Initial

Parsers/ASimWebSession/ARM/ASimWebSession/ASimWebSession.json

@@ -0,0 +1,38 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "workspaceName": {
+      "type": "string"
+    },
+    "location": {
+      "type": "string"
+    }
+  },
+  "resources": [
+    {
+      "type": "Microsoft.OperationalInsights/workspaces",
+      "apiVersion": "2017-03-15-preview",
+      "name": "[parameters('workspaceName')]",
+      "location": "[parameters('location')]",
+      "resources": [
+        {
+          "type": "savedSearches",
+          "apiVersion": "2020-08-01",
+          "name": "ASimWebSessions",
+          "dependsOn": [
+            "[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
+          ],
+          "properties": {
+            "etag": "*",
+            "displayName": "Web Session ASIM parser",
+            "category": "Security",
+            "FunctionAlias": "ASimWebSessions",
+            "query": "let DisabledParsers=materialize(_GetWatchlist('ASimWebParsers') | where SearchKey in ('Any', 'ASimWebSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser| where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ASimWebSession' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet parser=(){\nunion isfuzzy=true\n  vimWebSessionEmpty,\n  ASimWebSessionSquidProxy (ASimBuiltInDisabled or ('ASimWebSessionSquidProxy' in (DisabledParsers))),\n  ASimWebSessionZscalerZIA (ASimBuiltInDisabled or ('ASimWebSessionZscalerZIA' in (DisabledParsers)))\n};\nparser\n",
+            "version": 1
+          }
+        }
+      ]
+    }
+  ]
+}

Parsers/ASimWebSession/ARM/ASimWebSession/README.md

@@ -0,0 +1,16 @@
+# Source agnostic ASIM WebSession Normalization Parser
+
+This template deploys the ASIM WebSession schema parser for Source agnostic.
+
+The Advanced SEIM Information Mode (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced SIEM Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM WebSession normalization schema reference](https://aka.ms/ASimWebSessionDoc)
+
+<br>
+ 
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimWebSession%2FARM%2FASimWebSession%2FASimWebSession.json)

Parsers/ASimWebSession/ARM/ASimWebSessionSquidProxy/ASimWebSessionSquidProxy.json

@@ -0,0 +1,39 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "workspaceName": {
+      "type": "string"
+    },
+    "location": {
+      "type": "string"
+    }
+  },
+  "resources": [
+    {
+      "type": "Microsoft.OperationalInsights/workspaces",
+      "apiVersion": "2017-03-15-preview",
+      "name": "[parameters('workspaceName')]",
+      "location": "[parameters('location')]",
+      "resources": [
+        {
+          "type": "savedSearches",
+          "apiVersion": "2020-08-01",
+          "name": "ASimWebSessionSquidProxy",
+          "dependsOn": [
+            "[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
+          ],
+          "properties": {
+            "etag": "*",
+            "displayName": "Web Session ASIM parser for Squid Proxy",
+            "category": "Security",
+            "FunctionAlias": "ASimWebSessionSquidProxy",
+            "query": "let parser=(disabled:bool=false){\nSquidProxy_CL | where not(disabled)\n  | extend AccessRawLog = extract_all(@\"^(\\d+\\.\\d+)\\s+(\\d+)\\s(\\S+)\\s([A-Z_]+)\\/(\\d+)\\s(\\d+)\\s([A-Z]+)\\s(\\S+)\\s(\\S+)\\s([A-Z_]+)\\/(\\S+)\\s(\\S+)\",dynamic([1,2,3,4,5,6,7,8,9,10,11,12]),RawData)[0]\n  | extend\n    EventEndTime = unixtime_milliseconds_todatetime(todouble(tostring(AccessRawLog[0]))*1000), \n    NetworkDuration = toint(AccessRawLog[1]), \n    SrcIpAddr = tostring(AccessRawLog[2]), \n    EventOriginalResultDetails = strcat (tostring(AccessRawLog[3]), \";\", PeerStatus = tostring(AccessRawLog[9])), \n    EventResultDetails = toint(AccessRawLog[4]), \n    DstBytes = toint(AccessRawLog[5]), \n    HttpRequestMethod = tostring(AccessRawLog[6]), \n    Url = tostring(AccessRawLog[7]), \n    SrcUsername = tostring(AccessRawLog[8]), \n    DstIpAddr = tostring(AccessRawLog[10]), \n    HttpContentType = tostring(AccessRawLog[11]) \n  // -- Constant fields\n  | extend \n    EventCount = int(1), \n    EventProduct = 'Squid Proxy', \n    EventVendor = 'Apache', \n    EventSchema = 'WebSession', \n    EventSchemaVersion = '0.1.0', \n    EventType = 'HTTPsession' \n  // -- Value normalization\n  | extend\n    UsernameType = \"Unknown\",\n    SrcUsername = iff (SrcUsername == \"-\", \"\", SrcUsername), \n    HttpContentType = iff (HttpContentType in (\":\", \"-\"), \"\", HttpContentType), \n    EventResult = iff (EventResultOriginalDetails has_any ('DENIED', 'INVALID', 'FAIL', 'ABORTED','TIMEOUT') or EventResultDetails >= 400, \"Failure\", \"Success\")\n  // -- aliases\n  | extend \n    EventStartTime = EventEndTime,\n    Duration = NetworkDuration,\n    HttpStatusCode = EventResultDetails,\n    User = SrcUsername,\n    IpAddr = SrcIpAddr\n  | project-away AccessRawLog, RawData\n};\nparser (disabled)",
+            "version": 1,
+            "functionParameters": "disabled:bool=False"
+          }
+        }
+      ]
+    }
+  ]
+}

