Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Merge pull request #5319 from Azure/asim/fixing-qaws-errors 

Asim/fixing qaws errors
This commit is contained in:
Ofer Shezaf 2022-06-16 15:15:04 +03:00 коммит произвёл GitHub
Родитель 7da1222613 513593f54a
Коммит 6bf12b274a
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 4AEE18F83AFDEB23
37 изменённых файлов: 710 добавлений и 690 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

2
Parsers/ASimDns/ARM/ASimDnsNative/ASimDnsNative.json
Просмотреть файл

@ -35,7 +35,7 @@
"displayName": "DNS activity ASIM parser for Microsoft Sentinel native DNS table",
"category": "ASIM",
"FunctionAlias": "ASimDnsNative",
"query": "let parser=(disabled:bool=false) \n{\n ASimDnsActivityLogs | where not(disabled)\n | extend\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventSchema = \"Dns\",\n EventSchemaVersion=\"0.1.3\"\n // -- Aliases\n | extend\n Dvc = DvcHostname,\n DnsResponseCodeName=EventResultDetails,\n Domain=DnsQuery,\n IpAddr=SrcIpAddr,\n Src=SrcIpAddr,\n DvcHostname = SrcIpAddr\n};\nparser (disabled)",
"query": "let parser=(disabled:bool=false) \n{\n ASimDnsActivityLogs | where not(disabled)\n | extend\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventSchema = \"Dns\",\n EventSchemaVersion=\"0.1.3\"\n // -- Aliases\n | extend\n Dvc = DvcHostname,\n DnsResponseCodeName=EventResultDetails,\n Domain=DnsQuery,\n IpAddr=SrcIpAddr,\n Src=SrcIpAddr,\n DvcHostname = SrcIpAddr,\n Duration = DnsNetworkDuration,\n Process = SrcProcessName,\n SessionId = DnsSessionId,\n User = SrcUsername,\n Hostname = SrcHostname\n};\nparser (disabled)",
"version": 1,
"functionParameters": "disabled:bool=False"
}

572
Parsers/ASimDns/ARM/FullDeploymentDns.json
Просмотреть файл

@ -18,6 +18,26 @@
},
"variables": {},
"resources": [
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimDnsGcp",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/vimDnsGcp/vimDnsGcp.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
@ -38,6 +58,66 @@
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimDnsMicrosoftNXlog",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/vimDnsMicrosoftNXlog/vimDnsMicrosoftNXlog.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimDnsVectraAI",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/ASimDnsVectraAI/ASimDnsVectraAI.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimDnsInfobloxNIOS",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/vimDnsInfobloxNIOS/vimDnsInfobloxNIOS.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
@ -58,6 +138,146 @@
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimDnsCorelightZeek",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/vimDnsCorelightZeek/vimDnsCorelightZeek.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimDnsZscalerZIA",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/vimDnsZscalerZIA/vimDnsZscalerZIA.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimDnsMicrosoftSysmon",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/vimDnsMicrosoftSysmon/vimDnsMicrosoftSysmon.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimDnsMicrosoftOMS",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/vimDnsMicrosoftOMS/vimDnsMicrosoftOMS.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimDnsAzureFirewall",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/vimDnsAzureFirewall/vimDnsAzureFirewall.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimDnsVectraAI",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/vimDnsVectraAI/vimDnsVectraAI.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimDnsEmpty",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/vimDnsEmpty/vimDnsEmpty.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
@ -81,11 +301,31 @@
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimDnsCorelightZeek",
"name": "linkedASimDnsNative",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/ASimDnsCorelightZeek/ASimDnsCorelightZeek.json",
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/ASimDnsNative/ASimDnsNative.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimDnsNative",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/vimDnsNative/vimDnsNative.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
@ -121,11 +361,11 @@
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimDnsInfobloxNIOS",
"name": "linkedASimDnsCorelightZeek",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/ASimDnsInfobloxNIOS/ASimDnsInfobloxNIOS.json",
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/ASimDnsCorelightZeek/ASimDnsCorelightZeek.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
@ -181,51 +421,11 @@
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimDnsMicrosoftSysmon",
"name": "linkedvimDnsCiscoUmbrella",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/ASimDnsMicrosoftSysmon/ASimDnsMicrosoftSysmon.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimDnsNative",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/ASimDnsNative/ASimDnsNative.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimDnsVectraAI",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/ASimDnsVectraAI/ASimDnsVectraAI.json",
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/vimDnsCiscoUmbrella/vimDnsCiscoUmbrella.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
@ -258,6 +458,46 @@
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimDnsInfobloxNIOS",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/ASimDnsInfobloxNIOS/ASimDnsInfobloxNIOS.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimDnsMicrosoftSysmon",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/ASimDnsMicrosoftSysmon/ASimDnsMicrosoftSysmon.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
@ -277,246 +517,6 @@
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimDnsAzureFirewall",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/vimDnsAzureFirewall/vimDnsAzureFirewall.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimDnsCiscoUmbrella",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/vimDnsCiscoUmbrella/vimDnsCiscoUmbrella.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimDnsCorelightZeek",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/vimDnsCorelightZeek/vimDnsCorelightZeek.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimDnsEmpty",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/vimDnsEmpty/vimDnsEmpty.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimDnsGcp",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/vimDnsGcp/vimDnsGcp.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimDnsInfobloxNIOS",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/vimDnsInfobloxNIOS/vimDnsInfobloxNIOS.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimDnsMicrosoftNXlog",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/vimDnsMicrosoftNXlog/vimDnsMicrosoftNXlog.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimDnsMicrosoftOMS",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/vimDnsMicrosoftOMS/vimDnsMicrosoftOMS.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimDnsMicrosoftSysmon",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/vimDnsMicrosoftSysmon/vimDnsMicrosoftSysmon.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimDnsNative",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/vimDnsNative/vimDnsNative.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimDnsVectraAI",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/vimDnsVectraAI/vimDnsVectraAI.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimDnsZscalerZIA",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/vimDnsZscalerZIA/vimDnsZscalerZIA.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
}
],
"outputs": {}

2
Parsers/ASimDns/ARM/vimDnsNative/vimDnsNative.json
Просмотреть файл

@ -35,7 +35,7 @@
"displayName": "DNS activity ASIM filtering parser for Microsoft Sentinel native DNS table",
"category": "ASIM",
"FunctionAlias": "vimDnsNative",
"query": "let parser=\n (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr:string='*',\n domain_has_any:dynamic=dynamic([]),\n responsecodename:string='*', \n response_has_ipv4:string='*',\n response_has_any_prefix:dynamic=dynamic([]),\n eventtype:string='Query',\n disabled:bool=false\n )\n {\n ASimDnsActivityLogs | where not(disabled)\n // -- Pre-parsing filtering:\n | where\n (response_has_ipv4=='*') and (response_has_any_prefix=='*') // -- Check that unsupported filters are set to default\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (srcipaddr=='*' or SrcIpAddr==srcipaddr)\n and (array_length(domain_has_any) ==0 or DnsQuery has_any (domain_has_any))\n and (responsecodename=='*' or EventResultDetails == responsecodename)\n //and (response_has_ipv4=='*' or has_ipv4(IPAddresses,response_has_ipv4) )\n //and (array_length(response_has_any_prefix) ==0 or has_any_ipv4_prefix(IPAddresses, response_has_any_prefix) )\n and (eventtype == \"*\" or eventtype == EventType or (eventtype == \"lookup\" and EventType == \"Query\")) // -- Support \"lookup\" as value for backward compatibility\n // --\n | extend\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventSchema = \"Dns\",\n EventSchemaVersion=\"0.1.3\"\n // -- Aliases\n | extend\n Dvc = DvcHostname,\n DnsResponseCodeName=EventResultDetails,\n Domain=DnsQuery,\n IpAddr=SrcIpAddr,\n Src=SrcIpAddr,\n Duration=DnsNetworkDuration,\n SessionId=DnsSessionId\n };\n parser (starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, disabled)\n",
"query": "let parser=\n (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr:string='*',\n domain_has_any:dynamic=dynamic([]),\n responsecodename:string='*', \n response_has_ipv4:string='*',\n response_has_any_prefix:dynamic=dynamic([]),\n eventtype:string='Query',\n disabled:bool=false\n )\n {\n ASimDnsActivityLogs | where not(disabled)\n // -- Pre-parsing filtering:\n | where\n (response_has_ipv4=='*') and (response_has_any_prefix=='*') // -- Check that unsupported filters are set to default\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (srcipaddr=='*' or SrcIpAddr==srcipaddr)\n and (array_length(domain_has_any) ==0 or DnsQuery has_any (domain_has_any))\n and (responsecodename=='*' or EventResultDetails == responsecodename)\n //and (response_has_ipv4=='*' or has_ipv4(IPAddresses,response_has_ipv4) )\n //and (array_length(response_has_any_prefix) ==0 or has_any_ipv4_prefix(IPAddresses, response_has_any_prefix) )\n and (eventtype == \"*\" or eventtype == EventType or (eventtype == \"lookup\" and EventType == \"Query\")) // -- Support \"lookup\" as value for backward compatibility\n // --\n | extend\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventSchema = \"Dns\",\n EventSchemaVersion=\"0.1.3\"\n // -- Aliases here\n | extend\n Dvc = DvcHostname,\n DnsResponseCodeName=EventResultDetails,\n Domain=DnsQuery,\n IpAddr=SrcIpAddr,\n Src=SrcIpAddr,\n SessionId=DnsSessionId,\n Duration = DnsNetworkDuration,\n Process = SrcProcessName,\n User = SrcUsername,\n Hostname = SrcHostname\n };\n parser (starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, disabled)\n",
"version": 1,
"functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr:string='*',domain_has_any:dynamic=dynamic([]),responsecodename:string='*',response_has_ipv4:string='*',response_has_any_prefix:dynamic=dynamic([]),eventtype:string='Query',disabled:bool=False"
}

11
Parsers/ASimDns/Parsers/ASimDnsNative.yaml
Просмотреть файл

@ -1,7 +1,7 @@
Parser:
Title: DNS activity ASIM parser for Microsoft Sentinel native DNS table
Version: '0.2'
LastUpdated: Jan 3 2022
Version: '0.3'
LastUpdated: Jun 15 2022
Product:
Name: Native
Normalization:
@ -36,6 +36,11 @@ ParserQuery: |
Domain=DnsQuery,
IpAddr=SrcIpAddr,
Src=SrcIpAddr,
DvcHostname = SrcIpAddr
DvcHostname = SrcIpAddr,
Duration = DnsNetworkDuration,
Process = SrcProcessName,
SessionId = DnsSessionId,
User = SrcUsername,
Hostname = SrcHostname
};
parser (disabled)

13
Parsers/ASimDns/Parsers/vimDnsNative.yaml
Просмотреть файл

@ -1,7 +1,7 @@
Parser:
Title: DNS activity ASIM filtering parser for Microsoft Sentinel native DNS table
Version: '0.2'
LastUpdated: Jan 3 2022
Version: '0.3'
LastUpdated: Jun 15 2022
Product:
Name: Native
Normalization:
@ -77,14 +77,17 @@ ParserQuery: |
EventEndTime = TimeGenerated,
EventSchema = "Dns",
EventSchemaVersion="0.1.3"
// -- Aliases
// -- Aliases here
| extend
Dvc = DvcHostname,
DnsResponseCodeName=EventResultDetails,
Domain=DnsQuery,
IpAddr=SrcIpAddr,
Src=SrcIpAddr,
Duration=DnsNetworkDuration,
SessionId=DnsSessionId
SessionId=DnsSessionId,
Duration = DnsNetworkDuration,
Process = SrcProcessName,
User = SrcUsername,
Hostname = SrcHostname
};
parser (starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, disabled)

2
Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAWSVPC/ASimNetworkSessionAWSVPC.json
Просмотреть файл

