Merge pull request #5319 from Azure/asim/fixing-qaws-errors

Asim/fixing qaws errors
This commit is contained in:
Ofer Shezaf 2022-06-16 15:15:04 +03:00 коммит произвёл GitHub
Родитель 7da1222613 513593f54a
Коммит 6bf12b274a
37 изменённых файлов: 710 добавлений и 690 удалений


@ -35,7 +35,7 @@
"displayName": "DNS activity ASIM parser for Microsoft Sentinel native DNS table",
"category": "ASIM",
"FunctionAlias": "ASimDnsNative",
"query": "let parser=(disabled:bool=false) \n{\n ASimDnsActivityLogs | where not(disabled)\n | extend\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventSchema = \"Dns\",\n EventSchemaVersion=\"0.1.3\"\n // -- Aliases\n | extend\n Dvc = DvcHostname,\n DnsResponseCodeName=EventResultDetails,\n Domain=DnsQuery,\n IpAddr=SrcIpAddr,\n Src=SrcIpAddr,\n DvcHostname = SrcIpAddr\n};\nparser (disabled)",
"query": "let parser=(disabled:bool=false) \n{\n ASimDnsActivityLogs | where not(disabled)\n | extend\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventSchema = \"Dns\",\n EventSchemaVersion=\"0.1.3\"\n // -- Aliases\n | extend\n Dvc = DvcHostname,\n DnsResponseCodeName=EventResultDetails,\n Domain=DnsQuery,\n IpAddr=SrcIpAddr,\n Src=SrcIpAddr,\n DvcHostname = SrcIpAddr,\n Duration = DnsNetworkDuration,\n Process = SrcProcessName,\n SessionId = DnsSessionId,\n User = SrcUsername,\n Hostname = SrcHostname\n};\nparser (disabled)",
"version": 1,
"functionParameters": "disabled:bool=False"
}
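Review bot: `DvcHostname = SrcIpAddr` in the alias `extend` of the new query line overwrites the device hostname column with the source IP address, while the companion filtering parser vimDnsNative (further down in this commit) has no such line, so the two parsers disagree on DvcHostname for the same row. As far as I know each assignment in a single `extend` is evaluated against the input row, so `Dvc = DvcHostname` still picks up the original hostname and the override is easy to miss when reading the query. Now that `Hostname = SrcHostname` and `IpAddr = SrcIpAddr` cover the source-side fields, the line looks like a leftover; I would drop `DvcHostname = SrcIpAddr,` from the alias list, in the YAML this JSON is presumably generated from, and regenerate.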


@ -18,6 +18,26 @@
},
"variables": {},
"resources": [
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimDnsGcp",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/vimDnsGcp/vimDnsGcp.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
@ -38,6 +58,66 @@
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimDnsMicrosoftNXlog",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/vimDnsMicrosoftNXlog/vimDnsMicrosoftNXlog.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimDnsVectraAI",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/ASimDnsVectraAI/ASimDnsVectraAI.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimDnsInfobloxNIOS",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/vimDnsInfobloxNIOS/vimDnsInfobloxNIOS.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
@ -58,6 +138,146 @@
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimDnsCorelightZeek",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/vimDnsCorelightZeek/vimDnsCorelightZeek.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimDnsZscalerZIA",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/vimDnsZscalerZIA/vimDnsZscalerZIA.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimDnsMicrosoftSysmon",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/vimDnsMicrosoftSysmon/vimDnsMicrosoftSysmon.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimDnsMicrosoftOMS",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/vimDnsMicrosoftOMS/vimDnsMicrosoftOMS.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimDnsAzureFirewall",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/vimDnsAzureFirewall/vimDnsAzureFirewall.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimDnsVectraAI",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/vimDnsVectraAI/vimDnsVectraAI.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimDnsEmpty",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/vimDnsEmpty/vimDnsEmpty.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
@ -81,11 +301,31 @@
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimDnsCorelightZeek",
"name": "linkedASimDnsNative",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/ASimDnsCorelightZeek/ASimDnsCorelightZeek.json",
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/ASimDnsNative/ASimDnsNative.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimDnsNative",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/vimDnsNative/vimDnsNative.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
@ -121,11 +361,11 @@
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimDnsInfobloxNIOS",
"name": "linkedASimDnsCorelightZeek",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/ASimDnsInfobloxNIOS/ASimDnsInfobloxNIOS.json",
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/ASimDnsCorelightZeek/ASimDnsCorelightZeek.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
@ -181,51 +421,11 @@
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimDnsMicrosoftSysmon",
"name": "linkedvimDnsCiscoUmbrella",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/ASimDnsMicrosoftSysmon/ASimDnsMicrosoftSysmon.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimDnsNative",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/ASimDnsNative/ASimDnsNative.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimDnsVectraAI",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/ASimDnsVectraAI/ASimDnsVectraAI.json",
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/vimDnsCiscoUmbrella/vimDnsCiscoUmbrella.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
@ -258,6 +458,46 @@
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimDnsInfobloxNIOS",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/ASimDnsInfobloxNIOS/ASimDnsInfobloxNIOS.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimDnsMicrosoftSysmon",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/ASimDnsMicrosoftSysmon/ASimDnsMicrosoftSysmon.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
@ -277,246 +517,6 @@
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimDnsAzureFirewall",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/vimDnsAzureFirewall/vimDnsAzureFirewall.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimDnsCiscoUmbrella",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/vimDnsCiscoUmbrella/vimDnsCiscoUmbrella.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimDnsCorelightZeek",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/vimDnsCorelightZeek/vimDnsCorelightZeek.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimDnsEmpty",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/vimDnsEmpty/vimDnsEmpty.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimDnsGcp",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/vimDnsGcp/vimDnsGcp.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimDnsInfobloxNIOS",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/vimDnsInfobloxNIOS/vimDnsInfobloxNIOS.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimDnsMicrosoftNXlog",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/vimDnsMicrosoftNXlog/vimDnsMicrosoftNXlog.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimDnsMicrosoftOMS",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/vimDnsMicrosoftOMS/vimDnsMicrosoftOMS.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimDnsMicrosoftSysmon",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/vimDnsMicrosoftSysmon/vimDnsMicrosoftSysmon.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimDnsNative",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/vimDnsNative/vimDnsNative.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimDnsVectraAI",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/vimDnsVectraAI/vimDnsVectraAI.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimDnsZscalerZIA",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/vimDnsZscalerZIA/vimDnsZscalerZIA.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
}
],
"outputs": {}
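Review bot: Every `templateLink.uri` in the added linked deployments points at the `master` branch on raw.githubusercontent.com, so what lands in the workspace is whatever that branch holds at deploy time rather than the parser content reviewed here, and `"contentVersion": "1.0.0.0"` does not pin anything because every linked template carries the same value. Anyone deploying this template outside the repository's own pipeline should pin the URIs to a release tag or commit SHA (for example `https://raw.githubusercontent.com/Azure/Azure-Sentinel/<commit-sha>/Parsers/ASimDns/ARM/vimDnsGcp/vimDnsGcp.json`) or mirror the parser templates into storage they control; a short note in the template metadata saying the master links are intentionally floating would save the next reader the question. From what is visible, the deployments removed at the end of the resource list reappear earlier in it, so the net effect seems to be a reorder plus the new `linkedASimDnsNative` and `linkedvimDnsNative` entries, but the context lines are cut and it is worth confirming that no linked parser was dropped.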


@ -35,7 +35,7 @@
"displayName": "DNS activity ASIM filtering parser for Microsoft Sentinel native DNS table",
"category": "ASIM",
"FunctionAlias": "vimDnsNative",
"query": "let parser=\n (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr:string='*',\n domain_has_any:dynamic=dynamic([]),\n responsecodename:string='*', \n response_has_ipv4:string='*',\n response_has_any_prefix:dynamic=dynamic([]),\n eventtype:string='Query',\n disabled:bool=false\n )\n {\n ASimDnsActivityLogs | where not(disabled)\n // -- Pre-parsing filtering:\n | where\n (response_has_ipv4=='*') and (response_has_any_prefix=='*') // -- Check that unsupported filters are set to default\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (srcipaddr=='*' or SrcIpAddr==srcipaddr)\n and (array_length(domain_has_any) ==0 or DnsQuery has_any (domain_has_any))\n and (responsecodename=='*' or EventResultDetails == responsecodename)\n //and (response_has_ipv4=='*' or has_ipv4(IPAddresses,response_has_ipv4) )\n //and (array_length(response_has_any_prefix) ==0 or has_any_ipv4_prefix(IPAddresses, response_has_any_prefix) )\n and (eventtype == \"*\" or eventtype == EventType or (eventtype == \"lookup\" and EventType == \"Query\")) // -- Support \"lookup\" as value for backward compatibility\n // --\n | extend\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventSchema = \"Dns\",\n EventSchemaVersion=\"0.1.3\"\n // -- Aliases\n | extend\n Dvc = DvcHostname,\n DnsResponseCodeName=EventResultDetails,\n Domain=DnsQuery,\n IpAddr=SrcIpAddr,\n Src=SrcIpAddr,\n Duration=DnsNetworkDuration,\n SessionId=DnsSessionId\n };\n parser (starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, disabled)\n",
"query": "let parser=\n (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr:string='*',\n domain_has_any:dynamic=dynamic([]),\n responsecodename:string='*', \n response_has_ipv4:string='*',\n response_has_any_prefix:dynamic=dynamic([]),\n eventtype:string='Query',\n disabled:bool=false\n )\n {\n ASimDnsActivityLogs | where not(disabled)\n // -- Pre-parsing filtering:\n | where\n (response_has_ipv4=='*') and (response_has_any_prefix=='*') // -- Check that unsupported filters are set to default\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (srcipaddr=='*' or SrcIpAddr==srcipaddr)\n and (array_length(domain_has_any) ==0 or DnsQuery has_any (domain_has_any))\n and (responsecodename=='*' or EventResultDetails == responsecodename)\n //and (response_has_ipv4=='*' or has_ipv4(IPAddresses,response_has_ipv4) )\n //and (array_length(response_has_any_prefix) ==0 or has_any_ipv4_prefix(IPAddresses, response_has_any_prefix) )\n and (eventtype == \"*\" or eventtype == EventType or (eventtype == \"lookup\" and EventType == \"Query\")) // -- Support \"lookup\" as value for backward compatibility\n // --\n | extend\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventSchema = \"Dns\",\n EventSchemaVersion=\"0.1.3\"\n // -- Aliases here\n | extend\n Dvc = DvcHostname,\n DnsResponseCodeName=EventResultDetails,\n Domain=DnsQuery,\n IpAddr=SrcIpAddr,\n Src=SrcIpAddr,\n SessionId=DnsSessionId,\n Duration = DnsNetworkDuration,\n Process = SrcProcessName,\n User = SrcUsername,\n Hostname = SrcHostname\n };\n parser (starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, disabled)\n",
"version": 1,
"functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr:string='*',domain_has_any:dynamic=dynamic([]),responsecodename:string='*',response_has_ipv4:string='*',response_has_any_prefix:dynamic=dynamic([]),eventtype:string='Query',disabled:bool=False"
}
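Review bot: The pre-parsing guard `(response_has_ipv4=='*') and (response_has_any_prefix=='*')` in the new query line compares `response_has_any_prefix`, a `dynamic` parameter whose default is `dynamic([])`, with the string `'*'`; unless KQL coerces an empty array to that string (I would not expect it to), the term is false for the default value and the filtering parser returns no rows even when the caller passes no filters. The ipv4 term is fine because that parameter has a string default, so only the prefix term needs to change: `(response_has_ipv4=='*') and (array_length(response_has_any_prefix) == 0)`. This is easy to miss because returning nothing is also the intended outcome when an unsupported filter really is set, so a test that calls `vimDnsNative()` with default arguments and expects rows back would catch it.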


@ -1,7 +1,7 @@
Parser:
Title: DNS activity ASIM parser for Microsoft Sentinel native DNS table
Version: '0.2'
LastUpdated: Jan 3 2022
Version: '0.3'
LastUpdated: Jun 15 2022
Product:
Name: Native
Normalization:
@ -36,6 +36,11 @@ ParserQuery: |
Domain=DnsQuery,
IpAddr=SrcIpAddr,
Src=SrcIpAddr,
DvcHostname = SrcIpAddr
DvcHostname = SrcIpAddr,
Duration = DnsNetworkDuration,
Process = SrcProcessName,
SessionId = DnsSessionId,
User = SrcUsername,
Hostname = SrcHostname
};
parser (disabled)


@ -1,7 +1,7 @@
Parser:
Title: DNS activity ASIM filtering parser for Microsoft Sentinel native DNS table
Version: '0.2'
LastUpdated: Jan 3 2022
Version: '0.3'
LastUpdated: Jun 15 2022
Product:
Name: Native
Normalization:
@ -77,14 +77,17 @@ ParserQuery: |
EventEndTime = TimeGenerated,
EventSchema = "Dns",
EventSchemaVersion="0.1.3"
// -- Aliases
// -- Aliases here
| extend
Dvc = DvcHostname,
DnsResponseCodeName=EventResultDetails,
Domain=DnsQuery,
IpAddr=SrcIpAddr,
Src=SrcIpAddr,
Duration=DnsNetworkDuration,
SessionId=DnsSessionId
SessionId=DnsSessionId,
Duration = DnsNetworkDuration,
Process = SrcProcessName,
User = SrcUsername,
Hostname = SrcHostname
};
parser (starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, disabled)
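Review bot: The comment changed at the top of the alias block, `// -- Aliases here`, reads like an editing placeholder rather than a description; the non-filtering ASimDnsNative parser in this same commit keeps `// -- Aliases`, and I would restore that wording so the two generated queries stay consistent. The alias list also ends up in a different order from ASimDnsNative (`SessionId` before `Duration` here, after `Process` there); ordering the lists identically keeps the two parsers diffable against each other, which is how a stray extra alias in one of them is usually noticed. The enclosing ParserQuery starts above this hunk.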


@ -35,7 +35,7 @@
"displayName": "Network Session ASIM parser for AWS VPC logs",
"category": "ASIM",
"FunctionAlias": "ASimNetworkSessionAWSVPC",
"query": "let ProtocolLookup = datatable(Protocol:int, NetworkProtocol:string) [\n 0,\"HOPOPT\",\n 1,\"ICMP\",\n 2,\"IGMP\",\n 3,\"GGP\",\n 4,\"IPv4\",\n 5,\"ST\",\n 6,\"TCP\",\n 7,\"CBT\",\n 8,\"EGP\",\n 9,\"IGP\",\n 10,\"BBN-RCC-MON\",\n 11,\"NVP-II\",\n 12,\"PUP\",\n 13,\"ARGUS (deprecated)\",\n 14,\"EMCON\",\n 15,\"XNET\",\n 16,\"CHAOS\",\n 17,\"UDP\",\n 18,\"MUX\",\n 19,\"DCN-MEAS\",\n 20,\"HMP\",\n 21,\"PRM\",\n 22,\"XNS-IDP\",\n 23,\"TRUNK-1\",\n 24,\"TRUNK-2\",\n 25,\"LEAF-1\",\n 26,\"LEAF-2\",\n 27,\"RDP\",\n 28,\"IRTP\",\n 29,\"ISO-TP4\",\n 30,\"NETBLT\",\n 31,\"MFE-NSP\",\n 32,\"MERIT-INP\",\n 33,\"DCCP\",\n 34,\"3PC\",\n 35,\"IDPR\",\n 36,\"XTP\",\n 37,\"DDP\",\n 38,\"IDPR-CMTP\",\n 39,\"TP++\",\n 40,\"IL\",\n 41,\"IPv6\",\n 42,\"SDRP\",\n 43,\"IPv6-Route\",\n 44,\"IPv6-Frag\",\n 45,\"IDRP\",\n 46,\"RSVP\",\n 47,\"GRE\",\n 48,\"DSR\",\n 49,\"BNA\",\n 50,\"ESP\",\n 51,\"AH\",\n 52,\"I-NLSP\",\n 53,\"SWIPE (deprecated)\",\n 54,\"NARP\",\n 55,\"MOBILE\",\n 56,\"TLSP\",\n 57,\"SKIP\",\n 58,\"IPv6-ICMP\",\n 59,\"IPv6-NoNxt\",\n 60,\"IPv6-Opts\",\n 61,\"\",\n 62,\"CFTP\",\n 63,\"\",\n 64,\"SAT-EXPAK\",\n 65,\"KRYPTOLAN\",\n 66,\"RVD\",\n 67,\"IPPC\",\n 68,\"\",\n 69,\"SAT-MON\",\n 70,\"VISA\",\n 71,\"IPCV\",\n 72,\"CPNX\",\n 73,\"CPHB\",\n 74,\"WSN\",\n 75,\"PVP\",\n 76,\"BR-SAT-MON\",\n 77,\"SUN-ND\",\n 78,\"WB-MON\",\n 79,\"WB-EXPAK\",\n 80,\"ISO-IP\",\n 81,\"VMTP\",\n 82,\"SECURE-VMTP\",\n 83,\"VINES\",\n 84,\"TTP\",\n 84,\"IPTM\",\n 85,\"NSFNET-IGP\",\n 86,\"DGP\",\n 87,\"TCF\",\n 88,\"EIGRP\",\n 89,\"OSPFIGP\",\n 90,\"Sprite-RPC\",\n 91,\"LARP\",\n 92,\"MTP\",\n 93,\"AX.25\",\n 94,\"IPIP\",\n 95,\"MICP (deprecated)\",\n 96,\"SCC-SP\",\n 97,\"ETHERIP\",\n 98,\"ENCAP\",\n 99,\"\",\n 100,\"GMTP\",\n 101,\"IFMP\",\n 102,\"PNNI\",\n 103,\"PIM\",\n 104,\"ARIS\",\n 105,\"SCPS\",\n 106,\"QNX\",\n 107,\"A/N\",\n 108,\"IPComp\",\n 109,\"SNP\",\n 110,\"Compaq-Peer\",\n 111,\"IPX-in-IP\",\n 112,\"VRRP\",\n 113,\"PGM\",\n 114,\"\",\n 115,\"L2TP\",\n 116,\"DDX\",\n 
117,\"IATP\",\n 118,\"STP\",\n 119,\"SRP\",\n 120,\"UTI\",\n 121,\"SMP\",\n 122,\"SM (deprecated)\",\n 123,\"PTP\",\n 124,\"ISIS over IPv4\",\n 125,\"FIRE\",\n 126,\"CRTP\",\n 127,\"CRUDP\",\n 128,\"SSCOPMCE\",\n 129,\"IPLT\",\n 130,\"SPS\",\n 131,\"PIPE\",\n 132,\"SCTP\",\n 133,\"FC\",\n 134,\"RSVP-E2E-IGNORE\",\n 135,\"Mobility Header\",\n 136,\"UDPLite\",\n 137,\"MPLS-in-IP\",\n 138,\"manet\",\n 139,\"HIP\",\n 140,\"Shim6\",\n 141,\"WESP\",\n 142,\"ROHC\",\n 143,\"Ethernet\",\n 253,\"\",\n 254,\"\",\n 255,\"Reserved\"\n];\nlet DirectionLookup = datatable (FlowDirection:string, NetworkDirection:string) [\n 'ingress', 'Inbound',\n 'egress', 'Outbound'\n];\nlet ActionLookup = datatable (Action:string, DvcAction:string) [\n 'ACCEPT', 'Allow',\n 'REJECT', 'Deny'\n];\nlet parser = (disabled:bool=false){\nAWSVPCFlow | where not(disabled)\n| where LogStatus != \"NODATA\"\n| extend\n EventVendor=\"AWS\", \n EventProduct=\"VPC\",\n NetworkBytes = tolong(Bytes),\n NetworkPackets = tolong(Packets),\n EventProductVersion = tostring(Version),\n EventType=\"NetworkSession\",\n EventCount=toint(1),\n EventResult = iff (Action==\"ACCEPT\",\"Success\",\"Failure\"),\n EventSeverity = iff (Action==\"ACCEPT\",\"Informational\",\"Low\"),\n EventSchemaVersion=\"0.2.2\",\n EventSchema=\"NetworkSession\",\n SrcAppType = iff (PktSrcAwsService != \"\", \"CloudService\", \"\"),\n DstAppType = iff (PktDstAwsService != \"\", \"CloudService\", \"\"),\n DvcIdType = \"AwsVpcId\"\n| lookup ProtocolLookup on Protocol\n| lookup ActionLookup on Action\n| lookup DirectionLookup on FlowDirection\n| project-rename\n DstIpAddr = DstAddr, \n DstPortNumber = DstPort, \n SrcNatIpAddr=PktSrcAddr, \n DstNatIpAddr=PktDstAddr, \n SrcPortNumber = SrcPort, \n SrcIpAddr = SrcAddr, \n EventEndTime = End, \n DvcInboundInterface = InterfaceId,\n DvcSubscriptionId = AccountId,\n DvcId = VpcId,\n NetworkProtocolVersion = TrafficType,\n EventOriginalResultDetails = LogStatus,\n SrcAppName = PktSrcAwsService,\n 
DstAppName = PktDstAwsService\n// -- Aliases\n| extend\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Dvc = DvcId,\n EventStartTime = TimeGenerated,\n DvcInterface = DvcInboundInterface\n};\nparser (disabled)",
"query": "let ProtocolLookup = datatable(Protocol:int, NetworkProtocol:string) [\n 0,\"HOPOPT\",\n 1,\"ICMP\",\n 2,\"IGMP\",\n 3,\"GGP\",\n 4,\"IPv4\",\n 5,\"ST\",\n 6,\"TCP\",\n 7,\"CBT\",\n 8,\"EGP\",\n 9,\"IGP\",\n 10,\"BBN-RCC-MON\",\n 11,\"NVP-II\",\n 12,\"PUP\",\n 13,\"ARGUS (deprecated)\",\n 14,\"EMCON\",\n 15,\"XNET\",\n 16,\"CHAOS\",\n 17,\"UDP\",\n 18,\"MUX\",\n 19,\"DCN-MEAS\",\n 20,\"HMP\",\n 21,\"PRM\",\n 22,\"XNS-IDP\",\n 23,\"TRUNK-1\",\n 24,\"TRUNK-2\",\n 25,\"LEAF-1\",\n 26,\"LEAF-2\",\n 27,\"RDP\",\n 28,\"IRTP\",\n 29,\"ISO-TP4\",\n 30,\"NETBLT\",\n 31,\"MFE-NSP\",\n 32,\"MERIT-INP\",\n 33,\"DCCP\",\n 34,\"3PC\",\n 35,\"IDPR\",\n 36,\"XTP\",\n 37,\"DDP\",\n 38,\"IDPR-CMTP\",\n 39,\"TP++\",\n 40,\"IL\",\n 41,\"IPv6\",\n 42,\"SDRP\",\n 43,\"IPv6-Route\",\n 44,\"IPv6-Frag\",\n 45,\"IDRP\",\n 46,\"RSVP\",\n 47,\"GRE\",\n 48,\"DSR\",\n 49,\"BNA\",\n 50,\"ESP\",\n 51,\"AH\",\n 52,\"I-NLSP\",\n 53,\"SWIPE (deprecated)\",\n 54,\"NARP\",\n 55,\"MOBILE\",\n 56,\"TLSP\",\n 57,\"SKIP\",\n 58,\"IPv6-ICMP\",\n 59,\"IPv6-NoNxt\",\n 60,\"IPv6-Opts\",\n 61,\"\",\n 62,\"CFTP\",\n 63,\"\",\n 64,\"SAT-EXPAK\",\n 65,\"KRYPTOLAN\",\n 66,\"RVD\",\n 67,\"IPPC\",\n 68,\"\",\n 69,\"SAT-MON\",\n 70,\"VISA\",\n 71,\"IPCV\",\n 72,\"CPNX\",\n 73,\"CPHB\",\n 74,\"WSN\",\n 75,\"PVP\",\n 76,\"BR-SAT-MON\",\n 77,\"SUN-ND\",\n 78,\"WB-MON\",\n 79,\"WB-EXPAK\",\n 80,\"ISO-IP\",\n 81,\"VMTP\",\n 82,\"SECURE-VMTP\",\n 83,\"VINES\",\n 84,\"TTP\",\n 84,\"IPTM\",\n 85,\"NSFNET-IGP\",\n 86,\"DGP\",\n 87,\"TCF\",\n 88,\"EIGRP\",\n 89,\"OSPFIGP\",\n 90,\"Sprite-RPC\",\n 91,\"LARP\",\n 92,\"MTP\",\n 93,\"AX.25\",\n 94,\"IPIP\",\n 95,\"MICP (deprecated)\",\n 96,\"SCC-SP\",\n 97,\"ETHERIP\",\n 98,\"ENCAP\",\n 99,\"\",\n 100,\"GMTP\",\n 101,\"IFMP\",\n 102,\"PNNI\",\n 103,\"PIM\",\n 104,\"ARIS\",\n 105,\"SCPS\",\n 106,\"QNX\",\n 107,\"A/N\",\n 108,\"IPComp\",\n 109,\"SNP\",\n 110,\"Compaq-Peer\",\n 111,\"IPX-in-IP\",\n 112,\"VRRP\",\n 113,\"PGM\",\n 114,\"\",\n 115,\"L2TP\",\n 116,\"DDX\",\n 
117,\"IATP\",\n 118,\"STP\",\n 119,\"SRP\",\n 120,\"UTI\",\n 121,\"SMP\",\n 122,\"SM (deprecated)\",\n 123,\"PTP\",\n 124,\"ISIS over IPv4\",\n 125,\"FIRE\",\n 126,\"CRTP\",\n 127,\"CRUDP\",\n 128,\"SSCOPMCE\",\n 129,\"IPLT\",\n 130,\"SPS\",\n 131,\"PIPE\",\n 132,\"SCTP\",\n 133,\"FC\",\n 134,\"RSVP-E2E-IGNORE\",\n 135,\"Mobility Header\",\n 136,\"UDPLite\",\n 137,\"MPLS-in-IP\",\n 138,\"manet\",\n 139,\"HIP\",\n 140,\"Shim6\",\n 141,\"WESP\",\n 142,\"ROHC\",\n 143,\"Ethernet\",\n 253,\"\",\n 254,\"\",\n 255,\"Reserved\"\n];\nlet DirectionLookup = datatable (FlowDirection:string, NetworkDirection:string) [\n 'ingress', 'Inbound',\n 'egress', 'Outbound'\n];\nlet ActionLookup = datatable (Action:string, DvcAction:string) [\n 'ACCEPT', 'Allow',\n 'REJECT', 'Deny'\n];\nlet parser = (disabled:bool=false){\nAWSVPCFlow | where not(disabled)\n| where LogStatus == \"OK\"\n| extend\n EventVendor=\"AWS\", \n EventProduct=\"VPC\",\n NetworkBytes = tolong(Bytes),\n NetworkPackets = tolong(Packets),\n EventProductVersion = tostring(Version),\n EventType=\"NetworkSession\",\n EventCount=toint(1),\n EventResult = iff (Action==\"ACCEPT\",\"Success\",\"Failure\"),\n EventSeverity = iff (Action==\"ACCEPT\",\"Informational\",\"Low\"),\n EventSchemaVersion=\"0.2.2\",\n EventSchema=\"NetworkSession\",\n SrcAppType = iff (PktSrcAwsService != \"\", \"CloudService\", \"\"),\n DstAppType = iff (PktDstAwsService != \"\", \"CloudService\", \"\"),\n DvcIdType = \"AwsVpcId\"\n| lookup ProtocolLookup on Protocol\n| lookup ActionLookup on Action\n| lookup DirectionLookup on FlowDirection\n| project-rename\n DstIpAddr = DstAddr, \n DstPortNumber = DstPort, \n SrcNatIpAddr=PktSrcAddr, \n DstNatIpAddr=PktDstAddr, \n SrcPortNumber = SrcPort, \n SrcIpAddr = SrcAddr, \n EventEndTime = End, \n DvcInboundInterface = InterfaceId,\n DvcSubscriptionId = AccountId,\n DvcId = VpcId,\n NetworkProtocolVersion = TrafficType,\n EventOriginalResultDetails = LogStatus,\n SrcAppName = PktSrcAwsService,\n DstAppName 
= PktDstAwsService\n// -- Aliases\n| extend\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Dvc = DvcId,\n EventStartTime = TimeGenerated,\n DvcInterface = DvcInboundInterface\n};\nparser (disabled)",
"version": 1,
"functionParameters": "disabled:bool=False"
}
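Review bot: Tightening the pre-filter to `LogStatus == "OK"` drops SKIPDATA records as well as the NODATA ones the old condition excluded; SKIPDATA rows carry no flow fields, so leaving them out of session events is reasonable, but a gap in VPC flow logging is now invisible through this parser, and a comment such as `// -- Only OK records carry flow data; NODATA and SKIPDATA are dropped, monitor those from AWSVPCFlow directly` would make the trade-off explicit. Separately, `ProtocolLookup` in the same query line lists protocol number 84 twice (`84,"TTP"` and `84,"IPTM"`); since `lookup` yields one output row per matching right-side row, any flow with protocol 84 is emitted twice. As far as I recall the IANA registry lists 84 as IPTM with TTP as its former name, so keeping a single `84,"IPTM",` entry removes the duplication.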



@ -35,7 +35,7 @@
"displayName": "Network Session ASIM parser for Sysmon for Linux",
"category": "ASIM",
"FunctionAlias": "ASimNetworkSessionLinuxSysmon",
"query": "let DirectionNetworkEvents =\n Syslog | where not(disabled)\n | where SyslogMessage has_all ('<Provider Name=\"Linux-Sysmon\"', '<EventID>3</EventID>')\n | project-away ProcessName, ProcessID\n | parse SyslogMessage with * '<Data Name=\"SourceIp\">' SrcIpAddr:string '</Data>' *\n | extend outbound = (SrcIpAddr == HostIP or SrcIpAddr in ('127.0.0.1', '0.0.0.0'))\n ;\n let parser = (T: (SyslogMessage: string)) {\n T \n | parse SyslogMessage with \n *\n '<EventRecordID>' EventOriginalUid:string '</EventRecordID>'\n *\n '<Computer>' SysmonComputer:string '</Computer>'\n *\n '<Data Name=\"RuleName\">' RuleName:string '</Data>'\n '<Data Name=\"UtcTime\">' EventEndTime:datetime '</Data>'\n '<Data Name=\"ProcessGuid\">{' ProcessGuid:string '}</Data>'\n '<Data Name=\"ProcessId\">' ProcessId:string '</Data>'\n '<Data Name=\"Image\">' Process:string '</Data>'\n '<Data Name=\"User\">' User:string '</Data>'\n '<Data Name=\"Protocol\">' Protocol:string '</Data>' // -- source is lowercase\n '<Data Name=\"Initiated\">' Initiated:bool '</Data>' \n '<Data Name=\"SourceIsIpv6\">' SourceIsIpv6:bool '</Data>'\t\t\n '<Data Name=\"SourceIp\">' * '</Data>'\n '<Data Name=\"SourceHostname\">' SrcHostname:string '</Data>'\n '<Data Name=\"SourcePort\">' SrcPortNumber:int '</Data>'\n '<Data Name=\"SourcePortName\">' SrcPortName:string '</Data>'\n '<Data Name=\"DestinationIsIpv6\">' DestinationIsIpv6:bool '</Data>'\n '<Data Name=\"DestinationIp\">' DstIpAddr:string '</Data>'\n '<Data Name=\"DestinationHostname\">' DstHostname:string '</Data>'\n '<Data Name=\"DestinationPort\">' DstPortNumber:int '</Data>'\n '<Data Name=\"DestinationPortName\">' DstPortName:string '</Data>'\n *\n };\n let OutboundNetworkEvents = \n DirectionNetworkEvents\n | where outbound\n | invoke parser ()\n | extend\n SrcUsernameType = 'Simple',\n SrcUsername = User,\n SrcProcessId = ProcessId, \n SrcProcessGuid = ProcessGuid,\n SrcProcessName = Process,\n SrcAppName = Process,\n SrcAppType = 'Process'\n | 
project-away SyslogMessage\n ;\n let InboundNetworkEvents = \n DirectionNetworkEvents\n | where not(outbound)\n | invoke parser ()\n | extend\n DstUsernameType = 'Simple',\n DstUsername = User,\n DstProcessId = ProcessId, \n DstProcessGuid = ProcessGuid,\n DstProcessName = Process,\n DstAppName = Process,\n DstAppType = 'Process' \n | project-away SyslogMessage\n ; \n let SysmonForLinuxNetwork=\n union OutboundNetworkEvents, InboundNetworkEvents\n | extend \n EventType = 'NetworkSession',\n EventStartTime = EventEndTime,\n EventCount = int(1),\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.2.0',\n EventSchema = 'NetworkSession', \n EventProduct = 'Sysmon for Linux',\n EventResult = 'Success',\n EventSeverity = 'Informational',\n DvcOs = 'Linux',\n Protocol = toupper(Protocol),\n EventOriginalType = '3' // Set with a constant value to avoid parsing\n | project-rename \n DvcIpAddr = HostIP,\n DvcHostname = SysmonComputer\n | extend // aliases\n Dvc = DvcHostname,\n Hostname = DstHostname,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr\n ;\n SysmonForLinuxNetwork",
"query": "let DirectionNetworkEvents =\n Syslog | where not(disabled)\n | where SyslogMessage has_all ('<Provider Name=\"Linux-Sysmon\"', '<EventID>3</EventID>')\n | project-away ProcessName, ProcessID\n | parse SyslogMessage with * '<Data Name=\"SourceIp\">' SrcIpAddr:string '</Data>' *\n | extend outbound = (SrcIpAddr == HostIP or SrcIpAddr in ('127.0.0.1', '0.0.0.0'))\n ;\n let parser = (T: (SyslogMessage: string)) {\n T \n | parse SyslogMessage with \n *\n '<EventRecordID>' EventOriginalUid:string '</EventRecordID>'\n *\n '<Computer>' SysmonComputer:string '</Computer>'\n *\n '<Data Name=\"RuleName\">' RuleName:string '</Data>'\n '<Data Name=\"UtcTime\">' EventEndTime:datetime '</Data>'\n '<Data Name=\"ProcessGuid\">{' ProcessGuid:string '}</Data>'\n '<Data Name=\"ProcessId\">' ProcessId:string '</Data>'\n '<Data Name=\"Image\">' Process:string '</Data>'\n '<Data Name=\"User\">' User:string '</Data>'\n '<Data Name=\"Protocol\">' Protocol:string '</Data>' // -- source is lowercase\n '<Data Name=\"Initiated\">' Initiated:bool '</Data>' \n '<Data Name=\"SourceIsIpv6\">' SourceIsIpv6:bool '</Data>'\t\t\n '<Data Name=\"SourceIp\">' * '</Data>'\n '<Data Name=\"SourceHostname\">' SrcHostname:string '</Data>'\n '<Data Name=\"SourcePort\">' SrcPortNumber:int '</Data>'\n '<Data Name=\"SourcePortName\">' SrcPortName:string '</Data>'\n '<Data Name=\"DestinationIsIpv6\">' DestinationIsIpv6:bool '</Data>'\n '<Data Name=\"DestinationIp\">' DstIpAddr:string '</Data>'\n '<Data Name=\"DestinationHostname\">' DstHostname:string '</Data>'\n '<Data Name=\"DestinationPort\">' DstPortNumber:int '</Data>'\n '<Data Name=\"DestinationPortName\">' DstPortName:string '</Data>'\n *\n };\n let OutboundNetworkEvents = \n DirectionNetworkEvents\n | where outbound\n | invoke parser ()\n | extend\n SrcUsernameType = 'Simple',\n SrcUsername = User,\n SrcProcessId = ProcessId, \n SrcProcessGuid = ProcessGuid,\n SrcProcessName = Process,\n SrcAppName = Process,\n SrcAppType = 'Process'\n | 
project-away SyslogMessage\n ;\n let InboundNetworkEvents = \n DirectionNetworkEvents\n | where not(outbound)\n | invoke parser ()\n | extend\n DstUsernameType = 'Simple',\n DstUsername = User,\n DstProcessId = ProcessId, \n DstProcessGuid = ProcessGuid,\n DstProcessName = Process,\n DstAppName = Process,\n DstAppType = 'Process' \n | project-away SyslogMessage\n ; \n let SysmonForLinuxNetwork=\n union OutboundNetworkEvents, InboundNetworkEvents\n | extend \n EventType = 'NetworkSession',\n EventStartTime = EventEndTime,\n EventCount = int(1),\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.2.0',\n EventSchema = 'NetworkSession', \n EventProduct = 'Sysmon for Linux',\n EventResult = 'Success',\n EventSeverity = 'Informational',\n DvcOs = 'Linux',\n Protocol = toupper(Protocol),\n NetworkDirection = iff(outbound, \"Ountbound\", \"Inbound\"),\n EventOriginalType = '3' // Set with a constant value to avoid parsing\n | project-rename \n DvcIpAddr = HostIP,\n DvcHostname = SysmonComputer\n | extend // aliases\n Dvc = DvcHostname,\n Hostname = DstHostname,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr\n ;\n SysmonForLinuxNetwork",
"version": 1,
"functionParameters": "disabled:bool=False"
}
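Review bot: The NetworkDirection value introduced on the new query line is misspelled: `NetworkDirection = iff(outbound, "Ountbound", "Inbound")` emits "Ountbound", which is not an ASIM enumerated value, so any rule or union that filters on NetworkDirection == "Outbound" silently drops every outbound Sysmon event. The AWS VPC parser in this same commit maps egress to "Outbound" via its DirectionLookup, so this parser should agree; change the line to `NetworkDirection = iff(outbound, "Outbound", "Inbound")`. Note also that the helper column `outbound` is never projected away, so it leaks into the parser's output alongside the normalized field; dropping it in the final projection would keep the schema clean.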


@ -35,7 +35,7 @@
"displayName": "Network Session ASIM parser for Zscaler ZIA Firewall",
"category": "ASIM",
"FunctionAlias": "ASimNetworkSessionZscalerZIA",
"query": "let ActionLookup = datatable (DvcOriginalAction: string, DvcAction:string) [\n // See https://help.zscaler.com/zia/firewall-insights-logs-filters\n 'Allow','Allow',\n 'Allow due to insufficient app data','Allow',\n 'Block/Drop','Drop',\n 'Block/ICMP','Drop ICMP',\n 'Block/Reset', 'Reset',\n 'IPS Drop', 'Drop',\n 'IPS Reset', 'Reset',\n // Observed in real world events\n 'Block ICMP', 'Drop ICMP',\n 'Drop', 'Drop'\n];\nlet parser=(disabled:bool=false){\nCommonSecurityLog | where not(disabled)\n| where DeviceVendor == \"Zscaler\"\n| where DeviceProduct == \"NSSFWlog\"\n// Event fields\n| extend \n EventStartTime=TimeGenerated, \n EventVendor = \"Zscaler\", \n EventProduct = \"ZIA Firewall\", \n EventSchema = \"NetworkSession\", \n EventSchemaVersion=\"0.2.1\", \n EventType = 'NetworkSession', \n EventSeverity = 'Informational',\n EventEndTime=TimeGenerated \n| project-rename\n DvcOriginalAction = DeviceAction, \n DvcHostname = Computer, \n EventProductVersion = DeviceVersion, \n NetworkProtocol = Protocol, \n DstIpAddr = DestinationIP, \n DstPortNumber = DestinationPort, \n DstNatIpAddr = DestinationTranslatedAddress, \n DstNatPortNumber = DestinationTranslatedPort,\n DstAppName = DeviceCustomString3, \n NetworkApplicationProtocol = DeviceCustomString2, \n SrcIpAddr = SourceIP, \n SrcPortNumber = SourcePort, \n SrcUsername = SourceUserName,\n SrcNatIpAddr= SourceTranslatedAddress, \n SrcNatPortNumber = SourceTranslatedPort, \n SrcUserDepartment = DeviceCustomString1, // Not in standard schema\n SrcUserLocation = SourceUserPrivileges, // Not in standard schema\n ThreatName = DeviceCustomString6, \n ThreatCategory = DeviceCustomString5, \n RuleName = Activity \n// -- Calculated fields\n| lookup ActionLookup on DvcOriginalAction \n| extend\n // -- Adjustment to support both old and new CSL fields.\n EventCount=coalesce(\n toint(column_ifexists(\"fieldDeviceCustomNumber2\", int(null))), \n toint(column_ifexists(\"DeviceCustomNumber2\",int(null)))\n ),\n 
NetworkDuration = coalesce(\n toint(column_ifexists(\"fieldDeviceCustomNumber1\", int(null))),\n toint(column_ifexists(\"DeviceCustomNumber1\",int(null)))\n ),\n ThreatCategory = iff(DeviceCustomString4 == \"None\", \"\", ThreatCategory),\n SrcUsername = iff (SrcUsername == SrcUserLocation, \"\", SrcUsername),\n DstBytes = tolong(ReceivedBytes), \n SrcBytes = tolong(SentBytes)\n// -- Enrichment\n| extend\n EventResult = iff (DvcOriginalAction == \"Allow\", \"Success\", \"Failure\"),\n DstAppType = \"Service\", \n SrcUsernameType = \"UPN\" \n// -- Aliases\n| extend\n Dvc = DvcHostname,\n User = SrcUsername,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Duration = NetworkDuration\n| project-away \n DeviceCustom*\n};\nparser (disabled)",
"query": "let ActionLookup = datatable (DvcOriginalAction: string, DvcAction:string) [\n // See https://help.zscaler.com/zia/firewall-insights-logs-filters\n 'Allow','Allow',\n 'Allow due to insufficient app data','Allow',\n 'Block/Drop','Drop',\n 'Block/ICMP','Drop ICMP',\n 'Block/Reset', 'Reset',\n 'IPS Drop', 'Drop',\n 'IPS Reset', 'Reset',\n // Observed in real world events\n 'Block ICMP', 'Drop ICMP',\n 'Drop', 'Drop'\n];\nlet parser=(disabled:bool=false){\nCommonSecurityLog | where not(disabled)\n| where DeviceVendor == \"Zscaler\"\n| where DeviceProduct == \"NSSFWlog\"\n// Event fields\n| extend \n EventStartTime=TimeGenerated, \n EventVendor = \"Zscaler\", \n EventProduct = \"ZIA Firewall\", \n EventSchema = \"NetworkSession\", \n EventSchemaVersion=\"0.2.1\", \n EventType = 'NetworkSession', \n EventSeverity = 'Informational',\n EventEndTime=TimeGenerated \n| project-rename\n DvcOriginalAction = DeviceAction, \n DvcHostname = Computer, \n EventProductVersion = DeviceVersion, \n NetworkProtocol = Protocol, \n DstIpAddr = DestinationIP, \n DstPortNumber = DestinationPort, \n DstNatIpAddr = DestinationTranslatedAddress, \n DstNatPortNumber = DestinationTranslatedPort,\n DstAppName = DeviceCustomString3, \n NetworkApplicationProtocol = DeviceCustomString2, \n SrcIpAddr = SourceIP, \n SrcPortNumber = SourcePort, \n SrcUsername = SourceUserName,\n SrcNatIpAddr= SourceTranslatedAddress, \n SrcNatPortNumber = SourceTranslatedPort, \n SrcUserDepartment = DeviceCustomString1, // Not in standard schema\n SrcUserLocation = SourceUserPrivileges, // Not in standard schema\n ThreatName = DeviceCustomString6, \n ThreatCategory = DeviceCustomString5, \n NetworkRuleName = Activity \n// -- Calculated fields\n| lookup ActionLookup on DvcOriginalAction \n| extend\n // -- Adjustment to support both old and new CSL fields.\n EventCount=coalesce(\n toint(column_ifexists(\"fieldDeviceCustomNumber2\", int(null))), \n toint(column_ifexists(\"DeviceCustomNumber2\",int(null)))\n ),\n 
NetworkDuration = coalesce(\n toint(column_ifexists(\"fieldDeviceCustomNumber1\", int(null))),\n toint(column_ifexists(\"DeviceCustomNumber1\",int(null)))\n ),\n ThreatCategory = iff(DeviceCustomString4 == \"None\", \"\", ThreatCategory),\n SrcUsername = iff (SrcUsername == SrcUserLocation, \"\", SrcUsername),\n DstBytes = tolong(ReceivedBytes), \n SrcBytes = tolong(SentBytes)\n// -- Enrichment\n| extend\n EventResult = iff (DvcOriginalAction == \"Allow\", \"Success\", \"Failure\"),\n DstAppType = \"Service\", \n SrcUsernameType = \"UPN\" \n// -- Aliases\n| extend\n Dvc = DvcHostname,\n User = SrcUsername,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Rule = NetworkRuleName,\n Duration = NetworkDuration\n| project-away \n DeviceCustom*\n};\nparser (disabled)",
"version": 1,
"functionParameters": "disabled:bool=False"
}
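Review bot: EventResult in the new query is still derived from the raw vendor string, `EventResult = iff (DvcOriginalAction == "Allow", "Success", "Failure")`, even though the ActionLookup at the top of the same query maps 'Allow due to insufficient app data' to DvcAction 'Allow'; such events therefore come out as DvcAction = Allow but EventResult = Failure, which is contradictory for detections keyed on EventResult. Since the lookup runs before the enrichment extend, deriving the result from the normalized action, `EventResult = iff (DvcAction == "Allow", "Success", "Failure")`, keeps the two fields consistent. Vendor actions absent from the lookup leave DvcAction empty and still yield Failure under either form, which appears to be the intended conservative default. The RuleName to NetworkRuleName rename and the added `Rule` alias look correct.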


@ -18,46 +18,6 @@
},
"variables": {},
"resources": [
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionEmpty",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionEmpty/vimNetworkSessionEmpty.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionAzureFirewall",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAzureFirewall/ASimNetworkSessionAzureFirewall.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
@ -81,51 +41,11 @@
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionVMConnection",
"name": "linkedvimNetworkSessionEmpty",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVMConnection/vimNetworkSessionVMConnection.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionPaloAltoCEF",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionPaloAltoCEF/ASimNetworkSessionPaloAltoCEF.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionAzureNSG",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAzureNSG/ASimNetworkSessionAzureNSG.json",
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionEmpty/vimNetworkSessionEmpty.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
@ -161,11 +81,11 @@
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedimNetworkSession",
"name": "linkedASimNetworkSessionAzureFirewall",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/imNetworkSession/imNetworkSession.json",
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAzureFirewall/ASimNetworkSessionAzureFirewall.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
@ -181,11 +101,11 @@
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionMicrosoft365Defender",
"name": "linkedvimNetworkSessionMicrosoft365Defender",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoft365Defender/ASimNetworkSessionMicrosoft365Defender.json",
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoft365Defender/vimNetworkSessionMicrosoft365Defender.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
@ -201,11 +121,11 @@
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionAWSVPC",
"name": "linkedvimNetworkSessionVMConnection",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAWSVPC/ASimNetworkSessionAWSVPC.json",
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVMConnection/vimNetworkSessionVMConnection.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
@ -221,91 +141,11 @@
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionVMConnection",
"name": "linkedvimNetworkSessionAzureNSG",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionVMConnection/ASimNetworkSessionVMConnection.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionCiscoMeraki",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoMeraki/ASimNetworkSessionCiscoMeraki.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionAWSVPC",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAWSVPC/vimNetworkSessionAWSVPC.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionMicrosoftWindowsEventFirewall",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftWindowsEventFirewall/ASimNetworkSessionMicrosoftWindowsEventFirewall.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionzScalerZIA",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionzScalerZIA/vimNetworkSessionzScalerZIA.json",
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAzureNSG/vimNetworkSessionAzureNSG.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
@ -361,31 +201,11 @@
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionAzureNSG",
"name": "linkedvimNetworkSessionCiscoMeraki",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAzureNSG/vimNetworkSessionAzureNSG.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionMicrosoftWindowsEventFirewall",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftWindowsEventFirewall/vimNetworkSessionMicrosoftWindowsEventFirewall.json",
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoMeraki/vimNetworkSessionCiscoMeraki.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
@ -421,11 +241,11 @@
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionMicrosoftLinuxSysmon",
"name": "linkedASimNetworkSessionMicrosoftLinuxSysmon",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftLinuxSysmon/vimNetworkSessionMicrosoftLinuxSysmon.json",
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftLinuxSysmon/ASimNetworkSessionMicrosoftLinuxSysmon.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
@ -441,11 +261,11 @@
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSession",
"name": "linkedASimNetworkSessionPaloAltoCEF",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSession/ASimNetworkSession.json",
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionPaloAltoCEF/ASimNetworkSessionPaloAltoCEF.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
@ -461,11 +281,11 @@
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionCiscoMeraki",
"name": "linkedimNetworkSession",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoMeraki/vimNetworkSessionCiscoMeraki.json",
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/imNetworkSession/imNetworkSession.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
@ -481,11 +301,11 @@
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionVectraAI",
"name": "linkedASimNetworkSessionVMConnection",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVectraAI/vimNetworkSessionVectraAI.json",
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionVMConnection/ASimNetworkSessionVMConnection.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
@ -501,11 +321,91 @@
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionMicrosoft365Defender",
"name": "linkedASimNetworkSessionMicrosoft365Defender",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoft365Defender/vimNetworkSessionMicrosoft365Defender.json",
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoft365Defender/ASimNetworkSessionMicrosoft365Defender.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionAWSVPC",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAWSVPC/ASimNetworkSessionAWSVPC.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionzScalerZIA",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionzScalerZIA/vimNetworkSessionzScalerZIA.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionAWSVPC",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAWSVPC/vimNetworkSessionAWSVPC.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionMicrosoftWindowsEventFirewall",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftWindowsEventFirewall/ASimNetworkSessionMicrosoftWindowsEventFirewall.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
@ -541,11 +441,111 @@
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionMicrosoftLinuxSysmon",
"name": "linkedASimNetworkSession",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftLinuxSysmon/ASimNetworkSessionMicrosoftLinuxSysmon.json",
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSession/ASimNetworkSession.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionAzureNSG",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAzureNSG/ASimNetworkSessionAzureNSG.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionMicrosoftWindowsEventFirewall",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftWindowsEventFirewall/vimNetworkSessionMicrosoftWindowsEventFirewall.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionVectraAI",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVectraAI/vimNetworkSessionVectraAI.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionMicrosoftLinuxSysmon",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftLinuxSysmon/vimNetworkSessionMicrosoftLinuxSysmon.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionCiscoMeraki",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoMeraki/ASimNetworkSessionCiscoMeraki.json",
"contentVersion": "1.0.0.0"
},
"parameters": {


@ -35,7 +35,7 @@
"displayName": "Network Session ASIM filtering parser for Zscaler ZIA firewall",
"category": "ASIM",
"FunctionAlias": "vimNetworkSessionZscalerZIA",
"query": "let ActionLookup = datatable (DvcOriginalAction: string, DvcAction:string) [\n // See https://help.zscaler.com/zia/firewall-insights-logs-filters\n 'Allow','Allow',\n 'Allow due to insufficient app data','Allow',\n 'Block/Drop','Drop',\n 'Block/ICMP','Drop ICMP',\n 'Block/Reset', 'Reset',\n 'IPS Drop', 'Drop',\n 'IPS Reset', 'Reset',\n // Observed in real world events\n 'Block ICMP', 'Drop ICMP',\n 'Drop', 'Drop'\n];\nlet parser= \n (starttime:datetime=datetime(null)\n , endtime:datetime=datetime(null)\n , srcipaddr_has_any_prefix:dynamic=dynamic([])\n , dstipaddr_has_any_prefix:dynamic=dynamic([])\n , ipaddr_has_any_prefix:dynamic=dynamic([])\n , dstportnumber:int=int(null)\n , hostname_has_any:dynamic=dynamic([])\n , dvcaction:dynamic=dynamic([])\n , eventresult:string='*'\n , disabled:bool=false) {\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \nCommonSecurityLog \n| where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n| where not(disabled)\n| where DeviceVendor == \"Zscaler\"\n| where DeviceProduct == \"NSSFWlog\"\n|where\n (array_length(hostname_has_any) == 0) // No host name information, so always filter out if hostname filter used. 
\n and (isnull(dstportnumber) or dstportnumber == DestinationPort) \n| extend temp_SrcMatch=has_any_ipv4_prefix(SourceIP,src_or_any), temp_DstMatch=has_any_ipv4_prefix(DestinationIP,dst_or_any)\n| extend ASimMatchingIpAddr=case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0 ,\"-\",\n temp_SrcMatch and temp_DstMatch, \"Both\",\n temp_SrcMatch, \"SrcIpAddr\",\n temp_DstMatch, \"DstIpAddr\",\n \"No match\"\n )\n// -- Pre-filtering\n| where ASimMatchingIpAddr != \"No match\"\n| project-away temp_*\n| project-rename DvcOriginalAction = DeviceAction\n| lookup ActionLookup on DvcOriginalAction \n| where array_length(dvcaction) == 0 or DvcAction in (dvcaction)\n| extend EventResult = iff (DvcOriginalAction == \"Allow\", \"Success\", \"Failure\") \n| where (eventresult=='*' or EventResult == eventresult)\n// -- Event fields\n| extend \n EventStartTime=TimeGenerated, \n EventVendor = \"Zscaler\", \n EventProduct = \"ZIA Firewall\", \n EventSchema = \"NetworkSession\", \n EventSchemaVersion=\"0.2.3\", \n EventType = 'NetworkSession', \n EventSeverity = 'Informational',\n EventEndTime=TimeGenerated \n| project-rename\n DvcHostname = Computer, \n EventProductVersion = DeviceVersion, \n NetworkProtocol = Protocol, \n DstIpAddr = DestinationIP, \n DstPortNumber = DestinationPort, \n DstNatIpAddr = DestinationTranslatedAddress, \n DstNatPortNumber = DestinationTranslatedPort, \n DstAppName = DeviceCustomString3, \n NetworkApplicationProtocol = DeviceCustomString2, \n SrcIpAddr = SourceIP, \n SrcPortNumber = SourcePort, \n SrcUsername = SourceUserName,\n SrcNatIpAddr= SourceTranslatedAddress, \n SrcNatPortNumber = SourceTranslatedPort, \n SrcUserDepartment = DeviceCustomString1, // Not in standard schema\n SrcUserLocation = SourceUserPrivileges, // Not in standard schema\n ThreatName = DeviceCustomString6, \n ThreatCategory = DeviceCustomString5, \n RuleName = Activity \n// -- Calculated fields\n| extend\n // -- Adjustment to support both old and new CSL 
fields.\n EventCount=coalesce(\n toint(column_ifexists(\"fieldDeviceCustomNumber2\", int(null))), \n toint(column_ifexists(\"DeviceCustomNumber2\",int(null)))\n ),\n NetworkDuration = coalesce(\n toint(column_ifexists(\"fieldDeviceCustomNumber1\", int(null))),\n toint(column_ifexists(\"DeviceCustomNumber1\",int(null)))\n ),\n ThreatCategory = iff(DeviceCustomString4 == \"None\", \"\", ThreatCategory),\n SrcUsername = iff (SrcUsername == SrcUserLocation, \"\", SrcUsername),\n DstBytes = tolong(ReceivedBytes), \n SrcBytes = tolong(SentBytes)\n// -- Enrichment\n| extend\n DstAppType = \"Service\", \n SrcUsernameType = \"UPN\" \n// -- Aliases\n| extend\n Dvc = DvcHostname,\n User = SrcUsername,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Duration = NetworkDuration\n| project-away \n DeviceCustom*\n};\nparser (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, disabled)",
"query": "let ActionLookup = datatable (DvcOriginalAction: string, DvcAction:string) [\n // See https://help.zscaler.com/zia/firewall-insights-logs-filters\n 'Allow','Allow',\n 'Allow due to insufficient app data','Allow',\n 'Block/Drop','Drop',\n 'Block/ICMP','Drop ICMP',\n 'Block/Reset', 'Reset',\n 'IPS Drop', 'Drop',\n 'IPS Reset', 'Reset',\n // Observed in real world events\n 'Block ICMP', 'Drop ICMP',\n 'Drop', 'Drop'\n];\nlet parser= \n (starttime:datetime=datetime(null)\n , endtime:datetime=datetime(null)\n , srcipaddr_has_any_prefix:dynamic=dynamic([])\n , dstipaddr_has_any_prefix:dynamic=dynamic([])\n , ipaddr_has_any_prefix:dynamic=dynamic([])\n , dstportnumber:int=int(null)\n , hostname_has_any:dynamic=dynamic([])\n , dvcaction:dynamic=dynamic([])\n , eventresult:string='*'\n , disabled:bool=false) {\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \nCommonSecurityLog \n| where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n| where not(disabled)\n| where DeviceVendor == \"Zscaler\"\n| where DeviceProduct == \"NSSFWlog\"\n|where\n (array_length(hostname_has_any) == 0) // No host name information, so always filter out if hostname filter used. 
\n and (isnull(dstportnumber) or dstportnumber == DestinationPort) \n| extend temp_SrcMatch=has_any_ipv4_prefix(SourceIP,src_or_any), temp_DstMatch=has_any_ipv4_prefix(DestinationIP,dst_or_any)\n| extend ASimMatchingIpAddr=case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0 ,\"-\",\n temp_SrcMatch and temp_DstMatch, \"Both\",\n temp_SrcMatch, \"SrcIpAddr\",\n temp_DstMatch, \"DstIpAddr\",\n \"No match\"\n )\n// -- Pre-filtering\n| where ASimMatchingIpAddr != \"No match\"\n| project-away temp_*\n| project-rename DvcOriginalAction = DeviceAction\n| lookup ActionLookup on DvcOriginalAction \n| where array_length(dvcaction) == 0 or DvcAction in (dvcaction)\n| extend EventResult = iff (DvcOriginalAction == \"Allow\", \"Success\", \"Failure\") \n| where (eventresult=='*' or EventResult == eventresult)\n// -- Event fields\n| extend \n EventStartTime=TimeGenerated, \n EventVendor = \"Zscaler\", \n EventProduct = \"ZIA Firewall\", \n EventSchema = \"NetworkSession\", \n EventSchemaVersion=\"0.2.3\", \n EventType = 'NetworkSession', \n EventSeverity = 'Informational',\n EventEndTime=TimeGenerated \n| project-rename\n DvcHostname = Computer, \n EventProductVersion = DeviceVersion, \n NetworkProtocol = Protocol, \n DstIpAddr = DestinationIP, \n DstPortNumber = DestinationPort, \n DstNatIpAddr = DestinationTranslatedAddress, \n DstNatPortNumber = DestinationTranslatedPort, \n DstAppName = DeviceCustomString3, \n NetworkApplicationProtocol = DeviceCustomString2, \n SrcIpAddr = SourceIP, \n SrcPortNumber = SourcePort, \n SrcUsername = SourceUserName,\n SrcNatIpAddr= SourceTranslatedAddress, \n SrcNatPortNumber = SourceTranslatedPort, \n SrcUserDepartment = DeviceCustomString1, // Not in standard schema\n SrcUserLocation = SourceUserPrivileges, // Not in standard schema\n ThreatName = DeviceCustomString6, \n ThreatCategory = DeviceCustomString5, \n NetworkRuleName = Activity \n// -- Calculated fields\n| extend\n // -- Adjustment to support both old and new CSL 
fields.\n EventCount=coalesce(\n toint(column_ifexists(\"fieldDeviceCustomNumber2\", int(null))), \n toint(column_ifexists(\"DeviceCustomNumber2\",int(null)))\n ),\n NetworkDuration = coalesce(\n toint(column_ifexists(\"fieldDeviceCustomNumber1\", int(null))),\n toint(column_ifexists(\"DeviceCustomNumber1\",int(null)))\n ),\n ThreatCategory = iff(DeviceCustomString4 == \"None\", \"\", ThreatCategory),\n SrcUsername = iff (SrcUsername == SrcUserLocation, \"\", SrcUsername),\n DstBytes = tolong(ReceivedBytes), \n SrcBytes = tolong(SentBytes)\n// -- Enrichment\n| extend\n DstAppType = \"Service\", \n SrcUsernameType = \"UPN\" \n// -- Aliases\n| extend\n Dvc = DvcHostname,\n User = SrcUsername,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Rule = NetworkRuleName,\n Duration = NetworkDuration\n| project-away \n DeviceCustom*\n};\nparser (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, disabled)",
"version": 1,
"functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False"
}
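Review bot: `EventResult` in the new query is still derived from the raw action (`EventResult = iff (DvcOriginalAction == "Allow", "Success", "Failure")`), so the `'Allow due to insufficient app data'` row that ActionLookup maps to `DvcAction` `Allow` is reported as `Failure`, which skews any detection or report keyed on EventResult. Because the `lookup ActionLookup on DvcOriginalAction` already runs before this line, deriving it from the normalized value, `EventResult = iff (DvcAction == "Allow", "Success", "Failure")`, keeps the two fields consistent. The same expression presumably lives in the YAML source of this parser (the Zscaler ZIA Firewall sections further down the page); if the JSON is generated from the YAML, that is where the fix belongs.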


@ -1,7 +1,7 @@
Parser:
Title: Network Session ASIM parser for AWS VPC logs
Version: '0.1'
LastUpdated: Feb 07, 2021
Version: '0.2'
LastUpdated: Jun 16, 2021
Product:
Name: AWS VPC
Normalization:
@ -183,7 +183,7 @@ ParserQuery: |
];
let parser = (disabled:bool=false){
AWSVPCFlow | where not(disabled)
| where LogStatus != "NODATA"
| where LogStatus == "OK"
| extend
EventVendor="AWS",
EventProduct="VPC",
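Review bot: The header of this section sets `LastUpdated: Jun 16, 2021` while bumping the version to `'0.2'`; the other parsers in this commit carry June 2022 dates and the commit itself is from June 2022, so the year looks like a typo and should read `LastUpdated: Jun 16, 2022`. The same 2021 date appears in the AWS VPC filtering-parser section further down the page. Separately, tightening the filter from `LogStatus != "NODATA"` to `LogStatus == "OK"` also drops any SKIPDATA records, not only NODATA ones; that is probably intended since those records carry no flow fields, but a one-line comment such as `// keep only OK: NODATA/SKIPDATA records carry no flow fields` would make the behaviour change explicit for anyone who relied on those rows as a visibility-gap signal.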


@ -1,7 +1,7 @@
Parser:
Title: Network Session ASIM parser for M365 Defender for Endpoint
Version: '0.2'
LastUpdated: Jan 17, 2022
Version: '0.3'
LastUpdated: Jun 15, 2022
Product:
Name: M365 Defender for Endpoint
Normalization:
@ -181,7 +181,7 @@ ParserQuery: |
;
union InboundNetworkEvents, OutboundNetworkEvents
| extend // aliases
Hostname = UrlHostname,
Hostname = tostring(UrlHostname),
IpAddr = SrcIpAddr,
Src = SrcIpAddr,
Dst = DstIpAddr


@ -1,7 +1,7 @@
Parser:
Title: Network Session ASIM parser for Sysmon for Linux
Version: '0.2'
LastUpdated: Jan 17, 2022
Version: '0.3'
LastUpdated: Jun 16, 2022
Product:
Name: Sysmon for Linux
Normalization:
@ -70,43 +70,44 @@ ParserQuery: |
SrcAppType = 'Process'
| project-away SyslogMessage
;
let InboundNetworkEvents =
DirectionNetworkEvents
| where not(outbound)
| invoke parser ()
| extend
DstUsernameType = 'Simple',
DstUsername = User,
DstProcessId = ProcessId,
DstProcessGuid = ProcessGuid,
DstProcessName = Process,
DstAppName = Process,
DstAppType = 'Process'
| project-away SyslogMessage
;
let SysmonForLinuxNetwork=
union OutboundNetworkEvents, InboundNetworkEvents
| extend
EventType = 'NetworkSession',
EventStartTime = EventEndTime,
EventCount = int(1),
EventVendor = 'Microsoft',
EventSchemaVersion = '0.2.0',
EventSchema = 'NetworkSession',
EventProduct = 'Sysmon for Linux',
EventResult = 'Success',
EventSeverity = 'Informational',
DvcOs = 'Linux',
Protocol = toupper(Protocol),
EventOriginalType = '3' // Set with a constant value to avoid parsing
| project-rename
DvcIpAddr = HostIP,
DvcHostname = SysmonComputer
| extend // aliases
Dvc = DvcHostname,
Hostname = DstHostname,
IpAddr = SrcIpAddr,
Src = SrcIpAddr,
Dst = DstIpAddr
;
SysmonForLinuxNetwork
let InboundNetworkEvents =
DirectionNetworkEvents
| where not(outbound)
| invoke parser ()
| extend
DstUsernameType = 'Simple',
DstUsername = User,
DstProcessId = ProcessId,
DstProcessGuid = ProcessGuid,
DstProcessName = Process,
DstAppName = Process,
DstAppType = 'Process'
| project-away SyslogMessage
;
let SysmonForLinuxNetwork=
union OutboundNetworkEvents, InboundNetworkEvents
| extend
EventType = 'NetworkSession',
EventStartTime = EventEndTime,
EventCount = int(1),
EventVendor = 'Microsoft',
EventSchemaVersion = '0.2.0',
EventSchema = 'NetworkSession',
EventProduct = 'Sysmon for Linux',
EventResult = 'Success',
EventSeverity = 'Informational',
DvcOs = 'Linux',
Protocol = toupper(Protocol),
NetworkDirection = iff(outbound, "Ountbound", "Inbound"),
EventOriginalType = '3' // Set with a constant value to avoid parsing
| project-rename
DvcIpAddr = HostIP,
DvcHostname = SysmonComputer
| extend // aliases
Dvc = DvcHostname,
Hostname = DstHostname,
IpAddr = SrcIpAddr,
Src = SrcIpAddr,
Dst = DstIpAddr
;
SysmonForLinuxNetwork
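Review bot: The new `NetworkDirection = iff(outbound, "Ountbound", "Inbound")` line misspells the enumerated value; the VMConnection parsers in this same commit write `"Outbound"`, so it should be `NetworkDirection = iff(outbound, "Outbound", "Inbound")`. The identical typo is in the Sysmon for Linux filtering parser further down the page, and because it is a string literal nothing will fail at query time — outbound events will simply never match a `NetworkDirection == "Outbound"` filter. This also relies on the `outbound` column surviving into the union (it is referenced by `where not(outbound)` above and presumably not projected away). Finally, this parser still declares `EventSchemaVersion = '0.2.0'` while the filtering parser for the same source declares `'0.2.3'`; if the two are meant to stay in lockstep, this one should be bumped as well.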


@ -1,7 +1,7 @@
Parser:
Title: Network Session ASIM parser for VM connection information collected using the Log Analytics Agent
Version: '0.1'
LastUpdated: Feb 6, 2022
Version: '0.2'
LastUpdated: Jun 15, 2022
Product:
Name: VMConnection
Normalization:
@ -38,6 +38,7 @@ ParserQuery: |
| where Direction == "outbound"
| extend
SrcAppType = "Process",
SrcDvcIdType = "VMConnectionId",
SrcHostnameType = "Simple",
DstGeoCountry = RemoteCountry,
DstGeoLongitude = RemoteLongitude,
@ -119,6 +120,7 @@ ParserQuery: |
EventSchema = "NetworkSession",
EventSchemaVersion = "0.2.2",
EventType = "EndpointNetworkSession",
NetworkDirection = iff(Direction=="inbound", "Inbound", "Outbound"),
EventEndTime = TimeGenerated
| project-rename
DstIpAddr = DestinationIp,
@ -126,7 +128,6 @@ ParserQuery: |
SrcIpAddr = SourceIp,
NetworkSessionId = ConnectionId,
ThreatName = IndicatorThreatType,
NetworkDirection = Direction,
RemoteGeoCountry = RemoteCountry,
RemoteGeoLatitude = RemoteLatitude,
RemoteGeoLongitude = RemoteLongitude,
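Review bot: This parser now sets `SrcDvcIdType = "VMConnectionId"` but, unlike the VMConnection filtering parser in the same commit, does not add `DvcIdType = "VMConnectionId"` to the event-fields `extend`; the two parsers for the same source should emit the same type fields, so `DvcIdType = "VMConnectionId",` belongs next to the new `NetworkDirection` line here too. Note also that `NetworkDirection = iff(Direction=="inbound", "Inbound", "Outbound")` labels any value other than the exact lowercase `inbound` as `Outbound` (`==` is case-sensitive in KQL); that matches the `Direction == "outbound"` filter earlier in this hunk, but a case-insensitive `=~` or an explicit outbound check would avoid silently classifying unexpected values. Since the `NetworkDirection = Direction` rename was removed, the raw `Direction` column presumably remains in the output unless it is projected away outside this hunk.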


@ -1,7 +1,7 @@
Parser:
Title: Network Session ASIM parser for Zscaler ZIA Firewall
Version: '0.2'
LastUpdated: Jan 17, 2022
Version: '0.3'
LastUpdated: Jun 16, 2022
Product:
Name: Zscaler ZIA Firewall
Normalization:
@ -72,7 +72,7 @@ ParserQuery: |
SrcUserLocation = SourceUserPrivileges, // Not in standard schema
ThreatName = DeviceCustomString6,
ThreatCategory = DeviceCustomString5,
RuleName = Activity
NetworkRuleName = Activity
// -- Calculated fields
| lookup ActionLookup on DvcOriginalAction
| extend
@ -101,6 +101,7 @@ ParserQuery: |
IpAddr = SrcIpAddr,
Src = SrcIpAddr,
Dst = DstIpAddr,
Rule = NetworkRuleName,
Duration = NetworkDuration
| project-away
DeviceCustom*


@ -1,7 +1,7 @@
Parser:
Title: Network Session ASIM filtering parser for AWS VPC logs
Version: '0.1'
LastUpdated: Feb 08, 2021
Version: '0.2'
LastUpdated: Jun 16, 2021
Product:
Name: AWS VPC
Normalization:
@ -227,7 +227,7 @@ ParserQuery: |
| where(isnull(starttime) or TimeGenerated >= starttime)
and (isnull(endtime) or TimeGenerated <= endtime)
| where not(disabled)
| where LogStatus != "NODATA"
| where LogStatus == "OK"
// -- Pre-filtering:
| where
(isnull(dstportnumber) or (DstPort == dstportnumber))


@ -1,7 +1,7 @@
Parser:
Title: Network Session ASIM filtering parser for M365 Defender for Endpoint
Version: '0.2'
LastUpdated: Jan 17, 2022
Version: '0.3'
LastUpdated: Jun 15, 2022
Product:
Name: M365 Defender for Endpoint
Normalization:
@ -259,7 +259,7 @@ ParserQuery: |
;
union InboundNetworkEvents, OutboundNetworkEvents
| extend // aliases
Hostname = UrlHostname,
Hostname = tostring(UrlHostname),
IpAddr = SrcIpAddr,
Src = SrcIpAddr,
Dst = DstIpAddr


@ -1,7 +1,7 @@
Parser:
Title: Network Session ASIM filtering parser for Sysmon for Linux
Version: '0.2'
LastUpdated: Jan 17, 2022
Version: '0.3'
LastUpdated: Jun 16, 2022
Product:
Name: Sysmon for Linux
Normalization:
@ -139,59 +139,60 @@ ParserQuery: |
SrcAppType = 'Process'
| project-away SyslogMessage
;
let InboundNetworkEvents =
DirectionNetworkEvents
| where not(outbound)
| invoke parser ()
// *************** Postfilterring ***************************************************************
| where (array_length(hostname_has_any)==0 or DstHostname has_any (hostname_has_any)or SrcHostname has_any (hostname_has_any) )
and (isnull(dstportnumber) or DstPortNumber ==dstportnumber)
// *************** Postfilterring ***************************************************************
| extend
temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any)
, temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)
| extend ASimMatchingIpAddr = case(
array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, "-" // match not requested: probably most common case
, (temp_isSrcMatch and temp_isDstMatch), "Both" // has to be checked before the individual
, temp_isSrcMatch, "SrcIpAddr"
, temp_isDstMatch, "DstIpAddr"
, "No match"
)
| where ASimMatchingIpAddr != "No match"
| project-away temp_*
| extend
DstUsernameType = 'Simple',
DstUsername = User,
DstProcessId = ProcessId,
DstProcessGuid = ProcessGuid,
DstProcessName = Process,
DstAppName = Process,
DstAppType = 'Process'
| project-away SyslogMessage
;
let SysmonForLinuxNetwork=
union OutboundNetworkEvents, InboundNetworkEvents
| extend
EventType = 'NetworkSession',
EventStartTime = EventEndTime,
EventCount = int(1),
EventVendor = 'Microsoft',
EventSchemaVersion = '0.2.3',
EventSchema = 'NetworkSession',
EventProduct = 'Sysmon for Linux',
EventResult = 'Success',
EventSeverity = 'Informational',
DvcOs = 'Linux',
Protocol = toupper(Protocol),
EventOriginalType = '3' // Set with a constant value to avoid parsing
| project-rename
DvcIpAddr = HostIP,
DvcHostname = SysmonComputer
| extend // aliases
Dvc = DvcHostname,
Hostname = DstHostname,
IpAddr = SrcIpAddr,
Src = SrcIpAddr,
Dst = DstIpAddr
;
SysmonForLinuxNetwork
let InboundNetworkEvents =
DirectionNetworkEvents
| where not(outbound)
| invoke parser ()
// *************** Postfilterring ***************************************************************
| where (array_length(hostname_has_any)==0 or DstHostname has_any (hostname_has_any)or SrcHostname has_any (hostname_has_any) )
and (isnull(dstportnumber) or DstPortNumber ==dstportnumber)
// *************** Postfilterring ***************************************************************
| extend
temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any)
, temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)
| extend ASimMatchingIpAddr = case(
array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, "-" // match not requested: probably most common case
, (temp_isSrcMatch and temp_isDstMatch), "Both" // has to be checked before the individual
, temp_isSrcMatch, "SrcIpAddr"
, temp_isDstMatch, "DstIpAddr"
, "No match"
)
| where ASimMatchingIpAddr != "No match"
| project-away temp_*
| extend
DstUsernameType = 'Simple',
DstUsername = User,
DstProcessId = ProcessId,
DstProcessGuid = ProcessGuid,
DstProcessName = Process,
DstAppName = Process,
DstAppType = 'Process'
| project-away SyslogMessage
;
let SysmonForLinuxNetwork=
union OutboundNetworkEvents, InboundNetworkEvents
| extend
EventType = 'NetworkSession',
EventStartTime = EventEndTime,
EventCount = int(1),
EventVendor = 'Microsoft',
EventSchemaVersion = '0.2.3',
EventSchema = 'NetworkSession',
EventProduct = 'Sysmon for Linux',
EventResult = 'Success',
EventSeverity = 'Informational',
DvcOs = 'Linux',
Protocol = toupper(Protocol),
NetworkDirection = iff(outbound, "Ountbound", "Inbound"),
EventOriginalType = '3' // Set with a constant value to avoid parsing
| project-rename
DvcIpAddr = HostIP,
DvcHostname = SysmonComputer
| extend // aliases
Dvc = DvcHostname,
Hostname = DstHostname,
IpAddr = SrcIpAddr,
Src = SrcIpAddr,
Dst = DstIpAddr
;
SysmonForLinuxNetwork


@ -1,7 +1,7 @@
Parser:
Title: Network Session ASIM filtering parser for VM connection information collected using the Log Analytics Agent
Version: '0.1'
LastUpdated: Feb 6, 2022
Version: '0.2'
LastUpdated: Jun 15, 2022
Product:
Name: VMConnection
Normalization:
@ -121,6 +121,7 @@ ParserQuery: |
| project-away temp_*
| extend
SrcAppType = "Process",
SrcDvcIdType = "VMConnectionId",
SrcHostnameType = "Simple",
DstGeoCountry = RemoteCountry,
DstGeoLongitude = RemoteLongitude,
@ -231,6 +232,8 @@ ParserQuery: |
EventSchema = "NetworkSession",
EventSchemaVersion = "0.2.3",
EventType = "EndpointNetworkSession",
DvcIdType = "VMConnectionId",
NetworkDirection = iff(Direction=="inbound", "Inbound", "Outbound"),
EventEndTime = TimeGenerated
| project-rename
DstIpAddr = DestinationIp,
@ -238,7 +241,6 @@ ParserQuery: |
SrcIpAddr = SourceIp,
NetworkSessionId = ConnectionId,
ThreatName = IndicatorThreatType,
NetworkDirection = Direction,
RemoteGeoCountry = RemoteCountry,
RemoteGeoLatitude = RemoteLatitude,
RemoteGeoLongitude = RemoteLongitude,


@ -1,7 +1,7 @@
Parser:
Title: Network Session ASIM filtering parser for Zscaler ZIA firewall
Version: '0.2'
LastUpdated: Jan 17, 2022
Version: '0.3'
LastUpdated: Jun 16, 2022
Product:
Name: Zscaler ZIA Firewall
Normalization:
@ -132,7 +132,7 @@ ParserQuery: |
SrcUserLocation = SourceUserPrivileges, // Not in standard schema
ThreatName = DeviceCustomString6,
ThreatCategory = DeviceCustomString5,
RuleName = Activity
NetworkRuleName = Activity
// -- Calculated fields
| extend
// -- Adjustment to support both old and new CSL fields.
@ -159,6 +159,7 @@ ParserQuery: |
IpAddr = SrcIpAddr,
Src = SrcIpAddr,
Dst = DstIpAddr,
Rule = NetworkRuleName,
Duration = NetworkDuration
| project-away
DeviceCustom*


@ -35,7 +35,7 @@
"displayName": "Web Session ASIM parser for Squid Proxy",
"category": "ASIM",
"FunctionAlias": "ASimWebSessionSquidProxy",
"query": "let parser=(disabled:bool=false){\nSquidProxy_CL | where not(disabled)\n | extend AccessRawLog = extract_all(@\"^(\\d+\\.\\d+)\\s+(\\d+)\\s(\\S+)\\s([A-Z_]+)\\/(\\d+)\\s(\\d+)\\s([A-Z]+)\\s(\\S+)\\s(\\S+)\\s([A-Z_]+)\\/(\\S+)\\s(\\S+)\",dynamic([1,2,3,4,5,6,7,8,9,10,11,12]),RawData)[0]\n | extend\n EventEndTime = unixtime_milliseconds_todatetime(todouble(tostring(AccessRawLog[0]))*1000), \n NetworkDuration = toint(AccessRawLog[1]), \n SrcIpAddr = tostring(AccessRawLog[2]), \n EventOriginalResultDetails = strcat (tostring(AccessRawLog[3]), \";\", PeerStatus = tostring(AccessRawLog[9])), \n EventResultDetails = tostring(AccessRawLog[4]), \n DstBytes = toint(AccessRawLog[5]), \n HttpRequestMethod = tostring(AccessRawLog[6]), \n // -- Squid URL might be shortened by including ellipsis (...) instead of a section in the middle. This may impact the hostname part as well.\n Url = tostring(AccessRawLog[7]), \n SrcUsername = tostring(AccessRawLog[8]), \n DstIpAddr = tostring(AccessRawLog[10]), \n HttpContentType = tostring(AccessRawLog[11]) \n // -- Constant fields\n | extend \n EventCount = int(1), \n EventProduct = 'Squid Proxy', \n EventVendor = 'Squid', \n EventSchema = 'WebSession', \n EventSchemaVersion = '0.2.3', \n EventType = 'HTTPsession' \n // -- Value normalization\n | extend\n UsernameType = \"Unknown\",\n SrcUsername = iff (SrcUsername == \"-\", \"\", SrcUsername), \n HttpContentType = iff (HttpContentType in (\":\", \"-\"), \"\", HttpContentType), \n EventResult = iff (EventOriginalResultDetails has_any ('DENIED', 'INVALID', 'FAIL', 'ABORTED','TIMEOUT') or toint(EventResultDetails) >= 400, \"Failure\", \"Success\"),\n DstIpAddrIsHost = DstIpAddr matches regex @\"^[^\\:]*[a-zA-Z]$\"\n | extend \n DstFQDN = iif (DstIpAddrIsHost, DstIpAddr, tostring(parse_url(Url)[\"Host\"])),\n DstIpAddr = iif (DstIpAddr == \"-\" or DstIpAddrIsHost, \"\", DstIpAddr)\n | extend \n EventSeverity = iff(EventResult == \"Success\", \"Informational\", \"Low\"),\n 
DstFQDNparts = split (DstFQDN, \".\")\n | extend \n DstHostname = tostring(DstFQDNparts[0]),\n DstDomain = strcat_array(array_slice(DstFQDNparts,1,-1),\".\"),\n DstDomainType = \"FQDN\"\n // -- aliases\n | extend \n EventStartTime = EventEndTime,\n Duration = NetworkDuration,\n HttpStatusCode = EventResultDetails,\n User = SrcUsername,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstHostname,\n Hostname = DstHostname\n | project-away AccessRawLog, RawData\n};\nparser (disabled)\n",
"query": "let parser=(disabled:bool=false){\nSquidProxy_CL | where not(disabled)\n | extend AccessRawLog = extract_all(@\"^(\\d+\\.\\d+)\\s+(\\d+)\\s(\\S+)\\s([A-Z_]+)\\/(\\d+)\\s(\\d+)\\s([A-Z]+)\\s(\\S+)\\s(\\S+)\\s([A-Z_]+)\\/(\\S+)\\s(\\S+)\",dynamic([1,2,3,4,5,6,7,8,9,10,11,12]),RawData)[0]\n | project-rename\n Dvc = Computer\n | extend\n EventEndTime = unixtime_milliseconds_todatetime(todouble(tostring(AccessRawLog[0]))*1000), \n NetworkDuration = toint(AccessRawLog[1]), \n SrcIpAddr = tostring(AccessRawLog[2]), \n EventOriginalResultDetails = strcat (tostring(AccessRawLog[3]), \";\", PeerStatus = tostring(AccessRawLog[9])), \n EventResultDetails = tostring(AccessRawLog[4]), \n DstBytes = tolong(AccessRawLog[5]), \n HttpRequestMethod = tostring(AccessRawLog[6]), \n // -- Squid URL might be shortened by including ellipsis (...) instead of a section in the middle. This may impact the hostname part as well.\n Url = tostring(AccessRawLog[7]), \n SrcUsername = tostring(AccessRawLog[8]), \n DstIpAddr = tostring(AccessRawLog[10]), \n HttpContentType = tostring(AccessRawLog[11]) \n // -- Constant fields\n | extend \n EventCount = int(1), \n EventProduct = 'Squid Proxy', \n EventVendor = 'Squid', \n EventSchema = 'WebSession', \n EventSchemaVersion = '0.2.3', \n EventType = 'HTTPsession' \n // -- Value normalization\n | extend\n SrcUsernameType = \"Unknown\",\n SrcUsername = iff (SrcUsername == \"-\", \"\", SrcUsername), \n HttpContentType = iff (HttpContentType in (\":\", \"-\"), \"\", HttpContentType), \n EventResult = iff (EventOriginalResultDetails has_any ('DENIED', 'INVALID', 'FAIL', 'ABORTED','TIMEOUT') or toint(EventResultDetails) >= 400, \"Failure\", \"Success\"),\n DstIpAddrIsHost = DstIpAddr matches regex @\"^[^\\:]*[a-zA-Z]$\"\n | extend \n DstFQDN = iif (DstIpAddrIsHost, DstIpAddr, tostring(parse_url(Url)[\"Host\"])),\n DstIpAddr = iif (DstIpAddr == \"-\" or DstIpAddrIsHost, \"\", DstIpAddr)\n | extend \n EventSeverity = iff(EventResult == \"Success\", 
\"Informational\", \"Low\"),\n DstFQDNparts = split (DstFQDN, \".\")\n | extend \n DstHostname = tostring(DstFQDNparts[0]),\n DstDomain = strcat_array(array_slice(DstFQDNparts,1,-1),\".\"),\n DstDomainType = \"FQDN\"\n // -- aliases\n | extend \n EventStartTime = EventEndTime,\n Duration = NetworkDuration,\n HttpStatusCode = EventResultDetails,\n User = SrcUsername,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstHostname,\n Hostname = DstHostname\n | project-away AccessRawLog, RawData\n};\nparser (disabled)\n",
"version": 1,
"functionParameters": "disabled:bool=False"
}
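Review bot: The new `| project-rename Dvc = Computer` sets the `Dvc` alias directly without populating `DvcHostname`, whereas the other parsers on this page assign the field first and alias it afterwards (`DvcHostname = Computer` then `Dvc = DvcHostname` in the Zscaler firewall query, `DvcHostname = tostring(Computer)` in the Zscaler web query); any query or rule that filters on `DvcHostname` will not see the Squid events. Renaming to `DvcHostname = Computer` and adding `Dvc = DvcHostname,` to the existing `// -- aliases` extend (which currently has no Dvc entry) keeps it consistent with the rest of the set. The `UsernameType` → `SrcUsernameType` rename and the `tolong` cast for `DstBytes` look right.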


@ -35,7 +35,7 @@
"displayName": "Web Session ASIM parser for Zscaler ZIA",
"category": "ASIM",
"FunctionAlias": "ASimWebSessionZscalerZIA",
"query": "let parser=(disabled:bool=false){\nlet DvcActionLookup = datatable (DeviceAction:string, DvcAction: string) \n[\n 'Allowed', 'Allow',\n 'Blocked', 'Deny'\n]; \nCommonSecurityLog | where not(disabled)\n| where DeviceVendor == \"Zscaler\"\n| where DeviceProduct == \"NSSWeblog\"\n// Event fields\n| extend \n EventCount=int(1), \n EventStartTime=TimeGenerated, \n EventVendor = \"Zscaler\", \n EventProduct = \"ZIA Proxy\", \n EventSchema = \"WebSession\", \n EventSchemaVersion=\"0.2.3\", \n EventType = 'HTTPsession',\n EventEndTime=TimeGenerated\n| project-rename\n EventProductVersion = DeviceVersion,\n NetworkApplicationProtocol = ApplicationProtocol,\n HttpContentType = FileType,\n HttpUserAgent = RequestClientApplication,\n HttpRequestMethod = RequestMethod,\n DstAppName = DestinationServiceName,\n DstIpAddr = DestinationIP,\n DstFQDN = DestinationHostName,\n SrcIpAddr = SourceIP,\n SrcUsername = SourceUserName,\n SrcNatIpAddr= SourceTranslatedAddress,\n SrcUserDepartment = SourceUserPrivileges, // Not part of the standard schema\n UrlCategory = DeviceCustomString2,\n ThreatName = DeviceCustomString5,\n FileMD5 = DeviceCustomString6\n// -- Parse\n| parse AdditionalExtensions with \n * \"rulelabel=\" RuleName:string \";\"\n \"ruletype=\" ruletype:string \";\"\n \"urlclass=\" urlclass:string \";\"\n \"devicemodel=\" * \n// -- Calculated fields\n| lookup DvcActionLookup on DeviceAction\n| extend\n // -- Adjustment to support both old and new CSL fields.\n EventOriginalResultDetails = coalesce(\n column_ifexists(\"Reason\", \"\"),\n extract(@'reason=(.*?)(?:;|$)',1, AdditionalExtensions, typeof(string))\n ),\n EventResultDetails = coalesce(\n column_ifexists(\"EventOutcome\", \"\"),\n extract(@'outcome=(.*?)(?:;|$)',1, AdditionalExtensions, typeof(string))\n ),\n ThreatRiskLevel = coalesce(\n toint(column_ifexists(\"fieldDeviceCustomNumber1\", int(null))),\n toint(column_ifexists(\"DeviceCustomNumber1\",int(null)))\n ),\n DvcHostname = tostring(Computer),\n 
SrcBytes = toint(SentBytes),\n DstBytes = toint(ReceivedBytes),\n Url = iff (RequestURL == \"\", \"\", strcat (tolower(NetworkApplicationProtocol), \"://\", url_decode(RequestURL))),\n UrlCategory = strcat (urlclass, \"/\", UrlCategory),\n ThreatCategory = iff(DeviceCustomString4 == \"None\", \"\", strcat (DeviceCustomString3, \"/\", DeviceCustomString4)),\n RuleName = iff (RuleName == \"None\", \"\", strcat (ruletype, \"/\", RuleName)),\n FileMD5 = iff (FileMD5 == \"None\", \"\", FileMD5),\n HttpReferrer = iff (RequestContext == \"None\", \"\", url_decode(RequestContext)),\n DstAppName = iff (DstAppName == \"General Browsing\", \"\", DstAppName),\n DstFQDNparts = split (DstFQDN, \".\"),\n DstHostnameNotAddr = DstIpAddr != DstFQDN\n| extend\n DstHostname = iff (DstHostnameNotAddr, tostring(DstFQDNparts[0]), DstFQDN),\n DstDomain = iff (DstHostnameNotAddr, strcat_array(array_slice(DstFQDNparts,1,-1),\".\"), \"\"),\n DstFQDN = iff (DstHostnameNotAddr, DstFQDN, \"\") \n// -- Enrichment\n| extend\n EventResult = iff (EventResultDetails == \"NA\" or toint(EventResultDetails) >= 400, \"Failure\", \"Success\"),\n EventSeverity = case (ThreatRiskLevel > 90, \"High\", ThreatRiskLevel > 60, \"Medium\", ThreatRiskLevel > 10, \"Low\", \"Informational\"),\n DstAppType = \"SaaS application\",\n DstDomainType = iff (DstHostnameNotAddr, \"FQDN\", \"\"),\n SrcUsernameType = \"UPN\"\n// -- Aliases\n| extend\n Dvc = DvcHostname,\n UserAgent = HttpUserAgent,\n User = SrcUsername,\n HttpStatusCode = EventResultDetails,\n IpAddr = SrcNatIpAddr,\n Hash = FileMD5,\n FileHashType = iff(FileMD5 == \"\", \"\", \"MD5\")\n| project-away \n DstFQDNparts, AdditionalExtensions, DeviceCustom*\n};\nparser (disabled)",
"query": "let parser=(disabled:bool=false){\nlet DvcActionLookup = datatable (DeviceAction:string, DvcAction: string) \n[\n 'Allowed', 'Allow',\n 'Blocked', 'Deny'\n]; \nCommonSecurityLog | where not(disabled)\n| where DeviceVendor == \"Zscaler\"\n| where DeviceProduct == \"NSSWeblog\"\n// Event fields\n| extend \n EventCount=int(1), \n EventStartTime=TimeGenerated, \n EventVendor = \"Zscaler\", \n EventProduct = \"ZIA Proxy\", \n EventSchema = \"WebSession\", \n EventSchemaVersion=\"0.2.3\", \n EventType = 'HTTPsession',\n EventEndTime=TimeGenerated\n| project-rename\n EventProductVersion = DeviceVersion,\n NetworkApplicationProtocol = ApplicationProtocol,\n HttpContentType = FileType,\n HttpUserAgent = RequestClientApplication,\n HttpRequestMethod = RequestMethod,\n DstAppName = DestinationServiceName,\n DstIpAddr = DestinationIP,\n DstFQDN = DestinationHostName,\n SrcIpAddr = SourceIP,\n SrcUsername = SourceUserName,\n SrcNatIpAddr= SourceTranslatedAddress,\n SrcUserDepartment = SourceUserPrivileges, // Not part of the standard schema\n UrlCategory = DeviceCustomString2,\n ThreatName = DeviceCustomString5,\n FileMD5 = DeviceCustomString6\n// -- Parse\n| parse AdditionalExtensions with \n * \"rulelabel=\" RuleName:string \";\"\n \"ruletype=\" ruletype:string \";\"\n \"urlclass=\" urlclass:string \";\"\n \"devicemodel=\" * \n// -- Calculated fields\n| lookup DvcActionLookup on DeviceAction\n| extend\n // -- Adjustment to support both old and new CSL fields.\n EventOriginalResultDetails = coalesce(\n column_ifexists(\"Reason\", \"\"),\n extract(@'reason=(.*?)(?:;|$)',1, AdditionalExtensions, typeof(string))\n ),\n EventResultDetails = coalesce(\n column_ifexists(\"EventOutcome\", \"\"),\n extract(@'outcome=(.*?)(?:;|$)',1, AdditionalExtensions, typeof(string))\n ),\n ThreatRiskLevel = coalesce(\n toint(column_ifexists(\"fieldDeviceCustomNumber1\", int(null))),\n toint(column_ifexists(\"DeviceCustomNumber1\",int(null)))\n ),\n DvcHostname = tostring(Computer),\n 
SrcBytes = tolong(SentBytes),\n DstBytes = tolong(ReceivedBytes),\n Url = iff (RequestURL == \"\", \"\", strcat (tolower(NetworkApplicationProtocol), \"://\", url_decode(RequestURL))),\n UrlCategory = strcat (urlclass, \"/\", UrlCategory),\n ThreatCategory = iff(DeviceCustomString4 == \"None\", \"\", strcat (DeviceCustomString3, \"/\", DeviceCustomString4)),\n RuleName = iff (RuleName == \"None\", \"\", strcat (ruletype, \"/\", RuleName)),\n FileMD5 = iff (FileMD5 == \"None\", \"\", FileMD5),\n HttpReferrer = iff (RequestContext == \"None\", \"\", url_decode(RequestContext)),\n DstAppName = iff (DstAppName == \"General Browsing\", \"\", DstAppName),\n DstFQDNparts = split (DstFQDN, \".\"),\n DstHostnameNotAddr = DstIpAddr != DstFQDN\n| extend\n DstHostname = iff (DstHostnameNotAddr, tostring(DstFQDNparts[0]), DstFQDN),\n DstDomain = iff (DstHostnameNotAddr, strcat_array(array_slice(DstFQDNparts,1,-1),\".\"), \"\"),\n DstFQDN = iff (DstHostnameNotAddr, DstFQDN, \"\") \n// -- Enrichment\n| extend\n EventResult = iff (EventResultDetails == \"NA\" or toint(EventResultDetails) >= 400, \"Failure\", \"Success\"),\n EventSeverity = case (ThreatRiskLevel > 90, \"High\", ThreatRiskLevel > 60, \"Medium\", ThreatRiskLevel > 10, \"Low\", \"Informational\"),\n DstAppType = \"SaaS application\",\n DstDomainType = iff (DstHostnameNotAddr, \"FQDN\", \"\"),\n SrcUsernameType = \"UPN\"\n// -- Aliases\n| extend\n Dvc = DvcHostname,\n Hostname = DstHostname,\n UserAgent = HttpUserAgent,\n User = SrcUsername,\n HttpStatusCode = EventResultDetails,\n IpAddr = SrcNatIpAddr,\n Hash = FileMD5,\n FileHashType = iff(FileMD5 == \"\", \"\", \"MD5\")\n| project-away \n DstFQDNparts, AdditionalExtensions, DeviceCustom*\n};\nparser (disabled)",
"version": 1,
"functionParameters": "disabled:bool=False"
}
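Review bot: The alias block at the end of the new ASimWebSessionZscalerZIA query (L1820, the `// -- Aliases` extend) defines Dvc, Hostname, UserAgent, User, HttpStatusCode, IpAddr, Hash and FileHashType but no `Src`/`Dst`, while the filtering twin updated in this same commit (vim ZIA YAML, L2109–L2110) emits `Src = SrcNatIpAddr` and `Dst = DstFQDN`, and the Squid parsers alias `Dst = DstHostname`. Queries written against the aliases therefore behave differently depending on which parser serves them. If the omission is intentional, a one-line comment in the alias block saying so would help; otherwise adding `Src = SrcNatIpAddr,` and `Dst = DstFQDN,` next to `IpAddr = SrcNatIpAddr,` would align the two ZIA parsers. Whether `Dst` should alias DstHostname or DstFQDN I cannot tell from this diff, but Squid and ZIA currently disagree, so it is worth deciding once and applying everywhere.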


@ -18,6 +18,26 @@
},
"variables": {},
"resources": [
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimWebSessionSquidProxy",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimWebSession/ARM/vimWebSessionSquidProxy/vimWebSessionSquidProxy.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
@ -41,31 +61,11 @@
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimWebSessionSquidProxy",
"name": "linkedvimWebSessionzScalerZIA",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimWebSession/ARM/ASimWebSessionSquidProxy/ASimWebSessionSquidProxy.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimWebSessionzScalerZIA",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimWebSession/ARM/ASimWebSessionzScalerZIA/ASimWebSessionzScalerZIA.json",
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimWebSession/ARM/vimWebSessionzScalerZIA/vimWebSessionzScalerZIA.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
@ -121,11 +121,11 @@
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimWebSessionSquidProxy",
"name": "linkedASimWebSessionSquidProxy",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimWebSession/ARM/vimWebSessionSquidProxy/vimWebSessionSquidProxy.json",
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimWebSession/ARM/ASimWebSessionSquidProxy/ASimWebSessionSquidProxy.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
@ -141,11 +141,11 @@
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimWebSessionzScalerZIA",
"name": "linkedASimWebSessionzScalerZIA",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimWebSession/ARM/vimWebSessionzScalerZIA/vimWebSessionzScalerZIA.json",
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimWebSession/ARM/ASimWebSessionzScalerZIA/ASimWebSessionzScalerZIA.json",
"contentVersion": "1.0.0.0"
},
"parameters": {



@ -35,7 +35,7 @@
"displayName": "Web Session ASIM filtering parser for Squid Proxy",
"category": "ASIM",
"FunctionAlias": "vimWebSessionSquidProxy",
"query": "let parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n ipaddr_has_any_prefix:dynamic=dynamic([]), \n url_has_any:dynamic=dynamic([]),\n httpuseragent_has_any:dynamic=dynamic([]),\n eventresultdetails_in:dynamic=dynamic([]),\n eventresult:string='*',\n disabled:bool=false\n ){\nSquidProxy_CL | where not(disabled)\n // -- Pre filtering\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and (array_length(httpuseragent_has_any) == 0)\n and ((array_length(url_has_any) == 0) or (RawData has_any (url_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(RawData, srcipaddr_has_any_prefix))\n and ((array_length(ipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(RawData, ipaddr_has_any_prefix))\n and ((array_length(eventresultdetails_in) == 0) or (RawData has_any (eventresultdetails_in)))\n // -- Parse\n | extend AccessRawLog = extract_all(@\"^(\\d+\\.\\d+)\\s+(\\d+)\\s(\\S+)\\s([A-Z_]+)\\/(\\d+)\\s(\\d+)\\s([A-Z]+)\\s(\\S+)\\s(\\S+)\\s([A-Z_]+)\\/(\\S+)\\s(\\S+)\",dynamic([1,2,3,4,5,6,7,8,9,10,11,12]),RawData)[0]\n // -- Post filtering\n | extend EventResultDetails = tostring(AccessRawLog[4])\n | where array_length(eventresultdetails_in) == 0 or EventResultDetails in (eventresultdetails_in)\n | extend EventOriginalResultDetails = strcat (tostring(AccessRawLog[3]), \";\", PeerStatus = tostring(AccessRawLog[9]))\n | extend EventResult = iff (EventOriginalResultDetails has_any ('DENIED', 'INVALID', 'FAIL', 'ABORTED','TIMEOUT') or toint(EventResultDetails) >= 400, \"Failure\", \"Success\")\n | where eventresult == \"*\" or eventresult == EventResult\n // -- Map\n | extend\n EventEndTime = unixtime_milliseconds_todatetime(todouble(tostring(AccessRawLog[0]))*1000), \n NetworkDuration = toint(AccessRawLog[1]), \n SrcIpAddr = tostring(AccessRawLog[2]), \n DstBytes = toint(AccessRawLog[5]), 
\n HttpRequestMethod = tostring(AccessRawLog[6]), \n // -- Squid URL might be shortened by including ellipsis (...) instead of a section in the middle. This may impact the hostname part as well.\n Url = tostring(AccessRawLog[7]), \n SrcUsername = tostring(AccessRawLog[8]), \n DstIpAddr = tostring(AccessRawLog[10]), \n HttpContentType = tostring(AccessRawLog[11]) \n //\n | extend \n ASimMatchingIpAddr = case( \n array_length(ipaddr_has_any_prefix) == 0 , \"-\",\n has_any_ipv4_prefix(DstIpAddr, ipaddr_has_any_prefix), \"DstIpAddr\",\n has_any_ipv4_prefix(SrcIpAddr, ipaddr_has_any_prefix), \"SrcIpAddr\"\n , \"No match\"\n )\n // Post Filter\n | where \n (\n (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\n and (ASimMatchingIpAddr != \"No match\")\n )\n // -- Constant fields\n | extend \n EventCount = int(1), \n EventProduct = 'Squid Proxy', \n EventVendor = 'Squid', \n EventSchema = 'WebSession', \n EventSchemaVersion = '0.2.3', \n EventType = 'HTTPsession' \n // -- Value normalization\n | extend\n UsernameType = \"Unknown\",\n SrcUsername = iff (SrcUsername == \"-\", \"\", SrcUsername), \n HttpContentType = iff (HttpContentType in (\":\", \"-\"), \"\", HttpContentType), \n DstIpAddrIsHost = DstIpAddr matches regex @\"^[^\\:]*[a-zA-Z]$\"\n | extend \n DstFQDN = iif (DstIpAddrIsHost, DstIpAddr, tostring(parse_url(Url)[\"Host\"])),\n DstIpAddr = iif (DstIpAddr == \"-\" or DstIpAddrIsHost, \"\", DstIpAddr)\n | extend \n EventSeverity = iff(EventResult == \"Success\", \"Informational\", \"Low\"),\n DstFQDNparts = split (DstFQDN, \".\")\n | extend \n DstHostname = tostring(DstFQDNparts[0]),\n DstDomain = strcat_array(array_slice(DstFQDNparts,1,-1),\".\"),\n DstDomainType = \"FQDN\"\n // -- aliases\n | extend \n EventStartTime = EventEndTime,\n Duration = NetworkDuration,\n HttpStatusCode = EventResultDetails,\n User = SrcUsername,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstHostname,\n Hostname = 
DstHostname\n | project-away AccessRawLog, RawData\n};\nparser (starttime, endtime, srcipaddr_has_any_prefix, ipaddr_has_any_prefix, url_has_any, httpuseragent_has_any, eventresultdetails_in, eventresult, disabled)\n",
"query": "let parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n ipaddr_has_any_prefix:dynamic=dynamic([]), \n url_has_any:dynamic=dynamic([]),\n httpuseragent_has_any:dynamic=dynamic([]),\n eventresultdetails_in:dynamic=dynamic([]),\n eventresult:string='*',\n disabled:bool=false\n ){\nSquidProxy_CL | where not(disabled)\n // -- Pre filtering\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and (array_length(httpuseragent_has_any) == 0)\n and ((array_length(url_has_any) == 0) or (RawData has_any (url_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(RawData, srcipaddr_has_any_prefix))\n and ((array_length(ipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(RawData, ipaddr_has_any_prefix))\n and ((array_length(eventresultdetails_in) == 0) or (RawData has_any (eventresultdetails_in)))\n // -- Parse\n | extend AccessRawLog = extract_all(@\"^(\\d+\\.\\d+)\\s+(\\d+)\\s(\\S+)\\s([A-Z_]+)\\/(\\d+)\\s(\\d+)\\s([A-Z]+)\\s(\\S+)\\s(\\S+)\\s([A-Z_]+)\\/(\\S+)\\s(\\S+)\",dynamic([1,2,3,4,5,6,7,8,9,10,11,12]),RawData)[0]\n // -- Post filtering\n | extend EventResultDetails = tostring(AccessRawLog[4])\n | where array_length(eventresultdetails_in) == 0 or EventResultDetails in (eventresultdetails_in)\n | extend EventOriginalResultDetails = strcat (tostring(AccessRawLog[3]), \";\", PeerStatus = tostring(AccessRawLog[9]))\n | extend EventResult = iff (EventOriginalResultDetails has_any ('DENIED', 'INVALID', 'FAIL', 'ABORTED','TIMEOUT') or toint(EventResultDetails) >= 400, \"Failure\", \"Success\")\n | where eventresult == \"*\" or eventresult == EventResult\n // -- Map\n | project-rename\n Dvc = Computer\n | extend\n EventEndTime = unixtime_milliseconds_todatetime(todouble(tostring(AccessRawLog[0]))*1000), \n NetworkDuration = toint(AccessRawLog[1]), \n SrcIpAddr = tostring(AccessRawLog[2]), 
\n DstBytes = tolong(AccessRawLog[5]), \n HttpRequestMethod = tostring(AccessRawLog[6]), \n // -- Squid URL might be shortened by including ellipsis (...) instead of a section in the middle. This may impact the hostname part as well.\n Url = tostring(AccessRawLog[7]), \n SrcUsername = tostring(AccessRawLog[8]), \n DstIpAddr = tostring(AccessRawLog[10]), \n HttpContentType = tostring(AccessRawLog[11]) \n //\n | extend \n ASimMatchingIpAddr = case( \n array_length(ipaddr_has_any_prefix) == 0 , \"-\",\n has_any_ipv4_prefix(DstIpAddr, ipaddr_has_any_prefix), \"DstIpAddr\",\n has_any_ipv4_prefix(SrcIpAddr, ipaddr_has_any_prefix), \"SrcIpAddr\"\n , \"No match\"\n )\n // Post Filter\n | where \n (\n (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\n and (ASimMatchingIpAddr != \"No match\")\n )\n // -- Constant fields\n | extend \n EventCount = int(1), \n EventProduct = 'Squid Proxy', \n EventVendor = 'Squid', \n EventSchema = 'WebSession', \n EventSchemaVersion = '0.2.3', \n EventType = 'HTTPsession' \n // -- Value normalization\n | extend\n SrcUsernameType = \"Unknown\",\n SrcUsername = iff (SrcUsername == \"-\", \"\", SrcUsername), \n HttpContentType = iff (HttpContentType in (\":\", \"-\"), \"\", HttpContentType), \n DstIpAddrIsHost = DstIpAddr matches regex @\"^[^\\:]*[a-zA-Z]$\"\n | extend \n DstFQDN = iif (DstIpAddrIsHost, DstIpAddr, tostring(parse_url(Url)[\"Host\"])),\n DstIpAddr = iif (DstIpAddr == \"-\" or DstIpAddrIsHost, \"\", DstIpAddr)\n | extend \n EventSeverity = iff(EventResult == \"Success\", \"Informational\", \"Low\"),\n DstFQDNparts = split (DstFQDN, \".\")\n | extend \n DstHostname = tostring(DstFQDNparts[0]),\n DstDomain = strcat_array(array_slice(DstFQDNparts,1,-1),\".\"),\n DstDomainType = \"FQDN\"\n // -- aliases\n | extend \n EventStartTime = EventEndTime,\n Duration = NetworkDuration,\n HttpStatusCode = EventResultDetails,\n User = SrcUsername,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n 
Dst = DstHostname,\n Hostname = DstHostname\n | project-away AccessRawLog, RawData\n};\nparser (starttime, endtime, srcipaddr_has_any_prefix, ipaddr_has_any_prefix, url_has_any, httpuseragent_has_any, eventresultdetails_in, eventresult, disabled)\n",
"version": 1,
"functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),url_has_any:dynamic=dynamic([]),httpuseragent_has_any:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False"
}
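Review bot: In the new vimWebSessionSquidProxy query (L1928) the pre-filter clause `and (array_length(httpuseragent_has_any) == 0)` returns no rows at all whenever a caller supplies a user-agent filter, and nothing in the query says why; presumably Squid's native access log carries no user-agent field, but a reader of the where clause cannot distinguish that from a bug. A comment next to that clause such as `// Squid access logs carry no user agent, so any httpuseragent_has_any filter yields no rows by design` would make the contract explicit. The same clause is in the vim Squid YAML changed in this commit, though that part of the file is outside the visible hunks.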



@ -1,7 +1,7 @@
Parser:
Title: Web Session ASIM parser for Squid Proxy
Version: '0.2'
LastUpdated: Jan 13, 2022
Version: '0.3'
LastUpdated: Jun 15, 2022
Product:
Name: Squid Proxy
Normalization:
@ -28,13 +28,15 @@ ParserQuery: |
let parser=(disabled:bool=false){
SquidProxy_CL | where not(disabled)
| extend AccessRawLog = extract_all(@"^(\d+\.\d+)\s+(\d+)\s(\S+)\s([A-Z_]+)\/(\d+)\s(\d+)\s([A-Z]+)\s(\S+)\s(\S+)\s([A-Z_]+)\/(\S+)\s(\S+)",dynamic([1,2,3,4,5,6,7,8,9,10,11,12]),RawData)[0]
| project-rename
Dvc = Computer
| extend
EventEndTime = unixtime_milliseconds_todatetime(todouble(tostring(AccessRawLog[0]))*1000),
NetworkDuration = toint(AccessRawLog[1]),
SrcIpAddr = tostring(AccessRawLog[2]),
EventOriginalResultDetails = strcat (tostring(AccessRawLog[3]), ";", PeerStatus = tostring(AccessRawLog[9])),
EventResultDetails = tostring(AccessRawLog[4]),
DstBytes = toint(AccessRawLog[5]),
DstBytes = tolong(AccessRawLog[5]),
HttpRequestMethod = tostring(AccessRawLog[6]),
// -- Squid URL might be shortened by including ellipsis (...) instead of a section in the middle. This may impact the hostname part as well.
Url = tostring(AccessRawLog[7]),
@ -51,7 +53,7 @@ ParserQuery: |
EventType = 'HTTPsession'
// -- Value normalization
| extend
UsernameType = "Unknown",
SrcUsernameType = "Unknown",
SrcUsername = iff (SrcUsername == "-", "", SrcUsername),
HttpContentType = iff (HttpContentType in (":", "-"), "", HttpContentType),
EventResult = iff (EventOriginalResultDetails has_any ('DENIED', 'INVALID', 'FAIL', 'ABORTED','TIMEOUT') or toint(EventResultDetails) >= 400, "Failure", "Success"),
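Review bot: The added `| project-rename Dvc = Computer` at L1953–L1954 sets the Dvc alias directly, whereas the ZIA parsers in this same commit populate `DvcHostname = tostring(Computer)` and then alias `Dvc = DvcHostname` (L1991, L2002); after this change a Squid row carries Dvc but no DvcHostname, and I cannot tell from the diff whether DvcHostname is optional for WebSession. If it is meant to be populated, `| extend DvcHostname = Computer` followed by `Dvc = DvcHostname,` in the alias block would match the ZIA convention. The same rename appears in the vim Squid YAML (L2056–L2057) and in both Squid ARM queries (L1805, L1928), so whichever way this is resolved should be applied to all four.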


@ -1,7 +1,7 @@
Parser:
Title: Web Session ASIM parser for Zscaler ZIA
Version: '0.2'
LastUpdated: Jan 13, 2022
Version: '0.3'
LastUpdated: Jun 15, 2022
Product:
Name: Zscaler ZIA
Normalization:
@ -83,8 +83,8 @@ ParserQuery: |
toint(column_ifexists("DeviceCustomNumber1",int(null)))
),
DvcHostname = tostring(Computer),
SrcBytes = toint(SentBytes),
DstBytes = toint(ReceivedBytes),
SrcBytes = tolong(SentBytes),
DstBytes = tolong(ReceivedBytes),
Url = iff (RequestURL == "", "", strcat (tolower(NetworkApplicationProtocol), "://", url_decode(RequestURL))),
UrlCategory = strcat (urlclass, "/", UrlCategory),
ThreatCategory = iff(DeviceCustomString4 == "None", "", strcat (DeviceCustomString3, "/", DeviceCustomString4)),
@ -108,6 +108,7 @@ ParserQuery: |
// -- Aliases
| extend
Dvc = DvcHostname,
Hostname = DstHostname,
UserAgent = HttpUserAgent,
User = SrcUsername,
HttpStatusCode = EventResultDetails,
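Review bot: The new `Hostname = DstHostname` alias at L2003 sits directly under `Dvc = DvcHostname`, so a reader can easily assume Hostname refers to the reporting device rather than the destination host, and nothing in the hunk says which. A comment on the added line, `// Hostname aliases the destination host (DstHostname), not the reporting device (Dvc)`, would remove the ambiguity. The same alias is added in the vim ZIA YAML at L2104 and in the ASim ZIA ARM query (L1820); the Squid parsers already alias Hostname the same way, so the comment belongs in all of them.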


@ -1,7 +1,7 @@
Parser:
Title: Web Session ASIM schema function
Version: '0.2'
LastUpdated: Jan 13, 2022
Version: '0.3'
LastUpdated: Jun 15, 2022
Product:
Name: Microsoft
Normalization:
@ -121,12 +121,12 @@ ParserQuery: |
, Duration:int // Alias
, NetworkIcmpCode:int // Optional
, NetworkIcmpType:string // Optional
, DstBytes:int // Optional
, SrcBytes:int // Optional
, NetworkBytes:int // Optional
, DstPackets:int // Optional
, SrcPackets:int // Optional
, NetworkPackets:int // Optional
, DstBytes:long // Optional
, SrcBytes:long // Optional
, NetworkBytes:long // Optional
, DstPackets:long // Optional
, SrcPackets:long // Optional
, NetworkPackets:long // Optional
, NetworkSessionId:string // Optional
, SessionId:string // Alias
, NetworkConnectionHistory:string // Optional
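Review bot: Widening DstBytes, SrcBytes, NetworkBytes and the three packet columns from int to long at L2030–L2035 changes the type every WebSession parser's output must match; the Squid and ZIA parsers in this commit switch to `tolong`, but any other WebSession parser that still emits `toint` for these columns would now disagree with the schema function on union, and those files are not visible in this diff. The updated parsers still emit `EventSchemaVersion = '0.2.3'` (L1805, L1820), so if the widening reflects a revision of the schema itself rather than a function-level fix, that constant would be expected to move too. A line in the PR description stating which it is would help. `Duration:int` at L2021 stays int, which matches the parsers' `NetworkDuration = toint(...)`, so that one looks consistent.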


@ -1,7 +1,7 @@
Parser:
Title: Web Session ASIM filtering parser for Squid Proxy
Version: '0.5'
LastUpdated: Jan 13, 2022
Version: '0.6'
LastUpdated: Jun 15, 2022
Product:
Name: Squid Proxy
Normalization:
@ -79,11 +79,13 @@ ParserQuery: |
| extend EventResult = iff (EventOriginalResultDetails has_any ('DENIED', 'INVALID', 'FAIL', 'ABORTED','TIMEOUT') or toint(EventResultDetails) >= 400, "Failure", "Success")
| where eventresult == "*" or eventresult == EventResult
// -- Map
| project-rename
Dvc = Computer
| extend
EventEndTime = unixtime_milliseconds_todatetime(todouble(tostring(AccessRawLog[0]))*1000),
NetworkDuration = toint(AccessRawLog[1]),
SrcIpAddr = tostring(AccessRawLog[2]),
DstBytes = toint(AccessRawLog[5]),
DstBytes = tolong(AccessRawLog[5]),
HttpRequestMethod = tostring(AccessRawLog[6]),
// -- Squid URL might be shortened by including ellipsis (...) instead of a section in the middle. This may impact the hostname part as well.
Url = tostring(AccessRawLog[7]),
@ -114,7 +116,7 @@ ParserQuery: |
EventType = 'HTTPsession'
// -- Value normalization
| extend
UsernameType = "Unknown",
SrcUsernameType = "Unknown",
SrcUsername = iff (SrcUsername == "-", "", SrcUsername),
HttpContentType = iff (HttpContentType in (":", "-"), "", HttpContentType),
DstIpAddrIsHost = DstIpAddr matches regex @"^[^\:]*[a-zA-Z]$"
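Review bot: `DstIpAddrIsHost = DstIpAddr matches regex @"^[^\:]*[a-zA-Z]$"` at L2075 treats a value as a hostname only if it ends in a letter, so a destination label ending in a digit (`srv01`) is classified as an IP address: it stays in DstIpAddr and DstFQDN falls back to the URL host. This is pre-existing rather than introduced here, and the same expression is in the ASim Squid YAML just past L1974 and in both Squid ARM queries (L1805, L1929). A type-based test would be more robust, e.g. `DstIpAddrIsHost = DstIpAddr != "-" and isnull(parse_ipv4(DstIpAddr)) and isnull(parse_ipv6(DstIpAddr))`, which keeps the `"-"` case on the line that clears DstIpAddr below it; I have not verified how parse_ipv6 treats every destination format Squid can log, so a test row or two would be prudent.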


@ -1,7 +1,7 @@
Parser:
Title: Web Session ASIM filtering parser for Zscaler ZIA
Version: '0.4'
LastUpdated: Jan 13, 2022
Version: '0.5'
LastUpdated: Jun 15, 2022
Product:
Name: Zscaler ZIA Proxy
Normalization:
@ -160,8 +160,8 @@ ParserQuery: |
DstAppName = iff (DstAppName == "General Browsing", "", DstAppName),
DstFQDNparts = split (DstFQDN, "."),
DstHostnameNotAddr = DstIpAddr != DstFQDN,
DstBytes = toint(ReceivedBytes),
SrcBytes = toint(SentBytes),
DstBytes = tolong(ReceivedBytes),
SrcBytes = tolong(SentBytes),
DvcHostname = tostring(Computer)
| extend
DstHostname = iff (DstHostnameNotAddr, tostring(DstFQDNparts[0]), DstFQDN),
@ -176,6 +176,7 @@ ParserQuery: |
// -- Aliases
| extend
Dvc = DvcHostname,
Hostname = DstHostname,
UserAgent = HttpUserAgent,
User = SrcUsername,
HttpStatusCode = EventResultDetails,
@ -183,7 +184,6 @@ ParserQuery: |
Src = SrcNatIpAddr,
Dst = DstFQDN,
Hash = FileMD5,
Hostname = DstHostname,
FileHashType = iff(FileMD5 == "", "", "MD5")
| project-away
DstFQDNparts, AdditionalExtensions, DeviceCustom*