Parsers/ASimWebSession/ARM/ASimWebSessionSquidProxy/README.md

@@ -0,0 +1,16 @@
+# Squid Proxy ASIM WebSession Normalization Parser
+
+This template deploys the ASIM WebSession schema parser for Squid Proxy.
+
+The Advanced SEIM Information Mode (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced SIEM Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM WebSession normalization schema reference](https://aka.ms/ASimWebSessionDoc)
+
+<br>
+ 
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimWebSession%2FARM%2FASimWebSessionSquidProxy%2FASimWebSessionSquidProxy.json)

Parsers/ASimWebSession/ARM/ASimWebSessionzScalerZIA/ASimWebSessionzScalerZIA.json

@@ -0,0 +1,39 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "workspaceName": {
+      "type": "string"
+    },
+    "location": {
+      "type": "string"
+    }
+  },
+  "resources": [
+    {
+      "type": "Microsoft.OperationalInsights/workspaces",
+      "apiVersion": "2017-03-15-preview",
+      "name": "[parameters('workspaceName')]",
+      "location": "[parameters('location')]",
+      "resources": [
+        {
+          "type": "savedSearches",
+          "apiVersion": "2020-08-01",
+          "name": "ASimWebSessionZscalerZIA",
+          "dependsOn": [
+            "[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
+          ],
+          "properties": {
+            "etag": "*",
+            "displayName": "Web Session ASIM parser for Zscaler ZIA",
+            "category": "Security",
+            "FunctionAlias": "ASimWebSessionZscalerZIA",
+            "query": "let parser=(disabled:bool=false){\nCommonSecurityLog | where not(disabled)\n| where DeviceVendor == \"Zscaler\"\n| where DeviceProduct == \"NSSWeblog\"\n// Event fields\n| extend \n  EventCount=int(1), \n  EventStartTime=TimeGenerated,  \n  EventVendor = \"Zscaler\", \n  EventProduct = \"ZIA\", \n  EventSchema = \"WebSession\", \n  EventSchemaVersion=\"0.1.0\", \n  EventType = 'HTTPsession',\n  EventEndTime=TimeGenerated\n| project-rename\n  DvcAction = DeviceAction,\n  DvcHostname = Computer,\n  EventProductVersion = DeviceVersion,\n  NetworkApplicationProtocol = ApplicationProtocol,\n  HttpContentType = FileType,\n  HttpUserAgent = RequestClientApplication,\n  HttpRequestMethod = RequestMethod,\n  DstAppName = DestinationServiceName,\n  DstIpAddr = DestinationIP,\n  DstFQDN = DestinationHostName,\n  DstBytes = ReceivedBytes,\n  SrcIpAddr = SourceIP,\n  SrcUsername = SourceUserName,\n  SrcNatIpAddr= SourceTranslatedAddress,\n  SrcUserDepartment = SourceUserPrivileges, // Not part of the standard