@ -35,7 +35,7 @@
"displayName": "Network Session ASIM parser for AWS VPC logs",
"category": "ASIM",
"FunctionAlias": "ASimNetworkSessionAWSVPC",
"query": "let ProtocolLookup = datatable(Protocol:int, NetworkProtocol:string) [\n 0,\"HOPOPT\",\n 1,\"ICMP\",\n 2,\"IGMP\",\n 3,\"GGP\",\n 4,\"IPv4\",\n 5,\"ST\",\n 6,\"TCP\",\n 7,\"CBT\",\n 8,\"EGP\",\n 9,\"IGP\",\n 10,\"BBN-RCC-MON\",\n 11,\"NVP-II\",\n 12,\"PUP\",\n 13,\"ARGUS (deprecated)\",\n 14,\"EMCON\",\n 15,\"XNET\",\n 16,\"CHAOS\",\n 17,\"UDP\",\n 18,\"MUX\",\n 19,\"DCN-MEAS\",\n 20,\"HMP\",\n 21,\"PRM\",\n 22,\"XNS-IDP\",\n 23,\"TRUNK-1\",\n 24,\"TRUNK-2\",\n 25,\"LEAF-1\",\n 26,\"LEAF-2\",\n 27,\"RDP\",\n 28,\"IRTP\",\n 29,\"ISO-TP4\",\n 30,\"NETBLT\",\n 31,\"MFE-NSP\",\n 32,\"MERIT-INP\",\n 33,\"DCCP\",\n 34,\"3PC\",\n 35,\"IDPR\",\n 36,\"XTP\",\n 37,\"DDP\",\n 38,\"IDPR-CMTP\",\n 39,\"TP++\",\n 40,\"IL\",\n 41,\"IPv6\",\n 42,\"SDRP\",\n 43,\"IPv6-Route\",\n 44,\"IPv6-Frag\",\n 45,\"IDRP\",\n 46,\"RSVP\",\n 47,\"GRE\",\n 48,\"DSR\",\n 49,\"BNA\",\n 50,\"ESP\",\n 51,\"AH\",\n 52,\"I-NLSP\",\n 53,\"SWIPE (deprecated)\",\n 54,\"NARP\",\n 55,\"MOBILE\",\n 56,\"TLSP\",\n 57,\"SKIP\",\n 58,\"IPv6-ICMP\",\n 59,\"IPv6-NoNxt\",\n 60,\"IPv6-Opts\",\n 61,\"\",\n 62,\"CFTP\",\n 63,\"\",\n 64,\"SAT-EXPAK\",\n 65,\"KRYPTOLAN\",\n 66,\"RVD\",\n 67,\"IPPC\",\n 68,\"\",\n 69,\"SAT-MON\",\n 70,\"VISA\",\n 71,\"IPCV\",\n 72,\"CPNX\",\n 73,\"CPHB\",\n 74,\"WSN\",\n 75,\"PVP\",\n 76,\"BR-SAT-MON\",\n 77,\"SUN-ND\",\n 78,\"WB-MON\",\n 79,\"WB-EXPAK\",\n 80,\"ISO-IP\",\n 81,\"VMTP\",\n 82,\"SECURE-VMTP\",\n 83,\"VINES\",\n 84,\"TTP\",\n 84,\"IPTM\",\n 85,\"NSFNET-IGP\",\n 86,\"DGP\",\n 87,\"TCF\",\n 88,\"EIGRP\",\n 89,\"OSPFIGP\",\n 90,\"Sprite-RPC\",\n 91,\"LARP\",\n 92,\"MTP\",\n 93,\"AX.25\",\n 94,\"IPIP\",\n 95,\"MICP (deprecated)\",\n 96,\"SCC-SP\",\n 97,\"ETHERIP\",\n 98,\"ENCAP\",\n 99,\"\",\n 100,\"GMTP\",\n 101,\"IFMP\",\n 102,\"PNNI\",\n 103,\"PIM\",\n 104,\"ARIS\",\n 105,\"SCPS\",\n 106,\"QNX\",\n 107,\"A/N\",\n 108,\"IPComp\",\n 109,\"SNP\",\n 110,\"Compaq-Peer\",\n 111,\"IPX-in-IP\",\n 112,\"VRRP\",\n 113,\"PGM\",\n 114,\"\",\n 115,\"L2TP\",\n 116,\"DDX\",\n 117,\"IATP\",\n 118,\"STP\",\n 119,\"SRP\",\n 120,\"UTI\",\n 121,\"SMP\",\n 122,\"SM (deprecated)\",\n 123,\"PTP\",\n 124,\"ISIS over IPv4\",\n 125,\"FIRE\",\n 126,\"CRTP\",\n 127,\"CRUDP\",\n 128,\"SSCOPMCE\",\n 129,\"IPLT\",\n 130,\"SPS\",\n 131,\"PIPE\",\n 132,\"SCTP\",\n 133,\"FC\",\n 134,\"RSVP-E2E-IGNORE\",\n 135,\"Mobility Header\",\n 136,\"UDPLite\",\n 137,\"MPLS-in-IP\",\n 138,\"manet\",\n 139,\"HIP\",\n 140,\"Shim6\",\n 141,\"WESP\",\n 142,\"ROHC\",\n 143,\"Ethernet\",\n 253,\"\",\n 254,\"\",\n 255,\"Reserved\"\n];\nlet DirectionLookup = datatable (FlowDirection:string, NetworkDirection:string) [\n 'ingress', 'Inbound',\n 'egress', 'Outbound'\n];\nlet ActionLookup = datatable (Action:string, DvcAction:string) [\n 'ACCEPT', 'Allow',\n 'REJECT', 'Deny'\n];\nlet parser = (disabled:bool=false){\nAWSVPCFlow | where not(disabled)\n| where LogStatus != \"NODATA\"\n| extend\n EventVendor=\"AWS\", \n EventProduct=\"VPC\",\n NetworkBytes = tolong(Bytes),\n NetworkPackets = tolong(Packets),\n EventProductVersion = tostring(Version),\n EventType=\"NetworkSession\",\n EventCount=toint(1),\n EventResult = iff (Action==\"ACCEPT\",\"Success\",\"Failure\"),\n EventSeverity = iff (Action==\"ACCEPT\",\"Informational\",\"Low\"),\n EventSchemaVersion=\"0.2.2\",\n EventSchema=\"NetworkSession\",\n SrcAppType = iff (PktSrcAwsService != \"\", \"CloudService\", \"\"),\n DstAppType = iff (PktDstAwsService != \"\", \"CloudService\", \"\"),\n DvcIdType = \"AwsVpcId\"\n| lookup ProtocolLookup on Protocol\n| lookup ActionLookup on Action\n| lookup DirectionLookup on FlowDirection\n| project-rename\n DstIpAddr = DstAddr, \n DstPortNumber = DstPort, \n SrcNatIpAddr=PktSrcAddr, \n DstNatIpAddr=PktDstAddr, \n SrcPortNumber = SrcPort, \n SrcIpAddr = SrcAddr, \n EventEndTime = End, \n DvcInboundInterface = InterfaceId,\n DvcSubscriptionId = AccountId,\n DvcId = VpcId,\n NetworkProtocolVersion = TrafficType,\n EventOriginalResultDetails = LogStatus,\n SrcAppName = PktSrcAwsService,\n DstAppName = PktDstAwsService\n// -- Aliases\n| extend\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Dvc = DvcId,\n EventStartTime = TimeGenerated,\n DvcInterface = DvcInboundInterface\n};\nparser (disabled)",
"query": "let ProtocolLookup = datatable(Protocol:int, NetworkProtocol:string) [\n 0,\"HOPOPT\",\n 1,\"ICMP\",\n 2,\"IGMP\",\n 3,\"GGP\",\n 4,\"IPv4\",\n 5,\"ST\",\n 6,\"TCP\",\n 7,\"CBT\",\n 8,\"EGP\",\n 9,\"IGP\",\n 10,\"BBN-RCC-MON\",\n 11,\"NVP-II\",\n 12,\"PUP\",\n 13,\"ARGUS (deprecated)\",\n 14,\"EMCON\",\n 15,\"XNET\",\n 16,\"CHAOS\",\n 17,\"UDP\",\n 18,\"MUX\",\n 19,\"DCN-MEAS\",\n 20,\"HMP\",\n 21,\"PRM\",\n 22,\"XNS-IDP\",\n 23,\"TRUNK-1\",\n 24,\"TRUNK-2\",\n 25,\"LEAF-1\",\n 26,\"LEAF-2\",\n 27,\"RDP\",\n 28,\"IRTP\",\n 29,\"ISO-TP4\",\n 30,\"NETBLT\",\n 31,\"MFE-NSP\",\n 32,\"MERIT-INP\",\n 33,\"DCCP\",\n 34,\"3PC\",\n 35,\"IDPR\",\n 36,\"XTP\",\n 37,\"DDP\",\n 38,\"IDPR-CMTP\",\n 39,\"TP++\",\n 40,\"IL\",\n 41,\"IPv6\",\n 42,\"SDRP\",\n 43,\"IPv6-Route\",\n 44,\"IPv6-Frag\",\n 45,\"IDRP\",\n 46,\"RSVP\",\n 47,\"GRE\",\n 48,\"DSR\",\n 49,\"BNA\",\n 50,\"ESP\",\n 51,\"AH\",\n 52,\"I-NLSP\",\n 53,\"SWIPE (deprecated)\",\n 54,\"NARP\",\n 55,\"MOBILE\",\n 56,\"TLSP\",\n 57,\"SKIP\",\n 58,\"IPv6-ICMP\",\n 59,\"IPv6-NoNxt\",\n 60,\"IPv6-Opts\",\n 61,\"\",\n 62,\"CFTP\",\n 63,\"\",\n 64,\"SAT-EXPAK\",\n 65,\"KRYPTOLAN\",\n 66,\"RVD\",\n 67,\"IPPC\",\n 68,\"\",\n 69,\"SAT-MON\",\n 70,\"VISA\",\n 71,\"IPCV\",\n 72,\"CPNX\",\n 73,\"CPHB\",\n 74,\"WSN\",\n 75,\"PVP\",\n 76,\"BR-SAT-MON\",\n 77,\"SUN-ND\",\n 78,\"WB-MON\",\n 79,\"WB-EXPAK\",\n 80,\"ISO-IP\",\n 81,\"VMTP\",\n 82,\"SECURE-VMTP\",\n 83,\"VINES\",\n 84,\"TTP\",\n 84,\"IPTM\",\n 85,\"NSFNET-IGP\",\n 86,\"DGP\",\n 87,\"TCF\",\n 88,\"EIGRP\",\n 89,\"OSPFIGP\",\n 90,\"Sprite-RPC\",\n 91,\"LARP\",\n 92,\"MTP\",\n 93,\"AX.25\",\n 94,\"IPIP\",\n 95,\"MICP (deprecated)\",\n 96,\"SCC-SP\",\n 97,\"ETHERIP\",\n 98,\"ENCAP\",\n 99,\"\",\n 100,\"GMTP\",\n 101,\"IFMP\",\n 102,\"PNNI\",\n 103,\"PIM\",\n 104,\"ARIS\",\n 105,\"SCPS\",\n 106,\"QNX\",\n 107,\"A/N\",\n 108,\"IPComp\",\n 109,\"SNP\",\n 110,\"Compaq-Peer\",\n 111,\"IPX-in-IP\",\n 112,\"VRRP\",\n 113,\"PGM\",\n 114,\"\",\n 115,\"L2TP\",\n 116,\"DDX\",\n 117,\"IATP\",\n 118,\"STP\",\n 119,\"SRP\",\n 120,\"UTI\",\n 121,\"SMP\",\n 122,\"SM (deprecated)\",\n 123,\"PTP\",\n 124,\"ISIS over IPv4\",\n 125,\"FIRE\",\n 126,\"CRTP\",\n 127,\"CRUDP\",\n 128,\"SSCOPMCE\",\n 129,\"IPLT\",\n 130,\"SPS\",\n 131,\"PIPE\",\n 132,\"SCTP\",\n 133,\"FC\",\n 134,\"RSVP-E2E-IGNORE\",\n 135,\"Mobility Header\",\n 136,\"UDPLite\",\n 137,\"MPLS-in-IP\",\n 138,\"manet\",\n 139,\"HIP\",\n 140,\"Shim6\",\n 141,\"WESP\",\n 142,\"ROHC\",\n 143,\"Ethernet\",\n 253,\"\",\n 254,\"\",\n 255,\"Reserved\"\n];\nlet DirectionLookup = datatable (FlowDirection:string, NetworkDirection:string) [\n 'ingress', 'Inbound',\n 'egress', 'Outbound'\n];\nlet ActionLookup = datatable (Action:string, DvcAction:string) [\n 'ACCEPT', 'Allow',\n 'REJECT', 'Deny'\n];\nlet parser = (disabled:bool=false){\nAWSVPCFlow | where not(disabled)\n| where LogStatus == \"OK\"\n| extend\n EventVendor=\"AWS\", \n EventProduct=\"VPC\",\n NetworkBytes = tolong(Bytes),\n NetworkPackets = tolong(Packets),\n EventProductVersion = tostring(Version),\n EventType=\"NetworkSession\",\n EventCount=toint(1),\n EventResult = iff (Action==\"ACCEPT\",\"Success\",\"Failure\"),\n EventSeverity = iff (Action==\"ACCEPT\",\"Informational\",\"Low\"),\n EventSchemaVersion=\"0.2.2\",\n EventSchema=\"NetworkSession\",\n SrcAppType = iff (PktSrcAwsService != \"\", \"CloudService\", \"\"),\n DstAppType = iff (PktDstAwsService != \"\", \"CloudService\", \"\"),\n DvcIdType = \"AwsVpcId\"\n| lookup ProtocolLookup on Protocol\n| lookup ActionLookup on Action\n| lookup DirectionLookup on FlowDirection\n| project-rename\n DstIpAddr = DstAddr, \n DstPortNumber = DstPort, \n SrcNatIpAddr=PktSrcAddr, \n DstNatIpAddr=PktDstAddr, \n SrcPortNumber = SrcPort, \n SrcIpAddr = SrcAddr, \n EventEndTime = End, \n DvcInboundInterface = InterfaceId,\n DvcSubscriptionId = AccountId,\n DvcId = VpcId,\n NetworkProtocolVersion = TrafficType,\n EventOriginalResultDetails = LogStatus,\n SrcAppName = PktSrcAwsService,\n DstAppName = PktDstAwsService\n// -- Aliases\n| extend\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Dvc = DvcId,\n EventStartTime = TimeGenerated,\n DvcInterface = DvcInboundInterface\n};\nparser (disabled)",
"version": 1,
"functionParameters": "disabled:bool=False"
}

2
Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoft365Defender/ASimNetworkSessionMicrosoft365Defender.json
Просмотреть файл

Различия файлов скрыты, потому что одна или несколько строк слишком длинны

2
Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftLinuxSysmon/ASimNetworkSessionMicrosoftLinuxSysmon.json
Просмотреть файл

