname = SrcHostname
+  };
+  parser (disabled = disabled)
--- a/Parsers/ASimDhcpEvent/Parsers/imDhcpEvent.yaml
+++ b/Parsers/ASimDhcpEvent/Parsers/imDhcpEvent.yaml
@ -5,7 +5,7 @@ Parser:
 Product:
  Name: Source agnostic
 Normalization:
-  Schema: Dhcp
+  Schema: DhcpEvent
  Version: '0.1'
 References:
 - Title: ASIM Dhcp Event Schema
@ -48,10 +48,8 @@ ParserQuery: |
    starttime:datetime=datetime(null), 
    endtime:datetime=datetime(null),
    srcipaddr_has_any_prefix:dynamic=dynamic([]),
-    ipaddr_has_any_prefix:dynamic=dynamic([]),
-    url_has_any:dynamic=dynamic([]), 
-    httpuseragent_has_any:dynamic=dynamic([]), 
-    eventresultdetails_in:dynamic=dynamic([]),
+    srchostname_has_any:dynamic=dynamic([]),
+    srcusername_has_any:dynamic=dynamic([]),
    eventresult:string='*',
    pack:bool=false)
  {
--- a/Parsers/ASimDhcpEvent/Parsers/vimDhcpEventEmpty.yaml
+++ b/Parsers/ASimDhcpEvent/Parsers/vimDhcpEventEmpty.yaml
@ -5,7 +5,7 @@ Parser:
 Product:
  Name: Microsoft
 Normalization:
-  Schema: Dhcp
+  Schema: DhcpEvent
  Version: '0.1'
 References:
 - Title: ASIM Dhcp Event Schema
--- a/Parsers/ASimDhcpEvent/Parsers/vimDhcpEventNative.yaml
+++ b/Parsers/ASimDhcpEvent/Parsers/vimDhcpEventNative.yaml
@ -0,0 +1,86 @@
+Parser:
+  Title: Dhcp Event ASIM filtering parser for Microsoft Sentinel native Dhcp Event table
+  Version: '0.1.0'
+  LastUpdated: Mar 12 2024
+Product:
+  Name: Native
+Normalization:
+  Schema: DhcpEvent
+  Version: '0.1'
+References:
+- Title: ASIM Dhcp Event Schema
+  Link: https://aka.ms/ASimDhcpEventDoc
+- Title: ASIM
+  Link: https:/aka.ms/AboutASIM
+Description: |
+  This ASIM parser supports filtering and normalizing the native Dhcp Event table (ASimDhcpEventLogs) to the ASIM Dhcp Event normalized schema. While the native table is ASIM compliant, the parser is needed to add capabilities, such as aliases, available only at query time.
+ParserName: vimDhcpEventNative
+EquivalentBuiltInParser: _Im_DhcpEvent_Native
+ParserParams:
+  - Name: starttime
+    Type: datetime
+    Default: datetime(null)
+  - Name: endtime
+    Type: datetime
+    Default: datetime(null)
+  - Name: srcipaddr_has_any_prefix
+    Type: dynamic
+    Default: dynamic([])
+  - Name: srchostname_has_any
+    Type: dynamic 
+    Default: dynamic([])
+  - Name: srcusername_has_any
+    Type: dynamic 
+    Default: dynamic([])
+  - Name: eventresult
+    Type: string
+    Default: '*'
+  - Name: disabled
+    Type: bool
+    Default: false
+ParserQuery: |
+  let parser = (
+    starttime:datetime=datetime(null), 
+    endtime:datetime=datetime(null),
+    srcipaddr_has_any_prefix:dynamic=dynamic([]),
+    srchostname_has_any:dynamic=dynamic([]),
+    srcusername_has_any:dynamic=dynamic([]),
+    eventresult:string='*',
+    disabled:bool=false)
+  )
+  {
+    ASimDhcpEventLogs
+    | where not(disabled)
+    | where (isnull(starttime) or TimeGenerated >= starttime) 
+        and (isnull(endtime) or TimeGenerated <= endtime)
+        and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))
+        and (array_length(srchostname_has_any) == 0 or (SrcHostname has_any (srchostname_has_any)))
+        and (array_length(srcusername_has_any) == 0 or (SrcUsername has_any (srcusername_has_any)))
+        and (eventresult == "*" or EventResult == eventresult)
+    | project-rename
+        EventUid = _ItemId
+    | extend          
+        EventSchema = "DhcpEvent",
+        DvcScopeId = iff(isempty(DvcScopeId), _SubscriptionId, DvcScopeId)
+    //  -- Aliases
+    | extend
+        EventEndTime = iff (isnull(EventEndTime), TimeGenerated, EventEndTime),
+        EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime),
+        Dvc = coalesce (DvcFQDN, DvcHostname, DvcIpAddr, DvcId, _ResourceId),
+        Rule = coalesce(RuleName, tostring(RuleNumber)),
+        SessionId = DhcpSessionId,
+        Duration = DhcpSessionDuration,
+        Src = coalesce (SrcFQDN, SrcHostname, SrcIpAddr, SrcDvcId),
+        User = SrcUsername,
+        IpAddr = SrcIpAddr,
+        Hostname = SrcHostname
+  };
+  parser (
+      starttime                = starttime,
+      endtime                  = endtime,
+      srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,
+      srchostname_has_any      = srchostname_has_any,
+      srcusername_has_any      = srcusername_has_any,
+      eventresult              = eventresult,
+      disabled                 = disabled
+  )