schema\n  SrcBytes = SentBytes,\n  ThreatRiskLevel = DeviceCustomNumber1,\n  UrlCategory = DeviceCustomString2,\n  ThreatName = DeviceCustomString5,\n  FileMD5 = DeviceCustomString6\n// -- Parse\n| parse AdditionalExtensions with \n    \"reason=\" EventResultOriginalDetails:string \";\"\n    \"outcome=\" EventResultDetails:int \";\"\n    \"cat=\" * \";\"\n    \"rulelabel=\" RuleName:string \";\"\n    \"ruletype=\" ruletype:string \";\"\n    \"urlclass=\" urlclass:string \";\"\n    \"devicemodel=\" * \n// -- Calculated fields\n| extend\n  Url = iff (RequestURL == \"\", \"\", strcat (tolower(NetworkApplicationProtocol), \"://\", url_decode(RequestURL))),\n  UrlCategory = strcat (urlclass, \"/\", UrlCategory),\n  ThreatCategory = iff(DeviceCustomString4 == \"None\", \"\", strcat (DeviceCustomString3, \"/\", DeviceCustomString4)),\n  RuleName = iff (RuleName == \"None\", \"\", strcat (ruletype, \"/\", RuleName)),\n  FileMD5 = iff (FileMD5 == \"None\", \"\", FileMD5),\n  HttpReferrer = iff (RequestContext == \"None\", \"\", url_decode(RequestContext)),\n  DstAppName = iff (DstAppName == \"General Browsing\", \"\", DstAppName),\n  DstFQDNparts = split (DstFQDN, \".\")\n| extend\n  DstHostname = DstFQDNparts[0],\n  DstDomain = strcat_array(array_slice(DstFQDNparts,1,-1),\".\")\n// -- Enrichment\n| extend\n  EventResult = iff (EventResultDetails == \"NA\" or toint(EventResultDetails) >= 400, \"Failure\", \"Success\"),\n  DstAppType = \"SaaS application\",\n  DstFQDN = \"FQDN\",\n  SrcUsernameType = \"UPN\"\n// -- Aliases\n| extend\n  Dvc = DvcHostname,\n  UserAgent = HttpUserAgent,\n  User = SrcUsername,\n  HttpStatusCode = EventResultDetails,\n  IpAddr = SrcNatIpAddr,\n  Hash = FileMD5,\n  FileHashType = iff(FileMD5 == \"\", \"\", \"MD5\")\n| project-away \n  DstFQDNparts, AdditionalExtensions, DeviceCustom*\n};\nparser (disabled)",
+            "version": 1,
+            "functionParameters": "disabled:bool=False"
+          }
+        }
+      ]
+    }
+  ]
+}

Parsers/ASimWebSession/ARM/ASimWebSessionzScalerZIA/README.md

@@ -0,0 +1,16 @@
+# Zscaler ZIA ASIM WebSession Normalization Parser
+
+This template deploys the ASIM WebSession schema parser for Zscaler ZIA.
+
+The Advanced SEIM Information Mode (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced SIEM Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM WebSession normalization schema reference](https://aka.ms/ASimWebSessionDoc)
+
+<br>
+ 
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimWebSession%2FARM%2FASimWebSessionzScalerZIA%2FASimWebSessionzScalerZIA.json)