@ -35,7 +35,7 @@
"displayName": "Network Session ASIM parser for Sysmon for Linux",
"category": "ASIM",
"FunctionAlias": "ASimNetworkSessionLinuxSysmon",
"query": "let DirectionNetworkEvents =\n Syslog | where not(disabled)\n | where SyslogMessage has_all ('<Provider Name=\"Linux-Sysmon\"', '<EventID>3</EventID>')\n | project-away ProcessName, ProcessID\n | parse SyslogMessage with * '<Data Name=\"SourceIp\">' SrcIpAddr:string '</Data>' *\n | extend outbound = (SrcIpAddr == HostIP or SrcIpAddr in ('127.0.0.1', '0.0.0.0'))\n ;\n let parser = (T: (SyslogMessage: string)) {\n T \n | parse SyslogMessage with \n *\n '<EventRecordID>' EventOriginalUid:string '</EventRecordID>'\n *\n '<Computer>' SysmonComputer:string '</Computer>'\n *\n '<Data Name=\"RuleName\">' RuleName:string '</Data>'\n '<Data Name=\"UtcTime\">' EventEndTime:datetime '</Data>'\n '<Data Name=\"ProcessGuid\">{' ProcessGuid:string '}</Data>'\n '<Data Name=\"ProcessId\">' ProcessId:string '</Data>'\n '<Data Name=\"Image\">' Process:string '</Data>'\n '<Data Name=\"User\">' User:string '</Data>'\n '<Data Name=\"Protocol\">' Protocol:string '</Data>' // -- source is lowercase\n '<Data Name=\"Initiated\">' Initiated:bool '</Data>' \n '<Data Name=\"SourceIsIpv6\">' SourceIsIpv6:bool '</Data>'\t\t\n '<Data Name=\"SourceIp\">' * '</Data>'\n '<Data Name=\"SourceHostname\">' SrcHostname:string '</Data>'\n '<Data Name=\"SourcePort\">' SrcPortNumber:int '</Data>'\n '<Data Name=\"SourcePortName\">' SrcPortName:string '</Data>'\n '<Data Name=\"DestinationIsIpv6\">' DestinationIsIpv6:bool '</Data>'\n '<Data Name=\"DestinationIp\">' DstIpAddr:string '</Data>'\n '<Data Name=\"DestinationHostname\">' DstHostname:string '</Data>'\n '<Data Name=\"DestinationPort\">' DstPortNumber:int '</Data>'\n '<Data Name=\"DestinationPortName\">' DstPortName:string '</Data>'\n *\n };\n let OutboundNetworkEvents = \n DirectionNetworkEvents\n | where outbound\n | invoke parser ()\n | extend\n SrcUsernameType = 'Simple',\n SrcUsername = User,\n SrcProcessId = ProcessId, \n SrcProcessGuid = ProcessGuid,\n SrcProcessName = Process,\n SrcAppName = Process,\n SrcAppType = 'Process'\n | project-away SyslogMessage\n ;\n let InboundNetworkEvents = \n DirectionNetworkEvents\n | where not(outbound)\n | invoke parser ()\n | extend\n DstUsernameType = 'Simple',\n DstUsername = User,\n DstProcessId = ProcessId, \n DstProcessGuid = ProcessGuid,\n DstProcessName = Process,\n DstAppName = Process,\n DstAppType = 'Process' \n | project-away SyslogMessage\n ; \n let SysmonForLinuxNetwork=\n union OutboundNetworkEvents, InboundNetworkEvents\n | extend \n EventType = 'NetworkSession',\n EventStartTime = EventEndTime,\n EventCount = int(1),\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.2.0',\n EventSchema = 'NetworkSession', \n EventProduct = 'Sysmon for Linux',\n EventResult = 'Success',\n EventSeverity = 'Informational',\n DvcOs = 'Linux',\n Protocol = toupper(Protocol),\n EventOriginalType = '3' // Set with a constant value to avoid parsing\n | project-rename \n DvcIpAddr = HostIP,\n DvcHostname = SysmonComputer\n | extend // aliases\n Dvc = DvcHostname,\n Hostname = DstHostname,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr\n ;\n SysmonForLinuxNetwork",
"query": "let DirectionNetworkEvents =\n Syslog | where not(disabled)\n | where SyslogMessage has_all ('<Provider Name=\"Linux-Sysmon\"', '<EventID>3</EventID>')\n | project-away ProcessName, ProcessID\n | parse SyslogMessage with * '<Data Name=\"SourceIp\">' SrcIpAddr:string '</Data>' *\n | extend outbound = (SrcIpAddr == HostIP or SrcIpAddr in ('127.0.0.1', '0.0.0.0'))\n ;\n let parser = (T: (SyslogMessage: string)) {\n T \n | parse SyslogMessage with \n *\n '<EventRecordID>' EventOriginalUid:string '</EventRecordID>'\n *\n '<Computer>' SysmonComputer:string '</Computer>'\n *\n '<Data Name=\"RuleName\">' RuleName:string '</Data>'\n '<Data Name=\"UtcTime\">' EventEndTime:datetime '</Data>'\n '<Data Name=\"ProcessGuid\">{' ProcessGuid:string '}</Data>'\n '<Data Name=\"ProcessId\">' ProcessId:string '</Data>'\n '<Data Name=\"Image\">' Process:string '</Data>'\n '<Data Name=\"User\">' User:string '</Data>'\n '<Data Name=\"Protocol\">' Protocol:string '</Data>' // -- source is lowercase\n '<Data Name=\"Initiated\">' Initiated:bool '</Data>' \n '<Data Name=\"SourceIsIpv6\">' SourceIsIpv6:bool '</Data>'\t\t\n '<Data Name=\"SourceIp\">' * '</Data>'\n '<Data Name=\"SourceHostname\">' SrcHostname:string '</Data>'\n '<Data Name=\"SourcePort\">' SrcPortNumber:int '</Data>'\n '<Data Name=\"SourcePortName\">' SrcPortName:string '</Data>'\n '<Data Name=\"DestinationIsIpv6\">' DestinationIsIpv6:bool '</Data>'\n '<Data Name=\"DestinationIp\">' DstIpAddr:string '</Data>'\n '<Data Name=\"DestinationHostname\">' DstHostname:string '</Data>'\n '<Data Name=\"DestinationPort\">' DstPortNumber:int '</Data>'\n '<Data Name=\"DestinationPortName\">' DstPortName:string '</Data>'\n *\n };\n let OutboundNetworkEvents = \n DirectionNetworkEvents\n | where outbound\n | invoke parser ()\n | extend\n SrcUsernameType = 'Simple',\n SrcUsername = User,\n SrcProcessId = ProcessId, \n SrcProcessGuid = ProcessGuid,\n SrcProcessName = Process,\n SrcAppName = Process,\n SrcAppType = 'Process'\n | project-away SyslogMessage\n ;\n let InboundNetworkEvents = \n DirectionNetworkEvents\n | where not(outbound)\n | invoke parser ()\n | extend\n DstUsernameType = 'Simple',\n DstUsername = User,\n DstProcessId = ProcessId, \n DstProcessGuid = ProcessGuid,\n DstProcessName = Process,\n DstAppName = Process,\n DstAppType = 'Process' \n | project-away SyslogMessage\n ; \n let SysmonForLinuxNetwork=\n union OutboundNetworkEvents, InboundNetworkEvents\n | extend \n EventType = 'NetworkSession',\n EventStartTime = EventEndTime,\n EventCount = int(1),\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.2.0',\n EventSchema = 'NetworkSession', \n EventProduct = 'Sysmon for Linux',\n EventResult = 'Success',\n EventSeverity = 'Informational',\n DvcOs = 'Linux',\n Protocol = toupper(Protocol),\n NetworkDirection = iff(outbound, \"Ountbound\", \"Inbound\"),\n EventOriginalType = '3' // Set with a constant value to avoid parsing\n | project-rename \n DvcIpAddr = HostIP,\n DvcHostname = SysmonComputer\n | extend // aliases\n Dvc = DvcHostname,\n Hostname = DstHostname,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr\n ;\n SysmonForLinuxNetwork",
"version": 1,
"functionParameters": "disabled:bool=False"
}

2
Parsers/ASimNetworkSession/ARM/ASimNetworkSessionVMConnection/ASimNetworkSessionVMConnection.json
Просмотреть файл

Различия файлов скрыты, потому что одна или несколько строк слишком длинны

2
Parsers/ASimNetworkSession/ARM/ASimNetworkSessionzScalerZIA/ASimNetworkSessionzScalerZIA.json
Просмотреть файл

@ -35,7 +35,7 @@
"displayName": "Network Session ASIM parser for Zscaler ZIA Firewall",
"category": "ASIM",
"FunctionAlias": "ASimNetworkSessionZscalerZIA",
"query": "let ActionLookup = datatable (DvcOriginalAction: string, DvcAction:string) [\n // See https://help.zscaler.com/zia/firewall-insights-logs-filters\n 'Allow','Allow',\n 'Allow due to insufficient app data','Allow',\n 'Block/Drop','Drop',\n 'Block/ICMP','Drop ICMP',\n 'Block/Reset', 'Reset',\n 'IPS Drop', 'Drop',\n 'IPS Reset', 'Reset',\n // Observed in real world events\n 'Block ICMP', 'Drop ICMP',\n 'Drop', 'Drop'\n];\nlet parser=(disabled:bool=false){\nCommonSecurityLog | where not(disabled)\n| where DeviceVendor == \"Zscaler\"\n| where DeviceProduct == \"NSSFWlog\"\n// Event fields\n| extend \n EventStartTime=TimeGenerated, \n EventVendor = \"Zscaler\", \n EventProduct = \"ZIA Firewall\", \n EventSchema = \"NetworkSession\", \n EventSchemaVersion=\"0.2.1\", \n EventType = 'NetworkSession', \n EventSeverity = 'Informational',\n EventEndTime=TimeGenerated \n| project-rename\n DvcOriginalAction = DeviceAction, \n DvcHostname = Computer, \n EventProductVersion = DeviceVersion, \n NetworkProtocol = Protocol, \n DstIpAddr = DestinationIP, \n DstPortNumber = DestinationPort, \n DstNatIpAddr = DestinationTranslatedAddress, \n DstNatPortNumber = DestinationTranslatedPort,\n DstAppName = DeviceCustomString3, \n NetworkApplicationProtocol = DeviceCustomString2, \n SrcIpAddr = SourceIP, \n SrcPortNumber = SourcePort, \n SrcUsername = SourceUserName,\n SrcNatIpAddr= SourceTranslatedAddress, \n SrcNatPortNumber = SourceTranslatedPort, \n SrcUserDepartment = DeviceCustomString1, // Not in standard schema\n SrcUserLocation = SourceUserPrivileges, // Not in standard schema\n ThreatName = DeviceCustomString6, \n ThreatCategory = DeviceCustomString5, \n RuleName = Activity \n// -- Calculated fields\n| lookup ActionLookup on DvcOriginalAction \n| extend\n // -- Adjustment to support both old and new CSL fields.\n EventCount=coalesce(\n toint(column_ifexists(\"fieldDeviceCustomNumber2\", int(null))), \n toint(column_ifexists(\"DeviceCustomNumber2\",int(null)))\n ),\n NetworkDuration = coalesce(\n toint(column_ifexists(\"fieldDeviceCustomNumber1\", int(null))),\n toint(column_ifexists(\"DeviceCustomNumber1\",int(null)))\n ),\n ThreatCategory = iff(DeviceCustomString4 == \"None\", \"\", ThreatCategory),\n SrcUsername = iff (SrcUsername == SrcUserLocation, \"\", SrcUsername),\n DstBytes = tolong(ReceivedBytes), \n SrcBytes = tolong(SentBytes)\n// -- Enrichment\n| extend\n EventResult = iff (DvcOriginalAction == \"Allow\", \"Success\", \"Failure\"),\n DstAppType = \"Service\", \n SrcUsernameType = \"UPN\" \n// -- Aliases\n| extend\n Dvc = DvcHostname,\n User = SrcUsername,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Duration = NetworkDuration\n| project-away \n DeviceCustom*\n};\nparser (disabled)",
"query": "let ActionLookup = datatable (DvcOriginalAction: string, DvcAction:string) [\n // See https://help.zscaler.com/zia/firewall-insights-logs-filters\n 'Allow','Allow',\n 'Allow due to insufficient app data','Allow',\n 'Block/Drop','Drop',\n 'Block/ICMP','Drop ICMP',\n 'Block/Reset', 'Reset',\n 'IPS Drop', 'Drop',\n 'IPS Reset', 'Reset',\n // Observed in real world events\n 'Block ICMP', 'Drop ICMP',\n 'Drop', 'Drop'\n];\nlet parser=(disabled:bool=false){\nCommonSecurityLog | where not(disabled)\n| where DeviceVendor == \"Zscaler\"\n| where DeviceProduct == \"NSSFWlog\"\n// Event fields\n| extend \n EventStartTime=TimeGenerated, \n EventVendor = \"Zscaler\", \n EventProduct = \"ZIA Firewall\", \n EventSchema = \"NetworkSession\", \n EventSchemaVersion=\"0.2.1\", \n EventType = 'NetworkSession', \n EventSeverity = 'Informational',\n EventEndTime=TimeGenerated \n| project-rename\n DvcOriginalAction = DeviceAction, \n DvcHostname = Computer, \n EventProductVersion = DeviceVersion, \n NetworkProtocol = Protocol, \n DstIpAddr = DestinationIP, \n DstPortNumber = DestinationPort, \n DstNatIpAddr = DestinationTranslatedAddress, \n DstNatPortNumber = DestinationTranslatedPort,\n DstAppName = DeviceCustomString3, \n NetworkApplicationProtocol = DeviceCustomString2, \n SrcIpAddr = SourceIP, \n SrcPortNumber = SourcePort, \n SrcUsername = SourceUserName,\n SrcNatIpAddr= SourceTranslatedAddress, \n SrcNatPortNumber = SourceTranslatedPort, \n SrcUserDepartment = DeviceCustomString1, // Not in standard schema\n SrcUserLocation = SourceUserPrivileges, // Not in standard schema\n ThreatName = DeviceCustomString6, \n ThreatCategory = DeviceCustomString5, \n NetworkRuleName = Activity \n// -- Calculated fields\n| lookup ActionLookup on DvcOriginalAction \n| extend\n // -- Adjustment to support both old and new CSL fields.\n EventCount=coalesce(\n toint(column_ifexists(\"fieldDeviceCustomNumber2\", int(null))), \n toint(column_ifexists(\"DeviceCustomNumber2\",int(null)))\n ),\n NetworkDuration = coalesce(\n toint(column_ifexists(\"fieldDeviceCustomNumber1\", int(null))),\n toint(column_ifexists(\"DeviceCustomNumber1\",int(null)))\n ),\n ThreatCategory = iff(DeviceCustomString4 == \"None\", \"\", ThreatCategory),\n SrcUsername = iff (SrcUsername == SrcUserLocation, \"\", SrcUsername),\n DstBytes = tolong(ReceivedBytes), \n SrcBytes = tolong(SentBytes)\n// -- Enrichment\n| extend\n EventResult = iff (DvcOriginalAction == \"Allow\", \"Success\", \"Failure\"),\n DstAppType = \"Service\", \n SrcUsernameType = \"UPN\" \n// -- Aliases\n| extend\n Dvc = DvcHostname,\n User = SrcUsername,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Rule = NetworkRuleName,\n Duration = NetworkDuration\n| project-away \n DeviceCustom*\n};\nparser (disabled)",
"version": 1,
"functionParameters": "disabled:bool=False"
}