Parsers/ASimWebSession/ARM/FullDeploymentWebSession.json

@@ -0,0 +1,156 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "workspaceName": {
+      "type": "string"
+    },
+    "location": {
+      "type": "string"
+    }
+  },
+  "variables": {},
+  "resources": [
+    {
+      "type": "Microsoft.Resources/deployments",
+      "apiVersion": "2020-10-01",
+      "name": "linkedASimWebSession",
+      "properties": {
+        "mode": "Incremental",
+        "templateLink": {
+          "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimWebSession/ARM/ASimWebSession/ASimWebSession.json",
+          "contentVersion": "1.0.0.0"
+        },
+        "parameters": {
+          "workspaceName": {
+            "value": "[parameters('workspaceName')]"
+          },
+          "location": {
+            "value": "[parameters('location')]"
+          }
+        }
+      }
+    },
+    {
+      "type": "Microsoft.Resources/deployments",
+      "apiVersion": "2020-10-01",
+      "name": "linkedASimWebSessionSquidProxy",
+      "properties": {
+        "mode": "Incremental",
+        "templateLink": {
+          "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimWebSession/ARM/ASimWebSessionSquidProxy/ASimWebSessionSquidProxy.json",
+          "contentVersion": "1.0.0.0"
+        },
+        "parameters": {
+          "workspaceName": {
+            "value": "[parameters('workspaceName')]"
+          },
+          "location": {
+            "value": "[parameters('location')]"
+          }
+        }
+      }
+    },
+    {
+      "type": "Microsoft.Resources/deployments",
+      "apiVersion": "2020-10-01",
+      "name": "linkedASimWebSessionzScalerZIA",
+      "properties": {
+        "mode": "Incremental",
+        "templateLink": {
+          "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimWebSession/ARM/ASimWebSessionzScalerZIA/ASimWebSessionzScalerZIA.json",
+          "contentVersion": "1.0.0.0"
+        },
+        "parameters": {
+          "workspaceName": {
+            "value": "[parameters('workspaceName')]"
+          },
+          "location": {
+            "value": "[parameters('location')]"
+          }
+        }
+      }
+    },
+    {
+      "type": "Microsoft.Resources/deployments",
+      "apiVersion": "2020-10-01",
+      "name": "linkedimWebSession",
+      "properties": {
+        "mode": "Incremental",
+        "templateLink": {
+          "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimWebSession/ARM/imWebSession/imWebSession.json",
+          "contentVersion": "1.0.0.0"
+        },
+        "parameters": {
+          "workspaceName": {
+            "value": "[parameters('workspaceName')]"
+          },
+          "location": {
+            "value": "[parameters('location')]"
+          }
+        }
+      }
+    },
+    {
+      "type": "Microsoft.Resources/deployments",
+      "apiVersion": "2020-10-01",
+      "name": "linkedvimWebSessionEmpty",
+      "properties": {
+        "mode": "Incremental",
+        "templateLink": {
+          "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimWebSession/ARM/vimWebSessionEmpty.json",
+          "contentVersion": "1.0.0.0"
+        },
+        "parameters": {
+          "workspaceName": {
+            "value": "[parameters('workspaceName')]"
+          },
+          "location": {
+            "value": "[parameters('location')]"
+          }
+        }
+      }
+    },
+    {
+      "type": "Microsoft.Resources/deployments",
+      "apiVersion": "2020-10-01",
+      "name": "linkedvimWebSessionSquidProxy",
+      "properties": {
+        "mode": "Incremental",
+        "templateLink": {
+          "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimWebSession/ARM/vimWebSessionSquidProxy/vimWebSessionSquidProxy.json",
+          "contentVersion": "1.0.0.0"
+        },
+        "parameters": {
+          "workspaceName": {
+            "value": "[parameters('workspaceName')]"
+          },
+          "location": {
+            "value": "[parameters('location')]"
+          }
+        }
+      }
+    },
+    {
+      "type": "Microsoft.Resources/deployments",
+      "apiVersion": "2020-10-01",
+      "name": "linkedvimWebSessionzScalerZIA",
+      "properties": {
+        "mode": "Incremental",
+        "templateLink": {
+          "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimWebSession/ARM/vimWebSessionzScalerZIA/vimWebSessionzScalerZIA.json",
+          "contentVersion": "1.0.0.0"
+        },
+        "parameters": {
+          "workspaceName": {
+            "value": "[parameters('workspaceName')]"
+          },
+          "location": {
+            "value": "[parameters('location')]"
+          }
+        }
+      }
+    }
+  ],
+  "outputs": {}
+}

Parsers/ASimWebSession/ARM/imWebSession/README.md

@@ -0,0 +1,16 @@
+# Source agnostic ASIM WebSession Normalization Parser
+
+This template deploys the ASIM WebSession schema parser for Source agnostic.
+
+The Advanced SEIM Information Mode (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced SIEM Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM WebSession normalization schema reference](https://aka.ms/ASimWebSessionDoc)
+
+<br>
+ 
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimWebSession%2FARM%2FimWebSession%2FimWebSession.json)

Parsers/ASimWebSession/ARM/imWebSession/imWebSession.json

@@ -0,0 +1,39 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "workspaceName": {
+      "type": "string"
+    },
+    "location": {
+      "type": "string"
+    }
+  },
+  "resources": [
+    {
+      "type": "Microsoft.OperationalInsights/workspaces",
+      "apiVersion": "2017-03-15-preview",
+      "name": "[parameters('workspaceName')]",
+      "location": "[parameters('location')]",
+      "resources": [
+        {
+          "type": "savedSearches",
+          "apiVersion": "2020-08-01",
+          "name": "ASimWebSession",
+          "dependsOn": [
+            "[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
+          ],
+          "properties": {
+            "etag": "*",
+            "displayName": "Web Session ASIM filtering parser",
+            "category": "Security",
+            "FunctionAlias": "ASimWebSession",
+            "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'vimWebSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser));\nlet vimBuiltInDisabled=toscalar('vimWebSession' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet parser=(\n  starttime:datetime=datetime(null), \n  endtime:datetime=datetime(null),\n  srcipaddr_has_any_prefix:dynamic=dynamic([]),\n  url_has_any:dynamic=dynamic([]), \n  httpuseragent_has_any:dynamic=dynamic([]), \n  eventresultdetails_in:dynamic=dynamic([]),\n  eventresult:string='*')\n{\nunion isfuzzy=true\n  vimWebSessionEmpty,\n  vimWebSessionSquidProxy (starttime, endtime, srcipaddr_has_any_prefix, url_has_any, httpuseragent_has_any, eventresultdetails_in, eventresult, vimBuiltInDisabled or ('vimWebSessionSquidProxy' in (DisabledParsers))),\n  vimWebSessionZscalerZIA (starttime, endtime, srcipaddr_has_any_prefix, url_has_any, httpuseragent_has_any, eventresultdetails_in, eventresult, vimBuiltInDisabled or ('vimWebSessionZscalerZIA' in (DisabledParsers)))\n};\nparser (starttime, endtime, srcipaddr_has_any, url_has_any, httpuseragent_has_any, eventresultdetails_in, eventresult)\n",
+            "version": 1,
+            "functionParameters": "starttime:datetime=datetime(null), endtime:datetime=datetime(null), srcipaddr_has_any_prefix:dynamic=dynamic([]), url_has_any:dynamic=dynamic([]), httpuseragent_has_any:dynamic=dynamic([]), eventresultdetails_in:dynamic=dynamic([]), eventresult:string=''*'', eventresultdetils_has_any:dyanmic=dynamic([]), disabled:bool=False"
+          }
+        }
+      ]
+    }
+  ]
+}

Parsers/ASimWebSession/ARM/vimWebSessionEmpty/README.md

@@ -0,0 +1,16 @@
+# Microsoft ASIM WebSession Normalization Parser
+
+This template deploys the ASIM WebSession schema parser for Microsoft.
+
+The Advanced SEIM Information Mode (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced SIEM Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM WebSession normalization schema reference](https://aka.ms/ASimWebSessionDoc)
+
+<br>
+ 
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimWebSession%2FARM%2FvimWebSessionEmpty%2FvimWebSessionEmpty.json)

Parsers/ASimWebSession/ARM/vimWebSessionSquidProxy/README.md

@@ -0,0 +1,16 @@
+# Squid Proxy ASIM WebSession Normalization Parser
+
+This template deploys the ASIM WebSession schema parser for Squid Proxy.
+
+The Advanced SEIM Information Mode (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced SIEM Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM WebSession normalization schema reference](https://aka.ms/ASimWebSessionDoc)
+
+<br>
+ 
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimWebSession%2FARM%2FvimWebSessionSquidProxy%2FvimWebSessionSquidProxy.json)