408
Parsers/ASimNetworkSession/ARM/FullDeploymentNetworkSession.json
Просмотреть файл

@ -18,46 +18,6 @@
},
"variables": {},
"resources": [
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionEmpty",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionEmpty/vimNetworkSessionEmpty.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionAzureFirewall",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAzureFirewall/ASimNetworkSessionAzureFirewall.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
@ -81,51 +41,11 @@
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionVMConnection",
"name": "linkedvimNetworkSessionEmpty",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVMConnection/vimNetworkSessionVMConnection.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionPaloAltoCEF",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionPaloAltoCEF/ASimNetworkSessionPaloAltoCEF.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionAzureNSG",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAzureNSG/ASimNetworkSessionAzureNSG.json",
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionEmpty/vimNetworkSessionEmpty.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
@ -161,11 +81,11 @@
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedimNetworkSession",
"name": "linkedASimNetworkSessionAzureFirewall",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/imNetworkSession/imNetworkSession.json",
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAzureFirewall/ASimNetworkSessionAzureFirewall.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
@ -181,11 +101,11 @@
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionMicrosoft365Defender",
"name": "linkedvimNetworkSessionMicrosoft365Defender",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoft365Defender/ASimNetworkSessionMicrosoft365Defender.json",
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoft365Defender/vimNetworkSessionMicrosoft365Defender.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
@ -201,11 +121,11 @@
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionAWSVPC",
"name": "linkedvimNetworkSessionVMConnection",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAWSVPC/ASimNetworkSessionAWSVPC.json",
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVMConnection/vimNetworkSessionVMConnection.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
@ -221,91 +141,11 @@
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionVMConnection",
"name": "linkedvimNetworkSessionAzureNSG",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionVMConnection/ASimNetworkSessionVMConnection.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionCiscoMeraki",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoMeraki/ASimNetworkSessionCiscoMeraki.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionAWSVPC",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAWSVPC/vimNetworkSessionAWSVPC.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionMicrosoftWindowsEventFirewall",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftWindowsEventFirewall/ASimNetworkSessionMicrosoftWindowsEventFirewall.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionzScalerZIA",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionzScalerZIA/vimNetworkSessionzScalerZIA.json",
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAzureNSG/vimNetworkSessionAzureNSG.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
@ -361,31 +201,11 @@
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionAzureNSG",
"name": "linkedvimNetworkSessionCiscoMeraki",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAzureNSG/vimNetworkSessionAzureNSG.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionMicrosoftWindowsEventFirewall",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftWindowsEventFirewall/vimNetworkSessionMicrosoftWindowsEventFirewall.json",
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoMeraki/vimNetworkSessionCiscoMeraki.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
@ -421,11 +241,11 @@
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionMicrosoftLinuxSysmon",
"name": "linkedASimNetworkSessionMicrosoftLinuxSysmon",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftLinuxSysmon/vimNetworkSessionMicrosoftLinuxSysmon.json",
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftLinuxSysmon/ASimNetworkSessionMicrosoftLinuxSysmon.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
@ -441,11 +261,11 @@
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSession",
"name": "linkedASimNetworkSessionPaloAltoCEF",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSession/ASimNetworkSession.json",
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionPaloAltoCEF/ASimNetworkSessionPaloAltoCEF.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
@ -461,11 +281,11 @@
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionCiscoMeraki",
"name": "linkedimNetworkSession",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoMeraki/vimNetworkSessionCiscoMeraki.json",
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/imNetworkSession/imNetworkSession.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
@ -481,11 +301,11 @@
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionVectraAI",
"name": "linkedASimNetworkSessionVMConnection",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVectraAI/vimNetworkSessionVectraAI.json",
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionVMConnection/ASimNetworkSessionVMConnection.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
@ -501,11 +321,91 @@
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionMicrosoft365Defender",
"name": "linkedASimNetworkSessionMicrosoft365Defender",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoft365Defender/vimNetworkSessionMicrosoft365Defender.json",
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoft365Defender/ASimNetworkSessionMicrosoft365Defender.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionAWSVPC",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAWSVPC/ASimNetworkSessionAWSVPC.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionzScalerZIA",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionzScalerZIA/vimNetworkSessionzScalerZIA.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionAWSVPC",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAWSVPC/vimNetworkSessionAWSVPC.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionMicrosoftWindowsEventFirewall",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftWindowsEventFirewall/ASimNetworkSessionMicrosoftWindowsEventFirewall.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
@ -541,11 +441,111 @@
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionMicrosoftLinuxSysmon",
"name": "linkedASimNetworkSession",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftLinuxSysmon/ASimNetworkSessionMicrosoftLinuxSysmon.json",
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSession/ASimNetworkSession.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionAzureNSG",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAzureNSG/ASimNetworkSessionAzureNSG.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionMicrosoftWindowsEventFirewall",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftWindowsEventFirewall/vimNetworkSessionMicrosoftWindowsEventFirewall.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionVectraAI",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVectraAI/vimNetworkSessionVectraAI.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionMicrosoftLinuxSysmon",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftLinuxSysmon/vimNetworkSessionMicrosoftLinuxSysmon.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionCiscoMeraki",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoMeraki/ASimNetworkSessionCiscoMeraki.json",
"contentVersion": "1.0.0.0"
},
"parameters": {

2
Parsers/ASimNetworkSession/ARM/vimNetworkSessionAWSVPC/vimNetworkSessionAWSVPC.json
Просмотреть файл

Различия файлов скрыты, потому что одна или несколько строк слишком длинны

2
Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoft365Defender/vimNetworkSessionMicrosoft365Defender.json
Просмотреть файл

Различия файлов скрыты, потому что одна или несколько строк слишком длинны

2
Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftLinuxSysmon/vimNetworkSessionMicrosoftLinuxSysmon.json
Просмотреть файл

Различия файлов скрыты, потому что одна или несколько строк слишком длинны

2
Parsers/ASimNetworkSession/ARM/vimNetworkSessionVMConnection/vimNetworkSessionVMConnection.json
Просмотреть файл

Различия файлов скрыты, потому что одна или несколько строк слишком длинны

2
Parsers/ASimNetworkSession/ARM/vimNetworkSessionzScalerZIA/vimNetworkSessionzScalerZIA.json
Просмотреть файл

@ -35,7 +35,7 @@
"displayName": "Network Session ASIM filtering parser for Zscaler ZIA firewall",
"category": "ASIM",
"FunctionAlias": "vimNetworkSessionZscalerZIA",
"query": "let ActionLookup = datatable (DvcOriginalAction: string, DvcAction:string) [\n // See https://help.zscaler.com/zia/firewall-insights-logs-filters\n 'Allow','Allow',\n 'Allow due to insufficient app data','Allow',\n 'Block/Drop','Drop',\n 'Block/ICMP','Drop ICMP',\n 'Block/Reset', 'Reset',\n 'IPS Drop', 'Drop',\n 'IPS Reset', 'Reset',\n // Observed in real world events\n 'Block ICMP', 'Drop ICMP',\n 'Drop', 'Drop'\n];\nlet parser= \n (starttime:datetime=datetime(null)\n , endtime:datetime=datetime(null)\n , srcipaddr_has_any_prefix:dynamic=dynamic([])\n , dstipaddr_has_any_prefix:dynamic=dynamic([])\n , ipaddr_has_any_prefix:dynamic=dynamic([])\n , dstportnumber:int=int(null)\n , hostname_has_any:dynamic=dynamic([])\n , dvcaction:dynamic=dynamic([])\n , eventresult:string='*'\n , disabled:bool=false) {\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \nCommonSecurityLog \n| where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n| where not(disabled)\n| where DeviceVendor == \"Zscaler\"\n| where DeviceProduct == \"NSSFWlog\"\n|where\n (array_length(hostname_has_any) == 0) // No host name information, so always filter out if hostname filter used. \n and (isnull(dstportnumber) or dstportnumber == DestinationPort) \n| extend temp_SrcMatch=has_any_ipv4_prefix(SourceIP,src_or_any), temp_DstMatch=has_any_ipv4_prefix(DestinationIP,dst_or_any)\n| extend ASimMatchingIpAddr=case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0 ,\"-\",\n temp_SrcMatch and temp_DstMatch, \"Both\",\n temp_SrcMatch, \"SrcIpAddr\",\n temp_DstMatch, \"DstIpAddr\",\n \"No match\"\n )\n// -- Pre-filtering\n| where ASimMatchingIpAddr != \"No match\"\n| project-away temp_*\n| project-rename DvcOriginalAction = DeviceAction\n| lookup ActionLookup on DvcOriginalAction \n| where array_length(dvcaction) == 0 or DvcAction in (dvcaction)\n| extend EventResult = iff (DvcOriginalAction == \"Allow\", \"Success\", \"Failure\") \n| where (eventresult=='*' or EventResult == eventresult)\n// -- Event fields\n| extend \n EventStartTime=TimeGenerated, \n EventVendor = \"Zscaler\", \n EventProduct = \"ZIA Firewall\", \n EventSchema = \"NetworkSession\", \n EventSchemaVersion=\"0.2.3\", \n EventType = 'NetworkSession', \n EventSeverity = 'Informational',\n EventEndTime=TimeGenerated \n| project-rename\n DvcHostname = Computer, \n EventProductVersion = DeviceVersion, \n NetworkProtocol = Protocol, \n DstIpAddr = DestinationIP, \n DstPortNumber = DestinationPort, \n DstNatIpAddr = DestinationTranslatedAddress, \n DstNatPortNumber = DestinationTranslatedPort, \n DstAppName = DeviceCustomString3, \n NetworkApplicationProtocol = DeviceCustomString2, \n SrcIpAddr = SourceIP, \n SrcPortNumber = SourcePort, \n SrcUsername = SourceUserName,\n SrcNatIpAddr= SourceTranslatedAddress, \n SrcNatPortNumber = SourceTranslatedPort, \n SrcUserDepartment = DeviceCustomString1, // Not in standard schema\n SrcUserLocation = SourceUserPrivileges, // Not in standard schema\n ThreatName = DeviceCustomString6, \n ThreatCategory = DeviceCustomString5, \n RuleName = Activity \n// -- Calculated fields\n| extend\n // -- Adjustment to support both old and new CSL fields.\n EventCount=coalesce(\n toint(column_ifexists(\"fieldDeviceCustomNumber2\", int(null))), \n toint(column_ifexists(\"DeviceCustomNumber2\",int(null)))\n ),\n NetworkDuration = coalesce(\n toint(column_ifexists(\"fieldDeviceCustomNumber1\", int(null))),\n toint(column_ifexists(\"DeviceCustomNumber1\",int(null)))\n ),\n ThreatCategory = iff(DeviceCustomString4 == \"None\", \"\", ThreatCategory),\n SrcUsername = iff (SrcUsername == SrcUserLocation, \"\", SrcUsername),\n DstBytes = tolong(ReceivedBytes), \n SrcBytes = tolong(SentBytes)\n// -- Enrichment\n| extend\n DstAppType = \"Service\", \n SrcUsernameType = \"UPN\" \n// -- Aliases\n| extend\n Dvc = DvcHostname,\n User = SrcUsername,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Duration = NetworkDuration\n| project-away \n DeviceCustom*\n};\nparser (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, disabled)",
"query": "let ActionLookup = datatable (DvcOriginalAction: string, DvcAction:string) [\n // See https://help.zscaler.com/zia/firewall-insights-logs-filters\n 'Allow','Allow',\n 'Allow due to insufficient app data','Allow',\n 'Block/Drop','Drop',\n 'Block/ICMP','Drop ICMP',\n 'Block/Reset', 'Reset',\n 'IPS Drop', 'Drop',\n 'IPS Reset', 'Reset',\n // Observed in real world events\n 'Block ICMP', 'Drop ICMP',\n 'Drop', 'Drop'\n];\nlet parser= \n (starttime:datetime=datetime(null)\n , endtime:datetime=datetime(null)\n , srcipaddr_has_any_prefix:dynamic=dynamic([])\n , dstipaddr_has_any_prefix:dynamic=dynamic([])\n , ipaddr_has_any_prefix:dynamic=dynamic([])\n , dstportnumber:int=int(null)\n , hostname_has_any:dynamic=dynamic([])\n , dvcaction:dynamic=dynamic([])\n , eventresult:string='*'\n , disabled:bool=false) {\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \nCommonSecurityLog \n| where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n| where not(disabled)\n| where DeviceVendor == \"Zscaler\"\n| where DeviceProduct == \"NSSFWlog\"\n|where\n (array_length(hostname_has_any) == 0) // No host name information, so always filter out if hostname filter used. \n and (isnull(dstportnumber) or dstportnumber == DestinationPort) \n| extend temp_SrcMatch=has_any_ipv4_prefix(SourceIP,src_or_any), temp_DstMatch=has_any_ipv4_prefix(DestinationIP,dst_or_any)\n| extend ASimMatchingIpAddr=case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0 ,\"-\",\n temp_SrcMatch and temp_DstMatch, \"Both\",\n temp_SrcMatch, \"SrcIpAddr\",\n temp_DstMatch, \"DstIpAddr\",\n \"No match\"\n )\n// -- Pre-filtering\n| where ASimMatchingIpAddr != \"No match\"\n| project-away temp_*\n| project-rename DvcOriginalAction = DeviceAction\n| lookup ActionLookup on DvcOriginalAction \n| where array_length(dvcaction) == 0 or DvcAction in (dvcaction)\n| extend EventResult = iff (DvcOriginalAction == \"Allow\", \"Success\", \"Failure\") \n| where (eventresult=='*' or EventResult == eventresult)\n// -- Event fields\n| extend \n EventStartTime=TimeGenerated, \n EventVendor = \"Zscaler\", \n EventProduct = \"ZIA Firewall\", \n EventSchema = \"NetworkSession\", \n EventSchemaVersion=\"0.2.3\", \n EventType = 'NetworkSession', \n EventSeverity = 'Informational',\n EventEndTime=TimeGenerated \n| project-rename\n DvcHostname = Computer, \n EventProductVersion = DeviceVersion, \n NetworkProtocol = Protocol, \n DstIpAddr = DestinationIP, \n DstPortNumber = DestinationPort, \n DstNatIpAddr = DestinationTranslatedAddress, \n DstNatPortNumber = DestinationTranslatedPort, \n DstAppName = DeviceCustomString3, \n NetworkApplicationProtocol = DeviceCustomString2, \n SrcIpAddr = SourceIP, \n SrcPortNumber = SourcePort, \n SrcUsername = SourceUserName,\n SrcNatIpAddr= SourceTranslatedAddress, \n SrcNatPortNumber = SourceTranslatedPort, \n SrcUserDepartment = DeviceCustomString1, // Not in standard schema\n SrcUserLocation = SourceUserPrivileges, // Not in standard schema\n ThreatName = DeviceCustomString6, \n ThreatCategory = DeviceCustomString5, \n NetworkRuleName = Activity \n// -- Calculated fields\n| extend\n // -- Adjustment to support both old and new CSL fields.\n EventCount=coalesce(\n toint(column_ifexists(\"fieldDeviceCustomNumber2\", int(null))), \n toint(column_ifexists(\"DeviceCustomNumber2\",int(null)))\n ),\n NetworkDuration = coalesce(\n toint(column_ifexists(\"fieldDeviceCustomNumber1\", int(null))),\n toint(column_ifexists(\"DeviceCustomNumber1\",int(null)))\n ),\n ThreatCategory = iff(DeviceCustomString4 == \"None\", \"\", ThreatCategory),\n SrcUsername = iff (SrcUsername == SrcUserLocation, \"\", SrcUsername),\n DstBytes = tolong(ReceivedBytes), \n SrcBytes = tolong(SentBytes)\n// -- Enrichment\n| extend\n DstAppType = \"Service\", \n SrcUsernameType = \"UPN\" \n// -- Aliases\n| extend\n Dvc = DvcHostname,\n User = SrcUsername,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Rule = NetworkRuleName,\n Duration = NetworkDuration\n| project-away \n DeviceCustom*\n};\nparser (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, disabled)",
"version": 1,
"functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False"
}

6
Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionAWSVPC.yaml
Просмотреть файл

@ -1,7 +1,7 @@
Parser:
Title: Network Session ASIM parser for AWS VPC logs
Version: '0.1'
LastUpdated: Feb 07, 2021
Version: '0.2'
LastUpdated: Jun 16, 2021
Product:
Name: AWS VPC
Normalization:
@ -183,7 +183,7 @@ ParserQuery: |
];
let parser = (disabled:bool=false){
AWSVPCFlow | where not(disabled)
| where LogStatus != "NODATA"
| where LogStatus == "OK"
| extend
EventVendor="AWS",
EventProduct="VPC",

6
Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionMicrosoft365Defender.yaml
Просмотреть файл

@ -1,7 +1,7 @@
Parser:
Title: Network Session ASIM parser for M365 Defender for Endpoint
Version: '0.2'
LastUpdated: Jan 17, 2022
Version: '0.3'
LastUpdated: Jun 15, 2022
Product:
Name: M365 Defender for Endpoint
Normalization:
@ -181,7 +181,7 @@ ParserQuery: |
;
union InboundNetworkEvents, OutboundNetworkEvents
| extend // aliases
Hostname = UrlHostname,
Hostname = tostring(UrlHostname),
IpAddr = SrcIpAddr,
Src = SrcIpAddr,
Dst = DstIpAddr

85
Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionMicrosoftLinuxSysmon.yaml
Просмотреть файл

@ -1,7 +1,7 @@
Parser:
Title: Network Session ASIM parser for Sysmon for Linux
Version: '0.2'
LastUpdated: Jan 17, 2022
Version: '0.3'
LastUpdated: Jun 16, 2022
Product:
Name: Sysmon for Linux
Normalization:
@ -70,43 +70,44 @@ ParserQuery: |
SrcAppType = 'Process'
| project-away SyslogMessage
;
let InboundNetworkEvents =
DirectionNetworkEvents
| where not(outbound)
| invoke parser ()
| extend
DstUsernameType = 'Simple',
DstUsername = User,
DstProcessId = ProcessId,
DstProcessGuid = ProcessGuid,
DstProcessName = Process,
DstAppName = Process,
DstAppType = 'Process'
| project-away SyslogMessage
;
let SysmonForLinuxNetwork=
union OutboundNetworkEvents, InboundNetworkEvents
| extend
EventType = 'NetworkSession',
EventStartTime = EventEndTime,
EventCount = int(1),
EventVendor = 'Microsoft',
EventSchemaVersion = '0.2.0',
EventSchema = 'NetworkSession',
EventProduct = 'Sysmon for Linux',
EventResult = 'Success',
EventSeverity = 'Informational',
DvcOs = 'Linux',
Protocol = toupper(Protocol),
EventOriginalType = '3' // Set with a constant value to avoid parsing
| project-rename
DvcIpAddr = HostIP,
DvcHostname = SysmonComputer
| extend // aliases
Dvc = DvcHostname,
Hostname = DstHostname,
IpAddr = SrcIpAddr,
Src = SrcIpAddr,
Dst = DstIpAddr
;
SysmonForLinuxNetwork
let InboundNetworkEvents =
DirectionNetworkEvents
| where not(outbound)
| invoke parser ()
| extend
DstUsernameType = 'Simple',
DstUsername = User,
DstProcessId = ProcessId,
DstProcessGuid = ProcessGuid,
DstProcessName = Process,
DstAppName = Process,
DstAppType = 'Process'
| project-away SyslogMessage
;
let SysmonForLinuxNetwork=
union OutboundNetworkEvents, InboundNetworkEvents
| extend
EventType = 'NetworkSession',
EventStartTime = EventEndTime,
EventCount = int(1),
EventVendor = 'Microsoft',
EventSchemaVersion = '0.2.0',
EventSchema = 'NetworkSession',
EventProduct = 'Sysmon for Linux',
EventResult = 'Success',
EventSeverity = 'Informational',
DvcOs = 'Linux',
Protocol = toupper(Protocol),
NetworkDirection = iff(outbound, "Ountbound", "Inbound"),
EventOriginalType = '3' // Set with a constant value to avoid parsing
| project-rename
DvcIpAddr = HostIP,
DvcHostname = SysmonComputer
| extend // aliases
Dvc = DvcHostname,
Hostname = DstHostname,
IpAddr = SrcIpAddr,
Src = SrcIpAddr,
Dst = DstIpAddr
;
SysmonForLinuxNetwork

7
Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionVMConnection.yaml
Просмотреть файл

@ -1,7 +1,7 @@
Parser:
Title: Network Session ASIM parser for VM connection information collected using the Log Analytics Agent
Version: '0.1'
LastUpdated: Feb 6, 2022
Version: '0.2'
LastUpdated: Jun 15, 2022
Product:
Name: VMConnection
Normalization:
@ -38,6 +38,7 @@ ParserQuery: |
| where Direction == "outbound"
| extend
SrcAppType = "Process",
SrcDvcIdType = "VMConnectionId",
SrcHostnameType = "Simple",
DstGeoCountry = RemoteCountry,
DstGeoLongitude = RemoteLongitude,
@ -119,6 +120,7 @@ ParserQuery: |
EventSchema = "NetworkSession",
EventSchemaVersion = "0.2.2",
EventType = "EndpointNetworkSession",
NetworkDirection = iff(Direction=="inbound", "Inbound", "Outbound"),
EventEndTime = TimeGenerated
| project-rename
DstIpAddr = DestinationIp,
@ -126,7 +128,6 @@ ParserQuery: |
SrcIpAddr = SourceIp,
NetworkSessionId = ConnectionId,
ThreatName = IndicatorThreatType,
NetworkDirection = Direction,
RemoteGeoCountry = RemoteCountry,
RemoteGeoLatitude = RemoteLatitude,
RemoteGeoLongitude = RemoteLongitude,

7
Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionzScalerZIA.yaml
Просмотреть файл

@ -1,7 +1,7 @@
Parser:
Title: Network Session ASIM parser for Zscaler ZIA Firewall
Version: '0.2'
LastUpdated: Jan 17, 2022
Version: '0.3'
LastUpdated: Jun 16, 2022
Product:
Name: Zscaler ZIA Firewall
Normalization:
@ -72,7 +72,7 @@ ParserQuery: |
SrcUserLocation = SourceUserPrivileges, // Not in standard schema
ThreatName = DeviceCustomString6,
ThreatCategory = DeviceCustomString5,
RuleName = Activity
NetworkRuleName = Activity
// -- Calculated fields
| lookup ActionLookup on DvcOriginalAction
| extend
@ -101,6 +101,7 @@ ParserQuery: |
IpAddr = SrcIpAddr,
Src = SrcIpAddr,
Dst = DstIpAddr,
Rule = NetworkRuleName,
Duration = NetworkDuration
| project-away
DeviceCustom*

6
Parsers/ASimNetworkSession/Parsers/vimNetworkSessionAWSVPC.yaml
Просмотреть файл

@ -1,7 +1,7 @@
Parser:
Title: Network Session ASIM filtering parser for AWS VPC logs
Version: '0.1'
LastUpdated: Feb 08, 2021
Version: '0.2'
LastUpdated: Jun 16, 2021
Product:
Name: AWS VPC
Normalization:
@ -227,7 +227,7 @@ ParserQuery: |
| where(isnull(starttime) or TimeGenerated >= starttime)
and (isnull(endtime) or TimeGenerated <= endtime)
| where not(disabled)
| where LogStatus != "NODATA"
| where LogStatus == "OK"
// -- Pre-filtering:
| where
(isnull(dstportnumber) or (DstPort == dstportnumber))

6
Parsers/ASimNetworkSession/Parsers/vimNetworkSessionMicrosoft365Defender.yaml
Просмотреть файл

@ -1,7 +1,7 @@
Parser:
Title: Network Session ASIM filtering parser for M365 Defender for Endpoint
Version: '0.2'
LastUpdated: Jan 17, 2022
Version: '0.3'
LastUpdated: Jun 15, 2022
Product:
Name: M365 Defender for Endpoint
Normalization:
@ -259,7 +259,7 @@ ParserQuery: |
;
union InboundNetworkEvents, OutboundNetworkEvents
| extend // aliases
Hostname = UrlHostname,
Hostname = tostring(UrlHostname),
IpAddr = SrcIpAddr,
Src = SrcIpAddr,
Dst = DstIpAddr

117
Parsers/ASimNetworkSession/Parsers/vimNetworkSessionMicrosoftLinuxSysmon.yaml
Просмотреть файл

@ -1,7 +1,7 @@
Parser:
Title: Network Session ASIM filtering parser for Sysmon for Linux
Version: '0.2'
LastUpdated: Jan 17, 2022
Version: '0.3'
LastUpdated: Jun 16, 2022
Product:
Name: Sysmon for Linux
Normalization:
@ -139,59 +139,60 @@ ParserQuery: |
SrcAppType = 'Process'
| project-away SyslogMessage
;
let InboundNetworkEvents =
DirectionNetworkEvents
| where not(outbound)
| invoke parser ()
// *************** Postfilterring ***************************************************************
| where (array_length(hostname_has_any)==0 or DstHostname has_any (hostname_has_any)or SrcHostname has_any (hostname_has_any) )
and (isnull(dstportnumber) or DstPortNumber ==dstportnumber)
// *************** Postfilterring ***************************************************************
| extend
temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any)
, temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)
| extend ASimMatchingIpAddr = case(
array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, "-" // match not requested: probably most common case
, (temp_isSrcMatch and temp_isDstMatch), "Both" // has to be checked before the individual
, temp_isSrcMatch, "SrcIpAddr"
, temp_isDstMatch, "DstIpAddr"
, "No match"
)
| where ASimMatchingIpAddr != "No match"
| project-away temp_*
| extend
DstUsernameType = 'Simple',
DstUsername = User,
DstProcessId = ProcessId,
DstProcessGuid = ProcessGuid,
DstProcessName = Process,
DstAppName = Process,
DstAppType = 'Process'
| project-away SyslogMessage
;
let SysmonForLinuxNetwork=
union OutboundNetworkEvents, InboundNetworkEvents
| extend
EventType = 'NetworkSession',
EventStartTime = EventEndTime,
EventCount = int(1),
EventVendor = 'Microsoft',
EventSchemaVersion = '0.2.3',
EventSchema = 'NetworkSession',
EventProduct = 'Sysmon for Linux',
EventResult = 'Success',
EventSeverity = 'Informational',
DvcOs = 'Linux',
Protocol = toupper(Protocol),
EventOriginalType = '3' // Set with a constant value to avoid parsing
| project-rename
DvcIpAddr = HostIP,
DvcHostname = SysmonComputer
| extend // aliases
Dvc = DvcHostname,
Hostname = DstHostname,
IpAddr = SrcIpAddr,
Src = SrcIpAddr,
Dst = DstIpAddr
;
SysmonForLinuxNetwork
let InboundNetworkEvents =
DirectionNetworkEvents
| where not(outbound)
| invoke parser ()
// *************** Postfilterring ***************************************************************
| where (array_length(hostname_has_any)==0 or DstHostname has_any (hostname_has_any)or SrcHostname has_any (hostname_has_any) )
and (isnull(dstportnumber) or DstPortNumber ==dstportnumber)
// *************** Postfilterring ***************************************************************
| extend
temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any)
, temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)
| extend ASimMatchingIpAddr = case(
array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, "-" // match not requested: probably most common case
, (temp_isSrcMatch and temp_isDstMatch), "Both" // has to be checked before the individual
, temp_isSrcMatch, "SrcIpAddr"
, temp_isDstMatch, "DstIpAddr"
, "No match"
)
| where ASimMatchingIpAddr != "No match"
| project-away temp_*
| extend
DstUsernameType = 'Simple',
DstUsername = User,
DstProcessId = ProcessId,
DstProcessGuid = ProcessGuid,
DstProcessName = Process,
DstAppName = Process,
DstAppType = 'Process'
| project-away SyslogMessage
;
let SysmonForLinuxNetwork=
union OutboundNetworkEvents, InboundNetworkEvents
| extend
EventType = 'NetworkSession',
EventStartTime = EventEndTime,
EventCount = int(1),
EventVendor = 'Microsoft',
EventSchemaVersion = '0.2.3',
EventSchema = 'NetworkSession',
EventProduct = 'Sysmon for Linux',
EventResult = 'Success',
EventSeverity = 'Informational',
DvcOs = 'Linux',
Protocol = toupper(Protocol),
NetworkDirection = iff(outbound, "Ountbound", "Inbound"),
EventOriginalType = '3' // Set with a constant value to avoid parsing
| project-rename
DvcIpAddr = HostIP,
DvcHostname = SysmonComputer
| extend // aliases
Dvc = DvcHostname,
Hostname = DstHostname,
IpAddr = SrcIpAddr,
Src = SrcIpAddr,
Dst = DstIpAddr
;
SysmonForLinuxNetwork