Parsers/ASimWebSession/ARM/vimWebSessionSquidProxy/vimWebSessionSquidProxy.json

@@ -0,0 +1,39 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "workspaceName": {
+      "type": "string"
+    },
+    "location": {
+      "type": "string"
+    }
+  },
+  "resources": [
+    {
+      "type": "Microsoft.OperationalInsights/workspaces",
+      "apiVersion": "2017-03-15-preview",
+      "name": "[parameters('workspaceName')]",
+      "location": "[parameters('location')]",
+      "resources": [
+        {
+          "type": "savedSearches",
+          "apiVersion": "2020-08-01",
+          "name": "vimWebSessionSquidProxy",
+          "dependsOn": [
+            "[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
+          ],
+          "properties": {
+            "etag": "*",
+            "displayName": "Web Session ASIM filtering parser for Squid Proxy",
+            "category": "Security",
+            "FunctionAlias": "vimWebSessionSquidProxy",
+            "query": "let parser = (\n  starttime:datetime=datetime(null), \n  endtime:datetime=datetime(null),\n  srcipaddr_has_any_prefix:dynamic=dynamic([]), \n  url_has_any:dynamic=dynamic([]),\n  httpuseragent_has_any:dynamic=dynamic([]),\n  eventresultdetails_in:dynamic=dynamic([]),\n  eventresult:string='*',\n  disabled:bool=false\n ){\nSquidProxy_CL | where not(disabled)\n  // -- Pre filtering\n  | where  \n    (isnull(starttime) or TimeGenerated >= starttime) \n    and (isnull(endtime) or TimeGenerated <= endtime) \n    and ((array_length(url_has_any) == 0) or (RawData has_any (url_has_any)))\n    and ((array_length(httpuseragent_has_any) == 0) or (RawData has_any (httpuseragent_has_any)))\n    and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(RawData, srcipaddr_has_any_prefix))\n    and ((array_length(eventresultdetails_in) == 0) or (RawData has_any (eventresultdetails_in)))\n  // -- Parse\n  | extend AccessRawLog = extract_all(@\"^(\\d+\\.\\d+)\\s+(\\d+)\\s(\\S+)\\s([A-Z_]+)\\/(\\d+)\\s(\\d+)\\s([A-Z]+)\\s(\\S+)\\s(\\S+)\\s([A-Z_]+)\\/(\\S+)\\s(\\S+)\",dynamic([1,2,3,4,5,6,7,8,9,10,11,12]),RawData)[0]\n  // -- Post filtering\n  | extend EventResultDetails = toint(AccessRawLog[4])\n  | where array_length(eventresultdetails_in) == 0 or eventresult in (eventresultdetails_in)\n  | extend EventOriginalResultDetails = strcat (tostring(AccessRawLog[3]), \";\", PeerStatus = tostring(AccessRawLog[9]))\n  | extend EventResult = iff (EventResultOriginalDetails has_any ('DENIED', 'INVALID', 'FAIL', 'ABORTED','TIMEOUT') or EventResultDetails >= 400, \"Failure\", \"Success\")\n  | where eventresult == \"*\" or eventresult == EventResultDetails\n  // -- Map\n  | extend\n    EventEndTime = unixtime_milliseconds_todatetime(todouble(tostring(AccessRawLog[0]))*1000), \n    NetworkDuration = toint(AccessRawLog[1]), \n    SrcIpAddr = tostring(AccessRawLog[2]), \n    DstBytes = toint(AccessRawLog[5]), \n    HttpRequestMethod = tostring(AccessRawLog[6]), \n    Url = tostring(AccessRawLog[7]), \n    SrcUsername = tostring(AccessRawLog[8]), \n    DstIpAddr = tostring(AccessRawLog[10]), \n    HttpContentType = tostring(AccessRawLog[11]) \n  // -- Constant fields\n  | extend \n    EventCount = int(1), \n    EventProduct = 'Squid Proxy', \n    EventVendor = 'Apache', \n    EventSchema = 'WebSession', \n    EventSchemaVersion = '0.1.0', \n    EventType = 'HTTPsession' \n  // -- Value normalization\n  | extend\n    UsernameType = \"Unknown\",\n    SrcUsername = iff (SrcUsername == \"-\", \"\", SrcUsername), \n    HttpContentType = iff (HttpContentType in (\":\", \"-\"), \"\", HttpContentType), \n    EventResult = iff (EventResultOriginalDetails has_any ('DENIED', 'INVALID', 'FAIL', 'ABORTED','TIMEOUT') or EventResultDetails >= 400, \"Failure\", \"Success\")\n  // -- aliases\n  | extend \n    EventStartTime = EventEndTime,\n    Duration = NetworkDuration,\n    HttpStatusCode = EventResultDetails,\n    User = SrcUsername,\n    IpAddr = SrcIpAddr\n  | project-away AccessRawLog, RawData\n};\nparser (starttime, endtime, srcipaddr_has_any_prefix, url_has_any, httpuseragent_has_any, eventresultdetails_in, eventresult, disabled)",
+            "version": 1,
+            "functionParameters": "starttime:datetime=datetime(null), endtime:datetime=datetime(null), srcipaddr_has_any_prefix:dynamic=dynamic([]), url_has_any:dynamic=dynamic([]), httpuseragent_has_any:dynamic=dynamic([]), eventresultdetails_in:dynamic=dynamic([]), eventresult:string=''*'', eventresultdetils_has_any:dyanmic=dynamic([]), disabled:bool=False"
+          }
+        }
+      ]
+    }
+  ]
+}