8
Parsers/ASimNetworkSession/Parsers/vimNetworkSessionVMConnection.yaml
Просмотреть файл

@ -1,7 +1,7 @@
Parser:
Title: Network Session ASIM filtering parser for VM connection information collected using the Log Analytics Agent
Version: '0.1'
LastUpdated: Feb 6, 2022
Version: '0.2'
LastUpdated: Jun 15, 2022
Product:
Name: VMConnection
Normalization:
@ -121,6 +121,7 @@ ParserQuery: |
| project-away temp_*
| extend
SrcAppType = "Process",
SrcDvcIdType = "VMConnectionId",
SrcHostnameType = "Simple",
DstGeoCountry = RemoteCountry,
DstGeoLongitude = RemoteLongitude,
@ -231,6 +232,8 @@ ParserQuery: |
EventSchema = "NetworkSession",
EventSchemaVersion = "0.2.3",
EventType = "EndpointNetworkSession",
DvcIdType = "VMConnectionId",
NetworkDirection = iff(Direction=="inbound", "Inbound", "Outbound"),
EventEndTime = TimeGenerated
| project-rename
DstIpAddr = DestinationIp,
@ -238,7 +241,6 @@ ParserQuery: |
SrcIpAddr = SourceIp,
NetworkSessionId = ConnectionId,
ThreatName = IndicatorThreatType,
NetworkDirection = Direction,
RemoteGeoCountry = RemoteCountry,
RemoteGeoLatitude = RemoteLatitude,
RemoteGeoLongitude = RemoteLongitude,

7
Parsers/ASimNetworkSession/Parsers/vimNetworkSessionzScalerZIA.yaml
Просмотреть файл

@ -1,7 +1,7 @@
Parser:
Title: Network Session ASIM filtering parser for Zscaler ZIA firewall
Version: '0.2'
LastUpdated: Jan 17, 2022
Version: '0.3'
LastUpdated: Jun 16, 2022
Product:
Name: Zscaler ZIA Firewall
Normalization:
@ -132,7 +132,7 @@ ParserQuery: |
SrcUserLocation = SourceUserPrivileges, // Not in standard schema
ThreatName = DeviceCustomString6,
ThreatCategory = DeviceCustomString5,
RuleName = Activity
NetworkRuleName = Activity
// -- Calculated fields
| extend
// -- Adjustment to support both old and new CSL fields.
@ -159,6 +159,7 @@ ParserQuery: |
IpAddr = SrcIpAddr,
Src = SrcIpAddr,
Dst = DstIpAddr,
Rule = NetworkRuleName,
Duration = NetworkDuration
| project-away
DeviceCustom*

2
Parsers/ASimWebSession/ARM/ASimWebSessionSquidProxy/ASimWebSessionSquidProxy.json
Просмотреть файл

@ -35,7 +35,7 @@
"displayName": "Web Session ASIM parser for Squid Proxy",
"category": "ASIM",
"FunctionAlias": "ASimWebSessionSquidProxy",
"query": "let parser=(disabled:bool=false){\nSquidProxy_CL | where not(disabled)\n | extend AccessRawLog = extract_all(@\"^(\\d+\\.\\d+)\\s+(\\d+)\\s(\\S+)\\s([A-Z_]+)\\/(\\d+)\\s(\\d+)\\s([A-Z]+)\\s(\\S+)\\s(\\S+)\\s([A-Z_]+)\\/(\\S+)\\s(\\S+)\",dynamic([1,2,3,4,5,6,7,8,9,10,11,12]),RawData)[0]\n | extend\n EventEndTime = unixtime_milliseconds_todatetime(todouble(tostring(AccessRawLog[0]))*1000), \n NetworkDuration = toint(AccessRawLog[1]), \n SrcIpAddr = tostring(AccessRawLog[2]), \n EventOriginalResultDetails = strcat (tostring(AccessRawLog[3]), \";\", PeerStatus = tostring(AccessRawLog[9])), \n EventResultDetails = tostring(AccessRawLog[4]), \n DstBytes = toint(AccessRawLog[5]), \n HttpRequestMethod = tostring(AccessRawLog[6]), \n // -- Squid URL might be shortened by including ellipsis (...) instead of a section in the middle. This may impact the hostname part as well.\n Url = tostring(AccessRawLog[7]), \n SrcUsername = tostring(AccessRawLog[8]), \n DstIpAddr = tostring(AccessRawLog[10]), \n HttpContentType = tostring(AccessRawLog[11]) \n // -- Constant fields\n | extend \n EventCount = int(1), \n EventProduct = 'Squid Proxy', \n EventVendor = 'Squid', \n EventSchema = 'WebSession', \n EventSchemaVersion = '0.2.3', \n EventType = 'HTTPsession' \n // -- Value normalization\n | extend\n UsernameType = \"Unknown\",\n SrcUsername = iff (SrcUsername == \"-\", \"\", SrcUsername), \n HttpContentType = iff (HttpContentType in (\":\", \"-\"), \"\", HttpContentType), \n EventResult = iff (EventOriginalResultDetails has_any ('DENIED', 'INVALID', 'FAIL', 'ABORTED','TIMEOUT') or toint(EventResultDetails) >= 400, \"Failure\", \"Success\"),\n DstIpAddrIsHost = DstIpAddr matches regex @\"^[^\\:]*[a-zA-Z]$\"\n | extend \n DstFQDN = iif (DstIpAddrIsHost, DstIpAddr, tostring(parse_url(Url)[\"Host\"])),\n DstIpAddr = iif (DstIpAddr == \"-\" or DstIpAddrIsHost, \"\", DstIpAddr)\n | extend \n EventSeverity = iff(EventResult == \"Success\", \"Informational\", \"Low\"),\n DstFQDNparts = split (DstFQDN, \".\")\n | extend \n DstHostname = tostring(DstFQDNparts[0]),\n DstDomain = strcat_array(array_slice(DstFQDNparts,1,-1),\".\"),\n DstDomainType = \"FQDN\"\n // -- aliases\n | extend \n EventStartTime = EventEndTime,\n Duration = NetworkDuration,\n HttpStatusCode = EventResultDetails,\n User = SrcUsername,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstHostname,\n Hostname = DstHostname\n | project-away AccessRawLog, RawData\n};\nparser (disabled)\n",
"query": "let parser=(disabled:bool=false){\nSquidProxy_CL | where not(disabled)\n | extend AccessRawLog = extract_all(@\"^(\\d+\\.\\d+)\\s+(\\d+)\\s(\\S+)\\s([A-Z_]+)\\/(\\d+)\\s(\\d+)\\s([A-Z]+)\\s(\\S+)\\s(\\S+)\\s([A-Z_]+)\\/(\\S+)\\s(\\S+)\",dynamic([1,2,3,4,5,6,7,8,9,10,11,12]),RawData)[0]\n | project-rename\n Dvc = Computer\n | extend\n EventEndTime = unixtime_milliseconds_todatetime(todouble(tostring(AccessRawLog[0]))*1000), \n NetworkDuration = toint(AccessRawLog[1]), \n SrcIpAddr = tostring(AccessRawLog[2]), \n EventOriginalResultDetails = strcat (tostring(AccessRawLog[3]), \";\", PeerStatus = tostring(AccessRawLog[9])), \n EventResultDetails = tostring(AccessRawLog[4]), \n DstBytes = tolong(AccessRawLog[5]), \n HttpRequestMethod = tostring(AccessRawLog[6]), \n // -- Squid URL might be shortened by including ellipsis (...) instead of a section in the middle. This may impact the hostname part as well.\n Url = tostring(AccessRawLog[7]), \n SrcUsername = tostring(AccessRawLog[8]), \n DstIpAddr = tostring(AccessRawLog[10]), \n HttpContentType = tostring(AccessRawLog[11]) \n // -- Constant fields\n | extend \n EventCount = int(1), \n EventProduct = 'Squid Proxy', \n EventVendor = 'Squid', \n EventSchema = 'WebSession', \n EventSchemaVersion = '0.2.3', \n EventType = 'HTTPsession' \n // -- Value normalization\n | extend\n SrcUsernameType = \"Unknown\",\n SrcUsername = iff (SrcUsername == \"-\", \"\", SrcUsername), \n HttpContentType = iff (HttpContentType in (\":\", \"-\"), \"\", HttpContentType), \n EventResult = iff (EventOriginalResultDetails has_any ('DENIED', 'INVALID', 'FAIL', 'ABORTED','TIMEOUT') or toint(EventResultDetails) >= 400, \"Failure\", \"Success\"),\n DstIpAddrIsHost = DstIpAddr matches regex @\"^[^\\:]*[a-zA-Z]$\"\n | extend \n DstFQDN = iif (DstIpAddrIsHost, DstIpAddr, tostring(parse_url(Url)[\"Host\"])),\n DstIpAddr = iif (DstIpAddr == \"-\" or DstIpAddrIsHost, \"\", DstIpAddr)\n | extend \n EventSeverity = iff(EventResult == \"Success\", \"Informational\", \"Low\"),\n DstFQDNparts = split (DstFQDN, \".\")\n | extend \n DstHostname = tostring(DstFQDNparts[0]),\n DstDomain = strcat_array(array_slice(DstFQDNparts,1,-1),\".\"),\n DstDomainType = \"FQDN\"\n // -- aliases\n | extend \n EventStartTime = EventEndTime,\n Duration = NetworkDuration,\n HttpStatusCode = EventResultDetails,\n User = SrcUsername,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstHostname,\n Hostname = DstHostname\n | project-away AccessRawLog, RawData\n};\nparser (disabled)\n",
"version": 1,
"functionParameters": "disabled:bool=False"
}

2
Parsers/ASimWebSession/ARM/ASimWebSessionzScalerZIA/ASimWebSessionzScalerZIA.json
Просмотреть файл

@ -35,7 +35,7 @@
"displayName": "Web Session ASIM parser for Zscaler ZIA",
"category": "ASIM",
"FunctionAlias": "ASimWebSessionZscalerZIA",
"query": "let parser=(disabled:bool=false){\nlet DvcActionLookup = datatable (DeviceAction:string, DvcAction: string) \n[\n 'Allowed', 'Allow',\n 'Blocked', 'Deny'\n]; \nCommonSecurityLog | where not(disabled)\n| where DeviceVendor == \"Zscaler\"\n| where DeviceProduct == \"NSSWeblog\"\n// Event fields\n| extend \n EventCount=int(1), \n EventStartTime=TimeGenerated, \n EventVendor = \"Zscaler\", \n EventProduct = \"ZIA Proxy\", \n EventSchema = \"WebSession\", \n EventSchemaVersion=\"0.2.3\", \n EventType = 'HTTPsession',\n EventEndTime=TimeGenerated\n| project-rename\n EventProductVersion = DeviceVersion,\n NetworkApplicationProtocol = ApplicationProtocol,\n HttpContentType = FileType,\n HttpUserAgent = RequestClientApplication,\n HttpRequestMethod = RequestMethod,\n DstAppName = DestinationServiceName,\n DstIpAddr = DestinationIP,\n DstFQDN = DestinationHostName,\n SrcIpAddr = SourceIP,\n SrcUsername = SourceUserName,\n SrcNatIpAddr= SourceTranslatedAddress,\n SrcUserDepartment = SourceUserPrivileges, // Not part of the standard schema\n UrlCategory = DeviceCustomString2,\n ThreatName = DeviceCustomString5,\n FileMD5 = DeviceCustomString6\n// -- Parse\n| parse AdditionalExtensions with \n * \"rulelabel=\" RuleName:string \";\"\n \"ruletype=\" ruletype:string \";\"\n \"urlclass=\" urlclass:string \";\"\n \"devicemodel=\" * \n// -- Calculated fields\n| lookup DvcActionLookup on DeviceAction\n| extend\n // -- Adjustment to support both old and new CSL fields.\n EventOriginalResultDetails = coalesce(\n column_ifexists(\"Reason\", \"\"),\n extract(@'reason=(.*?)(?:;|$)',1, AdditionalExtensions, typeof(string))\n ),\n EventResultDetails = coalesce(\n column_ifexists(\"EventOutcome\", \"\"),\n extract(@'outcome=(.*?)(?:;|$)',1, AdditionalExtensions, typeof(string))\n ),\n ThreatRiskLevel = coalesce(\n toint(column_ifexists(\"fieldDeviceCustomNumber1\", int(null))),\n toint(column_ifexists(\"DeviceCustomNumber1\",int(null)))\n ),\n DvcHostname = tostring(Computer),\n SrcBytes = toint(SentBytes),\n DstBytes = toint(ReceivedBytes),\n Url = iff (RequestURL == \"\", \"\", strcat (tolower(NetworkApplicationProtocol), \"://\", url_decode(RequestURL))),\n UrlCategory = strcat (urlclass, \"/\", UrlCategory),\n ThreatCategory = iff(DeviceCustomString4 == \"None\", \"\", strcat (DeviceCustomString3, \"/\", DeviceCustomString4)),\n RuleName = iff (RuleName == \"None\", \"\", strcat (ruletype, \"/\", RuleName)),\n FileMD5 = iff (FileMD5 == \"None\", \"\", FileMD5),\n HttpReferrer = iff (RequestContext == \"None\", \"\", url_decode(RequestContext)),\n DstAppName = iff (DstAppName == \"General Browsing\", \"\", DstAppName),\n DstFQDNparts = split (DstFQDN, \".\"),\n DstHostnameNotAddr = DstIpAddr != DstFQDN\n| extend\n DstHostname = iff (DstHostnameNotAddr, tostring(DstFQDNparts[0]), DstFQDN),\n DstDomain = iff (DstHostnameNotAddr, strcat_array(array_slice(DstFQDNparts,1,-1),\".\"), \"\"),\n DstFQDN = iff (DstHostnameNotAddr, DstFQDN, \"\") \n// -- Enrichment\n| extend\n EventResult = iff (EventResultDetails == \"NA\" or toint(EventResultDetails) >= 400, \"Failure\", \"Success\"),\n EventSeverity = case (ThreatRiskLevel > 90, \"High\", ThreatRiskLevel > 60, \"Medium\", ThreatRiskLevel > 10, \"Low\", \"Informational\"),\n DstAppType = \"SaaS application\",\n DstDomainType = iff (DstHostnameNotAddr, \"FQDN\", \"\"),\n SrcUsernameType = \"UPN\"\n// -- Aliases\n| extend\n Dvc = DvcHostname,\n UserAgent = HttpUserAgent,\n User = SrcUsername,\n HttpStatusCode = EventResultDetails,\n IpAddr = SrcNatIpAddr,\n Hash = FileMD5,\n FileHashType = iff(FileMD5 == \"\", \"\", \"MD5\")\n| project-away \n DstFQDNparts, AdditionalExtensions, DeviceCustom*\n};\nparser (disabled)",
"query": "let parser=(disabled:bool=false){\nlet DvcActionLookup = datatable (DeviceAction:string, DvcAction: string) \n[\n 'Allowed', 'Allow',\n 'Blocked', 'Deny'\n]; \nCommonSecurityLog | where not(disabled)\n| where DeviceVendor == \"Zscaler\"\n| where DeviceProduct == \"NSSWeblog\"\n// Event fields\n| extend \n EventCount=int(1), \n EventStartTime=TimeGenerated, \n EventVendor = \"Zscaler\", \n EventProduct = \"ZIA Proxy\", \n EventSchema = \"WebSession\", \n EventSchemaVersion=\"0.2.3\", \n EventType = 'HTTPsession',\n EventEndTime=TimeGenerated\n| project-rename\n EventProductVersion = DeviceVersion,\n NetworkApplicationProtocol = ApplicationProtocol,\n HttpContentType = FileType,\n HttpUserAgent = RequestClientApplication,\n HttpRequestMethod = RequestMethod,\n DstAppName = DestinationServiceName,\n DstIpAddr = DestinationIP,\n DstFQDN = DestinationHostName,\n SrcIpAddr = SourceIP,\n SrcUsername = SourceUserName,\n SrcNatIpAddr= SourceTranslatedAddress,\n SrcUserDepartment = SourceUserPrivileges, // Not part of the standard schema\n UrlCategory = DeviceCustomString2,\n ThreatName = DeviceCustomString5,\n FileMD5 = DeviceCustomString6\n// -- Parse\n| parse AdditionalExtensions with \n * \"rulelabel=\" RuleName:string \";\"\n \"ruletype=\" ruletype:string \";\"\n \"urlclass=\" urlclass:string \";\"\n \"devicemodel=\" * \n// -- Calculated fields\n| lookup DvcActionLookup on DeviceAction\n| extend\n // -- Adjustment to support both old and new CSL fields.\n EventOriginalResultDetails = coalesce(\n column_ifexists(\"Reason\", \"\"),\n extract(@'reason=(.*?)(?:;|$)',1, AdditionalExtensions, typeof(string))\n ),\n EventResultDetails = coalesce(\n column_ifexists(\"EventOutcome\", \"\"),\n extract(@'outcome=(.*?)(?:;|$)',1, AdditionalExtensions, typeof(string))\n ),\n ThreatRiskLevel = coalesce(\n toint(column_ifexists(\"fieldDeviceCustomNumber1\", int(null))),\n toint(column_ifexists(\"DeviceCustomNumber1\",int(null)))\n ),\n DvcHostname = tostring(Computer),\n SrcBytes = tolong(SentBytes),\n DstBytes = tolong(ReceivedBytes),\n Url = iff (RequestURL == \"\", \"\", strcat (tolower(NetworkApplicationProtocol), \"://\", url_decode(RequestURL))),\n UrlCategory = strcat (urlclass, \"/\", UrlCategory),\n ThreatCategory = iff(DeviceCustomString4 == \"None\", \"\", strcat (DeviceCustomString3, \"/\", DeviceCustomString4)),\n RuleName = iff (RuleName == \"None\", \"\", strcat (ruletype, \"/\", RuleName)),\n FileMD5 = iff (FileMD5 == \"None\", \"\", FileMD5),\n HttpReferrer = iff (RequestContext == \"None\", \"\", url_decode(RequestContext)),\n DstAppName = iff (DstAppName == \"General Browsing\", \"\", DstAppName),\n DstFQDNparts = split (DstFQDN, \".\"),\n DstHostnameNotAddr = DstIpAddr != DstFQDN\n| extend\n DstHostname = iff (DstHostnameNotAddr, tostring(DstFQDNparts[0]), DstFQDN),\n DstDomain = iff (DstHostnameNotAddr, strcat_array(array_slice(DstFQDNparts,1,-1),\".\"), \"\"),\n DstFQDN = iff (DstHostnameNotAddr, DstFQDN, \"\") \n// -- Enrichment\n| extend\n EventResult = iff (EventResultDetails == \"NA\" or toint(EventResultDetails) >= 400, \"Failure\", \"Success\"),\n EventSeverity = case (ThreatRiskLevel > 90, \"High\", ThreatRiskLevel > 60, \"Medium\", ThreatRiskLevel > 10, \"Low\", \"Informational\"),\n DstAppType = \"SaaS application\",\n DstDomainType = iff (DstHostnameNotAddr, \"FQDN\", \"\"),\n SrcUsernameType = \"UPN\"\n// -- Aliases\n| extend\n Dvc = DvcHostname,\n Hostname = DstHostname,\n UserAgent = HttpUserAgent,\n User = SrcUsername,\n HttpStatusCode = EventResultDetails,\n IpAddr = SrcNatIpAddr,\n Hash = FileMD5,\n FileHashType = iff(FileMD5 == \"\", \"\", \"MD5\")\n| project-away \n DstFQDNparts, AdditionalExtensions, DeviceCustom*\n};\nparser (disabled)",
"version": 1,
"functionParameters": "disabled:bool=False"
}

52
Parsers/ASimWebSession/ARM/FullDeploymentWebSession.json
Просмотреть файл

@ -18,6 +18,26 @@
},
"variables": {},
"resources": [
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimWebSessionSquidProxy",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimWebSession/ARM/vimWebSessionSquidProxy/vimWebSessionSquidProxy.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
@ -41,31 +61,11 @@
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimWebSessionSquidProxy",
"name": "linkedvimWebSessionzScalerZIA",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimWebSession/ARM/ASimWebSessionSquidProxy/ASimWebSessionSquidProxy.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimWebSessionzScalerZIA",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimWebSession/ARM/ASimWebSessionzScalerZIA/ASimWebSessionzScalerZIA.json",
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimWebSession/ARM/vimWebSessionzScalerZIA/vimWebSessionzScalerZIA.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
@ -121,11 +121,11 @@
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimWebSessionSquidProxy",
"name": "linkedASimWebSessionSquidProxy",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimWebSession/ARM/vimWebSessionSquidProxy/vimWebSessionSquidProxy.json",
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimWebSession/ARM/ASimWebSessionSquidProxy/ASimWebSessionSquidProxy.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
@ -141,11 +141,11 @@
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimWebSessionzScalerZIA",
"name": "linkedASimWebSessionzScalerZIA",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimWebSession/ARM/vimWebSessionzScalerZIA/vimWebSessionzScalerZIA.json",
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimWebSession/ARM/ASimWebSessionzScalerZIA/ASimWebSessionzScalerZIA.json",
"contentVersion": "1.0.0.0"
},
"parameters": {