Parsers/ASimWebSession/ARM/vimWebSessionzScalerZIA/README.md

@@ -0,0 +1,16 @@
+# Zscaler ZIA ASIM WebSession Normalization Parser
+
+This template deploys the ASIM WebSession schema parser for Zscaler ZIA.
+
+The Advanced SEIM Information Mode (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced SIEM Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM WebSession normalization schema reference](https://aka.ms/ASimWebSessionDoc)
+
+<br>
+ 
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimWebSession%2FARM%2FvimWebSessionzScalerZIA%2FvimWebSessionzScalerZIA.json)

Parsers/ASimWebSession/ARM/vimWebSessionzScalerZIA/vimWebSessionzScalerZIA.json

@@ -0,0 +1,39 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "workspaceName": {
+      "type": "string"
+    },
+    "location": {
+      "type": "string"
+    }
+  },
+  "resources": [
+    {
+      "type": "Microsoft.OperationalInsights/workspaces",
+      "apiVersion": "2017-03-15-preview",
+      "name": "[parameters('workspaceName')]",
+      "location": "[parameters('location')]",
+      "resources": [
+        {
+          "type": "savedSearches",
+          "apiVersion": "2020-08-01",
+          "name": "vimWebSessionZscalerZIA",
+          "dependsOn": [
+            "[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
+          ],
+          "properties": {
+            "etag": "*",
+            "displayName": "Web Session ASIM filtering parser for Zscaler ZIA",
+            "category": "Security",
+            "FunctionAlias": "vimWebSessionZscalerZIA",
+            "query": "let remove_protocol_from_list = (list:dynamic) \n{\n    print list \n    | mv-apply l = print_0 to typeof(string) on\n    ( extend l = replace_regex (tostring(l), \"^(?i:.*?)://\", \"\") ) \n    | project l\n};\nlet parser = (\nstarttime:datetime=datetime(null), \nendtime:datetime=datetime(null),\nsrcipaddr_has_any_prefix:dynamic=dynamic([]), \nurl_has_any:dynamic=dynamic([]),\nhttpuseragent_has_any:dynamic=dynamic([]),\neventresultdetails_in:dynamic=dynamic([]),\neventresult:string='*',\ndisabled:bool=false\n){\nCommonSecurityLog | where not(disabled)\n| where DeviceVendor == \"Zscaler\"\n| where DeviceProduct == \"NSSWeblog\"\n  // -- Pre filtering\n| where  \n  (isnull(starttime) or TimeGenerated >= starttime) \n  and (isnull(endtime) or TimeGenerated <= endtime) \n  and ((array_length(httpuseragent_has_any) == 0) or (RequestClientApplication has_any (httpuseragent_has_any)))\n  and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(SourceIP, srcipaddr_has_any_prefix))\n  and ((array_length(eventresultdetails_in) == 0) or (AdditionalExtensions has_any (eventresultdetails_in)))\n  and ((array_length(url_has_any) == 0) or (RequestURL has_any (remove_protocol_from_list(url_has_any))))\n// -- Parse\n| parse AdditionalExtensions with \n    \"reason=\" EventResultOriginalDetails:string \";\"\n    \"outcome=\" EventResultDetails:string \";\"\n    \"cat=\" * \";\"\n    \"rulelabel=\" RuleName:string \";\"\n    \"ruletype=\" ruletype:string \";\"\n    \"urlclass=\" urlclass:string \";\"\n    \"devicemodel=\" * \n// -- Post