2
Parsers/ASimWebSession/ARM/vimWebSessionEmpty/vimWebSessionEmpty.json
Просмотреть файл

Различия файлов скрыты, потому что одна или несколько строк слишком длинны

2
Parsers/ASimWebSession/ARM/vimWebSessionSquidProxy/vimWebSessionSquidProxy.json
Просмотреть файл

@ -35,7 +35,7 @@
"displayName": "Web Session ASIM filtering parser for Squid Proxy",
"category": "ASIM",
"FunctionAlias": "vimWebSessionSquidProxy",
"query": "let parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n ipaddr_has_any_prefix:dynamic=dynamic([]), \n url_has_any:dynamic=dynamic([]),\n httpuseragent_has_any:dynamic=dynamic([]),\n eventresultdetails_in:dynamic=dynamic([]),\n eventresult:string='*',\n disabled:bool=false\n ){\nSquidProxy_CL | where not(disabled)\n // -- Pre filtering\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and (array_length(httpuseragent_has_any) == 0)\n and ((array_length(url_has_any) == 0) or (RawData has_any (url_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(RawData, srcipaddr_has_any_prefix))\n and ((array_length(ipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(RawData, ipaddr_has_any_prefix))\n and ((array_length(eventresultdetails_in) == 0) or (RawData has_any (eventresultdetails_in)))\n // -- Parse\n | extend AccessRawLog = extract_all(@\"^(\\d+\\.\\d+)\\s+(\\d+)\\s(\\S+)\\s([A-Z_]+)\\/(\\d+)\\s(\\d+)\\s([A-Z]+)\\s(\\S+)\\s(\\S+)\\s([A-Z_]+)\\/(\\S+)\\s(\\S+)\",dynamic([1,2,3,4,5,6,7,8,9,10,11,12]),RawData)[0]\n // -- Post filtering\n | extend EventResultDetails = tostring(AccessRawLog[4])\n | where array_length(eventresultdetails_in) == 0 or EventResultDetails in (eventresultdetails_in)\n | extend EventOriginalResultDetails = strcat (tostring(AccessRawLog[3]), \";\", PeerStatus = tostring(AccessRawLog[9]))\n | extend EventResult = iff (EventOriginalResultDetails has_any ('DENIED', 'INVALID', 'FAIL', 'ABORTED','TIMEOUT') or toint(EventResultDetails) >= 400, \"Failure\", \"Success\")\n | where eventresult == \"*\" or eventresult == EventResult\n // -- Map\n | extend\n EventEndTime = unixtime_milliseconds_todatetime(todouble(tostring(AccessRawLog[0]))*1000), \n NetworkDuration = toint(AccessRawLog[1]), \n SrcIpAddr = tostring(AccessRawLog[2]), \n DstBytes = toint(AccessRawLog[5]), \n HttpRequestMethod = tostring(AccessRawLog[6]), \n // -- Squid URL might be shortened by including ellipsis (...) instead of a section in the middle. This may impact the hostname part as well.\n Url = tostring(AccessRawLog[7]), \n SrcUsername = tostring(AccessRawLog[8]), \n DstIpAddr = tostring(AccessRawLog[10]), \n HttpContentType = tostring(AccessRawLog[11]) \n //\n | extend \n ASimMatchingIpAddr = case( \n array_length(ipaddr_has_any_prefix) == 0 , \"-\",\n has_any_ipv4_prefix(DstIpAddr, ipaddr_has_any_prefix), \"DstIpAddr\",\n has_any_ipv4_prefix(SrcIpAddr, ipaddr_has_any_prefix), \"SrcIpAddr\"\n , \"No match\"\n )\n // Post Filter\n | where \n (\n (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\n and (ASimMatchingIpAddr != \"No match\")\n )\n // -- Constant fields\n | extend \n EventCount = int(1), \n EventProduct = 'Squid Proxy', \n EventVendor = 'Squid', \n EventSchema = 'WebSession', \n EventSchemaVersion = '0.2.3', \n EventType = 'HTTPsession' \n // -- Value normalization\n | extend\n UsernameType = \"Unknown\",\n SrcUsername = iff (SrcUsername == \"-\", \"\", SrcUsername), \n HttpContentType = iff (HttpContentType in (\":\", \"-\"), \"\", HttpContentType), \n DstIpAddrIsHost = DstIpAddr matches regex @\"^[^\\:]*[a-zA-Z]$\"\n | extend \n DstFQDN = iif (DstIpAddrIsHost, DstIpAddr, tostring(parse_url(Url)[\"Host\"])),\n DstIpAddr = iif (DstIpAddr == \"-\" or DstIpAddrIsHost, \"\", DstIpAddr)\n | extend \n EventSeverity = iff(EventResult == \"Success\", \"Informational\", \"Low\"),\n DstFQDNparts = split (DstFQDN, \".\")\n | extend \n DstHostname = tostring(DstFQDNparts[0]),\n DstDomain = strcat_array(array_slice(DstFQDNparts,1,-1),\".\"),\n DstDomainType = \"FQDN\"\n // -- aliases\n | extend \n EventStartTime = EventEndTime,\n Duration = NetworkDuration,\n HttpStatusCode = EventResultDetails,\n User = SrcUsername,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstHostname,\n Hostname = DstHostname\n | project-away AccessRawLog, RawData\n};\nparser (starttime, endtime, srcipaddr_has_any_prefix, ipaddr_has_any_prefix, url_has_any, httpuseragent_has_any, eventresultdetails_in, eventresult, disabled)\n",
"query": "let parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n ipaddr_has_any_prefix:dynamic=dynamic([]), \n url_has_any:dynamic=dynamic([]),\n httpuseragent_has_any:dynamic=dynamic([]),\n eventresultdetails_in:dynamic=dynamic([]),\n eventresult:string='*',\n disabled:bool=false\n ){\nSquidProxy_CL | where not(disabled)\n // -- Pre filtering\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and (array_length(httpuseragent_has_any) == 0)\n and ((array_length(url_has_any) == 0) or (RawData has_any (url_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(RawData, srcipaddr_has_any_prefix))\n and ((array_length(ipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(RawData, ipaddr_has_any_prefix))\n and ((array_length(eventresultdetails_in) == 0) or (RawData has_any (eventresultdetails_in)))\n // -- Parse\n | extend AccessRawLog = extract_all(@\"^(\\d+\\.\\d+)\\s+(\\d+)\\s(\\S+)\\s([A-Z_]+)\\/(\\d+)\\s(\\d+)\\s([A-Z]+)\\s(\\S+)\\s(\\S+)\\s([A-Z_]+)\\/(\\S+)\\s(\\S+)\",dynamic([1,2,3,4,5,6,7,8,9,10,11,12]),RawData)[0]\n // -- Post filtering\n | extend EventResultDetails = tostring(AccessRawLog[4])\n | where array_length(eventresultdetails_in) == 0 or EventResultDetails in (eventresultdetails_in)\n | extend EventOriginalResultDetails = strcat (tostring(AccessRawLog[3]), \";\", PeerStatus = tostring(AccessRawLog[9]))\n | extend EventResult = iff (EventOriginalResultDetails has_any ('DENIED', 'INVALID', 'FAIL', 'ABORTED','TIMEOUT') or toint(EventResultDetails) >= 400, \"Failure\", \"Success\")\n | where eventresult == \"*\" or eventresult == EventResult\n // -- Map\n | project-rename\n Dvc = Computer\n | extend\n EventEndTime = unixtime_milliseconds_todatetime(todouble(tostring(AccessRawLog[0]))*1000), \n NetworkDuration = toint(AccessRawLog[1]), \n SrcIpAddr = tostring(AccessRawLog[2]), \n DstBytes = tolong(AccessRawLog[5]), \n HttpRequestMethod = tostring(AccessRawLog[6]), \n // -- Squid URL might be shortened by including ellipsis (...) instead of a section in the middle. This may impact the hostname part as well.\n Url = tostring(AccessRawLog[7]), \n SrcUsername = tostring(AccessRawLog[8]), \n DstIpAddr = tostring(AccessRawLog[10]), \n HttpContentType = tostring(AccessRawLog[11]) \n //\n | extend \n ASimMatchingIpAddr = case( \n array_length(ipaddr_has_any_prefix) == 0 , \"-\",\n has_any_ipv4_prefix(DstIpAddr, ipaddr_has_any_prefix), \"DstIpAddr\",\n has_any_ipv4_prefix(SrcIpAddr, ipaddr_has_any_prefix), \"SrcIpAddr\"\n , \"No match\"\n )\n // Post Filter\n | where \n (\n (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\n and (ASimMatchingIpAddr != \"No match\")\n )\n // -- Constant fields\n | extend \n EventCount = int(1), \n EventProduct = 'Squid Proxy', \n EventVendor = 'Squid', \n EventSchema = 'WebSession', \n EventSchemaVersion = '0.2.3', \n EventType = 'HTTPsession' \n // -- Value normalization\n | extend\n SrcUsernameType = \"Unknown\",\n SrcUsername = iff (SrcUsername == \"-\", \"\", SrcUsername), \n HttpContentType = iff (HttpContentType in (\":\", \"-\"), \"\", HttpContentType), \n DstIpAddrIsHost = DstIpAddr matches regex @\"^[^\\:]*[a-zA-Z]$\"\n | extend \n DstFQDN = iif (DstIpAddrIsHost, DstIpAddr, tostring(parse_url(Url)[\"Host\"])),\n DstIpAddr = iif (DstIpAddr == \"-\" or DstIpAddrIsHost, \"\", DstIpAddr)\n | extend \n EventSeverity = iff(EventResult == \"Success\", \"Informational\", \"Low\"),\n DstFQDNparts = split (DstFQDN, \".\")\n | extend \n DstHostname = tostring(DstFQDNparts[0]),\n DstDomain = strcat_array(array_slice(DstFQDNparts,1,-1),\".\"),\n DstDomainType = \"FQDN\"\n // -- aliases\n | extend \n EventStartTime = EventEndTime,\n Duration = NetworkDuration,\n HttpStatusCode = EventResultDetails,\n User = SrcUsername,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstHostname,\n Hostname = DstHostname\n | project-away AccessRawLog, RawData\n};\nparser (starttime, endtime, srcipaddr_has_any_prefix, ipaddr_has_any_prefix, url_has_any, httpuseragent_has_any, eventresultdetails_in, eventresult, disabled)\n",
"version": 1,
"functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),url_has_any:dynamic=dynamic([]),httpuseragent_has_any:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False"
}

2
Parsers/ASimWebSession/ARM/vimWebSessionzScalerZIA/vimWebSessionzScalerZIA.json
Просмотреть файл

Различия файлов скрыты, потому что одна или несколько строк слишком длинны

10
Parsers/ASimWebSession/Parsers/ASimWebSessionSquidProxy.yaml
Просмотреть файл

@ -1,7 +1,7 @@
Parser:
Title: Web Session ASIM parser for Squid Proxy
Version: '0.2'
LastUpdated: Jan 13, 2022
Version: '0.3'
LastUpdated: Jun 15, 2022
Product:
Name: Squid Proxy
Normalization:
@ -28,13 +28,15 @@ ParserQuery: |
let parser=(disabled:bool=false){
SquidProxy_CL | where not(disabled)
| extend AccessRawLog = extract_all(@"^(\d+\.\d+)\s+(\d+)\s(\S+)\s([A-Z_]+)\/(\d+)\s(\d+)\s([A-Z]+)\s(\S+)\s(\S+)\s([A-Z_]+)\/(\S+)\s(\S+)",dynamic([1,2,3,4,5,6,7,8,9,10,11,12]),RawData)[0]
| project-rename
Dvc = Computer
| extend
EventEndTime = unixtime_milliseconds_todatetime(todouble(tostring(AccessRawLog[0]))*1000),
NetworkDuration = toint(AccessRawLog[1]),
SrcIpAddr = tostring(AccessRawLog[2]),
EventOriginalResultDetails = strcat (tostring(AccessRawLog[3]), ";", PeerStatus = tostring(AccessRawLog[9])),
EventResultDetails = tostring(AccessRawLog[4]),
DstBytes = toint(AccessRawLog[5]),
DstBytes = tolong(AccessRawLog[5]),
HttpRequestMethod = tostring(AccessRawLog[6]),
// -- Squid URL might be shortened by including ellipsis (...) instead of a section in the middle. This may impact the hostname part as well.
Url = tostring(AccessRawLog[7]),
@ -51,7 +53,7 @@ ParserQuery: |
EventType = 'HTTPsession'
// -- Value normalization
| extend
UsernameType = "Unknown",
SrcUsernameType = "Unknown",
SrcUsername = iff (SrcUsername == "-", "", SrcUsername),
HttpContentType = iff (HttpContentType in (":", "-"), "", HttpContentType),
EventResult = iff (EventOriginalResultDetails has_any ('DENIED', 'INVALID', 'FAIL', 'ABORTED','TIMEOUT') or toint(EventResultDetails) >= 400, "Failure", "Success"),

9
Parsers/ASimWebSession/Parsers/ASimWebSessionzScalerZIA.yaml
Просмотреть файл

@ -1,7 +1,7 @@
Parser:
Title: Web Session ASIM parser for Zscaler ZIA
Version: '0.2'
LastUpdated: Jan 13, 2022
Version: '0.3'
LastUpdated: Jun 15, 2022
Product:
Name: Zscaler ZIA
Normalization:
@ -83,8 +83,8 @@ ParserQuery: |
toint(column_ifexists("DeviceCustomNumber1",int(null)))
),
DvcHostname = tostring(Computer),
SrcBytes = toint(SentBytes),
DstBytes = toint(ReceivedBytes),
SrcBytes = tolong(SentBytes),
DstBytes = tolong(ReceivedBytes),
Url = iff (RequestURL == "", "", strcat (tolower(NetworkApplicationProtocol), "://", url_decode(RequestURL))),
UrlCategory = strcat (urlclass, "/", UrlCategory),
ThreatCategory = iff(DeviceCustomString4 == "None", "", strcat (DeviceCustomString3, "/", DeviceCustomString4)),
@ -108,6 +108,7 @@ ParserQuery: |
// -- Aliases
| extend
Dvc = DvcHostname,
Hostname = DstHostname,
UserAgent = HttpUserAgent,
User = SrcUsername,
HttpStatusCode = EventResultDetails,

16
Parsers/ASimWebSession/Parsers/vimWebSessionEmpty.yaml
Просмотреть файл

@ -1,7 +1,7 @@
Parser:
Title: Web Session ASIM schema function
Version: '0.2'
LastUpdated: Jan 13, 2022
Version: '0.3'
LastUpdated: Jun 15, 2022
Product:
Name: Microsoft
Normalization:
@ -121,12 +121,12 @@ ParserQuery: |
, Duration:int // Alias
, NetworkIcmpCode:int // Optional
, NetworkIcmpType:string // Optional
, DstBytes:int // Optional
, SrcBytes:int // Optional
, NetworkBytes:int // Optional
, DstPackets:int // Optional
, SrcPackets:int // Optional
, NetworkPackets:int // Optional
, DstBytes:long // Optional
, SrcBytes:long // Optional
, NetworkBytes:long // Optional
, DstPackets:long // Optional
, SrcPackets:long // Optional
, NetworkPackets:long // Optional
, NetworkSessionId:string // Optional
, SessionId:string // Alias
, NetworkConnectionHistory:string // Optional

10
Parsers/ASimWebSession/Parsers/vimWebSessionSquidProxy.yaml
Просмотреть файл

@ -1,7 +1,7 @@
Parser:
Title: Web Session ASIM filtering parser for Squid Proxy
Version: '0.5'
LastUpdated: Jan 13, 2022
Version: '0.6'
LastUpdated: Jun 15, 2022
Product:
Name: Squid Proxy
Normalization:
@ -79,11 +79,13 @@ ParserQuery: |
| extend EventResult = iff (EventOriginalResultDetails has_any ('DENIED', 'INVALID', 'FAIL', 'ABORTED','TIMEOUT') or toint(EventResultDetails) >= 400, "Failure", "Success")
| where eventresult == "*" or eventresult == EventResult
// -- Map
| project-rename
Dvc = Computer
| extend
EventEndTime = unixtime_milliseconds_todatetime(todouble(tostring(AccessRawLog[0]))*1000),
NetworkDuration = toint(AccessRawLog[1]),
SrcIpAddr = tostring(AccessRawLog[2]),
DstBytes = toint(AccessRawLog[5]),
DstBytes = tolong(AccessRawLog[5]),
HttpRequestMethod = tostring(AccessRawLog[6]),
// -- Squid URL might be shortened by including ellipsis (...) instead of a section in the middle. This may impact the hostname part as well.
Url = tostring(AccessRawLog[7]),
@ -114,7 +116,7 @@ ParserQuery: |
EventType = 'HTTPsession'
// -- Value normalization
| extend
UsernameType = "Unknown",
SrcUsernameType = "Unknown",
SrcUsername = iff (SrcUsername == "-", "", SrcUsername),
HttpContentType = iff (HttpContentType in (":", "-"), "", HttpContentType),
DstIpAddrIsHost = DstIpAddr matches regex @"^[^\:]*[a-zA-Z]$"

10
Parsers/ASimWebSession/Parsers/vimWebSessionzScalerZIA.yaml
Просмотреть файл

@ -1,7 +1,7 @@
Parser:
Title: Web Session ASIM filtering parser for Zscaler ZIA
Version: '0.4'
LastUpdated: Jan 13, 2022
Version: '0.5'
LastUpdated: Jun 15, 2022
Product:
Name: Zscaler ZIA Proxy
Normalization:
@ -160,8 +160,8 @@ ParserQuery: |
DstAppName = iff (DstAppName == "General Browsing", "", DstAppName),
DstFQDNparts = split (DstFQDN, "."),
DstHostnameNotAddr = DstIpAddr != DstFQDN,
DstBytes = toint(ReceivedBytes),
SrcBytes = toint(SentBytes),
DstBytes = tolong(ReceivedBytes),
SrcBytes = tolong(SentBytes),
DvcHostname = tostring(Computer)
| extend
DstHostname = iff (DstHostnameNotAddr, tostring(DstFQDNparts[0]), DstFQDN),
@ -176,6 +176,7 @@ ParserQuery: |
// -- Aliases
| extend
Dvc = DvcHostname,
Hostname = DstHostname,
UserAgent = HttpUserAgent,
User = SrcUsername,
HttpStatusCode = EventResultDetails,
@ -183,7 +184,6 @@ ParserQuery: |
Src = SrcNatIpAddr,
Dst = DstFQDN,
Hash = FileMD5,
Hostname = DstHostname,
FileHashType = iff(FileMD5 == "", "", "MD5")
| project-away
DstFQDNparts, AdditionalExtensions, DeviceCustom*