filtering\n| where\n  ((array_length(eventresultdetails_in) == 0) or (EventResultDetails in (eventresultdetails_in)))\n// -- Event fields\n| extend \n  EventCount=int(1), \n  EventStartTime=TimeGenerated,  \n  EventVendor = \"Zscaler\", \n  EventProduct = \"ZIA\", \n  EventSchema = \"WebSession\", \n  EventSchemaVersion=\"0.1.0\", \n  EventType = 'HTTPsession',\n  EventEndTime=TimeGenerated\n// -- Field mapping\n| project-rename\n  DvcAction = DeviceAction,\n  DvcHostname = Computer,\n  EventProductVersion = DeviceVersion,\n  NetworkApplicationProtocol = ApplicationProtocol,\n  HttpContentType = FileType,\n  HttpUserAgent = RequestClientApplication,\n  HttpRequestMethod = RequestMethod,\n  DstAppName = DestinationServiceName,\n  DstIpAddr = DestinationIP,\n  DstFQDN = DestinationHostName,\n  DstBytes = ReceivedBytes,\n  SrcIpAddr = SourceIP,\n  SrcUsername = SourceUserName,\n  SrcNatIpAddr= SourceTranslatedAddress,\n  SrcUserDepartment = SourceUserPrivileges, // Not part of the standard schema\n  SrcBytes = SentBytes,\n  ThreatRiskLevel = DeviceCustomNumber1,\n  UrlCategory = DeviceCustomString2,\n  ThreatName = DeviceCustomString5,\n  FileMD5 = DeviceCustomString6\n// -- Calculated fields\n| extend\n  Url = iff (RequestURL == \"\", \"\", strcat (tolower(NetworkApplicationProtocol), \"://\", url_decode(RequestURL))),\n  UrlCategory = strcat (urlclass, \"/\", UrlCategory),\n  ThreatCategory = iff(DeviceCustomString4 == \"None\", \"\", strcat (DeviceCustomString3, \"/\", DeviceCustomString4)),\n  RuleName = iff (RuleName == \"None\", \"\", strcat (ruletype, \"/\", RuleName)),\n  FileMD5 = iff (FileMD5 == \"None\", \"\", FileMD5),\n  HttpReferrer = iff (RequestContext == \"None\", \"\", url_decode(RequestContext)),\n  DstAppName = iff (DstAppName == \"General Browsing\", \"\", DstAppName),\n  DstFQDNparts = split (DstFQDN, \".\")\n| extend\n  DstHostname = DstFQDNparts[0],\n  DstDomain = strcat_array(array_slice(DstFQDNparts,1,-1),\".\")\n// -- Enrichment\n| extend\n  EventResult = iff (EventResultDetails == \"NA\" or toint(EventResultDetails) >= 400, \"Failure\", \"Success\"),\n  DstAppType = \"SaaS application\",\n  DstFQDN = \"FQDN\",\n  SrcUsernameType = \"UPN\"\n// -- Aliases\n| extend\n  Dvc = DvcHostname,\n  UserAgent = HttpUserAgent,\n  User = SrcUsername,\n  HttpStatusCode = EventResultDetails,\n  IpAddr = SrcNatIpAddr,\n  Hash = FileMD5,\n  FileHashType = iff(FileMD5 == \"\", \"\", \"MD5\")\n| project-away \n  DstFQDNparts, AdditionalExtensions, DeviceCustom*\n};\nparser (starttime, endtime, srcipaddr_has_any_prefix, url_has_any, httpuseragent_has_any, eventresultdetails_in, eventresult, disabled)",
+            "version": 1,
+            "functionParameters": "starttime:datetime=datetime(null), endtime:datetime=datetime(null), srcipaddr_has_any_prefix:dynamic=dynamic([]), url_has_any:dynamic=dynamic([]), httpuseragent_has_any:dynamic=dynamic([]), eventresultdetails_in:dynamic=dynamic([]), eventresult:string=''*'', eventresultdetils_has_any:dyanmic=dynamic([]), disabled:bool=False"
+          }
+        }
+      ]
+    }
+  ]
+}