diff --git a/Parsers/ASimDns/ARM/ASimDnsNative/ASimDnsNative.json b/Parsers/ASimDns/ARM/ASimDnsNative/ASimDnsNative.json index 4de23e52e6..be99bac7cf 100644 --- a/Parsers/ASimDns/ARM/ASimDnsNative/ASimDnsNative.json +++ b/Parsers/ASimDns/ARM/ASimDnsNative/ASimDnsNative.json @@ -35,7 +35,7 @@ "displayName": "DNS activity ASIM parser for Microsoft Sentinel native DNS table", "category": "ASIM", "FunctionAlias": "ASimDnsNative", - "query": "let parser=(disabled:bool=false) \n{\n ASimDnsActivityLogs | where not(disabled)\n | extend\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventSchema = \"Dns\",\n EventSchemaVersion=\"0.1.3\"\n // -- Aliases\n | extend\n Dvc = DvcHostname,\n DnsResponseCodeName=EventResultDetails,\n Domain=DnsQuery,\n IpAddr=SrcIpAddr,\n Src=SrcIpAddr,\n DvcHostname = SrcIpAddr\n};\nparser (disabled)", + "query": "let parser=(disabled:bool=false) \n{\n ASimDnsActivityLogs | where not(disabled)\n | extend\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventSchema = \"Dns\",\n EventSchemaVersion=\"0.1.3\"\n // -- Aliases\n | extend\n Dvc = DvcHostname,\n DnsResponseCodeName=EventResultDetails,\n Domain=DnsQuery,\n IpAddr=SrcIpAddr,\n Src=SrcIpAddr,\n DvcHostname = SrcIpAddr,\n Duration = DnsNetworkDuration,\n Process = SrcProcessName,\n SessionId = DnsSessionId,\n User = SrcUsername,\n Hostname = SrcHostname\n};\nparser (disabled)", "version": 1, "functionParameters": "disabled:bool=False" } diff --git a/Parsers/ASimDns/ARM/FullDeploymentDns.json b/Parsers/ASimDns/ARM/FullDeploymentDns.json index be744e947d..5bb944b133 100644 --- a/Parsers/ASimDns/ARM/FullDeploymentDns.json +++ b/Parsers/ASimDns/ARM/FullDeploymentDns.json 
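Review bot: The new alias block keeps `DvcHostname = SrcIpAddr` next to the added `Hostname = SrcHostname`, so the device hostname column ends up holding an IP address, while `Dvc = DvcHostname` in the same `extend` presumably still sees the original column value; the filtering parser `vimDnsNative` changed in this same commit never assigns `DvcHostname`, so the two parsers over the same table now disagree on that field. If the overwrite is intentional it deserves a comment in the query such as `// -- DvcHostname deliberately set to SrcIpAddr: <reason>`; otherwise dropping that line here and in the matching `ASimDnsNative.yaml` hunk would align the two parsers. The columns `SrcProcessName`, `SrcUsername` and `SrcHostname` referenced by the new aliases are assumed to exist on `ASimDnsActivityLogs`; that cannot be confirmed from this diff.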
@@ -18,6 +18,26 @@
 },
 "variables": {},
 "resources": [
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "linkedvimDnsGcp",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/vimDnsGcp/vimDnsGcp.json",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "Workspace": {
+ "value": "[parameters('Workspace')]"
+ },
+ "WorkspaceRegion": {
+ "value": "[parameters('WorkspaceRegion')]"
+ }
+ }
+ }
+ },
 {
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2020-10-01",
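Review bot: Each linked deployment re-added here (and in the later FullDeploymentDns hunks in this commit) resolves `templateLink.uri` against the mutable `master` branch of the repository while `contentVersion` stays fixed at `1.0.0.0`, so what a full deployment actually installs depends on the state of that URL at deploy time rather than on the reviewed commit. Pinning the raw URL to a tag or commit SHA would make the deployment reproducible and reviewable; if tracking `master` is deliberate for this reference repository, a line in the deployment README saying so would save the next reader the question. The reordering itself appears to preserve every entry removed further down, as far as the names visible in the diff show.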
@@ -38,6 +58,66 @@
 }
 }
 },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "linkedvimDnsMicrosoftNXlog",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/vimDnsMicrosoftNXlog/vimDnsMicrosoftNXlog.json",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "Workspace": {
+ "value": "[parameters('Workspace')]"
+ },
+ "WorkspaceRegion": {
+ "value": "[parameters('WorkspaceRegion')]"
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "linkedASimDnsVectraAI",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/ASimDnsVectraAI/ASimDnsVectraAI.json",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "Workspace": {
+ "value": "[parameters('Workspace')]"
+ },
+ "WorkspaceRegion": {
+ "value": "[parameters('WorkspaceRegion')]"
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "linkedvimDnsInfobloxNIOS",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/vimDnsInfobloxNIOS/vimDnsInfobloxNIOS.json",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "Workspace": {
+ "value": "[parameters('Workspace')]"
+ },
+ "WorkspaceRegion": {
+ "value": "[parameters('WorkspaceRegion')]"
+ }
+ }
+ }
+ },
 {
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2020-10-01",
@@ -58,6 +138,146 @@ } } }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedvimDnsCorelightZeek", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/vimDnsCorelightZeek/vimDnsCorelightZeek.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedvimDnsZscalerZIA", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/vimDnsZscalerZIA/vimDnsZscalerZIA.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedvimDnsMicrosoftSysmon", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/vimDnsMicrosoftSysmon/vimDnsMicrosoftSysmon.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedvimDnsMicrosoftOMS", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/vimDnsMicrosoftOMS/vimDnsMicrosoftOMS.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": 
"[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedvimDnsAzureFirewall", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/vimDnsAzureFirewall/vimDnsAzureFirewall.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedvimDnsVectraAI", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/vimDnsVectraAI/vimDnsVectraAI.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedvimDnsEmpty", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/vimDnsEmpty/vimDnsEmpty.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", 
@@ -81,11 +301,31 @@ { "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", - "name": "linkedASimDnsCorelightZeek", + "name": "linkedASimDnsNative", "properties": { "mode": "Incremental", "templateLink": { - "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/ASimDnsCorelightZeek/ASimDnsCorelightZeek.json", + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/ASimDnsNative/ASimDnsNative.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedvimDnsNative", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/vimDnsNative/vimDnsNative.json", "contentVersion": "1.0.0.0" }, "parameters": { @@ -121,11 +361,11 @@ { "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", - "name": "linkedASimDnsInfobloxNIOS", + "name": "linkedASimDnsCorelightZeek", "properties": { "mode": "Incremental", "templateLink": { - "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/ASimDnsInfobloxNIOS/ASimDnsInfobloxNIOS.json", + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/ASimDnsCorelightZeek/ASimDnsCorelightZeek.json", "contentVersion": "1.0.0.0" }, "parameters": { 
@@ -181,51 +421,11 @@
 {
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2020-10-01",
- "name": "linkedASimDnsMicrosoftSysmon",
+ "name": "linkedvimDnsCiscoUmbrella",
 "properties": {
 "mode": "Incremental",
 "templateLink": {
- "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/ASimDnsMicrosoftSysmon/ASimDnsMicrosoftSysmon.json",
- "contentVersion": "1.0.0.0"
- },
- "parameters": {
- "Workspace": {
- "value": "[parameters('Workspace')]"
- },
- "WorkspaceRegion": {
- "value": "[parameters('WorkspaceRegion')]"
- }
- }
- }
- },
- {
- "type": "Microsoft.Resources/deployments",
- "apiVersion": "2020-10-01",
- "name": "linkedASimDnsNative",
- "properties": {
- "mode": "Incremental",
- "templateLink": {
- "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/ASimDnsNative/ASimDnsNative.json",
- "contentVersion": "1.0.0.0"
- },
- "parameters": {
- "Workspace": {
- "value": "[parameters('Workspace')]"
- },
- "WorkspaceRegion": {
- "value": "[parameters('WorkspaceRegion')]"
- }
- }
- }
- },
- {
- "type": "Microsoft.Resources/deployments",
- "apiVersion": "2020-10-01",
- "name": "linkedASimDnsVectraAI",
- "properties": {
- "mode": "Incremental",
- "templateLink": {
- "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/ASimDnsVectraAI/ASimDnsVectraAI.json",
+ "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/vimDnsCiscoUmbrella/vimDnsCiscoUmbrella.json",
 "contentVersion": "1.0.0.0"
 },
 "parameters": {
@@ -258,6 +458,46 @@
 }
 }
 },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "linkedASimDnsInfobloxNIOS",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/ASimDnsInfobloxNIOS/ASimDnsInfobloxNIOS.json",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "Workspace": {
+ "value": "[parameters('Workspace')]"
+ },
+ "WorkspaceRegion": {
+ "value": "[parameters('WorkspaceRegion')]"
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "linkedASimDnsMicrosoftSysmon",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/ASimDnsMicrosoftSysmon/ASimDnsMicrosoftSysmon.json",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "Workspace": {
+ "value": "[parameters('Workspace')]"
+ },
+ "WorkspaceRegion": {
+ "value": "[parameters('WorkspaceRegion')]"
+ }
+ }
+ }
+ },
 {
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2020-10-01",
@@ -277,246 +517,6 @@ } } } - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "linkedvimDnsAzureFirewall", - "properties": { - "mode": "Incremental", - "templateLink": { - "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/vimDnsAzureFirewall/vimDnsAzureFirewall.json", - "contentVersion": "1.0.0.0" - }, - "parameters": { - "Workspace": { - "value": "[parameters('Workspace')]" - }, - "WorkspaceRegion": { - "value": "[parameters('WorkspaceRegion')]" - } - } - } - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "linkedvimDnsCiscoUmbrella", - "properties": { - "mode": "Incremental", - "templateLink": { - "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/vimDnsCiscoUmbrella/vimDnsCiscoUmbrella.json", - "contentVersion": "1.0.0.0" - }, - "parameters": { - "Workspace": { - "value": "[parameters('Workspace')]" - }, - "WorkspaceRegion": { - "value": "[parameters('WorkspaceRegion')]" - } - } - } - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "linkedvimDnsCorelightZeek", - "properties": { - "mode": "Incremental", - "templateLink": { - "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/vimDnsCorelightZeek/vimDnsCorelightZeek.json", - "contentVersion": "1.0.0.0" - }, - "parameters": { - "Workspace": { - "value": "[parameters('Workspace')]" - }, - "WorkspaceRegion": { - "value": "[parameters('WorkspaceRegion')]" - } - } - } - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "linkedvimDnsEmpty", - "properties": { - "mode": "Incremental", - "templateLink": { - "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/vimDnsEmpty/vimDnsEmpty.json", - "contentVersion": "1.0.0.0" - }, - "parameters": { - "Workspace": { - "value": "[parameters('Workspace')]" - }, 
- "WorkspaceRegion": { - "value": "[parameters('WorkspaceRegion')]" - } - } - } - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "linkedvimDnsGcp", - "properties": { - "mode": "Incremental", - "templateLink": { - "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/vimDnsGcp/vimDnsGcp.json", - "contentVersion": "1.0.0.0" - }, - "parameters": { - "Workspace": { - "value": "[parameters('Workspace')]" - }, - "WorkspaceRegion": { - "value": "[parameters('WorkspaceRegion')]" - } - } - } - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "linkedvimDnsInfobloxNIOS", - "properties": { - "mode": "Incremental", - "templateLink": { - "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/vimDnsInfobloxNIOS/vimDnsInfobloxNIOS.json", - "contentVersion": "1.0.0.0" - }, - "parameters": { - "Workspace": { - "value": "[parameters('Workspace')]" - }, - "WorkspaceRegion": { - "value": "[parameters('WorkspaceRegion')]" - } - } - } - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "linkedvimDnsMicrosoftNXlog", - "properties": { - "mode": "Incremental", - "templateLink": { - "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/vimDnsMicrosoftNXlog/vimDnsMicrosoftNXlog.json", - "contentVersion": "1.0.0.0" - }, - "parameters": { - "Workspace": { - "value": "[parameters('Workspace')]" - }, - "WorkspaceRegion": { - "value": "[parameters('WorkspaceRegion')]" - } - } - } - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "linkedvimDnsMicrosoftOMS", - "properties": { - "mode": "Incremental", - "templateLink": { - "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/vimDnsMicrosoftOMS/vimDnsMicrosoftOMS.json", - "contentVersion": "1.0.0.0" - }, - "parameters": { - "Workspace": { 
- "value": "[parameters('Workspace')]" - }, - "WorkspaceRegion": { - "value": "[parameters('WorkspaceRegion')]" - } - } - } - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "linkedvimDnsMicrosoftSysmon", - "properties": { - "mode": "Incremental", - "templateLink": { - "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/vimDnsMicrosoftSysmon/vimDnsMicrosoftSysmon.json", - "contentVersion": "1.0.0.0" - }, - "parameters": { - "Workspace": { - "value": "[parameters('Workspace')]" - }, - "WorkspaceRegion": { - "value": "[parameters('WorkspaceRegion')]" - } - } - } - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "linkedvimDnsNative", - "properties": { - "mode": "Incremental", - "templateLink": { - "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/vimDnsNative/vimDnsNative.json", - "contentVersion": "1.0.0.0" - }, - "parameters": { - "Workspace": { - "value": "[parameters('Workspace')]" - }, - "WorkspaceRegion": { - "value": "[parameters('WorkspaceRegion')]" - } - } - } - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "linkedvimDnsVectraAI", - "properties": { - "mode": "Incremental", - "templateLink": { - "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/vimDnsVectraAI/vimDnsVectraAI.json", - "contentVersion": "1.0.0.0" - }, - "parameters": { - "Workspace": { - "value": "[parameters('Workspace')]" - }, - "WorkspaceRegion": { - "value": "[parameters('WorkspaceRegion')]" - } - } - } - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "linkedvimDnsZscalerZIA", - "properties": { - "mode": "Incremental", - "templateLink": { - "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/vimDnsZscalerZIA/vimDnsZscalerZIA.json", - "contentVersion": "1.0.0.0" - 
}, - "parameters": { - "Workspace": { - "value": "[parameters('Workspace')]" - }, - "WorkspaceRegion": { - "value": "[parameters('WorkspaceRegion')]" - } - } - } } ], "outputs": {} diff --git a/Parsers/ASimDns/ARM/vimDnsNative/vimDnsNative.json b/Parsers/ASimDns/ARM/vimDnsNative/vimDnsNative.json index 16743c174a..b275e9f373 100644 --- a/Parsers/ASimDns/ARM/vimDnsNative/vimDnsNative.json +++ b/Parsers/ASimDns/ARM/vimDnsNative/vimDnsNative.json 
@@ -35,7 +35,7 @@ "displayName": "DNS activity ASIM filtering parser for Microsoft Sentinel native DNS table", "category": "ASIM", "FunctionAlias": "vimDnsNative", - "query": "let parser=\n (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr:string='*',\n domain_has_any:dynamic=dynamic([]),\n responsecodename:string='*', \n response_has_ipv4:string='*',\n response_has_any_prefix:dynamic=dynamic([]),\n eventtype:string='Query',\n disabled:bool=false\n )\n {\n ASimDnsActivityLogs | where not(disabled)\n // -- Pre-parsing filtering:\n | where\n (response_has_ipv4=='*') and (response_has_any_prefix=='*') // -- Check that unsupported filters are set to default\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (srcipaddr=='*' or SrcIpAddr==srcipaddr)\n and (array_length(domain_has_any) ==0 or DnsQuery has_any (domain_has_any))\n and (responsecodename=='*' or EventResultDetails == responsecodename)\n //and (response_has_ipv4=='*' or has_ipv4(IPAddresses,response_has_ipv4) )\n //and (array_length(response_has_any_prefix) ==0 or has_any_ipv4_prefix(IPAddresses, response_has_any_prefix) )\n and (eventtype == \"*\" or eventtype == EventType or (eventtype == \"lookup\" and EventType == \"Query\")) // -- Support \"lookup\" as value for backward compatibility\n // --\n | extend\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventSchema = \"Dns\",\n EventSchemaVersion=\"0.1.3\"\n // -- Aliases\n | extend\n Dvc = DvcHostname,\n DnsResponseCodeName=EventResultDetails,\n Domain=DnsQuery,\n IpAddr=SrcIpAddr,\n Src=SrcIpAddr,\n Duration=DnsNetworkDuration,\n SessionId=DnsSessionId\n };\n parser (starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, disabled)\n", + "query": "let parser=\n (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr:string='*',\n 
domain_has_any:dynamic=dynamic([]),\n responsecodename:string='*', \n response_has_ipv4:string='*',\n response_has_any_prefix:dynamic=dynamic([]),\n eventtype:string='Query',\n disabled:bool=false\n )\n {\n ASimDnsActivityLogs | where not(disabled)\n // -- Pre-parsing filtering:\n | where\n (response_has_ipv4=='*') and (response_has_any_prefix=='*') // -- Check that unsupported filters are set to default\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (srcipaddr=='*' or SrcIpAddr==srcipaddr)\n and (array_length(domain_has_any) ==0 or DnsQuery has_any (domain_has_any))\n and (responsecodename=='*' or EventResultDetails == responsecodename)\n //and (response_has_ipv4=='*' or has_ipv4(IPAddresses,response_has_ipv4) )\n //and (array_length(response_has_any_prefix) ==0 or has_any_ipv4_prefix(IPAddresses, response_has_any_prefix) )\n and (eventtype == \"*\" or eventtype == EventType or (eventtype == \"lookup\" and EventType == \"Query\")) // -- Support \"lookup\" as value for backward compatibility\n // --\n | extend\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventSchema = \"Dns\",\n EventSchemaVersion=\"0.1.3\"\n // -- Aliases here\n | extend\n Dvc = DvcHostname,\n DnsResponseCodeName=EventResultDetails,\n Domain=DnsQuery,\n IpAddr=SrcIpAddr,\n Src=SrcIpAddr,\n SessionId=DnsSessionId,\n Duration = DnsNetworkDuration,\n Process = SrcProcessName,\n User = SrcUsername,\n Hostname = SrcHostname\n };\n parser (starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, disabled)\n", "version": 1, "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr:string='*',domain_has_any:dynamic=dynamic([]),responsecodename:string='*',response_has_ipv4:string='*',response_has_any_prefix:dynamic=dynamic([]),eventtype:string='Query',disabled:bool=False" } 
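Review bot: The pre-parsing filter on the new side still compares the `dynamic` parameter `response_has_any_prefix` (default `dynamic([])`) with the string `'*'`; unless KQL evaluates that comparison as true for an empty array, the default invocation of `vimDnsNative` returns no rows at all, and the commented-out `has_any_ipv4_prefix` branch suggests the parameter is meant to be merely unsupported rather than a hard reject. A guard consistent with how the other list parameters are checked would be `(response_has_ipv4=='*') and (array_length(response_has_any_prefix) == 0)`. Separately, the comment change to `// -- Aliases here` (also in the `vimDnsNative.yaml` hunk) reads like a leftover editing marker; the original `// -- Aliases` matches the other parsers in this commit.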
diff --git a/Parsers/ASimDns/Parsers/ASimDnsNative.yaml b/Parsers/ASimDns/Parsers/ASimDnsNative.yaml
index 38e4cca753..f112f2c66b 100644
--- a/Parsers/ASimDns/Parsers/ASimDnsNative.yaml
+++ b/Parsers/ASimDns/Parsers/ASimDnsNative.yaml
@@ -1,7 +1,7 @@
 Parser:
 Title: DNS activity ASIM parser for Microsoft Sentinel native DNS table
- Version: '0.2'
- LastUpdated: Jan 3 2022
+ Version: '0.3'
+ LastUpdated: Jun 15 2022
 Product:
 Name: Native
 Normalization:
@@ -36,6 +36,11 @@ ParserQuery: |
 Domain=DnsQuery,
 IpAddr=SrcIpAddr,
 Src=SrcIpAddr,
- DvcHostname = SrcIpAddr
+ DvcHostname = SrcIpAddr,
+ Duration = DnsNetworkDuration,
+ Process = SrcProcessName,
+ SessionId = DnsSessionId,
+ User = SrcUsername,
+ Hostname = SrcHostname
 };
 parser (disabled)
\ No newline at end of file
diff --git a/Parsers/ASimDns/Parsers/vimDnsNative.yaml b/Parsers/ASimDns/Parsers/vimDnsNative.yaml
index 6090171550..a328f41a5c 100644
--- a/Parsers/ASimDns/Parsers/vimDnsNative.yaml
+++ b/Parsers/ASimDns/Parsers/vimDnsNative.yaml
@@ -1,7 +1,7 @@
 Parser:
 Title: DNS activity ASIM filtering parser for Microsoft Sentinel native DNS table
- Version: '0.2'
- LastUpdated: Jan 3 2022
+ Version: '0.3'
+ LastUpdated: Jun 15 2022
 Product:
 Name: Native
 Normalization:
@@ -77,14 +77,17 @@ ParserQuery: |
 EventEndTime = TimeGenerated,
 EventSchema = "Dns",
 EventSchemaVersion="0.1.3"
- // -- Aliases
+ // -- Aliases here
 | extend
 Dvc = DvcHostname,
 DnsResponseCodeName=EventResultDetails,
 Domain=DnsQuery,
 IpAddr=SrcIpAddr,
 Src=SrcIpAddr,
- Duration=DnsNetworkDuration,
- SessionId=DnsSessionId
+ SessionId=DnsSessionId,
+ Duration = DnsNetworkDuration,
+ Process = SrcProcessName,
+ User = SrcUsername,
+ Hostname = SrcHostname
 };
 parser (starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, disabled)
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAWSVPC/ASimNetworkSessionAWSVPC.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAWSVPC/ASimNetworkSessionAWSVPC.json index b6059ca477..bbdb9d0704 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAWSVPC/ASimNetworkSessionAWSVPC.json +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAWSVPC/ASimNetworkSessionAWSVPC.json 
@@ -35,7 +35,7 @@ "displayName": "Network Session ASIM parser for AWS VPC logs", "category": "ASIM", "FunctionAlias": "ASimNetworkSessionAWSVPC", - "query": "let ProtocolLookup = datatable(Protocol:int, NetworkProtocol:string) [\n 0,\"HOPOPT\",\n 1,\"ICMP\",\n 2,\"IGMP\",\n 3,\"GGP\",\n 4,\"IPv4\",\n 5,\"ST\",\n 6,\"TCP\",\n 7,\"CBT\",\n 8,\"EGP\",\n 9,\"IGP\",\n 10,\"BBN-RCC-MON\",\n 11,\"NVP-II\",\n 12,\"PUP\",\n 13,\"ARGUS (deprecated)\",\n 14,\"EMCON\",\n 15,\"XNET\",\n 16,\"CHAOS\",\n 17,\"UDP\",\n 18,\"MUX\",\n 19,\"DCN-MEAS\",\n 20,\"HMP\",\n 21,\"PRM\",\n 22,\"XNS-IDP\",\n 23,\"TRUNK-1\",\n 24,\"TRUNK-2\",\n 25,\"LEAF-1\",\n 26,\"LEAF-2\",\n 27,\"RDP\",\n 28,\"IRTP\",\n 29,\"ISO-TP4\",\n 30,\"NETBLT\",\n 31,\"MFE-NSP\",\n 32,\"MERIT-INP\",\n 33,\"DCCP\",\n 34,\"3PC\",\n 35,\"IDPR\",\n 36,\"XTP\",\n 37,\"DDP\",\n 38,\"IDPR-CMTP\",\n 39,\"TP++\",\n 40,\"IL\",\n 41,\"IPv6\",\n 42,\"SDRP\",\n 43,\"IPv6-Route\",\n 44,\"IPv6-Frag\",\n 45,\"IDRP\",\n 46,\"RSVP\",\n 47,\"GRE\",\n 48,\"DSR\",\n 49,\"BNA\",\n 50,\"ESP\",\n 51,\"AH\",\n 52,\"I-NLSP\",\n 53,\"SWIPE (deprecated)\",\n 54,\"NARP\",\n 55,\"MOBILE\",\n 56,\"TLSP\",\n 57,\"SKIP\",\n 58,\"IPv6-ICMP\",\n 59,\"IPv6-NoNxt\",\n 60,\"IPv6-Opts\",\n 61,\"\",\n 62,\"CFTP\",\n 63,\"\",\n 64,\"SAT-EXPAK\",\n 65,\"KRYPTOLAN\",\n 66,\"RVD\",\n 67,\"IPPC\",\n 68,\"\",\n 69,\"SAT-MON\",\n 70,\"VISA\",\n 71,\"IPCV\",\n 72,\"CPNX\",\n 73,\"CPHB\",\n 74,\"WSN\",\n 75,\"PVP\",\n 76,\"BR-SAT-MON\",\n 77,\"SUN-ND\",\n 78,\"WB-MON\",\n 79,\"WB-EXPAK\",\n 80,\"ISO-IP\",\n 81,\"VMTP\",\n 82,\"SECURE-VMTP\",\n 83,\"VINES\",\n 84,\"TTP\",\n 84,\"IPTM\",\n 85,\"NSFNET-IGP\",\n 86,\"DGP\",\n 87,\"TCF\",\n 88,\"EIGRP\",\n 89,\"OSPFIGP\",\n 90,\"Sprite-RPC\",\n 91,\"LARP\",\n 92,\"MTP\",\n 93,\"AX.25\",\n 94,\"IPIP\",\n 95,\"MICP (deprecated)\",\n 96,\"SCC-SP\",\n 97,\"ETHERIP\",\n 98,\"ENCAP\",\n 99,\"\",\n 100,\"GMTP\",\n 101,\"IFMP\",\n 102,\"PNNI\",\n 103,\"PIM\",\n 104,\"ARIS\",\n 105,\"SCPS\",\n 106,\"QNX\",\n 107,\"A/N\",\n 
108,\"IPComp\",\n 109,\"SNP\",\n 110,\"Compaq-Peer\",\n 111,\"IPX-in-IP\",\n 112,\"VRRP\",\n 113,\"PGM\",\n 114,\"\",\n 115,\"L2TP\",\n 116,\"DDX\",\n 117,\"IATP\",\n 118,\"STP\",\n 119,\"SRP\",\n 120,\"UTI\",\n 121,\"SMP\",\n 122,\"SM (deprecated)\",\n 123,\"PTP\",\n 124,\"ISIS over IPv4\",\n 125,\"FIRE\",\n 126,\"CRTP\",\n 127,\"CRUDP\",\n 128,\"SSCOPMCE\",\n 129,\"IPLT\",\n 130,\"SPS\",\n 131,\"PIPE\",\n 132,\"SCTP\",\n 133,\"FC\",\n 134,\"RSVP-E2E-IGNORE\",\n 135,\"Mobility Header\",\n 136,\"UDPLite\",\n 137,\"MPLS-in-IP\",\n 138,\"manet\",\n 139,\"HIP\",\n 140,\"Shim6\",\n 141,\"WESP\",\n 142,\"ROHC\",\n 143,\"Ethernet\",\n 253,\"\",\n 254,\"\",\n 255,\"Reserved\"\n];\nlet DirectionLookup = datatable (FlowDirection:string, NetworkDirection:string) [\n 'ingress', 'Inbound',\n 'egress', 'Outbound'\n];\nlet ActionLookup = datatable (Action:string, DvcAction:string) [\n 'ACCEPT', 'Allow',\n 'REJECT', 'Deny'\n];\nlet parser = (disabled:bool=false){\nAWSVPCFlow | where not(disabled)\n| where LogStatus != \"NODATA\"\n| extend\n EventVendor=\"AWS\", \n EventProduct=\"VPC\",\n NetworkBytes = tolong(Bytes),\n NetworkPackets = tolong(Packets),\n EventProductVersion = tostring(Version),\n EventType=\"NetworkSession\",\n EventCount=toint(1),\n EventResult = iff (Action==\"ACCEPT\",\"Success\",\"Failure\"),\n EventSeverity = iff (Action==\"ACCEPT\",\"Informational\",\"Low\"),\n EventSchemaVersion=\"0.2.2\",\n EventSchema=\"NetworkSession\",\n SrcAppType = iff (PktSrcAwsService != \"\", \"CloudService\", \"\"),\n DstAppType = iff (PktDstAwsService != \"\", \"CloudService\", \"\"),\n DvcIdType = \"AwsVpcId\"\n| lookup ProtocolLookup on Protocol\n| lookup ActionLookup on Action\n| lookup DirectionLookup on FlowDirection\n| project-rename\n DstIpAddr = DstAddr, \n DstPortNumber = DstPort, \n SrcNatIpAddr=PktSrcAddr, \n DstNatIpAddr=PktDstAddr, \n SrcPortNumber = SrcPort, \n SrcIpAddr = SrcAddr, \n EventEndTime = End, \n DvcInboundInterface = InterfaceId,\n DvcSubscriptionId = 
AccountId,\n DvcId = VpcId,\n NetworkProtocolVersion = TrafficType,\n EventOriginalResultDetails = LogStatus,\n SrcAppName = PktSrcAwsService,\n DstAppName = PktDstAwsService\n// -- Aliases\n| extend\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Dvc = DvcId,\n EventStartTime = TimeGenerated,\n DvcInterface = DvcInboundInterface\n};\nparser (disabled)", + "query": "let ProtocolLookup = datatable(Protocol:int, NetworkProtocol:string) [\n 0,\"HOPOPT\",\n 1,\"ICMP\",\n 2,\"IGMP\",\n 3,\"GGP\",\n 4,\"IPv4\",\n 5,\"ST\",\n 6,\"TCP\",\n 7,\"CBT\",\n 8,\"EGP\",\n 9,\"IGP\",\n 10,\"BBN-RCC-MON\",\n 11,\"NVP-II\",\n 12,\"PUP\",\n 13,\"ARGUS (deprecated)\",\n 14,\"EMCON\",\n 15,\"XNET\",\n 16,\"CHAOS\",\n 17,\"UDP\",\n 18,\"MUX\",\n 19,\"DCN-MEAS\",\n 20,\"HMP\",\n 21,\"PRM\",\n 22,\"XNS-IDP\",\n 23,\"TRUNK-1\",\n 24,\"TRUNK-2\",\n 25,\"LEAF-1\",\n 26,\"LEAF-2\",\n 27,\"RDP\",\n 28,\"IRTP\",\n 29,\"ISO-TP4\",\n 30,\"NETBLT\",\n 31,\"MFE-NSP\",\n 32,\"MERIT-INP\",\n 33,\"DCCP\",\n 34,\"3PC\",\n 35,\"IDPR\",\n 36,\"XTP\",\n 37,\"DDP\",\n 38,\"IDPR-CMTP\",\n 39,\"TP++\",\n 40,\"IL\",\n 41,\"IPv6\",\n 42,\"SDRP\",\n 43,\"IPv6-Route\",\n 44,\"IPv6-Frag\",\n 45,\"IDRP\",\n 46,\"RSVP\",\n 47,\"GRE\",\n 48,\"DSR\",\n 49,\"BNA\",\n 50,\"ESP\",\n 51,\"AH\",\n 52,\"I-NLSP\",\n 53,\"SWIPE (deprecated)\",\n 54,\"NARP\",\n 55,\"MOBILE\",\n 56,\"TLSP\",\n 57,\"SKIP\",\n 58,\"IPv6-ICMP\",\n 59,\"IPv6-NoNxt\",\n 60,\"IPv6-Opts\",\n 61,\"\",\n 62,\"CFTP\",\n 63,\"\",\n 64,\"SAT-EXPAK\",\n 65,\"KRYPTOLAN\",\n 66,\"RVD\",\n 67,\"IPPC\",\n 68,\"\",\n 69,\"SAT-MON\",\n 70,\"VISA\",\n 71,\"IPCV\",\n 72,\"CPNX\",\n 73,\"CPHB\",\n 74,\"WSN\",\n 75,\"PVP\",\n 76,\"BR-SAT-MON\",\n 77,\"SUN-ND\",\n 78,\"WB-MON\",\n 79,\"WB-EXPAK\",\n 80,\"ISO-IP\",\n 81,\"VMTP\",\n 82,\"SECURE-VMTP\",\n 83,\"VINES\",\n 84,\"TTP\",\n 84,\"IPTM\",\n 85,\"NSFNET-IGP\",\n 86,\"DGP\",\n 87,\"TCF\",\n 88,\"EIGRP\",\n 89,\"OSPFIGP\",\n 90,\"Sprite-RPC\",\n 91,\"LARP\",\n 92,\"MTP\",\n 93,\"AX.25\",\n 
94,\"IPIP\",\n 95,\"MICP (deprecated)\",\n 96,\"SCC-SP\",\n 97,\"ETHERIP\",\n 98,\"ENCAP\",\n 99,\"\",\n 100,\"GMTP\",\n 101,\"IFMP\",\n 102,\"PNNI\",\n 103,\"PIM\",\n 104,\"ARIS\",\n 105,\"SCPS\",\n 106,\"QNX\",\n 107,\"A/N\",\n 108,\"IPComp\",\n 109,\"SNP\",\n 110,\"Compaq-Peer\",\n 111,\"IPX-in-IP\",\n 112,\"VRRP\",\n 113,\"PGM\",\n 114,\"\",\n 115,\"L2TP\",\n 116,\"DDX\",\n 117,\"IATP\",\n 118,\"STP\",\n 119,\"SRP\",\n 120,\"UTI\",\n 121,\"SMP\",\n 122,\"SM (deprecated)\",\n 123,\"PTP\",\n 124,\"ISIS over IPv4\",\n 125,\"FIRE\",\n 126,\"CRTP\",\n 127,\"CRUDP\",\n 128,\"SSCOPMCE\",\n 129,\"IPLT\",\n 130,\"SPS\",\n 131,\"PIPE\",\n 132,\"SCTP\",\n 133,\"FC\",\n 134,\"RSVP-E2E-IGNORE\",\n 135,\"Mobility Header\",\n 136,\"UDPLite\",\n 137,\"MPLS-in-IP\",\n 138,\"manet\",\n 139,\"HIP\",\n 140,\"Shim6\",\n 141,\"WESP\",\n 142,\"ROHC\",\n 143,\"Ethernet\",\n 253,\"\",\n 254,\"\",\n 255,\"Reserved\"\n];\nlet DirectionLookup = datatable (FlowDirection:string, NetworkDirection:string) [\n 'ingress', 'Inbound',\n 'egress', 'Outbound'\n];\nlet ActionLookup = datatable (Action:string, DvcAction:string) [\n 'ACCEPT', 'Allow',\n 'REJECT', 'Deny'\n];\nlet parser = (disabled:bool=false){\nAWSVPCFlow | where not(disabled)\n| where LogStatus == \"OK\"\n| extend\n EventVendor=\"AWS\", \n EventProduct=\"VPC\",\n NetworkBytes = tolong(Bytes),\n NetworkPackets = tolong(Packets),\n EventProductVersion = tostring(Version),\n EventType=\"NetworkSession\",\n EventCount=toint(1),\n EventResult = iff (Action==\"ACCEPT\",\"Success\",\"Failure\"),\n EventSeverity = iff (Action==\"ACCEPT\",\"Informational\",\"Low\"),\n EventSchemaVersion=\"0.2.2\",\n EventSchema=\"NetworkSession\",\n SrcAppType = iff (PktSrcAwsService != \"\", \"CloudService\", \"\"),\n DstAppType = iff (PktDstAwsService != \"\", \"CloudService\", \"\"),\n DvcIdType = \"AwsVpcId\"\n| lookup ProtocolLookup on Protocol\n| lookup ActionLookup on Action\n| lookup DirectionLookup on FlowDirection\n| project-rename\n DstIpAddr = 
DstAddr, \n DstPortNumber = DstPort, \n SrcNatIpAddr=PktSrcAddr, \n DstNatIpAddr=PktDstAddr, \n SrcPortNumber = SrcPort, \n SrcIpAddr = SrcAddr, \n EventEndTime = End, \n DvcInboundInterface = InterfaceId,\n DvcSubscriptionId = AccountId,\n DvcId = VpcId,\n NetworkProtocolVersion = TrafficType,\n EventOriginalResultDetails = LogStatus,\n SrcAppName = PktSrcAwsService,\n DstAppName = PktDstAwsService\n// -- Aliases\n| extend\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Dvc = DvcId,\n EventStartTime = TimeGenerated,\n DvcInterface = DvcInboundInterface\n};\nparser (disabled)", "version": 1, "functionParameters": "disabled:bool=False" } diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoft365Defender/ASimNetworkSessionMicrosoft365Defender.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoft365Defender/ASimNetworkSessionMicrosoft365Defender.json index b95b71cbbc..f5b14cc6c3 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoft365Defender/ASimNetworkSessionMicrosoft365Defender.json +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoft365Defender/ASimNetworkSessionMicrosoft365Defender.json 
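Review bot: `ProtocolLookup` on the new side carries two rows for key `84` (`"TTP"` and `"IPTM"`), and `lookup ProtocolLookup on Protocol` behaves as a left-outer join, so every flow record with protocol 84 is presumably emitted twice after normalization; keeping a single row for 84 (IANA lists it as IPTM, with TTP as the former name) removes the duplication. The filter change from `LogStatus != "NODATA"` to `LogStatus == "OK"` additionally drops `SKIPDATA` records, which are the only indication in the source that the flow-log service skipped records; excluding them from the session view is defensible, but the intent should be recorded in the parser's YAML description so detection engineers know those records must be monitored by a separate query rather than expected here. The `EventStartTime = TimeGenerated` alias next to `EventEndTime = End` is unchanged by this commit but looks asymmetric; that cannot be judged from the diff alone.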
@@ -35,7 +35,7 @@ "displayName": "Network Session ASIM parser for M365 Defender for Endpoint", "category": "ASIM", "FunctionAlias": "ASimNetworkSessionMicrosoft365Defender", - "query": "let M365Defender=(disabled:bool=false){\n let DirectionLookup=datatable(ActionType:string,NetworkDirection:string,Outbound:boolean)[\n 'ConnectionSuccess','Outbound', true\n ,'ConnectionFailed', 'Outbound', true\n ,'ConnectionRequest','Outbound', true\n ,'InboundConnectionAccepted', 'Inbound', false\n ,'ConnectionFound', 'Unknown', false\n ,'ListeningConnectionCreated', 'Listen', false \n ];\n // -- Common preprocessing to both input and outbound events\n let RawNetworkEvents = (select_outbound:boolean) {\n DeviceNetworkEvents | where not(disabled) \n | lookup DirectionLookup on ActionType\n | where Outbound == select_outbound\n | extend\n // Event\n EventOriginalUid = tostring(ReportId),\n EventCount = int(1),\n EventProduct = 'M365 Defender for Endpoint',\n EventVendor = 'Microsoft',\n EventSchema = 'NetworkSession',\n EventSchemaVersion = '0.1.0',\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventType = 'NetworkSession',\n EventResult = iff(ActionType=='ConnectionFailed','Failure','Success'),\n EventSeverity = \"Informational\",\n DvcIdType = 'MDEid'\n | extend\n RemoteUrl = extract (@\"(?:https?://)?(.*)\", 1, RemoteUrl)\n | extend\n User = iff (InitiatingProcessAccountDomain == '', InitiatingProcessAccountName, strcat(InitiatingProcessAccountDomain, '\\\\', InitiatingProcessAccountName)),\n UsernameType = iff(InitiatingProcessAccountDomain == '','Simple', 'Windows'),\n SplitHostname = split(DeviceName,\".\"),\n SplitUrl = split(RemoteUrl,\".\"),\n NetworkProtocol = case (\n Protocol startswith \"Tcp\", \"TCP\",\n Protocol == \"Unknown\", \"\",\n toupper(Protocol)\n )\n | extend \n DvcHostname = tostring(SplitHostname[0]),\n DvcDomain = tostring(strcat_array(array_slice(SplitHostname, 1, -1), '.')),\n DvcFQDN = iif (DeviceName contains \".\", DeviceName, 
\"\"),\n UrlHostname = SplitUrl[0],\n UrlDomain = tostring(strcat_array(array_slice(SplitUrl, 1, -1), '.')),\n UrlFQDN = iif(RemoteUrl contains \".\", RemoteUrl, \"\")\n | extend\n DvcDomainType = iif(DvcFQDN != \"\", \"FQDN\", \"\"),\n UrlDomainType = iff(UrlFQDN != \"\", \"FQDN\", \"\"),\n DvcIpAddr = LocalIP\n | extend\n Dvc = DvcHostname \n | project-rename\n DvcId = DeviceId\n | project-away SplitUrl, SplitHostname\n };\n let OutboundNetworkEvents = \n RawNetworkEvents (true)\n | project-rename\n DstIpAddr = RemoteIP,\n SrcIpAddr = LocalIP,\n DstPortNumber = RemotePort,\n SrcPortNumber = LocalPort,\n SrcUsernameType = UsernameType,\n SrcUserAadId = InitiatingProcessAccountObjectId,\n SrcUserId = InitiatingProcessAccountSid,\n SrcUserUpn = InitiatingProcessAccountUpn,\n SrcUserDomain = InitiatingProcessAccountDomain\n | extend\n SrcUsername = User,\n SrcDvcId = DvcId,\n SrcDvcIdType = 'MDEid',\n SrcUserIdType = \"SID\",\n DstHostname = UrlHostname\n | project-rename\n DstDomain = UrlDomain,\n DstFQDN = UrlFQDN,\n DstDomainType = UrlDomainType\n | extend \n SrcHostname = DvcHostname,\n SrcDomain = DvcDomain,\n SrcFQDN = DvcDomain\n // Processes\n | extend\n SrcProcessId = tostring(InitiatingProcessId),\n ParentProcessId = tostring(InitiatingProcessParentId)\n | project-rename\n SrcProcessName = InitiatingProcessFileName,\n SrcProcessCommandLine = InitiatingProcessCommandLine,\n SrcProcessCreationTime = InitiatingProcessCreationTime,\n SrcProcessIntegrityLevel = InitiatingProcessIntegrityLevel,\n SrcProcessTokenElevation = InitiatingProcessTokenElevation,\n ParentProcessName = InitiatingProcessParentFileName,\n ParentProcessCreationTime = InitiatingProcessParentCreationTime\n // SrcProcessFileSize = InitiatingProcessFileSize,\n // SrcProcessCompany = InitiatingProcessVersionInfoCompanyName,\n // SrcProcessFileProduct = InitiatingProcessVersionInfoProductName,\n // SrcProcessFileVersion = InitiatingProcessVersionInfoProductVersion,\n // SrcProcessFileInternalName 
= InitiatingProcessVersionInfoInternalFileName,\n // SrcProcessFileOriginalName = InitiatingProcessVersionInfoOriginalFileName,\n // SrcProcessFileDescription = InitiatingProcessVersionInfoFileDescription\n | extend\n Process = SrcProcessName,\n ProcessId = SrcProcessId,\n SrcAppName = SrcProcessName,\n SrcAppType = \"Process\"\n ;\n let InboundNetworkEvents = \n RawNetworkEvents (false)\n | project-rename\n SrcIpAddr = RemoteIP,\n DstIpAddr = LocalIP,\n SrcPortNumber = RemotePort,\n DstPortNumber = LocalPort,\n DstUsernameType = UsernameType,\n DstUserAadId = InitiatingProcessAccountObjectId,\n DstUserId = InitiatingProcessAccountSid,\n DstUserUpn = InitiatingProcessAccountUpn,\n DstUserDomain = InitiatingProcessAccountDomain\n | extend\n DstUsername = User,\n DstDvcId = DvcId,\n DstDvcIdType = 'MDEid',\n DstUserIdType = 'SID',\n SrcHostname = UrlHostname\n | project-rename\n SrcDomain = UrlDomain,\n SrcFQDN = UrlFQDN,\n SrcDomainType = UrlDomainType,\n DstHostname = DvcHostname,\n DstDomain = DvcDomain,\n DstFQDN = DvcFQDN\n // Processes\n | extend\n DstProcessId = tostring(InitiatingProcessId),\n ParentProcessId = tostring(InitiatingProcessParentId)\n | project-rename\n DstProcessName = InitiatingProcessFileName,\n DstProcessCommandLine = InitiatingProcessCommandLine,\n DstProcessCreationTime = InitiatingProcessCreationTime,\n DstProcessIntegrityLevel = InitiatingProcessIntegrityLevel,\n DstProcessTokenElevation = InitiatingProcessTokenElevation,\n ParentProcessName = InitiatingProcessParentFileName,\n ParentProcessCreationTime = InitiatingProcessParentCreationTime\n // SrcProcessFileSize = InitiatingProcessFileSize,\n // SrcProcessCompany = InitiatingProcessVersionInfoCompanyName,\n // SrcProcessFileProduct = InitiatingProcessVersionInfoProductName,\n // SrcProcessFileVersion = InitiatingProcessVersionInfoProductVersion,\n // SrcProcessFileInternalName = InitiatingProcessVersionInfoInternalFileName,\n // SrcProcessFileOriginalName = 
InitiatingProcessVersionInfoOriginalFileName,\n // SrcProcessFileDescription = InitiatingProcessVersionInfoFileDescription\n | extend\n Process = DstProcessName,\n ProcessId = DstProcessId,\n DstAppName = DstProcessName,\n DstAppType = \"Process\"\n ;\n union InboundNetworkEvents, OutboundNetworkEvents\n | extend // aliases\n Hostname = UrlHostname,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr\n };\n M365Defender(disabled)\n", + "query": "let M365Defender=(disabled:bool=false){\n let DirectionLookup=datatable(ActionType:string,NetworkDirection:string,Outbound:boolean)[\n 'ConnectionSuccess','Outbound', true\n ,'ConnectionFailed', 'Outbound', true\n ,'ConnectionRequest','Outbound', true\n ,'InboundConnectionAccepted', 'Inbound', false\n ,'ConnectionFound', 'Unknown', false\n ,'ListeningConnectionCreated', 'Listen', false \n ];\n // -- Common preprocessing to both input and outbound events\n let RawNetworkEvents = (select_outbound:boolean) {\n DeviceNetworkEvents | where not(disabled) \n | lookup DirectionLookup on ActionType\n | where Outbound == select_outbound\n | extend\n // Event\n EventOriginalUid = tostring(ReportId),\n EventCount = int(1),\n EventProduct = 'M365 Defender for Endpoint',\n EventVendor = 'Microsoft',\n EventSchema = 'NetworkSession',\n EventSchemaVersion = '0.1.0',\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventType = 'NetworkSession',\n EventResult = iff(ActionType=='ConnectionFailed','Failure','Success'),\n EventSeverity = \"Informational\",\n DvcIdType = 'MDEid'\n | extend\n RemoteUrl = extract (@\"(?:https?://)?(.*)\", 1, RemoteUrl)\n | extend\n User = iff (InitiatingProcessAccountDomain == '', InitiatingProcessAccountName, strcat(InitiatingProcessAccountDomain, '\\\\', InitiatingProcessAccountName)),\n UsernameType = iff(InitiatingProcessAccountDomain == '','Simple', 'Windows'),\n SplitHostname = split(DeviceName,\".\"),\n SplitUrl = split(RemoteUrl,\".\"),\n NetworkProtocol = case (\n Protocol 
startswith \"Tcp\", \"TCP\",\n Protocol == \"Unknown\", \"\",\n toupper(Protocol)\n )\n | extend \n DvcHostname = tostring(SplitHostname[0]),\n DvcDomain = tostring(strcat_array(array_slice(SplitHostname, 1, -1), '.')),\n DvcFQDN = iif (DeviceName contains \".\", DeviceName, \"\"),\n UrlHostname = SplitUrl[0],\n UrlDomain = tostring(strcat_array(array_slice(SplitUrl, 1, -1), '.')),\n UrlFQDN = iif(RemoteUrl contains \".\", RemoteUrl, \"\")\n | extend\n DvcDomainType = iif(DvcFQDN != \"\", \"FQDN\", \"\"),\n UrlDomainType = iff(UrlFQDN != \"\", \"FQDN\", \"\"),\n DvcIpAddr = LocalIP\n | extend\n Dvc = DvcHostname \n | project-rename\n DvcId = DeviceId\n | project-away SplitUrl, SplitHostname\n };\n let OutboundNetworkEvents = \n RawNetworkEvents (true)\n | project-rename\n DstIpAddr = RemoteIP,\n SrcIpAddr = LocalIP,\n DstPortNumber = RemotePort,\n SrcPortNumber = LocalPort,\n SrcUsernameType = UsernameType,\n SrcUserAadId = InitiatingProcessAccountObjectId,\n SrcUserId = InitiatingProcessAccountSid,\n SrcUserUpn = InitiatingProcessAccountUpn,\n SrcUserDomain = InitiatingProcessAccountDomain\n | extend\n SrcUsername = User,\n SrcDvcId = DvcId,\n SrcDvcIdType = 'MDEid',\n SrcUserIdType = \"SID\",\n DstHostname = UrlHostname\n | project-rename\n DstDomain = UrlDomain,\n DstFQDN = UrlFQDN,\n DstDomainType = UrlDomainType\n | extend \n SrcHostname = DvcHostname,\n SrcDomain = DvcDomain,\n SrcFQDN = DvcDomain\n // Processes\n | extend\n SrcProcessId = tostring(InitiatingProcessId),\n ParentProcessId = tostring(InitiatingProcessParentId)\n | project-rename\n SrcProcessName = InitiatingProcessFileName,\n SrcProcessCommandLine = InitiatingProcessCommandLine,\n SrcProcessCreationTime = InitiatingProcessCreationTime,\n SrcProcessIntegrityLevel = InitiatingProcessIntegrityLevel,\n SrcProcessTokenElevation = InitiatingProcessTokenElevation,\n ParentProcessName = InitiatingProcessParentFileName,\n ParentProcessCreationTime = InitiatingProcessParentCreationTime\n // 
SrcProcessFileSize = InitiatingProcessFileSize,\n // SrcProcessCompany = InitiatingProcessVersionInfoCompanyName,\n // SrcProcessFileProduct = InitiatingProcessVersionInfoProductName,\n // SrcProcessFileVersion = InitiatingProcessVersionInfoProductVersion,\n // SrcProcessFileInternalName = InitiatingProcessVersionInfoInternalFileName,\n // SrcProcessFileOriginalName = InitiatingProcessVersionInfoOriginalFileName,\n // SrcProcessFileDescription = InitiatingProcessVersionInfoFileDescription\n | extend\n Process = SrcProcessName,\n ProcessId = SrcProcessId,\n SrcAppName = SrcProcessName,\n SrcAppType = \"Process\"\n ;\n let InboundNetworkEvents = \n RawNetworkEvents (false)\n | project-rename\n SrcIpAddr = RemoteIP,\n DstIpAddr = LocalIP,\n SrcPortNumber = RemotePort,\n DstPortNumber = LocalPort,\n DstUsernameType = UsernameType,\n DstUserAadId = InitiatingProcessAccountObjectId,\n DstUserId = InitiatingProcessAccountSid,\n DstUserUpn = InitiatingProcessAccountUpn,\n DstUserDomain = InitiatingProcessAccountDomain\n | extend\n DstUsername = User,\n DstDvcId = DvcId,\n DstDvcIdType = 'MDEid',\n DstUserIdType = 'SID',\n SrcHostname = UrlHostname\n | project-rename\n SrcDomain = UrlDomain,\n SrcFQDN = UrlFQDN,\n SrcDomainType = UrlDomainType,\n DstHostname = DvcHostname,\n DstDomain = DvcDomain,\n DstFQDN = DvcFQDN\n // Processes\n | extend\n DstProcessId = tostring(InitiatingProcessId),\n ParentProcessId = tostring(InitiatingProcessParentId)\n | project-rename\n DstProcessName = InitiatingProcessFileName,\n DstProcessCommandLine = InitiatingProcessCommandLine,\n DstProcessCreationTime = InitiatingProcessCreationTime,\n DstProcessIntegrityLevel = InitiatingProcessIntegrityLevel,\n DstProcessTokenElevation = InitiatingProcessTokenElevation,\n ParentProcessName = InitiatingProcessParentFileName,\n ParentProcessCreationTime = InitiatingProcessParentCreationTime\n // SrcProcessFileSize = InitiatingProcessFileSize,\n // SrcProcessCompany = 
InitiatingProcessVersionInfoCompanyName,\n // SrcProcessFileProduct = InitiatingProcessVersionInfoProductName,\n // SrcProcessFileVersion = InitiatingProcessVersionInfoProductVersion,\n // SrcProcessFileInternalName = InitiatingProcessVersionInfoInternalFileName,\n // SrcProcessFileOriginalName = InitiatingProcessVersionInfoOriginalFileName,\n // SrcProcessFileDescription = InitiatingProcessVersionInfoFileDescription\n | extend\n Process = DstProcessName,\n ProcessId = DstProcessId,\n DstAppName = DstProcessName,\n DstAppType = \"Process\"\n ;\n union InboundNetworkEvents, OutboundNetworkEvents\n | extend // aliases\n Hostname = tostring(UrlHostname),\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr\n };\n M365Defender(disabled)\n", "version": 1, "functionParameters": "disabled:bool=False" } diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftLinuxSysmon/ASimNetworkSessionMicrosoftLinuxSysmon.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftLinuxSysmon/ASimNetworkSessionMicrosoftLinuxSysmon.json index ebce094523..90f60b4043 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftLinuxSysmon/ASimNetworkSessionMicrosoftLinuxSysmon.json +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftLinuxSysmon/ASimNetworkSessionMicrosoftLinuxSysmon.json 
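Review bot: The added `tostring(UrlHostname)` on the Hostname alias fixes only that one column; `UrlHostname = SplitUrl[0]` is still declared without a cast, so `DstHostname = UrlHostname` in OutboundNetworkEvents and `SrcHostname = UrlHostname` in InboundNetworkEvents keep the dynamic type rather than the string the schema expects. Casting at the source, `UrlHostname = tostring(SplitUrl[0]),` alongside the existing `DvcHostname = tostring(SplitHostname[0])`, would make all three consistent and let the alias go back to a plain `Hostname = UrlHostname`. Separately, `SrcFQDN = DvcDomain` in the outbound branch looks like it should be `SrcFQDN = DvcFQDN`, mirroring `DstFQDN = DvcFQDN` in the inbound branch; this predates the commit but is worth confirming while the aliases are being touched.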
@@ -35,7 +35,7 @@ "displayName": "Network Session ASIM parser for Sysmon for Linux", "category": "ASIM", "FunctionAlias": "ASimNetworkSessionLinuxSysmon", - "query": "let DirectionNetworkEvents =\n Syslog | where not(disabled)\n | where SyslogMessage has_all ('3')\n | project-away ProcessName, ProcessID\n | parse SyslogMessage with * '' SrcIpAddr:string '' *\n | extend outbound = (SrcIpAddr == HostIP or SrcIpAddr in ('127.0.0.1', '0.0.0.0'))\n ;\n let parser = (T: (SyslogMessage: string)) {\n T \n | parse SyslogMessage with \n *\n '' EventOriginalUid:string ''\n *\n '' SysmonComputer:string ''\n *\n '' RuleName:string ''\n '' EventEndTime:datetime ''\n '{' ProcessGuid:string '}'\n '' ProcessId:string ''\n '' Process:string ''\n '' User:string ''\n '' Protocol:string '' // -- source is lowercase\n '' Initiated:bool '' \n '' SourceIsIpv6:bool ''\t\t\n '' * ''\n '' SrcHostname:string ''\n '' SrcPortNumber:int ''\n '' SrcPortName:string ''\n '' DestinationIsIpv6:bool ''\n '' DstIpAddr:string ''\n '' DstHostname:string ''\n '' DstPortNumber:int ''\n '' DstPortName:string ''\n *\n };\n let OutboundNetworkEvents = \n DirectionNetworkEvents\n | where outbound\n | invoke parser ()\n | extend\n SrcUsernameType = 'Simple',\n SrcUsername = User,\n SrcProcessId = ProcessId, \n SrcProcessGuid = ProcessGuid,\n SrcProcessName = Process,\n SrcAppName = Process,\n SrcAppType = 'Process'\n | project-away SyslogMessage\n ;\n let InboundNetworkEvents = \n DirectionNetworkEvents\n | where not(outbound)\n | invoke parser ()\n | extend\n DstUsernameType = 'Simple',\n DstUsername = User,\n DstProcessId = ProcessId, \n DstProcessGuid = ProcessGuid,\n DstProcessName = Process,\n DstAppName = Process,\n DstAppType = 'Process' \n | project-away SyslogMessage\n ; \n let SysmonForLinuxNetwork=\n union OutboundNetworkEvents, InboundNetworkEvents\n | extend \n EventType = 'NetworkSession',\n EventStartTime = EventEndTime,\n EventCount = int(1),\n EventVendor = 'Microsoft',\n EventSchemaVersion = 
'0.2.0',\n EventSchema = 'NetworkSession', \n EventProduct = 'Sysmon for Linux',\n EventResult = 'Success',\n EventSeverity = 'Informational',\n DvcOs = 'Linux',\n Protocol = toupper(Protocol),\n EventOriginalType = '3' // Set with a constant value to avoid parsing\n | project-rename \n DvcIpAddr = HostIP,\n DvcHostname = SysmonComputer\n | extend // aliases\n Dvc = DvcHostname,\n Hostname = DstHostname,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr\n ;\n SysmonForLinuxNetwork", + "query": "let DirectionNetworkEvents =\n Syslog | where not(disabled)\n | where SyslogMessage has_all ('3')\n | project-away ProcessName, ProcessID\n | parse SyslogMessage with * '' SrcIpAddr:string '' *\n | extend outbound = (SrcIpAddr == HostIP or SrcIpAddr in ('127.0.0.1', '0.0.0.0'))\n ;\n let parser = (T: (SyslogMessage: string)) {\n T \n | parse SyslogMessage with \n *\n '' EventOriginalUid:string ''\n *\n '' SysmonComputer:string ''\n *\n '' RuleName:string ''\n '' EventEndTime:datetime ''\n '{' ProcessGuid:string '}'\n '' ProcessId:string ''\n '' Process:string ''\n '' User:string ''\n '' Protocol:string '' // -- source is lowercase\n '' Initiated:bool '' \n '' SourceIsIpv6:bool ''\t\t\n '' * ''\n '' SrcHostname:string ''\n '' SrcPortNumber:int ''\n '' SrcPortName:string ''\n '' DestinationIsIpv6:bool ''\n '' DstIpAddr:string ''\n '' DstHostname:string ''\n '' DstPortNumber:int ''\n '' DstPortName:string ''\n *\n };\n let OutboundNetworkEvents = \n DirectionNetworkEvents\n | where outbound\n | invoke parser ()\n | extend\n SrcUsernameType = 'Simple',\n SrcUsername = User,\n SrcProcessId = ProcessId, \n SrcProcessGuid = ProcessGuid,\n SrcProcessName = Process,\n SrcAppName = Process,\n SrcAppType = 'Process'\n | project-away SyslogMessage\n ;\n let InboundNetworkEvents = \n DirectionNetworkEvents\n | where not(outbound)\n | invoke parser ()\n | extend\n DstUsernameType = 'Simple',\n DstUsername = User,\n DstProcessId = ProcessId, \n DstProcessGuid = ProcessGuid,\n 
DstProcessName = Process,\n DstAppName = Process,\n DstAppType = 'Process' \n | project-away SyslogMessage\n ; \n let SysmonForLinuxNetwork=\n union OutboundNetworkEvents, InboundNetworkEvents\n | extend \n EventType = 'NetworkSession',\n EventStartTime = EventEndTime,\n EventCount = int(1),\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.2.0',\n EventSchema = 'NetworkSession', \n EventProduct = 'Sysmon for Linux',\n EventResult = 'Success',\n EventSeverity = 'Informational',\n DvcOs = 'Linux',\n Protocol = toupper(Protocol),\n NetworkDirection = iff(outbound, \"Ountbound\", \"Inbound\"),\n EventOriginalType = '3' // Set with a constant value to avoid parsing\n | project-rename \n DvcIpAddr = HostIP,\n DvcHostname = SysmonComputer\n | extend // aliases\n Dvc = DvcHostname,\n Hostname = DstHostname,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr\n ;\n SysmonForLinuxNetwork", "version": 1, "functionParameters": "disabled:bool=False" } diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionVMConnection/ASimNetworkSessionVMConnection.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionVMConnection/ASimNetworkSessionVMConnection.json index 75303cace6..291715ad81 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionVMConnection/ASimNetworkSessionVMConnection.json +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionVMConnection/ASimNetworkSessionVMConnection.json 
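Review bot: The new `NetworkDirection = iff(outbound, "Ountbound", "Inbound")` line in the SysmonForLinuxNetwork extend misspells the outbound value, so every outbound session from this parser gets a NetworkDirection that no ASIM consumer will match, and a detection filtering on `NetworkDirection == "Outbound"` silently misses all Sysmon-for-Linux outbound traffic. The fix is one line, `NetworkDirection = iff(outbound, "Outbound", "Inbound"),`, which also keeps the value consistent with the `"Inbound"`/`"Outbound"` strings the same commit introduces in the VMConnection parser.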
@@ -35,7 +35,7 @@ "displayName": "Network Session ASIM parser for VM connection information collected using the Log Analytics Agent", "category": "ASIM", "FunctionAlias": "ASimNetworkSessionVMConnection", - "query": "let SeverityLookup = datatable (EventOriginalSeverity: string, EventSeverity:string) [\n '', 'Informational', \n '0', 'Informational',\n '1', 'Low',\n '2', 'Medium',\n '3', 'High'\n];\nlet outbound = (disabled:bool=false) {\n VMConnection\n | where not (disabled)\n | where Direction == \"outbound\"\n | extend\n SrcAppType = \"Process\",\n SrcHostnameType = \"Simple\",\n DstGeoCountry = RemoteCountry,\n DstGeoLongitude = RemoteLongitude,\n DstGeoLatitude = RemoteLatitude,\n SrcAppId = Process,\n SrcAppName = ProcessName,\n SrcDvcId = Machine\n | extend hostelements = split(Computer,'.')\n | extend \n SrcHostname = tostring(hostelements[0]),\n SrcDomain = strcat_array(array_slice(hostelements,1,-1), '.')\n | extend\n SrcDomainType = iff(SrcDomain != \"\", \"FQDN\", \"\"),\n SrcFQDN = iff(SrcDomain != \"\", Computer, \"\")\n | extend DstFQDN = iff(RemoteDnsCanonicalNames == \"\", \"\", todynamic(RemoteDnsCanonicalNames)[0])\n | extend DstDomainType = iff(DstFQDN != \"\", \"FQDN\", \"\")\n | extend hostelements = split(DstFQDN,'.')\n | extend \n DstHostname = iff(DstFQDN != \"\", tostring(hostelements[0]), \"\"),\n DstDomain = iff(DstFQDN != \"\", strcat_array(array_slice(hostelements,1,-1), '.'), \"\")\n | project-away hostelements\n | extend\n RemoteFQDN = DstFQDN,\n RemoteHostname = DstHostname,\n RemoteDomain = DstDomain,\n RemoteDomainType = DstDomainType,\n LocalFQDN = SrcFQDN,\n LocalHostname = SrcHostname,\n LocalDomain = SrcDomain,\n LocalDomainType = SrcDomainType,\n LocalIpAddr = SourceIp\n};\nlet inbound = (disabled:bool=false) {\n VMConnection\n | where not (disabled)\n | where Direction == \"inbound\"\n | extend\n DstAppType = \"Process\",\n DstDvcIdType = \"VMConnectionId\",\n SrcGeoCountry = RemoteCountry,\n SrcGeoLongitude = 
RemoteLongitude,\n SrcGeoLatitude = RemoteLatitude,\n DstAppId = Process,\n DstAppName = ProcessName,\n DstDvcId = Machine\n | extend hostelements = split(Computer,'.')\n | extend \n DstHostname = tostring(hostelements[0]),\n DstDomain = strcat_array(array_slice(hostelements,1,-1), '.')\n | extend\n DstDomainType = iff(DstDomain != \"\", \"FQDN\", \"\"),\n DstFQDN = iff(DstDomain != \"\", Computer, \"\")\n | extend SrcFQDN = iff(RemoteDnsCanonicalNames == \"\", \"\", todynamic(RemoteDnsCanonicalNames)[0])\n | extend SrcDomainType = iff(SrcFQDN != \"\", \"FQDN\", \"\")\n | extend hostelements = split(SrcFQDN,'.')\n | extend \n SrcHostname = iff(SrcFQDN != \"\", tostring(hostelements[0]), \"\"),\n SrcDomain = iff(SrcFQDN != \"\", strcat_array(array_slice(hostelements,1,-1), '.'), \"\")\n | project-away hostelements\n | extend\n RemoteFQDN = SrcFQDN,\n RemoteHostname = SrcHostname,\n RemoteDomain = SrcDomain,\n RemoteDomainType = SrcDomainType,\n LocalFQDN = DstFQDN,\n LocalHostname = DstHostname,\n LocalDomain = DstDomain,\n LocalDomainType = DstDomainType,\n LocalIpAddr = DestinationIp\n};\nlet parser=(disabled:bool=false){\n union outbound(disabled), inbound(disabled)\n // Event fields\n | extend \n EventCount = toint(LinksEstablished), // -- prioritized over LinksLive and LinksTerminated\n EventStartTime = TimeGenerated,\n EventVendor = \"Microsoft\",\n EventProduct = \"VMConnection\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.2\",\n EventType = \"EndpointNetworkSession\",\n EventEndTime = TimeGenerated\n | project-rename\n DstIpAddr = DestinationIp,\n DstPortNumber = DestinationPort, \n SrcIpAddr = SourceIp, \n NetworkSessionId = ConnectionId,\n ThreatName = IndicatorThreatType,\n NetworkDirection = Direction,\n RemoteGeoCountry = RemoteCountry,\n RemoteGeoLatitude = RemoteLatitude, \n RemoteGeoLongitude = RemoteLongitude,\n LocalAppId = Process,\n LocalAppName = ProcessName,\n DvcId = Machine,\n RemoteIpAddr = RemoteIp\n // -- Calculated 
fields\n | extend EventOriginalSeverity = tostring(Severity)\n | lookup SeverityLookup on EventOriginalSeverity\n | extend\n EventResult = \"Success\",\n LocalAppType = \"Process\",\n NetworkDuration = toint(ResponseTimeMax),\n ThreatRiskLevel = toint(Confidence),\n NetworkProtocol = toupper(Protocol),\n SrcBytes = tolong(BytesSent),\n DstBytes = tolong(BytesReceived)\n // -- Aliases\n | extend\n IpAddr = RemoteIpAddr,\n Src = SrcIpAddr,\n Local = LocalIpAddr,\n DvcIpAddr = LocalIpAddr,\n Dst = DstIpAddr,\n Remote = RemoteIpAddr,\n Dvc = LocalHostname,\n DvcHostname = LocalHostname,\n DvcDomain = LocalDomain,\n DvcDomainType = LocalDomainType,\n DvcFQDN = LocalFQDN,\n Hostname = RemoteHostname,\n Duration = NetworkDuration,\n SessionId = NetworkSessionId\n};\nparser (disabled)", + "query": "let SeverityLookup = datatable (EventOriginalSeverity: string, EventSeverity:string) [\n '', 'Informational', \n '0', 'Informational',\n '1', 'Low',\n '2', 'Medium',\n '3', 'High'\n];\nlet outbound = (disabled:bool=false) {\n VMConnection\n | where not (disabled)\n | where Direction == \"outbound\"\n | extend\n SrcAppType = \"Process\",\n SrcDvcIdType = \"VMConnectionId\",\n SrcHostnameType = \"Simple\",\n DstGeoCountry = RemoteCountry,\n DstGeoLongitude = RemoteLongitude,\n DstGeoLatitude = RemoteLatitude,\n SrcAppId = Process,\n SrcAppName = ProcessName,\n SrcDvcId = Machine\n | extend hostelements = split(Computer,'.')\n | extend \n SrcHostname = tostring(hostelements[0]),\n SrcDomain = strcat_array(array_slice(hostelements,1,-1), '.')\n | extend\n SrcDomainType = iff(SrcDomain != \"\", \"FQDN\", \"\"),\n SrcFQDN = iff(SrcDomain != \"\", Computer, \"\")\n | extend DstFQDN = iff(RemoteDnsCanonicalNames == \"\", \"\", todynamic(RemoteDnsCanonicalNames)[0])\n | extend DstDomainType = iff(DstFQDN != \"\", \"FQDN\", \"\")\n | extend hostelements = split(DstFQDN,'.')\n | extend \n DstHostname = iff(DstFQDN != \"\", tostring(hostelements[0]), \"\"),\n DstDomain = iff(DstFQDN != 
\"\", strcat_array(array_slice(hostelements,1,-1), '.'), \"\")\n | project-away hostelements\n | extend\n RemoteFQDN = DstFQDN,\n RemoteHostname = DstHostname,\n RemoteDomain = DstDomain,\n RemoteDomainType = DstDomainType,\n LocalFQDN = SrcFQDN,\n LocalHostname = SrcHostname,\n LocalDomain = SrcDomain,\n LocalDomainType = SrcDomainType,\n LocalIpAddr = SourceIp\n};\nlet inbound = (disabled:bool=false) {\n VMConnection\n | where not (disabled)\n | where Direction == \"inbound\"\n | extend\n DstAppType = \"Process\",\n DstDvcIdType = \"VMConnectionId\",\n SrcGeoCountry = RemoteCountry,\n SrcGeoLongitude = RemoteLongitude,\n SrcGeoLatitude = RemoteLatitude,\n DstAppId = Process,\n DstAppName = ProcessName,\n DstDvcId = Machine\n | extend hostelements = split(Computer,'.')\n | extend \n DstHostname = tostring(hostelements[0]),\n DstDomain = strcat_array(array_slice(hostelements,1,-1), '.')\n | extend\n DstDomainType = iff(DstDomain != \"\", \"FQDN\", \"\"),\n DstFQDN = iff(DstDomain != \"\", Computer, \"\")\n | extend SrcFQDN = iff(RemoteDnsCanonicalNames == \"\", \"\", todynamic(RemoteDnsCanonicalNames)[0])\n | extend SrcDomainType = iff(SrcFQDN != \"\", \"FQDN\", \"\")\n | extend hostelements = split(SrcFQDN,'.')\n | extend \n SrcHostname = iff(SrcFQDN != \"\", tostring(hostelements[0]), \"\"),\n SrcDomain = iff(SrcFQDN != \"\", strcat_array(array_slice(hostelements,1,-1), '.'), \"\")\n | project-away hostelements\n | extend\n RemoteFQDN = SrcFQDN,\n RemoteHostname = SrcHostname,\n RemoteDomain = SrcDomain,\n RemoteDomainType = SrcDomainType,\n LocalFQDN = DstFQDN,\n LocalHostname = DstHostname,\n LocalDomain = DstDomain,\n LocalDomainType = DstDomainType,\n LocalIpAddr = DestinationIp\n};\nlet parser=(disabled:bool=false){\n union outbound(disabled), inbound(disabled)\n // Event fields\n | extend \n EventCount = toint(LinksEstablished), // -- prioritized over LinksLive and LinksTerminated\n EventStartTime = TimeGenerated,\n EventVendor = \"Microsoft\",\n 
EventProduct = \"VMConnection\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.2\",\n EventType = \"EndpointNetworkSession\",\n NetworkDirection = iff(Direction==\"inbound\", \"Inbound\", \"Outbound\"),\n EventEndTime = TimeGenerated\n | project-rename\n DstIpAddr = DestinationIp,\n DstPortNumber = DestinationPort, \n SrcIpAddr = SourceIp, \n NetworkSessionId = ConnectionId,\n ThreatName = IndicatorThreatType,\n RemoteGeoCountry = RemoteCountry,\n RemoteGeoLatitude = RemoteLatitude, \n RemoteGeoLongitude = RemoteLongitude,\n LocalAppId = Process,\n LocalAppName = ProcessName,\n DvcId = Machine,\n RemoteIpAddr = RemoteIp\n // -- Calculated fields\n | extend EventOriginalSeverity = tostring(Severity)\n | lookup SeverityLookup on EventOriginalSeverity\n | extend\n EventResult = \"Success\",\n LocalAppType = \"Process\",\n NetworkDuration = toint(ResponseTimeMax),\n ThreatRiskLevel = toint(Confidence),\n NetworkProtocol = toupper(Protocol),\n SrcBytes = tolong(BytesSent),\n DstBytes = tolong(BytesReceived)\n // -- Aliases\n | extend\n IpAddr = RemoteIpAddr,\n Src = SrcIpAddr,\n Local = LocalIpAddr,\n DvcIpAddr = LocalIpAddr,\n Dst = DstIpAddr,\n Remote = RemoteIpAddr,\n Dvc = LocalHostname,\n DvcHostname = LocalHostname,\n DvcDomain = LocalDomain,\n DvcDomainType = LocalDomainType,\n DvcFQDN = LocalFQDN,\n Hostname = RemoteHostname,\n Duration = NetworkDuration,\n SessionId = NetworkSessionId\n};\nparser (disabled)", "version": 1, "functionParameters": "disabled:bool=False" } diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionzScalerZIA/ASimNetworkSessionzScalerZIA.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionzScalerZIA/ASimNetworkSessionzScalerZIA.json index bbf807bca3..70a93f7509 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionzScalerZIA/ASimNetworkSessionzScalerZIA.json +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionzScalerZIA/ASimNetworkSessionzScalerZIA.json 
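Review bot: The commit adds `SrcDvcIdType = "VMConnectionId"` to the outbound branch to pair with `DstDvcIdType` in the inbound branch, but the parser-level `DvcId = Machine` rename still carries no `DvcIdType`; adding `DvcIdType = "VMConnectionId"` to the calculated-fields extend would keep the three device id fields consistent. Also, since `NetworkDirection = Direction` was dropped from the project-rename in favour of the `iff(Direction=="inbound", "Inbound", "Outbound")` extend, the raw `Direction` column now survives in the output next to `NetworkDirection`; if that duplicate is not intended, a `| project-away Direction` after the extend would remove it.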
@@ -35,7 +35,7 @@ "displayName": "Network Session ASIM parser for Zscaler ZIA Firewall", "category": "ASIM", "FunctionAlias": "ASimNetworkSessionZscalerZIA", - "query": "let ActionLookup = datatable (DvcOriginalAction: string, DvcAction:string) [\n // See https://help.zscaler.com/zia/firewall-insights-logs-filters\n 'Allow','Allow',\n 'Allow due to insufficient app data','Allow',\n 'Block/Drop','Drop',\n 'Block/ICMP','Drop ICMP',\n 'Block/Reset', 'Reset',\n 'IPS Drop', 'Drop',\n 'IPS Reset', 'Reset',\n // Observed in real world events\n 'Block ICMP', 'Drop ICMP',\n 'Drop', 'Drop'\n];\nlet parser=(disabled:bool=false){\nCommonSecurityLog | where not(disabled)\n| where DeviceVendor == \"Zscaler\"\n| where DeviceProduct == \"NSSFWlog\"\n// Event fields\n| extend \n EventStartTime=TimeGenerated, \n EventVendor = \"Zscaler\", \n EventProduct = \"ZIA Firewall\", \n EventSchema = \"NetworkSession\", \n EventSchemaVersion=\"0.2.1\", \n EventType = 'NetworkSession', \n EventSeverity = 'Informational',\n EventEndTime=TimeGenerated \n| project-rename\n DvcOriginalAction = DeviceAction, \n DvcHostname = Computer, \n EventProductVersion = DeviceVersion, \n NetworkProtocol = Protocol, \n DstIpAddr = DestinationIP, \n DstPortNumber = DestinationPort, \n DstNatIpAddr = DestinationTranslatedAddress, \n DstNatPortNumber = DestinationTranslatedPort,\n DstAppName = DeviceCustomString3, \n NetworkApplicationProtocol = DeviceCustomString2, \n SrcIpAddr = SourceIP, \n SrcPortNumber = SourcePort, \n SrcUsername = SourceUserName,\n SrcNatIpAddr= SourceTranslatedAddress, \n SrcNatPortNumber = SourceTranslatedPort, \n SrcUserDepartment = DeviceCustomString1, // Not in standard schema\n SrcUserLocation = SourceUserPrivileges, // Not in standard schema\n ThreatName = DeviceCustomString6, \n ThreatCategory = DeviceCustomString5, \n RuleName = Activity \n// -- Calculated fields\n| lookup ActionLookup on DvcOriginalAction \n| extend\n // -- Adjustment to support both old and new CSL fields.\n 
EventCount=coalesce(\n toint(column_ifexists(\"fieldDeviceCustomNumber2\", int(null))), \n toint(column_ifexists(\"DeviceCustomNumber2\",int(null)))\n ),\n NetworkDuration = coalesce(\n toint(column_ifexists(\"fieldDeviceCustomNumber1\", int(null))),\n toint(column_ifexists(\"DeviceCustomNumber1\",int(null)))\n ),\n ThreatCategory = iff(DeviceCustomString4 == \"None\", \"\", ThreatCategory),\n SrcUsername = iff (SrcUsername == SrcUserLocation, \"\", SrcUsername),\n DstBytes = tolong(ReceivedBytes), \n SrcBytes = tolong(SentBytes)\n// -- Enrichment\n| extend\n EventResult = iff (DvcOriginalAction == \"Allow\", \"Success\", \"Failure\"),\n DstAppType = \"Service\", \n SrcUsernameType = \"UPN\" \n// -- Aliases\n| extend\n Dvc = DvcHostname,\n User = SrcUsername,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Duration = NetworkDuration\n| project-away \n DeviceCustom*\n};\nparser (disabled)", + "query": "let ActionLookup = datatable (DvcOriginalAction: string, DvcAction:string) [\n // See https://help.zscaler.com/zia/firewall-insights-logs-filters\n 'Allow','Allow',\n 'Allow due to insufficient app data','Allow',\n 'Block/Drop','Drop',\n 'Block/ICMP','Drop ICMP',\n 'Block/Reset', 'Reset',\n 'IPS Drop', 'Drop',\n 'IPS Reset', 'Reset',\n // Observed in real world events\n 'Block ICMP', 'Drop ICMP',\n 'Drop', 'Drop'\n];\nlet parser=(disabled:bool=false){\nCommonSecurityLog | where not(disabled)\n| where DeviceVendor == \"Zscaler\"\n| where DeviceProduct == \"NSSFWlog\"\n// Event fields\n| extend \n EventStartTime=TimeGenerated, \n EventVendor = \"Zscaler\", \n EventProduct = \"ZIA Firewall\", \n EventSchema = \"NetworkSession\", \n EventSchemaVersion=\"0.2.1\", \n EventType = 'NetworkSession', \n EventSeverity = 'Informational',\n EventEndTime=TimeGenerated \n| project-rename\n DvcOriginalAction = DeviceAction, \n DvcHostname = Computer, \n EventProductVersion = DeviceVersion, \n NetworkProtocol = Protocol, \n DstIpAddr = DestinationIP, \n DstPortNumber = 
DestinationPort, \n DstNatIpAddr = DestinationTranslatedAddress, \n DstNatPortNumber = DestinationTranslatedPort,\n DstAppName = DeviceCustomString3, \n NetworkApplicationProtocol = DeviceCustomString2, \n SrcIpAddr = SourceIP, \n SrcPortNumber = SourcePort, \n SrcUsername = SourceUserName,\n SrcNatIpAddr= SourceTranslatedAddress, \n SrcNatPortNumber = SourceTranslatedPort, \n SrcUserDepartment = DeviceCustomString1, // Not in standard schema\n SrcUserLocation = SourceUserPrivileges, // Not in standard schema\n ThreatName = DeviceCustomString6, \n ThreatCategory = DeviceCustomString5, \n NetworkRuleName = Activity \n// -- Calculated fields\n| lookup ActionLookup on DvcOriginalAction \n| extend\n // -- Adjustment to support both old and new CSL fields.\n EventCount=coalesce(\n toint(column_ifexists(\"fieldDeviceCustomNumber2\", int(null))), \n toint(column_ifexists(\"DeviceCustomNumber2\",int(null)))\n ),\n NetworkDuration = coalesce(\n toint(column_ifexists(\"fieldDeviceCustomNumber1\", int(null))),\n toint(column_ifexists(\"DeviceCustomNumber1\",int(null)))\n ),\n ThreatCategory = iff(DeviceCustomString4 == \"None\", \"\", ThreatCategory),\n SrcUsername = iff (SrcUsername == SrcUserLocation, \"\", SrcUsername),\n DstBytes = tolong(ReceivedBytes), \n SrcBytes = tolong(SentBytes)\n// -- Enrichment\n| extend\n EventResult = iff (DvcOriginalAction == \"Allow\", \"Success\", \"Failure\"),\n DstAppType = \"Service\", \n SrcUsernameType = \"UPN\" \n// -- Aliases\n| extend\n Dvc = DvcHostname,\n User = SrcUsername,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Rule = NetworkRuleName,\n Duration = NetworkDuration\n| project-away \n DeviceCustom*\n};\nparser (disabled)", "version": 1, "functionParameters": "disabled:bool=False" } diff --git a/Parsers/ASimNetworkSession/ARM/FullDeploymentNetworkSession.json b/Parsers/ASimNetworkSession/ARM/FullDeploymentNetworkSession.json index 2b47536928..b46961d3db 100644 
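Review bot: `EventResult = iff (DvcOriginalAction == "Allow", "Success", "Failure")` in the Enrichment extend still keys on the raw vendor string, so an event whose DvcOriginalAction is 'Allow due to insufficient app data' gets DvcAction 'Allow' from ActionLookup but EventResult 'Failure'; since the lookup already ran before this extend, `EventResult = iff (DvcAction == "Allow", "Success", "Failure")` keeps the two fields consistent. The rename to NetworkRuleName and the new `Rule = NetworkRuleName` alias look right, but EventSchemaVersion stays "0.2.1" and the function resource's "version" stays 1; if NetworkRuleName belongs to a later schema revision, one or both may need bumping (cannot confirm from this hunk). Actions absent from ActionLookup leave DvcAction empty after the lookup (KQL lookup is left-outer by default); a one-line comment on the datatable such as `// Unmapped actions leave DvcAction empty` would help maintainers decide when to extend the mapping.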
--- a/Parsers/ASimNetworkSession/ARM/FullDeploymentNetworkSession.json +++ b/Parsers/ASimNetworkSession/ARM/FullDeploymentNetworkSession.json @@ -18,46 +18,6 @@ }, "variables": {}, "resources": [ - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "linkedvimNetworkSessionEmpty", - "properties": { - "mode": "Incremental", - "templateLink": { - "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionEmpty/vimNetworkSessionEmpty.json", - "contentVersion": "1.0.0.0" - }, - "parameters": { - "Workspace": { - "value": "[parameters('Workspace')]" - }, - "WorkspaceRegion": { - "value": "[parameters('WorkspaceRegion')]" - } - } - } - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "linkedASimNetworkSessionAzureFirewall", - "properties": { - "mode": "Incremental", - "templateLink": { - "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAzureFirewall/ASimNetworkSessionAzureFirewall.json", - "contentVersion": "1.0.0.0" - }, - "parameters": { - "Workspace": { - "value": "[parameters('Workspace')]" - }, - "WorkspaceRegion": { - "value": "[parameters('WorkspaceRegion')]" - } - } - } - }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", 
@@ -81,51 +41,11 @@ { "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", - "name": "linkedvimNetworkSessionVMConnection", + "name": "linkedvimNetworkSessionEmpty", "properties": { "mode": "Incremental", "templateLink": { - "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVMConnection/vimNetworkSessionVMConnection.json", - "contentVersion": "1.0.0.0" - }, - "parameters": { - "Workspace": { - "value": "[parameters('Workspace')]" - }, - "WorkspaceRegion": { - "value": "[parameters('WorkspaceRegion')]" - } - } - } - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "linkedASimNetworkSessionPaloAltoCEF", - "properties": { - "mode": "Incremental", - "templateLink": { - "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionPaloAltoCEF/ASimNetworkSessionPaloAltoCEF.json", - "contentVersion": "1.0.0.0" - }, - "parameters": { - "Workspace": { - "value": "[parameters('Workspace')]" - }, - "WorkspaceRegion": { - "value": "[parameters('WorkspaceRegion')]" - } - } - } - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "linkedASimNetworkSessionAzureNSG", - "properties": { - "mode": "Incremental", - "templateLink": { - "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAzureNSG/ASimNetworkSessionAzureNSG.json", + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionEmpty/vimNetworkSessionEmpty.json", "contentVersion": "1.0.0.0" }, "parameters": { 
@@ -161,11 +81,11 @@ { "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", - "name": "linkedimNetworkSession", + "name": "linkedASimNetworkSessionAzureFirewall", "properties": { "mode": "Incremental", "templateLink": { - "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/imNetworkSession/imNetworkSession.json", + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAzureFirewall/ASimNetworkSessionAzureFirewall.json", "contentVersion": "1.0.0.0" }, "parameters": { @@ -181,11 +101,11 @@ { "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", - "name": "linkedASimNetworkSessionMicrosoft365Defender", + "name": "linkedvimNetworkSessionMicrosoft365Defender", "properties": { "mode": "Incremental", "templateLink": { - "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoft365Defender/ASimNetworkSessionMicrosoft365Defender.json", + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoft365Defender/vimNetworkSessionMicrosoft365Defender.json", "contentVersion": "1.0.0.0" }, "parameters": { @@ -201,11 +121,11 @@ { "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", - "name": "linkedASimNetworkSessionAWSVPC", + "name": "linkedvimNetworkSessionVMConnection", "properties": { "mode": "Incremental", "templateLink": { - "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAWSVPC/ASimNetworkSessionAWSVPC.json", + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVMConnection/vimNetworkSessionVMConnection.json", "contentVersion": "1.0.0.0" }, "parameters": { 
@@ -221,91 +141,11 @@ { "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", - "name": "linkedASimNetworkSessionVMConnection", + "name": "linkedvimNetworkSessionAzureNSG", "properties": { "mode": "Incremental", "templateLink": { - "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionVMConnection/ASimNetworkSessionVMConnection.json", - "contentVersion": "1.0.0.0" - }, - "parameters": { - "Workspace": { - "value": "[parameters('Workspace')]" - }, - "WorkspaceRegion": { - "value": "[parameters('WorkspaceRegion')]" - } - } - } - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "linkedASimNetworkSessionCiscoMeraki", - "properties": { - "mode": "Incremental", - "templateLink": { - "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoMeraki/ASimNetworkSessionCiscoMeraki.json", - "contentVersion": "1.0.0.0" - }, - "parameters": { - "Workspace": { - "value": "[parameters('Workspace')]" - }, - "WorkspaceRegion": { - "value": "[parameters('WorkspaceRegion')]" - } - } - } - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "linkedvimNetworkSessionAWSVPC", - "properties": { - "mode": "Incremental", - "templateLink": { - "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAWSVPC/vimNetworkSessionAWSVPC.json", - "contentVersion": "1.0.0.0" - }, - "parameters": { - "Workspace": { - "value": "[parameters('Workspace')]" - }, - "WorkspaceRegion": { - "value": "[parameters('WorkspaceRegion')]" - } - } - } - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "linkedASimNetworkSessionMicrosoftWindowsEventFirewall", - "properties": { - "mode": "Incremental", - "templateLink": { - "uri": 
"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftWindowsEventFirewall/ASimNetworkSessionMicrosoftWindowsEventFirewall.json", - "contentVersion": "1.0.0.0" - }, - "parameters": { - "Workspace": { - "value": "[parameters('Workspace')]" - }, - "WorkspaceRegion": { - "value": "[parameters('WorkspaceRegion')]" - } - } - } - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "linkedvimNetworkSessionzScalerZIA", - "properties": { - "mode": "Incremental", - "templateLink": { - "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionzScalerZIA/vimNetworkSessionzScalerZIA.json", + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAzureNSG/vimNetworkSessionAzureNSG.json", "contentVersion": "1.0.0.0" }, "parameters": { 
@@ -361,31 +201,11 @@ { "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", - "name": "linkedvimNetworkSessionAzureNSG", + "name": "linkedvimNetworkSessionCiscoMeraki", "properties": { "mode": "Incremental", "templateLink": { - "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAzureNSG/vimNetworkSessionAzureNSG.json", - "contentVersion": "1.0.0.0" - }, - "parameters": { - "Workspace": { - "value": "[parameters('Workspace')]" - }, - "WorkspaceRegion": { - "value": "[parameters('WorkspaceRegion')]" - } - } - } - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "linkedvimNetworkSessionMicrosoftWindowsEventFirewall", - "properties": { - "mode": "Incremental", - "templateLink": { - "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftWindowsEventFirewall/vimNetworkSessionMicrosoftWindowsEventFirewall.json", + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoMeraki/vimNetworkSessionCiscoMeraki.json", "contentVersion": "1.0.0.0" }, "parameters": { @@ -421,11 +241,11 @@ { "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", - "name": "linkedvimNetworkSessionMicrosoftLinuxSysmon", + "name": "linkedASimNetworkSessionMicrosoftLinuxSysmon", "properties": { "mode": "Incremental", "templateLink": { - "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftLinuxSysmon/vimNetworkSessionMicrosoftLinuxSysmon.json", + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftLinuxSysmon/ASimNetworkSessionMicrosoftLinuxSysmon.json", "contentVersion": "1.0.0.0" }, "parameters": { 
@@ -441,11 +261,11 @@ { "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", - "name": "linkedASimNetworkSession", + "name": "linkedASimNetworkSessionPaloAltoCEF", "properties": { "mode": "Incremental", "templateLink": { - "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSession/ASimNetworkSession.json", + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionPaloAltoCEF/ASimNetworkSessionPaloAltoCEF.json", "contentVersion": "1.0.0.0" }, "parameters": { @@ -461,11 +281,11 @@ { "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", - "name": "linkedvimNetworkSessionCiscoMeraki", + "name": "linkedimNetworkSession", "properties": { "mode": "Incremental", "templateLink": { - "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoMeraki/vimNetworkSessionCiscoMeraki.json", + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/imNetworkSession/imNetworkSession.json", "contentVersion": "1.0.0.0" }, "parameters": { @@ -481,11 +301,11 @@ { "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", - "name": "linkedvimNetworkSessionVectraAI", + "name": "linkedASimNetworkSessionVMConnection", "properties": { "mode": "Incremental", "templateLink": { - "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVectraAI/vimNetworkSessionVectraAI.json", + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionVMConnection/ASimNetworkSessionVMConnection.json", "contentVersion": "1.0.0.0" }, "parameters": { 
@@ -501,11 +321,91 @@ { "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", - "name": "linkedvimNetworkSessionMicrosoft365Defender", + "name": "linkedASimNetworkSessionMicrosoft365Defender", "properties": { "mode": "Incremental", "templateLink": { - "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoft365Defender/vimNetworkSessionMicrosoft365Defender.json", + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoft365Defender/ASimNetworkSessionMicrosoft365Defender.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedASimNetworkSessionAWSVPC", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAWSVPC/ASimNetworkSessionAWSVPC.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedvimNetworkSessionzScalerZIA", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionzScalerZIA/vimNetworkSessionzScalerZIA.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + 
"apiVersion": "2020-10-01", + "name": "linkedvimNetworkSessionAWSVPC", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAWSVPC/vimNetworkSessionAWSVPC.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedASimNetworkSessionMicrosoftWindowsEventFirewall", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftWindowsEventFirewall/ASimNetworkSessionMicrosoftWindowsEventFirewall.json", "contentVersion": "1.0.0.0" }, "parameters": { 
@@ -541,11 +441,111 @@ { "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", - "name": "linkedASimNetworkSessionMicrosoftLinuxSysmon", + "name": "linkedASimNetworkSession", "properties": { "mode": "Incremental", "templateLink": { - "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftLinuxSysmon/ASimNetworkSessionMicrosoftLinuxSysmon.json", + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSession/ASimNetworkSession.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedASimNetworkSessionAzureNSG", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAzureNSG/ASimNetworkSessionAzureNSG.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedvimNetworkSessionMicrosoftWindowsEventFirewall", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftWindowsEventFirewall/vimNetworkSessionMicrosoftWindowsEventFirewall.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + 
"apiVersion": "2020-10-01", + "name": "linkedvimNetworkSessionVectraAI", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVectraAI/vimNetworkSessionVectraAI.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedvimNetworkSessionMicrosoftLinuxSysmon", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftLinuxSysmon/vimNetworkSessionMicrosoftLinuxSysmon.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedASimNetworkSessionCiscoMeraki", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoMeraki/ASimNetworkSessionCiscoMeraki.json", "contentVersion": "1.0.0.0" }, "parameters": { diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAWSVPC/vimNetworkSessionAWSVPC.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAWSVPC/vimNetworkSessionAWSVPC.json index 3396df0e50..6c4d568b1f 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAWSVPC/vimNetworkSessionAWSVPC.json +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAWSVPC/vimNetworkSessionAWSVPC.json 
@@ -35,7 +35,7 @@ "displayName": "Network Session ASIM filtering parser for AWS VPC logs", "category": "ASIM", "FunctionAlias": "vimNetworkSessionAWSVPC", - "query": "let ProtocolLookup = datatable(Protocol:int, NetworkProtocol:string) [\n 0,\"HOPOPT\",\n 1,\"ICMP\",\n 2,\"IGMP\",\n 3,\"GGP\",\n 4,\"IPv4\",\n 5,\"ST\",\n 6,\"TCP\",\n 7,\"CBT\",\n 8,\"EGP\",\n 9,\"IGP\",\n 10,\"BBN-RCC-MON\",\n 11,\"NVP-II\",\n 12,\"PUP\",\n 13,\"ARGUS (deprecated)\",\n 14,\"EMCON\",\n 15,\"XNET\",\n 16,\"CHAOS\",\n 17,\"UDP\",\n 18,\"MUX\",\n 19,\"DCN-MEAS\",\n 20,\"HMP\",\n 21,\"PRM\",\n 22,\"XNS-IDP\",\n 23,\"TRUNK-1\",\n 24,\"TRUNK-2\",\n 25,\"LEAF-1\",\n 26,\"LEAF-2\",\n 27,\"RDP\",\n 28,\"IRTP\",\n 29,\"ISO-TP4\",\n 30,\"NETBLT\",\n 31,\"MFE-NSP\",\n 32,\"MERIT-INP\",\n 33,\"DCCP\",\n 34,\"3PC\",\n 35,\"IDPR\",\n 36,\"XTP\",\n 37,\"DDP\",\n 38,\"IDPR-CMTP\",\n 39,\"TP++\",\n 40,\"IL\",\n 41,\"IPv6\",\n 42,\"SDRP\",\n 43,\"IPv6-Route\",\n 44,\"IPv6-Frag\",\n 45,\"IDRP\",\n 46,\"RSVP\",\n 47,\"GRE\",\n 48,\"DSR\",\n 49,\"BNA\",\n 50,\"ESP\",\n 51,\"AH\",\n 52,\"I-NLSP\",\n 53,\"SWIPE (deprecated)\",\n 54,\"NARP\",\n 55,\"MOBILE\",\n 56,\"TLSP\",\n 57,\"SKIP\",\n 58,\"IPv6-ICMP\",\n 59,\"IPv6-NoNxt\",\n 60,\"IPv6-Opts\",\n 61,\"\",\n 62,\"CFTP\",\n 63,\"\",\n 64,\"SAT-EXPAK\",\n 65,\"KRYPTOLAN\",\n 66,\"RVD\",\n 67,\"IPPC\",\n 68,\"\",\n 69,\"SAT-MON\",\n 70,\"VISA\",\n 71,\"IPCV\",\n 72,\"CPNX\",\n 73,\"CPHB\",\n 74,\"WSN\",\n 75,\"PVP\",\n 76,\"BR-SAT-MON\",\n 77,\"SUN-ND\",\n 78,\"WB-MON\",\n 79,\"WB-EXPAK\",\n 80,\"ISO-IP\",\n 81,\"VMTP\",\n 82,\"SECURE-VMTP\",\n 83,\"VINES\",\n 84,\"TTP\",\n 84,\"IPTM\",\n 85,\"NSFNET-IGP\",\n 86,\"DGP\",\n 87,\"TCF\",\n 88,\"EIGRP\",\n 89,\"OSPFIGP\",\n 90,\"Sprite-RPC\",\n 91,\"LARP\",\n 92,\"MTP\",\n 93,\"AX.25\",\n 94,\"IPIP\",\n 95,\"MICP (deprecated)\",\n 96,\"SCC-SP\",\n 97,\"ETHERIP\",\n 98,\"ENCAP\",\n 99,\"\",\n 100,\"GMTP\",\n 101,\"IFMP\",\n 102,\"PNNI\",\n 103,\"PIM\",\n 104,\"ARIS\",\n 105,\"SCPS\",\n 106,\"QNX\",\n 
107,\"A/N\",\n 108,\"IPComp\",\n 109,\"SNP\",\n 110,\"Compaq-Peer\",\n 111,\"IPX-in-IP\",\n 112,\"VRRP\",\n 113,\"PGM\",\n 114,\"\",\n 115,\"L2TP\",\n 116,\"DDX\",\n 117,\"IATP\",\n 118,\"STP\",\n 119,\"SRP\",\n 120,\"UTI\",\n 121,\"SMP\",\n 122,\"SM (deprecated)\",\n 123,\"PTP\",\n 124,\"ISIS over IPv4\",\n 125,\"FIRE\",\n 126,\"CRTP\",\n 127,\"CRUDP\",\n 128,\"SSCOPMCE\",\n 129,\"IPLT\",\n 130,\"SPS\",\n 131,\"PIPE\",\n 132,\"SCTP\",\n 133,\"FC\",\n 134,\"RSVP-E2E-IGNORE\",\n 135,\"Mobility Header\",\n 136,\"UDPLite\",\n 137,\"MPLS-in-IP\",\n 138,\"manet\",\n 139,\"HIP\",\n 140,\"Shim6\",\n 141,\"WESP\",\n 142,\"ROHC\",\n 143,\"Ethernet\",\n 253,\"\",\n 254,\"\",\n 255,\"Reserved\"\n ];\n let DirectionLookup = datatable (FlowDirection:string, NetworkDirection:string) [\n 'ingress', 'Inbound',\n 'egress', 'Outbound'\n ];\n let ActionLookup = datatable (Action:string, DvcAction:string) [\n 'ACCEPT', 'Allow',\n 'REJECT', 'Deny'\n ];\n let parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null), \n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n dstipaddr_has_any_prefix:dynamic=dynamic([]), \n ipaddr_has_any_prefix:dynamic=dynamic([]),\n dstportnumber:int=int(null), \n hostname_has_any:dynamic=dynamic([]), \n dvcaction:dynamic=dynamic([]), \n eventresult:string='*', \n disabled:bool=false\n )\n {\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n AWSVPCFlow \n | where(isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | where not(disabled)\n | where LogStatus != \"NODATA\"\n // -- Pre-filtering:\n | where\n (isnull(dstportnumber) or (DstPort == dstportnumber))\n and (array_length(hostname_has_any) == 0)\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcAddr,src_or_any)\n , temp_isDstMatch=has_any_ipv4_prefix(DstAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n 
array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n )\n | project-away temp_*\n | where ASimMatchingIpAddr != \"No match\"\n | extend EventResult = iff (Action==\"ACCEPT\",\"Success\",\"Failure\")\n | where (eventresult == \"*\" or eventresult == EventResult) \n | lookup ActionLookup on Action\n | where (array_length(dvcaction) == 0 or DvcAction in (dvcaction))\n // -- End pre-filtering\n | extend\n EventVendor=\"AWS\", \n EventProduct=\"VPC\",\n NetworkBytes = tolong(Bytes),\n NetworkPackets = tolong(Packets),\n EventProductVersion = tostring(Version),\n EventType=\"NetworkSession\",\n EventCount=toint(1),\n EventSeverity = iff (Action==\"ACCEPT\",\"Informational\",\"Low\"),\n EventSchemaVersion=\"0.2.3\",\n EventSchema=\"NetworkSession\",\n SrcAppType = iff (PktSrcAwsService != \"\", \"CloudService\", \"\"),\n DstAppType = iff (PktDstAwsService != \"\", \"CloudService\", \"\"),\n DvcIdType = \"AwsVpcId\"\n | lookup ProtocolLookup on Protocol\n | lookup DirectionLookup on FlowDirection\n | project-rename\n DstIpAddr = DstAddr, \n DstPortNumber = DstPort, \n SrcNatIpAddr=PktSrcAddr, \n DstNatIpAddr=PktDstAddr, \n SrcPortNumber = SrcPort, \n SrcIpAddr = SrcAddr, \n EventEndTime = End, \n DvcInboundInterface = InterfaceId,\n DvcSubscriptionId = AccountId,\n DvcId = VpcId,\n NetworkProtocolVersion = TrafficType,\n EventOriginalResultDetails = LogStatus,\n SrcAppName = PktSrcAwsService,\n DstAppName = PktDstAwsService\n // -- Aliases\n | extend\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Dvc = DvcId,\n EventStartTime = TimeGenerated,\n DvcInterface = DvcInboundInterface\n };\n parser (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix,dstportnumber, 
hostname_has_any, dvcaction, eventresult, disabled)", + "query": "let ProtocolLookup = datatable(Protocol:int, NetworkProtocol:string) [\n 0,\"HOPOPT\",\n 1,\"ICMP\",\n 2,\"IGMP\",\n 3,\"GGP\",\n 4,\"IPv4\",\n 5,\"ST\",\n 6,\"TCP\",\n 7,\"CBT\",\n 8,\"EGP\",\n 9,\"IGP\",\n 10,\"BBN-RCC-MON\",\n 11,\"NVP-II\",\n 12,\"PUP\",\n 13,\"ARGUS (deprecated)\",\n 14,\"EMCON\",\n 15,\"XNET\",\n 16,\"CHAOS\",\n 17,\"UDP\",\n 18,\"MUX\",\n 19,\"DCN-MEAS\",\n 20,\"HMP\",\n 21,\"PRM\",\n 22,\"XNS-IDP\",\n 23,\"TRUNK-1\",\n 24,\"TRUNK-2\",\n 25,\"LEAF-1\",\n 26,\"LEAF-2\",\n 27,\"RDP\",\n 28,\"IRTP\",\n 29,\"ISO-TP4\",\n 30,\"NETBLT\",\n 31,\"MFE-NSP\",\n 32,\"MERIT-INP\",\n 33,\"DCCP\",\n 34,\"3PC\",\n 35,\"IDPR\",\n 36,\"XTP\",\n 37,\"DDP\",\n 38,\"IDPR-CMTP\",\n 39,\"TP++\",\n 40,\"IL\",\n 41,\"IPv6\",\n 42,\"SDRP\",\n 43,\"IPv6-Route\",\n 44,\"IPv6-Frag\",\n 45,\"IDRP\",\n 46,\"RSVP\",\n 47,\"GRE\",\n 48,\"DSR\",\n 49,\"BNA\",\n 50,\"ESP\",\n 51,\"AH\",\n 52,\"I-NLSP\",\n 53,\"SWIPE (deprecated)\",\n 54,\"NARP\",\n 55,\"MOBILE\",\n 56,\"TLSP\",\n 57,\"SKIP\",\n 58,\"IPv6-ICMP\",\n 59,\"IPv6-NoNxt\",\n 60,\"IPv6-Opts\",\n 61,\"\",\n 62,\"CFTP\",\n 63,\"\",\n 64,\"SAT-EXPAK\",\n 65,\"KRYPTOLAN\",\n 66,\"RVD\",\n 67,\"IPPC\",\n 68,\"\",\n 69,\"SAT-MON\",\n 70,\"VISA\",\n 71,\"IPCV\",\n 72,\"CPNX\",\n 73,\"CPHB\",\n 74,\"WSN\",\n 75,\"PVP\",\n 76,\"BR-SAT-MON\",\n 77,\"SUN-ND\",\n 78,\"WB-MON\",\n 79,\"WB-EXPAK\",\n 80,\"ISO-IP\",\n 81,\"VMTP\",\n 82,\"SECURE-VMTP\",\n 83,\"VINES\",\n 84,\"TTP\",\n 84,\"IPTM\",\n 85,\"NSFNET-IGP\",\n 86,\"DGP\",\n 87,\"TCF\",\n 88,\"EIGRP\",\n 89,\"OSPFIGP\",\n 90,\"Sprite-RPC\",\n 91,\"LARP\",\n 92,\"MTP\",\n 93,\"AX.25\",\n 94,\"IPIP\",\n 95,\"MICP (deprecated)\",\n 96,\"SCC-SP\",\n 97,\"ETHERIP\",\n 98,\"ENCAP\",\n 99,\"\",\n 100,\"GMTP\",\n 101,\"IFMP\",\n 102,\"PNNI\",\n 103,\"PIM\",\n 104,\"ARIS\",\n 105,\"SCPS\",\n 106,\"QNX\",\n 107,\"A/N\",\n 108,\"IPComp\",\n 109,\"SNP\",\n 110,\"Compaq-Peer\",\n 111,\"IPX-in-IP\",\n 112,\"VRRP\",\n 
113,\"PGM\",\n 114,\"\",\n 115,\"L2TP\",\n 116,\"DDX\",\n 117,\"IATP\",\n 118,\"STP\",\n 119,\"SRP\",\n 120,\"UTI\",\n 121,\"SMP\",\n 122,\"SM (deprecated)\",\n 123,\"PTP\",\n 124,\"ISIS over IPv4\",\n 125,\"FIRE\",\n 126,\"CRTP\",\n 127,\"CRUDP\",\n 128,\"SSCOPMCE\",\n 129,\"IPLT\",\n 130,\"SPS\",\n 131,\"PIPE\",\n 132,\"SCTP\",\n 133,\"FC\",\n 134,\"RSVP-E2E-IGNORE\",\n 135,\"Mobility Header\",\n 136,\"UDPLite\",\n 137,\"MPLS-in-IP\",\n 138,\"manet\",\n 139,\"HIP\",\n 140,\"Shim6\",\n 141,\"WESP\",\n 142,\"ROHC\",\n 143,\"Ethernet\",\n 253,\"\",\n 254,\"\",\n 255,\"Reserved\"\n ];\n let DirectionLookup = datatable (FlowDirection:string, NetworkDirection:string) [\n 'ingress', 'Inbound',\n 'egress', 'Outbound'\n ];\n let ActionLookup = datatable (Action:string, DvcAction:string) [\n 'ACCEPT', 'Allow',\n 'REJECT', 'Deny'\n ];\n let parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null), \n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n dstipaddr_has_any_prefix:dynamic=dynamic([]), \n ipaddr_has_any_prefix:dynamic=dynamic([]),\n dstportnumber:int=int(null), \n hostname_has_any:dynamic=dynamic([]), \n dvcaction:dynamic=dynamic([]), \n eventresult:string='*', \n disabled:bool=false\n )\n {\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n AWSVPCFlow \n | where(isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | where not(disabled)\n | where LogStatus == \"OK\"\n // -- Pre-filtering:\n | where\n (isnull(dstportnumber) or (DstPort == dstportnumber))\n and (array_length(hostname_has_any) == 0)\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcAddr,src_or_any)\n , temp_isDstMatch=has_any_ipv4_prefix(DstAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\n , 
(temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n )\n | project-away temp_*\n | where ASimMatchingIpAddr != \"No match\"\n | extend EventResult = iff (Action==\"ACCEPT\",\"Success\",\"Failure\")\n | where (eventresult == \"*\" or eventresult == EventResult) \n | lookup ActionLookup on Action\n | where (array_length(dvcaction) == 0 or DvcAction in (dvcaction))\n // -- End pre-filtering\n | extend\n EventVendor=\"AWS\", \n EventProduct=\"VPC\",\n NetworkBytes = tolong(Bytes),\n NetworkPackets = tolong(Packets),\n EventProductVersion = tostring(Version),\n EventType=\"NetworkSession\",\n EventCount=toint(1),\n EventSeverity = iff (Action==\"ACCEPT\",\"Informational\",\"Low\"),\n EventSchemaVersion=\"0.2.3\",\n EventSchema=\"NetworkSession\",\n SrcAppType = iff (PktSrcAwsService != \"\", \"CloudService\", \"\"),\n DstAppType = iff (PktDstAwsService != \"\", \"CloudService\", \"\"),\n DvcIdType = \"AwsVpcId\"\n | lookup ProtocolLookup on Protocol\n | lookup DirectionLookup on FlowDirection\n | project-rename\n DstIpAddr = DstAddr, \n DstPortNumber = DstPort, \n SrcNatIpAddr=PktSrcAddr, \n DstNatIpAddr=PktDstAddr, \n SrcPortNumber = SrcPort, \n SrcIpAddr = SrcAddr, \n EventEndTime = End, \n DvcInboundInterface = InterfaceId,\n DvcSubscriptionId = AccountId,\n DvcId = VpcId,\n NetworkProtocolVersion = TrafficType,\n EventOriginalResultDetails = LogStatus,\n SrcAppName = PktSrcAwsService,\n DstAppName = PktDstAwsService\n // -- Aliases\n | extend\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Dvc = DvcId,\n EventStartTime = TimeGenerated,\n DvcInterface = DvcInboundInterface\n };\n parser (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix,dstportnumber, hostname_has_any, dvcaction, eventresult, disabled)", "version": 1, "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" } diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoft365Defender/vimNetworkSessionMicrosoft365Defender.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoft365Defender/vimNetworkSessionMicrosoft365Defender.json index 2d8f7188d3..a5e6c45287 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoft365Defender/vimNetworkSessionMicrosoft365Defender.json +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoft365Defender/vimNetworkSessionMicrosoft365Defender.json 
@@ -35,7 +35,7 @@ "displayName": "Network Session ASIM filtering parser for M365 Defender for Endpoint", "category": "ASIM", "FunctionAlias": "vimNetworkSessionMicrosoft365Defender", - "query": "let M365Defender=\n (starttime:datetime=datetime(null)\n , endtime:datetime=datetime(null)\n , srcipaddr_has_any_prefix:dynamic=dynamic([])\n , dstipaddr_has_any_prefix:dynamic=dynamic([])\n , ipaddr_has_any_prefix:dynamic=dynamic([])\n , dstportnumber:int=int(null)\n , hostname_has_any:dynamic=dynamic([])\n , dvcaction:dynamic=dynamic([])\n , eventresult:string='*'\n , disabled:bool=false\n ){\nlet DirectionLookup=datatable(ActionType:string,NetworkDirection:string,Outbound:boolean)[\n 'ConnectionSuccess','Outbound', true\n ,'ConnectionFailed', 'Outbound', true\n ,'ConnectionRequest','Outbound', true\n ,'InboundConnectionAccepted', 'Inbound', false\n ,'ConnectionFound', 'Unknown', false\n ,'ListeningConnectionCreated', 'Listen', false \n];\nlet src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \nlet dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n// -- Common preprocessing to both input and outbound events\nlet RawNetworkEvents = (select_outbound:boolean) {\n DeviceNetworkEvents \n | where (isnull(starttime) or TimeGenerated>=starttime) \n and (isnull(endtime) or TimeGenerated<=endtime) \n | where not(disabled)\n | lookup DirectionLookup on ActionType\n | where Outbound == select_outbound\n // *************** Prefilterring *****************************************************************\n |where (array_length(dvcaction)==0 ) /// if filtered by action return nothing\n and (isnull(dstportnumber) or dstportnumber == LocalPort or dstportnumber == RemotePort)\n and (array_length(hostname_has_any)==0 \n or RemoteUrl has_any(hostname_has_any) or DeviceName has_any(hostname_has_any)\n )\n | extend temp_isSrcMatch=( // only one of each pair has_any_ipv4_prefix is calculated\n (Outbound and has_any_ipv4_prefix(LocalIP,src_or_any))\n 
or\n (not(Outbound) and has_any_ipv4_prefix(RemoteIP,src_or_any))\n ) \n , temp_isDstMatch=(\n (not(Outbound) and has_any_ipv4_prefix(LocalIP,dst_or_any))\n or\n (Outbound and has_any_ipv4_prefix(RemoteIP,dst_or_any))\n ) \n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n ) \n | where ASimMatchingIpAddr != \"No match\"\n | project-away temp_*\n | extend EventResult = iff(ActionType=='ConnectionFailed','Failure','Success')\n | where (eventresult=='*' or EventResult==eventresult)\n // *************** / Prefilterring *****************************************************************\n | extend\n // Event\n EventOriginalUid = tostring(ReportId),\n EventCount = int(1),\n EventProduct = 'M365 Defender for Endpoint',\n EventVendor = 'Microsoft',\n EventSchema = 'NetworkSession',\n EventSchemaVersion = '0.2.3',\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventType = 'NetworkSession',\n EventSeverity = \"Informational\",\n DvcIdType = 'MDEid'\n | extend\n RemoteUrl = extract (@\"(?:https?://)?(.*)\", 1, RemoteUrl)\n | extend\n User = iff (InitiatingProcessAccountDomain == '', InitiatingProcessAccountName, strcat(InitiatingProcessAccountDomain, '\\\\', InitiatingProcessAccountName)),\n UsernameType = iff(InitiatingProcessAccountDomain == '','Simple', 'Windows'),\n SplitHostname = split(DeviceName,\".\"),\n SplitUrl = split(RemoteUrl,\".\"),\n NetworkProtocol = case (\n Protocol startswith \"Tcp\", \"TCP\",\n Protocol == \"Unknown\", \"\",\n toupper(Protocol)\n )\n | extend \n DvcHostname = tostring(SplitHostname[0]),\n DvcDomain = tostring(strcat_array(array_slice(SplitHostname, 1, -1), '.')),\n DvcFQDN = iif (DeviceName contains \".\", DeviceName, \"\"),\n 
UrlHostname = tostring(SplitUrl[0]),\n UrlDomain = tostring(strcat_array(array_slice(SplitUrl, 1, -1), '.')),\n UrlFQDN = iif(RemoteUrl contains \".\", RemoteUrl, \"\")\n | extend\n DvcDomainType = iif(DvcFQDN != \"\", \"FQDN\", \"\"),\n UrlDomainType = iff(UrlFQDN != \"\", \"FQDN\", \"\"),\n DvcIpAddr = LocalIP\n | extend\n Dvc = DvcHostname \n | project-rename\n DvcId = DeviceId\n | project-away SplitUrl, SplitHostname\n};\nlet OutboundNetworkEvents = \n RawNetworkEvents (true)\n // *************** Postfilterring *****************************************************************\n | where (isnull(dstportnumber) or dstportnumber==RemotePort)\n // *************** /Postfilterring *****************************************************************\n | extend temp_isMatchSrcHostname=DvcHostname has_any(hostname_has_any)\n , temp_isMatchDstHostname=UrlHostname has_any(hostname_has_any)\n |extend ASimMatchingHostname = case(array_length(hostname_has_any) == 0 ,\"-\",\n temp_isMatchDstHostname and temp_isMatchSrcHostname, \"Both\",\n temp_isMatchDstHostname, \"DstHostname\",\n temp_isMatchSrcHostname, \"SrcHostname\",\n \"No match\"\n )\n | where ASimMatchingHostname != \"No match\"\n | project-rename\n DstIpAddr = RemoteIP,\n SrcIpAddr = LocalIP,\n DstPortNumber = RemotePort,\n SrcPortNumber = LocalPort,\n SrcUsernameType = UsernameType,\n SrcUserAadId = InitiatingProcessAccountObjectId,\n SrcUserId = InitiatingProcessAccountSid,\n SrcUserUpn = InitiatingProcessAccountUpn,\n SrcUserDomain = InitiatingProcessAccountDomain\n | extend\n SrcUsername = User,\n SrcDvcId = DvcId,\n SrcDvcIdType = 'MDEid',\n SrcUserIdType = \"SID\",\n DstHostname = UrlHostname\n | project-rename\n DstDomain = UrlDomain,\n DstFQDN = UrlFQDN,\n DstDomainType = UrlDomainType\n | extend \n SrcHostname = DvcHostname,\n SrcDomain = DvcDomain,\n SrcFQDN = DvcFQDN,\n SrcDomainType = DvcDomainType\n // Processes\n | extend\n SrcProcessId = tostring(InitiatingProcessId),\n ParentProcessId = 
tostring(InitiatingProcessParentId)\n | project-rename\n SrcProcessName = InitiatingProcessFileName,\n SrcProcessCommandLine = InitiatingProcessCommandLine,\n SrcProcessCreationTime = InitiatingProcessCreationTime,\n SrcProcessIntegrityLevel = InitiatingProcessIntegrityLevel,\n SrcProcessTokenElevation = InitiatingProcessTokenElevation,\n ParentProcessName = InitiatingProcessParentFileName,\n ParentProcessCreationTime = InitiatingProcessParentCreationTime\n | extend\n Process = SrcProcessName,\n ProcessId = SrcProcessId,\n SrcAppName = SrcProcessName,\n SrcAppType = \"Process\"\n;\nlet InboundNetworkEvents = \n RawNetworkEvents (false)\n // *************** Postfilterring *****************************************************************\n | where (isnull(dstportnumber) or dstportnumber==LocalPort)\n // *************** /Postfilterring *****************************************************************\n |extend ASimMatchingHostname = case(array_length(hostname_has_any) == 0 ,\"\",\n UrlHostname has_any(hostname_has_any), \"SrcHostname\",\n DvcHostname has_any(hostname_has_any), \"DstHostname\",\n \"No match\"\n )\n | where ASimMatchingHostname != \"No match\"\n | project-rename\n SrcIpAddr = RemoteIP,\n DstIpAddr = LocalIP,\n SrcPortNumber = RemotePort,\n DstPortNumber = LocalPort,\n DstUsernameType = UsernameType,\n DstUserAadId = InitiatingProcessAccountObjectId,\n DstUserId = InitiatingProcessAccountSid,\n DstUserUpn = InitiatingProcessAccountUpn,\n DstUserDomain = InitiatingProcessAccountDomain,\n SrcDomain = UrlDomain,\n SrcFQDN = UrlFQDN,\n SrcDomainType = UrlDomainType\n | extend\n DstUsername = User,\n DstDvcId = DvcId,\n DstDvcIdType = 'MDEid',\n DstUserIdType = 'SID',\n SrcHostname = UrlHostname\n | extend \n DstHostname = DvcHostname,\n DstDomain = DvcDomain,\n DstFQDN = DvcFQDN\n // Processes\n | extend\n DstProcessId = tostring(InitiatingProcessId),\n ParentProcessId = tostring(InitiatingProcessParentId)\n | project-rename\n DstProcessName = 
InitiatingProcessFileName,\n DstProcessCommandLine = InitiatingProcessCommandLine,\n DstProcessCreationTime = InitiatingProcessCreationTime,\n DstProcessIntegrityLevel = InitiatingProcessIntegrityLevel,\n DstProcessTokenElevation = InitiatingProcessTokenElevation,\n ParentProcessName = InitiatingProcessParentFileName,\n ParentProcessCreationTime = InitiatingProcessParentCreationTime\n | extend\n Process = DstProcessName,\n ProcessId = DstProcessId,\n DstAppName = DstProcessName,\n DstAppType = \"Process\"\n;\nunion InboundNetworkEvents, OutboundNetworkEvents\n| extend // aliases\n Hostname = UrlHostname,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr \n};\nM365Defender (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, disabled)\n", + "query": "let M365Defender=\n (starttime:datetime=datetime(null)\n , endtime:datetime=datetime(null)\n , srcipaddr_has_any_prefix:dynamic=dynamic([])\n , dstipaddr_has_any_prefix:dynamic=dynamic([])\n , ipaddr_has_any_prefix:dynamic=dynamic([])\n , dstportnumber:int=int(null)\n , hostname_has_any:dynamic=dynamic([])\n , dvcaction:dynamic=dynamic([])\n , eventresult:string='*'\n , disabled:bool=false\n ){\nlet DirectionLookup=datatable(ActionType:string,NetworkDirection:string,Outbound:boolean)[\n 'ConnectionSuccess','Outbound', true\n ,'ConnectionFailed', 'Outbound', true\n ,'ConnectionRequest','Outbound', true\n ,'InboundConnectionAccepted', 'Inbound', false\n ,'ConnectionFound', 'Unknown', false\n ,'ListeningConnectionCreated', 'Listen', false \n];\nlet src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \nlet dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n// -- Common preprocessing to both input and outbound events\nlet RawNetworkEvents = (select_outbound:boolean) {\n DeviceNetworkEvents \n | where (isnull(starttime) or TimeGenerated>=starttime) \n and (isnull(endtime) or 
TimeGenerated<=endtime) \n | where not(disabled)\n | lookup DirectionLookup on ActionType\n | where Outbound == select_outbound\n // *************** Prefilterring *****************************************************************\n |where (array_length(dvcaction)==0 ) /// if filtered by action return nothing\n and (isnull(dstportnumber) or dstportnumber == LocalPort or dstportnumber == RemotePort)\n and (array_length(hostname_has_any)==0 \n or RemoteUrl has_any(hostname_has_any) or DeviceName has_any(hostname_has_any)\n )\n | extend temp_isSrcMatch=( // only one of each pair has_any_ipv4_prefix is calculated\n (Outbound and has_any_ipv4_prefix(LocalIP,src_or_any))\n or\n (not(Outbound) and has_any_ipv4_prefix(RemoteIP,src_or_any))\n ) \n , temp_isDstMatch=(\n (not(Outbound) and has_any_ipv4_prefix(LocalIP,dst_or_any))\n or\n (Outbound and has_any_ipv4_prefix(RemoteIP,dst_or_any))\n ) \n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n ) \n | where ASimMatchingIpAddr != \"No match\"\n | project-away temp_*\n | extend EventResult = iff(ActionType=='ConnectionFailed','Failure','Success')\n | where (eventresult=='*' or EventResult==eventresult)\n // *************** / Prefilterring *****************************************************************\n | extend\n // Event\n EventOriginalUid = tostring(ReportId),\n EventCount = int(1),\n EventProduct = 'M365 Defender for Endpoint',\n EventVendor = 'Microsoft',\n EventSchema = 'NetworkSession',\n EventSchemaVersion = '0.2.3',\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventType = 'NetworkSession',\n EventSeverity = \"Informational\",\n DvcIdType = 'MDEid'\n | extend\n RemoteUrl = extract (@\"(?:https?://)?(.*)\", 
1, RemoteUrl)\n | extend\n User = iff (InitiatingProcessAccountDomain == '', InitiatingProcessAccountName, strcat(InitiatingProcessAccountDomain, '\\\\', InitiatingProcessAccountName)),\n UsernameType = iff(InitiatingProcessAccountDomain == '','Simple', 'Windows'),\n SplitHostname = split(DeviceName,\".\"),\n SplitUrl = split(RemoteUrl,\".\"),\n NetworkProtocol = case (\n Protocol startswith \"Tcp\", \"TCP\",\n Protocol == \"Unknown\", \"\",\n toupper(Protocol)\n )\n | extend \n DvcHostname = tostring(SplitHostname[0]),\n DvcDomain = tostring(strcat_array(array_slice(SplitHostname, 1, -1), '.')),\n DvcFQDN = iif (DeviceName contains \".\", DeviceName, \"\"),\n UrlHostname = tostring(SplitUrl[0]),\n UrlDomain = tostring(strcat_array(array_slice(SplitUrl, 1, -1), '.')),\n UrlFQDN = iif(RemoteUrl contains \".\", RemoteUrl, \"\")\n | extend\n DvcDomainType = iif(DvcFQDN != \"\", \"FQDN\", \"\"),\n UrlDomainType = iff(UrlFQDN != \"\", \"FQDN\", \"\"),\n DvcIpAddr = LocalIP\n | extend\n Dvc = DvcHostname \n | project-rename\n DvcId = DeviceId\n | project-away SplitUrl, SplitHostname\n};\nlet OutboundNetworkEvents = \n RawNetworkEvents (true)\n // *************** Postfilterring *****************************************************************\n | where (isnull(dstportnumber) or dstportnumber==RemotePort)\n // *************** /Postfilterring *****************************************************************\n | extend temp_isMatchSrcHostname=DvcHostname has_any(hostname_has_any)\n , temp_isMatchDstHostname=UrlHostname has_any(hostname_has_any)\n |extend ASimMatchingHostname = case(array_length(hostname_has_any) == 0 ,\"-\",\n temp_isMatchDstHostname and temp_isMatchSrcHostname, \"Both\",\n temp_isMatchDstHostname, \"DstHostname\",\n temp_isMatchSrcHostname, \"SrcHostname\",\n \"No match\"\n )\n | where ASimMatchingHostname != \"No match\"\n | project-rename\n DstIpAddr = RemoteIP,\n SrcIpAddr = LocalIP,\n DstPortNumber = RemotePort,\n SrcPortNumber = LocalPort,\n 
SrcUsernameType = UsernameType,\n SrcUserAadId = InitiatingProcessAccountObjectId,\n SrcUserId = InitiatingProcessAccountSid,\n SrcUserUpn = InitiatingProcessAccountUpn,\n SrcUserDomain = InitiatingProcessAccountDomain\n | extend\n SrcUsername = User,\n SrcDvcId = DvcId,\n SrcDvcIdType = 'MDEid',\n SrcUserIdType = \"SID\",\n DstHostname = UrlHostname\n | project-rename\n DstDomain = UrlDomain,\n DstFQDN = UrlFQDN,\n DstDomainType = UrlDomainType\n | extend \n SrcHostname = DvcHostname,\n SrcDomain = DvcDomain,\n SrcFQDN = DvcFQDN,\n SrcDomainType = DvcDomainType\n // Processes\n | extend\n SrcProcessId = tostring(InitiatingProcessId),\n ParentProcessId = tostring(InitiatingProcessParentId)\n | project-rename\n SrcProcessName = InitiatingProcessFileName,\n SrcProcessCommandLine = InitiatingProcessCommandLine,\n SrcProcessCreationTime = InitiatingProcessCreationTime,\n SrcProcessIntegrityLevel = InitiatingProcessIntegrityLevel,\n SrcProcessTokenElevation = InitiatingProcessTokenElevation,\n ParentProcessName = InitiatingProcessParentFileName,\n ParentProcessCreationTime = InitiatingProcessParentCreationTime\n | extend\n Process = SrcProcessName,\n ProcessId = SrcProcessId,\n SrcAppName = SrcProcessName,\n SrcAppType = \"Process\"\n;\nlet InboundNetworkEvents = \n RawNetworkEvents (false)\n // *************** Postfilterring *****************************************************************\n | where (isnull(dstportnumber) or dstportnumber==LocalPort)\n // *************** /Postfilterring *****************************************************************\n |extend ASimMatchingHostname = case(array_length(hostname_has_any) == 0 ,\"\",\n UrlHostname has_any(hostname_has_any), \"SrcHostname\",\n DvcHostname has_any(hostname_has_any), \"DstHostname\",\n \"No match\"\n )\n | where ASimMatchingHostname != \"No match\"\n | project-rename\n SrcIpAddr = RemoteIP,\n DstIpAddr = LocalIP,\n SrcPortNumber = RemotePort,\n DstPortNumber = LocalPort,\n DstUsernameType = UsernameType,\n 
DstUserAadId = InitiatingProcessAccountObjectId,\n DstUserId = InitiatingProcessAccountSid,\n DstUserUpn = InitiatingProcessAccountUpn,\n DstUserDomain = InitiatingProcessAccountDomain,\n SrcDomain = UrlDomain,\n SrcFQDN = UrlFQDN,\n SrcDomainType = UrlDomainType\n | extend\n DstUsername = User,\n DstDvcId = DvcId,\n DstDvcIdType = 'MDEid',\n DstUserIdType = 'SID',\n SrcHostname = UrlHostname\n | extend \n DstHostname = DvcHostname,\n DstDomain = DvcDomain,\n DstFQDN = DvcFQDN\n // Processes\n | extend\n DstProcessId = tostring(InitiatingProcessId),\n ParentProcessId = tostring(InitiatingProcessParentId)\n | project-rename\n DstProcessName = InitiatingProcessFileName,\n DstProcessCommandLine = InitiatingProcessCommandLine,\n DstProcessCreationTime = InitiatingProcessCreationTime,\n DstProcessIntegrityLevel = InitiatingProcessIntegrityLevel,\n DstProcessTokenElevation = InitiatingProcessTokenElevation,\n ParentProcessName = InitiatingProcessParentFileName,\n ParentProcessCreationTime = InitiatingProcessParentCreationTime\n | extend\n Process = DstProcessName,\n ProcessId = DstProcessId,\n DstAppName = DstProcessName,\n DstAppType = \"Process\"\n;\nunion InboundNetworkEvents, OutboundNetworkEvents\n| extend // aliases\n Hostname = tostring(UrlHostname),\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr \n};\nM365Defender (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, disabled)\n", "version": 1, "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" } 
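Review bot: InboundNetworkEvents still emits `""` for ASimMatchingHostname when `hostname_has_any` is empty (`case(array_length(hostname_has_any) == 0 ,"",` …), while OutboundNetworkEvents emits `"-"` for the same condition, so after the final `union` one field carries two different "filter not requested" sentinels depending on direction, and the inbound branch also has no `"Both"` outcome when both `UrlHostname` and `DvcHostname` match. I would align the inbound case with the outbound one: `case(array_length(hostname_has_any) == 0, "-", UrlHostname has_any(hostname_has_any) and DvcHostname has_any(hostname_has_any), "Both", UrlHostname has_any(hostname_has_any), "SrcHostname", DvcHostname has_any(hostname_has_any), "DstHostname", "No match")`. The only change this commit makes, `Hostname = tostring(UrlHostname)`, appears to be a no-op since `UrlHostname` is already built as `tostring(SplitUrl[0])` in RawNetworkEvents; if a typing problem was observed in the union it may be worth a comment saying which column it came from. Note also that `Hostname` aliases the remote URL host in both directions, so for inbound rows it is the SrcHostname and for outbound rows the DstHostname; a short comment on the alias line would save the next reader from assuming it is always the destination.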
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftLinuxSysmon/vimNetworkSessionMicrosoftLinuxSysmon.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftLinuxSysmon/vimNetworkSessionMicrosoftLinuxSysmon.json index 146e781b0a..46eb4027e3 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftLinuxSysmon/vimNetworkSessionMicrosoftLinuxSysmon.json +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftLinuxSysmon/vimNetworkSessionMicrosoftLinuxSysmon.json 
@@ -35,7 +35,7 @@ "displayName": "Network Session ASIM filtering parser for Sysmon for Linux", "category": "ASIM", "FunctionAlias": "vimNetworkSessionLinuxSysmon", - "query": "let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \nlet dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \nlet ip_any = set_union(srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \nlet DirectionNetworkEvents =\n Syslog \n | where (isnull(starttime) or TimeGenerated>=starttime) \n and (isnull(endtime) or TimeGenerated<=endtime) \n | where not(disabled)\n | where SyslogMessage has_all ('3')\n | project-away ProcessName, ProcessID\n // *************** Prefilterring *****************************************************************\n | where \n (eventresult=='*' or eventresult=='Success')\n and (array_length(dvcaction) ==0 ) /// if filtered by action return nothing\n and (array_length(ip_any)==0 \n or has_any_ipv4_prefix(SyslogMessage,ip_any)\n ) \n and (array_length(hostname_has_any)==0 \n or SyslogMessage has_any(hostname_has_any)) \n and (isnull(dstportnumber) or SyslogMessage has (tostring(dstportnumber))) \n // *************** / Prefilterring ***************************************************************\n | parse SyslogMessage with * '' SrcIpAddr:string '' *\n | where (array_length(srcipaddr_has_any_prefix)==0 \n or has_any_ipv4_prefix(SrcIpAddr,srcipaddr_has_any_prefix)\n ) \n | extend outbound = (SrcIpAddr == HostIP or SrcIpAddr in ('127.0.0.1', '0.0.0.0'))\n;\nlet parser = (T: (SyslogMessage: string)) {\n T \n | parse SyslogMessage with \n *\n '' EventOriginalUid:string ''\n *\n '' SysmonComputer:string ''\n *\n '' RuleName:string ''\n '' EventEndTime:datetime ''\n '{' ProcessGuid:string '}'\n '' ProcessId:string ''\n '' Process:string ''\n '' User:string ''\n '' Protocol:string '' // -- source is lowercase\n '' Initiated:bool '' \n '' SourceIsIpv6:bool ''\t\t\n '' * ''\n '' SrcHostname:string ''\n '' 
SrcPortNumber:int ''\n '' SrcPortName:string ''\n '' DestinationIsIpv6:bool ''\n '' DstIpAddr:string ''\n '' DstHostname:string ''\n '' DstPortNumber:int ''\n '' DstPortName:string ''\n *\n};\nlet OutboundNetworkEvents = \n DirectionNetworkEvents\n | where outbound\n | invoke parser ()\n | extend \n temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any) \n , temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n| extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n)\n | where ASimMatchingIpAddr != \"No match\"\n | extend temp_isSrcHostMatch= (SrcHostname has_any (hostname_has_any))\n , temp_isDstHostMatch = (DstHostname has_any (hostname_has_any))\n | extend ASimMatchingHostname = case(\n array_length(hostname_has_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcHostMatch and temp_isDstHostMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcHostMatch, \"SrcHostname\"\n , temp_isDstHostMatch, \"DstHostname\"\n , \"No match\"\n)\n | where ASimMatchingHostname != \"No match\"\n | project-away temp_*\n | extend\n SrcUsernameType = 'Simple',\n SrcUsername = User,\n SrcProcessId = ProcessId, \n SrcProcessGuid = ProcessGuid,\n SrcProcessName = Process,\n SrcAppName = Process,\n SrcAppType = 'Process'\n | project-away SyslogMessage\n;\n let InboundNetworkEvents = \n DirectionNetworkEvents\n | where not(outbound)\n | invoke parser ()\n // *************** Postfilterring ***************************************************************\n | where (array_length(hostname_has_any)==0 or DstHostname has_any (hostname_has_any)or SrcHostname has_any (hostname_has_any) )\n and (isnull(dstportnumber) or DstPortNumber ==dstportnumber)\n // 
*************** Postfilterring ***************************************************************\n | extend \n temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any) \n , temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | project-away temp_*\n | extend\n DstUsernameType = 'Simple',\n DstUsername = User,\n DstProcessId = ProcessId, \n DstProcessGuid = ProcessGuid,\n DstProcessName = Process,\n DstAppName = Process,\n DstAppType = 'Process' \n | project-away SyslogMessage\n ;\n let SysmonForLinuxNetwork=\n union OutboundNetworkEvents, InboundNetworkEvents\n | extend \n EventType = 'NetworkSession',\n EventStartTime = EventEndTime,\n EventCount = int(1),\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.2.3',\n EventSchema = 'NetworkSession', \n EventProduct = 'Sysmon for Linux',\n EventResult = 'Success',\n EventSeverity = 'Informational',\n DvcOs = 'Linux',\n Protocol = toupper(Protocol),\n EventOriginalType = '3' // Set with a constant value to avoid parsing\n | project-rename \n DvcIpAddr = HostIP,\n DvcHostname = SysmonComputer\n | extend // aliases\n Dvc = DvcHostname,\n Hostname = DstHostname,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr\n ;\n SysmonForLinuxNetwork ", + "query": "let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \nlet dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \nlet ip_any = set_union(srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \nlet DirectionNetworkEvents =\n Syslog \n | where (isnull(starttime) or TimeGenerated>=starttime) \n and 
(isnull(endtime) or TimeGenerated<=endtime) \n | where not(disabled)\n | where SyslogMessage has_all ('3')\n | project-away ProcessName, ProcessID\n // *************** Prefilterring *****************************************************************\n | where \n (eventresult=='*' or eventresult=='Success')\n and (array_length(dvcaction) ==0 ) /// if filtered by action return nothing\n and (array_length(ip_any)==0 \n or has_any_ipv4_prefix(SyslogMessage,ip_any)\n ) \n and (array_length(hostname_has_any)==0 \n or SyslogMessage has_any(hostname_has_any)) \n and (isnull(dstportnumber) or SyslogMessage has (tostring(dstportnumber))) \n // *************** / Prefilterring ***************************************************************\n | parse SyslogMessage with * '' SrcIpAddr:string '' *\n | where (array_length(srcipaddr_has_any_prefix)==0 \n or has_any_ipv4_prefix(SrcIpAddr,srcipaddr_has_any_prefix)\n ) \n | extend outbound = (SrcIpAddr == HostIP or SrcIpAddr in ('127.0.0.1', '0.0.0.0'))\n;\nlet parser = (T: (SyslogMessage: string)) {\n T \n | parse SyslogMessage with \n *\n '' EventOriginalUid:string ''\n *\n '' SysmonComputer:string ''\n *\n '' RuleName:string ''\n '' EventEndTime:datetime ''\n '{' ProcessGuid:string '}'\n '' ProcessId:string ''\n '' Process:string ''\n '' User:string ''\n '' Protocol:string '' // -- source is lowercase\n '' Initiated:bool '' \n '' SourceIsIpv6:bool ''\t\t\n '' * ''\n '' SrcHostname:string ''\n '' SrcPortNumber:int ''\n '' SrcPortName:string ''\n '' DestinationIsIpv6:bool ''\n '' DstIpAddr:string ''\n '' DstHostname:string ''\n '' DstPortNumber:int ''\n '' DstPortName:string ''\n *\n};\nlet OutboundNetworkEvents = \n DirectionNetworkEvents\n | where outbound\n | invoke parser ()\n | extend \n temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any) \n , temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n| extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not 
requested: probably most common case\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n)\n | where ASimMatchingIpAddr != \"No match\"\n | extend temp_isSrcHostMatch= (SrcHostname has_any (hostname_has_any))\n , temp_isDstHostMatch = (DstHostname has_any (hostname_has_any))\n | extend ASimMatchingHostname = case(\n array_length(hostname_has_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcHostMatch and temp_isDstHostMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcHostMatch, \"SrcHostname\"\n , temp_isDstHostMatch, \"DstHostname\"\n , \"No match\"\n)\n | where ASimMatchingHostname != \"No match\"\n | project-away temp_*\n | extend\n SrcUsernameType = 'Simple',\n SrcUsername = User,\n SrcProcessId = ProcessId, \n SrcProcessGuid = ProcessGuid,\n SrcProcessName = Process,\n SrcAppName = Process,\n SrcAppType = 'Process'\n | project-away SyslogMessage\n;\nlet InboundNetworkEvents = \n DirectionNetworkEvents\n | where not(outbound)\n | invoke parser ()\n // *************** Postfilterring ***************************************************************\n | where (array_length(hostname_has_any)==0 or DstHostname has_any (hostname_has_any)or SrcHostname has_any (hostname_has_any) )\n and (isnull(dstportnumber) or DstPortNumber ==dstportnumber)\n // *************** Postfilterring ***************************************************************\n | extend \n temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any) \n , temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, 
\"DstIpAddr\"\n , \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | project-away temp_*\n | extend\n DstUsernameType = 'Simple',\n DstUsername = User,\n DstProcessId = ProcessId, \n DstProcessGuid = ProcessGuid,\n DstProcessName = Process,\n DstAppName = Process,\n DstAppType = 'Process' \n | project-away SyslogMessage\n;\nlet SysmonForLinuxNetwork=\n union OutboundNetworkEvents, InboundNetworkEvents\n | extend \n EventType = 'NetworkSession',\n EventStartTime = EventEndTime,\n EventCount = int(1),\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.2.3',\n EventSchema = 'NetworkSession', \n EventProduct = 'Sysmon for Linux',\n EventResult = 'Success',\n EventSeverity = 'Informational',\n DvcOs = 'Linux',\n Protocol = toupper(Protocol),\n NetworkDirection = iff(outbound, \"Ountbound\", \"Inbound\"),\n EventOriginalType = '3' // Set with a constant value to avoid parsing\n | project-rename \n DvcIpAddr = HostIP,\n DvcHostname = SysmonComputer\n | extend // aliases\n Dvc = DvcHostname,\n Hostname = DstHostname,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr\n;\nSysmonForLinuxNetwork ", "version": 1, "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" } diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVMConnection/vimNetworkSessionVMConnection.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVMConnection/vimNetworkSessionVMConnection.json index 5d4789348e..5a5539c38f 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVMConnection/vimNetworkSessionVMConnection.json +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVMConnection/vimNetworkSessionVMConnection.json 
@@ -35,7 +35,7 @@ "displayName": "Network Session ASIM filtering parser for VM connection information collected using the Log Analytics Agent", "category": "ASIM", "FunctionAlias": "vimNetworkSessionVMConnection", - "query": "let SeverityLookup = datatable (EventOriginalSeverity: string, EventSeverity:string) [\n '', 'Informational', \n '0', 'Informational',\n '1', 'Low',\n '2', 'Medium',\n '3', 'High'\n];\nlet parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null), \n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n dstipaddr_has_any_prefix:dynamic=dynamic([]), \n ipaddr_has_any_prefix:dynamic=dynamic([]), \n dstportnumber:int=int(null), \n hostname_has_any:dynamic=dynamic([]), \n dvcaction:dynamic=dynamic([]), \n eventresult:string='*', \n disabled:bool=false)\n{\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let outbound = \n VMConnection\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | where not (disabled)\n | where array_length(hostname_has_any)==0 \n or (Computer has_any (hostname_has_any)) or ( RemoteDnsCanonicalNames has_any (hostname_has_any))\n | where Direction == \"outbound\"\n // -- Pre-filtering:\n | where\n eventresult in (\"*\", \"Success\") \n and array_length(dvcaction) == 0\n and (isnull(dstportnumber) or (DestinationPort == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SourceIp,src_or_any)\n , temp_isDstMatch=has_any_ipv4_prefix(DestinationIp,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n )\n | where ASimMatchingIpAddr != 
\"No match\"\n | extend hostelements = split(Computer,'.')\n | extend \n SrcHostname = tostring(hostelements[0]),\n SrcDomain = strcat_array(array_slice(hostelements,1,-1), '.')\n // -- End pre-filtering\n | extend DstFQDN = iff(RemoteDnsCanonicalNames == \"\", \"\", todynamic(RemoteDnsCanonicalNames)[0])\n | extend DstDomainType = iff(DstFQDN != \"\", \"FQDN\", \"\")\n | extend hostelements = split(DstFQDN,'.')\n | extend \n DstHostname = iff(DstFQDN != \"\", tostring(hostelements[0]), \"\"),\n DstDomain = iff(DstFQDN != \"\", strcat_array(array_slice(hostelements,1,-1), '.'), \"\")\n | project-away temp_*\n | extend temp_isMatchSrcHostname= SrcHostname has_any (hostname_has_any)\n , temp_isMatchDstHostname = DstHostname has_any (hostname_has_any)\n | extend ASimMatchingHostname = case(\n array_length(hostname_has_any) == 0 , \"-\"\n , (temp_isMatchSrcHostname and temp_isMatchDstHostname), \"Both\" \n , temp_isMatchSrcHostname, \"SrcHostname\"\n , temp_isMatchDstHostname, \"DstHostname\"\n , \"No match\"\n )\n | where ASimMatchingHostname != \"No match\"\n | project-away temp_*\n | extend\n SrcAppType = \"Process\",\n SrcHostnameType = \"Simple\",\n DstGeoCountry = RemoteCountry,\n DstGeoLongitude = RemoteLongitude,\n DstGeoLatitude = RemoteLatitude,\n SrcAppId = Process,\n SrcAppName = ProcessName,\n SrcHostname = Computer,\n SrcDvcId = Machine\n | extend\n SrcDomainType = iff(SrcDomain != \"\", \"FQDN\", \"\"),\n SrcFQDN = iff(SrcDomain != \"\", Computer, \"\")\n | extend DstFQDN = iff(RemoteDnsCanonicalNames == \"\", \"\", todynamic(RemoteDnsCanonicalNames)[0])\n | extend DstDomainType = iff(DstFQDN != \"\", \"FQDN\", \"\")\n | extend hostelements = split(DstFQDN,'.')\n | extend \n DstHostname = iff(DstFQDN != \"\", tostring(hostelements[0]), \"\"),\n DstDomain = iff(DstFQDN != \"\", strcat_array(array_slice(hostelements,1,-1), '.'), \"\")\n | project-away hostelements\n | extend\n RemoteFQDN = DstFQDN,\n RemoteHostname = DstHostname,\n RemoteDomain = 
DstDomain,\n RemoteDomainType = DstDomainType,\n LocalFQDN = SrcFQDN,\n LocalHostname = SrcHostname,\n LocalDomain = SrcDomain,\n LocalDomainType = SrcDomainType,\n LocalIpAddr = SourceIp\n ;\n let inbound =\n VMConnection\n | where (starttime == datetime(null) or TimeGenerated >= starttime)\n and (endtime == datetime(null) or TimeGenerated <= endtime)\n | where not (disabled)\n | where Direction == \"inbound\"\n // -- Pre-filtering:\n | where\n eventresult in (\"*\", \"Success\") \n and array_length(dvcaction) == 0\n and (dstportnumber==int(null) or DestinationPort == dstportnumber)\n and (array_length(hostname_has_any)==0 \n or Computer has_any (hostname_has_any) or RemoteDnsCanonicalNames has_any (hostname_has_any)\n )\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SourceIp,src_or_any)\n , temp_isDstMatch=has_any_ipv4_prefix(DestinationIp,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | project-away temp_*\n // -- End pre-filtering\n | extend hostelements = split(Computer,'.')\n | extend \n DstHostname = tostring(hostelements[0]),\n DstDomain = strcat_array(array_slice(hostelements,1,-1), '.')\n | extend SrcFQDN = iff(RemoteDnsCanonicalNames == \"\", \"\", todynamic(RemoteDnsCanonicalNames)[0])\n | extend \n SrcHostname = iff(SrcFQDN != \"\", tostring(hostelements[0]), \"\"),\n SrcDomain = iff(SrcFQDN != \"\", strcat_array(array_slice(hostelements,1,-1), '.'), \"\")\n | extend temp_isMatchSrcHostname= SrcHostname has_any (hostname_has_any)\n , temp_isMatchDstHostname = DstHostname has_any (hostname_has_any)\n | extend ASimMatchingHostname = case(\n array_length(hostname_has_any) == 0 , \"-\"\n , 
(temp_isMatchSrcHostname and temp_isMatchDstHostname), \"Both\" \n , temp_isMatchSrcHostname, \"SrcHostname\"\n , temp_isMatchDstHostname, \"DstHostname\"\n , \"No match\"\n )\n | where ASimMatchingHostname != \"No match\"\n | project-away temp_*\n | extend\n DstAppType = \"Process\",\n DstDvcIdType = \"VMConnectionId\",\n SrcGeoCountry = RemoteCountry,\n SrcGeoLongitude = RemoteLongitude,\n SrcGeoLatitude = RemoteLatitude,\n DstAppId = Process,\n DstAppName = ProcessName,\n DstDvcId = Machine\n | extend\n DstDomainType = iff(DstDomain != \"\", \"FQDN\", \"\"),\n DstFQDN = iff(DstDomain != \"\", Computer, \"\")\n | extend SrcDomainType = iff(SrcFQDN != \"\", \"FQDN\", \"\")\n | extend hostelements = split(SrcFQDN,'.')\n | project-away hostelements\n | extend\n RemoteFQDN = SrcFQDN,\n RemoteHostname = SrcHostname,\n RemoteDomain = SrcDomain,\n RemoteDomainType = SrcDomainType,\n LocalFQDN = DstFQDN,\n LocalHostname = DstHostname,\n LocalDomain = DstDomain,\n LocalDomainType = DstDomainType,\n LocalIpAddr = DestinationIp\n ;\n union outbound, inbound\n // Event fields\n | extend \n EventCount = toint(LinksEstablished), // -- prioritized over LinksLive and LinksTerminated\n EventStartTime = TimeGenerated,\n EventVendor = \"Microsoft\",\n EventProduct = \"VMConnection\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.3\",\n EventType = \"EndpointNetworkSession\",\n EventEndTime = TimeGenerated\n | project-rename\n DstIpAddr = DestinationIp,\n DstPortNumber = DestinationPort, \n SrcIpAddr = SourceIp, \n NetworkSessionId = ConnectionId,\n ThreatName = IndicatorThreatType,\n NetworkDirection = Direction,\n RemoteGeoCountry = RemoteCountry,\n RemoteGeoLatitude = RemoteLatitude, \n RemoteGeoLongitude = RemoteLongitude,\n LocalAppId = Process,\n LocalAppName = ProcessName,\n DvcId = Machine,\n RemoteIpAddr = RemoteIp\n // -- Calculated fields\n | extend EventOriginalSeverity = tostring(Severity)\n | lookup SeverityLookup on EventOriginalSeverity\n | 
extend\n EventResult = \"Success\",\n LocalAppType = \"Process\",\n NetworkDuration = toint(ResponseTimeMax),\n ThreatRiskLevel = toint(Confidence),\n NetworkProtocol = toupper(Protocol),\n SrcBytes = tolong(BytesSent),\n DstBytes = tolong(BytesReceived)\n // -- Aliases\n | extend\n IpAddr = RemoteIpAddr,\n Src = SrcIpAddr,\n Local = LocalIpAddr,\n DvcIpAddr = LocalIpAddr,\n Dst = DstIpAddr,\n Remote = RemoteIpAddr,\n Dvc = LocalHostname,\n DvcHostname = LocalHostname,\n DvcDomain = LocalDomain,\n DvcDomainType = LocalDomainType,\n DvcFQDN = LocalFQDN,\n Hostname = RemoteHostname,\n Duration = NetworkDuration,\n SessionId = NetworkSessionId\n};\nparser (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, disabled)", + "query": "let SeverityLookup = datatable (EventOriginalSeverity: string, EventSeverity:string) [\n '', 'Informational', \n '0', 'Informational',\n '1', 'Low',\n '2', 'Medium',\n '3', 'High'\n];\nlet parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null), \n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n dstipaddr_has_any_prefix:dynamic=dynamic([]), \n ipaddr_has_any_prefix:dynamic=dynamic([]), \n dstportnumber:int=int(null), \n hostname_has_any:dynamic=dynamic([]), \n dvcaction:dynamic=dynamic([]), \n eventresult:string='*', \n disabled:bool=false)\n{\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let outbound = \n VMConnection\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | where not (disabled)\n | where array_length(hostname_has_any)==0 \n or (Computer has_any (hostname_has_any)) or ( RemoteDnsCanonicalNames has_any (hostname_has_any))\n | where Direction == \"outbound\"\n // -- Pre-filtering:\n | where\n eventresult in (\"*\", \"Success\") \n 
and array_length(dvcaction) == 0\n and (isnull(dstportnumber) or (DestinationPort == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SourceIp,src_or_any)\n , temp_isDstMatch=has_any_ipv4_prefix(DestinationIp,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | extend hostelements = split(Computer,'.')\n | extend \n SrcHostname = tostring(hostelements[0]),\n SrcDomain = strcat_array(array_slice(hostelements,1,-1), '.')\n // -- End pre-filtering\n | extend DstFQDN = iff(RemoteDnsCanonicalNames == \"\", \"\", todynamic(RemoteDnsCanonicalNames)[0])\n | extend DstDomainType = iff(DstFQDN != \"\", \"FQDN\", \"\")\n | extend hostelements = split(DstFQDN,'.')\n | extend \n DstHostname = iff(DstFQDN != \"\", tostring(hostelements[0]), \"\"),\n DstDomain = iff(DstFQDN != \"\", strcat_array(array_slice(hostelements,1,-1), '.'), \"\")\n | project-away temp_*\n | extend temp_isMatchSrcHostname= SrcHostname has_any (hostname_has_any)\n , temp_isMatchDstHostname = DstHostname has_any (hostname_has_any)\n | extend ASimMatchingHostname = case(\n array_length(hostname_has_any) == 0 , \"-\"\n , (temp_isMatchSrcHostname and temp_isMatchDstHostname), \"Both\" \n , temp_isMatchSrcHostname, \"SrcHostname\"\n , temp_isMatchDstHostname, \"DstHostname\"\n , \"No match\"\n )\n | where ASimMatchingHostname != \"No match\"\n | project-away temp_*\n | extend\n SrcAppType = \"Process\",\n SrcDvcIdType = \"VMConnectionId\",\n SrcHostnameType = \"Simple\",\n DstGeoCountry = RemoteCountry,\n DstGeoLongitude = RemoteLongitude,\n DstGeoLatitude = RemoteLatitude,\n SrcAppId = Process,\n SrcAppName = ProcessName,\n SrcHostname = 
Computer,\n SrcDvcId = Machine\n | extend\n SrcDomainType = iff(SrcDomain != \"\", \"FQDN\", \"\"),\n SrcFQDN = iff(SrcDomain != \"\", Computer, \"\")\n | extend DstFQDN = iff(RemoteDnsCanonicalNames == \"\", \"\", todynamic(RemoteDnsCanonicalNames)[0])\n | extend DstDomainType = iff(DstFQDN != \"\", \"FQDN\", \"\")\n | extend hostelements = split(DstFQDN,'.')\n | extend \n DstHostname = iff(DstFQDN != \"\", tostring(hostelements[0]), \"\"),\n DstDomain = iff(DstFQDN != \"\", strcat_array(array_slice(hostelements,1,-1), '.'), \"\")\n | project-away hostelements\n | extend\n RemoteFQDN = DstFQDN,\n RemoteHostname = DstHostname,\n RemoteDomain = DstDomain,\n RemoteDomainType = DstDomainType,\n LocalFQDN = SrcFQDN,\n LocalHostname = SrcHostname,\n LocalDomain = SrcDomain,\n LocalDomainType = SrcDomainType,\n LocalIpAddr = SourceIp\n ;\n let inbound =\n VMConnection\n | where (starttime == datetime(null) or TimeGenerated >= starttime)\n and (endtime == datetime(null) or TimeGenerated <= endtime)\n | where not (disabled)\n | where Direction == \"inbound\"\n // -- Pre-filtering:\n | where\n eventresult in (\"*\", \"Success\") \n and array_length(dvcaction) == 0\n and (dstportnumber==int(null) or DestinationPort == dstportnumber)\n and (array_length(hostname_has_any)==0 \n or Computer has_any (hostname_has_any) or RemoteDnsCanonicalNames has_any (hostname_has_any)\n )\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SourceIp,src_or_any)\n , temp_isDstMatch=has_any_ipv4_prefix(DestinationIp,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | project-away temp_*\n // -- End pre-filtering\n | extend hostelements = 
split(Computer,'.')\n | extend \n DstHostname = tostring(hostelements[0]),\n DstDomain = strcat_array(array_slice(hostelements,1,-1), '.')\n | extend SrcFQDN = iff(RemoteDnsCanonicalNames == \"\", \"\", todynamic(RemoteDnsCanonicalNames)[0])\n | extend \n SrcHostname = iff(SrcFQDN != \"\", tostring(hostelements[0]), \"\"),\n SrcDomain = iff(SrcFQDN != \"\", strcat_array(array_slice(hostelements,1,-1), '.'), \"\")\n | extend temp_isMatchSrcHostname= SrcHostname has_any (hostname_has_any)\n , temp_isMatchDstHostname = DstHostname has_any (hostname_has_any)\n | extend ASimMatchingHostname = case(\n array_length(hostname_has_any) == 0 , \"-\"\n , (temp_isMatchSrcHostname and temp_isMatchDstHostname), \"Both\" \n , temp_isMatchSrcHostname, \"SrcHostname\"\n , temp_isMatchDstHostname, \"DstHostname\"\n , \"No match\"\n )\n | where ASimMatchingHostname != \"No match\"\n | project-away temp_*\n | extend\n DstAppType = \"Process\",\n DstDvcIdType = \"VMConnectionId\",\n SrcGeoCountry = RemoteCountry,\n SrcGeoLongitude = RemoteLongitude,\n SrcGeoLatitude = RemoteLatitude,\n DstAppId = Process,\n DstAppName = ProcessName,\n DstDvcId = Machine\n | extend\n DstDomainType = iff(DstDomain != \"\", \"FQDN\", \"\"),\n DstFQDN = iff(DstDomain != \"\", Computer, \"\")\n | extend SrcDomainType = iff(SrcFQDN != \"\", \"FQDN\", \"\")\n | extend hostelements = split(SrcFQDN,'.')\n | project-away hostelements\n | extend\n RemoteFQDN = SrcFQDN,\n RemoteHostname = SrcHostname,\n RemoteDomain = SrcDomain,\n RemoteDomainType = SrcDomainType,\n LocalFQDN = DstFQDN,\n LocalHostname = DstHostname,\n LocalDomain = DstDomain,\n LocalDomainType = DstDomainType,\n LocalIpAddr = DestinationIp\n ;\n union outbound, inbound\n // Event fields\n | extend \n EventCount = toint(LinksEstablished), // -- prioritized over LinksLive and LinksTerminated\n EventStartTime = TimeGenerated,\n EventVendor = \"Microsoft\",\n EventProduct = \"VMConnection\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = 
\"0.2.3\",\n EventType = \"EndpointNetworkSession\",\n DvcIdType = \"VMConnectionId\",\n NetworkDirection = iff(Direction==\"inbound\", \"Inbound\", \"Outbound\"),\n EventEndTime = TimeGenerated\n | project-rename\n DstIpAddr = DestinationIp,\n DstPortNumber = DestinationPort, \n SrcIpAddr = SourceIp, \n NetworkSessionId = ConnectionId,\n ThreatName = IndicatorThreatType,\n RemoteGeoCountry = RemoteCountry,\n RemoteGeoLatitude = RemoteLatitude, \n RemoteGeoLongitude = RemoteLongitude,\n LocalAppId = Process,\n LocalAppName = ProcessName,\n DvcId = Machine,\n RemoteIpAddr = RemoteIp\n // -- Calculated fields\n | extend EventOriginalSeverity = tostring(Severity)\n | lookup SeverityLookup on EventOriginalSeverity\n | extend\n EventResult = \"Success\",\n LocalAppType = \"Process\",\n NetworkDuration = toint(ResponseTimeMax),\n ThreatRiskLevel = toint(Confidence),\n NetworkProtocol = toupper(Protocol),\n SrcBytes = tolong(BytesSent),\n DstBytes = tolong(BytesReceived)\n // -- Aliases\n | extend\n IpAddr = RemoteIpAddr,\n Src = SrcIpAddr,\n Local = LocalIpAddr,\n DvcIpAddr = LocalIpAddr,\n Dst = DstIpAddr,\n Remote = RemoteIpAddr,\n Dvc = LocalHostname,\n DvcHostname = LocalHostname,\n DvcDomain = LocalDomain,\n DvcDomainType = LocalDomainType,\n DvcFQDN = LocalFQDN,\n Hostname = RemoteHostname,\n Duration = NetworkDuration,\n SessionId = NetworkSessionId\n};\nparser (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, disabled)", "version": 1, "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" } 
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionzScalerZIA/vimNetworkSessionzScalerZIA.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionzScalerZIA/vimNetworkSessionzScalerZIA.json
index 00abaeba22..5aa78afff5 100644
--- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionzScalerZIA/vimNetworkSessionzScalerZIA.json
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionzScalerZIA/vimNetworkSessionzScalerZIA.json
@@ -35,7 +35,7 @@ "displayName": "Network Session ASIM filtering parser for Zscaler ZIA firewall", "category": "ASIM", "FunctionAlias": "vimNetworkSessionZscalerZIA", - "query": "let ActionLookup = datatable (DvcOriginalAction: string, DvcAction:string) [\n // See https://help.zscaler.com/zia/firewall-insights-logs-filters\n 'Allow','Allow',\n 'Allow due to insufficient app data','Allow',\n 'Block/Drop','Drop',\n 'Block/ICMP','Drop ICMP',\n 'Block/Reset', 'Reset',\n 'IPS Drop', 'Drop',\n 'IPS Reset', 'Reset',\n // Observed in real world events\n 'Block ICMP', 'Drop ICMP',\n 'Drop', 'Drop'\n];\nlet parser= \n (starttime:datetime=datetime(null)\n , endtime:datetime=datetime(null)\n , srcipaddr_has_any_prefix:dynamic=dynamic([])\n , dstipaddr_has_any_prefix:dynamic=dynamic([])\n , ipaddr_has_any_prefix:dynamic=dynamic([])\n , dstportnumber:int=int(null)\n , hostname_has_any:dynamic=dynamic([])\n , dvcaction:dynamic=dynamic([])\n , eventresult:string='*'\n , disabled:bool=false) {\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \nCommonSecurityLog \n| where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n| where not(disabled)\n| where DeviceVendor == \"Zscaler\"\n| where DeviceProduct == \"NSSFWlog\"\n|where\n (array_length(hostname_has_any) == 0) // No host name information, so always filter out if hostname filter used. 
\n and (isnull(dstportnumber) or dstportnumber == DestinationPort) \n| extend temp_SrcMatch=has_any_ipv4_prefix(SourceIP,src_or_any), temp_DstMatch=has_any_ipv4_prefix(DestinationIP,dst_or_any)\n| extend ASimMatchingIpAddr=case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0 ,\"-\",\n temp_SrcMatch and temp_DstMatch, \"Both\",\n temp_SrcMatch, \"SrcIpAddr\",\n temp_DstMatch, \"DstIpAddr\",\n \"No match\"\n )\n// -- Pre-filtering\n| where ASimMatchingIpAddr != \"No match\"\n| project-away temp_*\n| project-rename DvcOriginalAction = DeviceAction\n| lookup ActionLookup on DvcOriginalAction \n| where array_length(dvcaction) == 0 or DvcAction in (dvcaction)\n| extend EventResult = iff (DvcOriginalAction == \"Allow\", \"Success\", \"Failure\") \n| where (eventresult=='*' or EventResult == eventresult)\n// -- Event fields\n| extend \n EventStartTime=TimeGenerated, \n EventVendor = \"Zscaler\", \n EventProduct = \"ZIA Firewall\", \n EventSchema = \"NetworkSession\", \n EventSchemaVersion=\"0.2.3\", \n EventType = 'NetworkSession', \n EventSeverity = 'Informational',\n EventEndTime=TimeGenerated \n| project-rename\n DvcHostname = Computer, \n EventProductVersion = DeviceVersion, \n NetworkProtocol = Protocol, \n DstIpAddr = DestinationIP, \n DstPortNumber = DestinationPort, \n DstNatIpAddr = DestinationTranslatedAddress, \n DstNatPortNumber = DestinationTranslatedPort, \n DstAppName = DeviceCustomString3, \n NetworkApplicationProtocol = DeviceCustomString2, \n SrcIpAddr = SourceIP, \n SrcPortNumber = SourcePort, \n SrcUsername = SourceUserName,\n SrcNatIpAddr= SourceTranslatedAddress, \n SrcNatPortNumber = SourceTranslatedPort, \n SrcUserDepartment = DeviceCustomString1, // Not in standard schema\n SrcUserLocation = SourceUserPrivileges, // Not in standard schema\n ThreatName = DeviceCustomString6, \n ThreatCategory = DeviceCustomString5, \n RuleName = Activity \n// -- Calculated fields\n| extend\n // -- Adjustment to support both old and new CSL 
fields.\n EventCount=coalesce(\n toint(column_ifexists(\"fieldDeviceCustomNumber2\", int(null))), \n toint(column_ifexists(\"DeviceCustomNumber2\",int(null)))\n ),\n NetworkDuration = coalesce(\n toint(column_ifexists(\"fieldDeviceCustomNumber1\", int(null))),\n toint(column_ifexists(\"DeviceCustomNumber1\",int(null)))\n ),\n ThreatCategory = iff(DeviceCustomString4 == \"None\", \"\", ThreatCategory),\n SrcUsername = iff (SrcUsername == SrcUserLocation, \"\", SrcUsername),\n DstBytes = tolong(ReceivedBytes), \n SrcBytes = tolong(SentBytes)\n// -- Enrichment\n| extend\n DstAppType = \"Service\", \n SrcUsernameType = \"UPN\" \n// -- Aliases\n| extend\n Dvc = DvcHostname,\n User = SrcUsername,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Duration = NetworkDuration\n| project-away \n DeviceCustom*\n};\nparser (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, disabled)", + "query": "let ActionLookup = datatable (DvcOriginalAction: string, DvcAction:string) [\n // See https://help.zscaler.com/zia/firewall-insights-logs-filters\n 'Allow','Allow',\n 'Allow due to insufficient app data','Allow',\n 'Block/Drop','Drop',\n 'Block/ICMP','Drop ICMP',\n 'Block/Reset', 'Reset',\n 'IPS Drop', 'Drop',\n 'IPS Reset', 'Reset',\n // Observed in real world events\n 'Block ICMP', 'Drop ICMP',\n 'Drop', 'Drop'\n];\nlet parser= \n (starttime:datetime=datetime(null)\n , endtime:datetime=datetime(null)\n , srcipaddr_has_any_prefix:dynamic=dynamic([])\n , dstipaddr_has_any_prefix:dynamic=dynamic([])\n , ipaddr_has_any_prefix:dynamic=dynamic([])\n , dstportnumber:int=int(null)\n , hostname_has_any:dynamic=dynamic([])\n , dvcaction:dynamic=dynamic([])\n , eventresult:string='*'\n , disabled:bool=false) {\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \nCommonSecurityLog 
\n| where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n| where not(disabled)\n| where DeviceVendor == \"Zscaler\"\n| where DeviceProduct == \"NSSFWlog\"\n|where\n (array_length(hostname_has_any) == 0) // No host name information, so always filter out if hostname filter used. \n and (isnull(dstportnumber) or dstportnumber == DestinationPort) \n| extend temp_SrcMatch=has_any_ipv4_prefix(SourceIP,src_or_any), temp_DstMatch=has_any_ipv4_prefix(DestinationIP,dst_or_any)\n| extend ASimMatchingIpAddr=case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0 ,\"-\",\n temp_SrcMatch and temp_DstMatch, \"Both\",\n temp_SrcMatch, \"SrcIpAddr\",\n temp_DstMatch, \"DstIpAddr\",\n \"No match\"\n )\n// -- Pre-filtering\n| where ASimMatchingIpAddr != \"No match\"\n| project-away temp_*\n| project-rename DvcOriginalAction = DeviceAction\n| lookup ActionLookup on DvcOriginalAction \n| where array_length(dvcaction) == 0 or DvcAction in (dvcaction)\n| extend EventResult = iff (DvcOriginalAction == \"Allow\", \"Success\", \"Failure\") \n| where (eventresult=='*' or EventResult == eventresult)\n// -- Event fields\n| extend \n EventStartTime=TimeGenerated, \n EventVendor = \"Zscaler\", \n EventProduct = \"ZIA Firewall\", \n EventSchema = \"NetworkSession\", \n EventSchemaVersion=\"0.2.3\", \n EventType = 'NetworkSession', \n EventSeverity = 'Informational',\n EventEndTime=TimeGenerated \n| project-rename\n DvcHostname = Computer, \n EventProductVersion = DeviceVersion, \n NetworkProtocol = Protocol, \n DstIpAddr = DestinationIP, \n DstPortNumber = DestinationPort, \n DstNatIpAddr = DestinationTranslatedAddress, \n DstNatPortNumber = DestinationTranslatedPort, \n DstAppName = DeviceCustomString3, \n NetworkApplicationProtocol = DeviceCustomString2, \n SrcIpAddr = SourceIP, \n SrcPortNumber = SourcePort, \n SrcUsername = SourceUserName,\n SrcNatIpAddr= SourceTranslatedAddress, \n SrcNatPortNumber = 
SourceTranslatedPort, \n SrcUserDepartment = DeviceCustomString1, // Not in standard schema\n SrcUserLocation = SourceUserPrivileges, // Not in standard schema\n ThreatName = DeviceCustomString6, \n ThreatCategory = DeviceCustomString5, \n NetworkRuleName = Activity \n// -- Calculated fields\n| extend\n // -- Adjustment to support both old and new CSL fields.\n EventCount=coalesce(\n toint(column_ifexists(\"fieldDeviceCustomNumber2\", int(null))), \n toint(column_ifexists(\"DeviceCustomNumber2\",int(null)))\n ),\n NetworkDuration = coalesce(\n toint(column_ifexists(\"fieldDeviceCustomNumber1\", int(null))),\n toint(column_ifexists(\"DeviceCustomNumber1\",int(null)))\n ),\n ThreatCategory = iff(DeviceCustomString4 == \"None\", \"\", ThreatCategory),\n SrcUsername = iff (SrcUsername == SrcUserLocation, \"\", SrcUsername),\n DstBytes = tolong(ReceivedBytes), \n SrcBytes = tolong(SentBytes)\n// -- Enrichment\n| extend\n DstAppType = \"Service\", \n SrcUsernameType = \"UPN\" \n// -- Aliases\n| extend\n Dvc = DvcHostname,\n User = SrcUsername,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Rule = NetworkRuleName,\n Duration = NetworkDuration\n| project-away \n DeviceCustom*\n};\nparser (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, disabled)", "version": 1, "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" } diff --git a/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionAWSVPC.yaml b/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionAWSVPC.yaml index 9a9b30d245..2ecaf6c8ee 100644 
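Review bot: `EventResult = iff (DvcOriginalAction == "Allow", "Success", "Failure")` runs after the ActionLookup join but keys on the raw vendor string, so 'Allow due to insufficient app data', which the lookup normalizes to DvcAction 'Allow', comes out as EventResult 'Failure' and is dropped for any caller passing eventresult='Success'. Deriving the result from the normalized action fixes both cases in one line: `| extend EventResult = iff (DvcAction == "Allow", "Success", "Failure")`. The same line is presumably in the ASimNetworkSessionzScalerZIA.yaml source later in this diff, though its hunks do not show it. The renamed field would also benefit from a comment for consumers of the old name, e.g. `NetworkRuleName = Activity // was RuleName before 0.3; Rule alias added below`.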
--- a/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionAWSVPC.yaml
+++ b/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionAWSVPC.yaml
@@ -1,7 +1,7 @@
 Parser:
 Title: Network Session ASIM parser for AWS VPC logs
- Version: '0.1'
- LastUpdated: Feb 07, 2021
+ Version: '0.2'
+ LastUpdated: Jun 16, 2021
 Product:
 Name: AWS VPC
 Normalization:
@@ -183,7 +183,7 @@ ParserQuery: |
 ];
 let parser = (disabled:bool=false){
 AWSVPCFlow | where not(disabled)
- | where LogStatus != "NODATA"
+ | where LogStatus == "OK"
 | extend
 EventVendor="AWS",
 EventProduct="VPC",
diff --git a/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionMicrosoft365Defender.yaml b/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionMicrosoft365Defender.yaml
index 08caa25dfe..9d336d4be4 100644
--- a/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionMicrosoft365Defender.yaml
+++ b/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionMicrosoft365Defender.yaml
@@ -1,7 +1,7 @@
 Parser:
 Title: Network Session ASIM parser for M365 Defender for Endpoint
- Version: '0.2'
- LastUpdated: Jan 17, 2022
+ Version: '0.3'
+ LastUpdated: Jun 15, 2022
 Product:
 Name: M365 Defender for Endpoint
 Normalization:
@@ -181,7 +181,7 @@ ParserQuery: |
 ;
 union InboundNetworkEvents, OutboundNetworkEvents
 | extend // aliases
- Hostname = UrlHostname,
+ Hostname = tostring(UrlHostname),
 IpAddr = SrcIpAddr,
 Src = SrcIpAddr,
 Dst = DstIpAddr
diff --git a/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionMicrosoftLinuxSysmon.yaml b/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionMicrosoftLinuxSysmon.yaml
index af7839454b..28176a54b4 100644
--- a/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionMicrosoftLinuxSysmon.yaml
+++ b/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionMicrosoftLinuxSysmon.yaml
@@ -1,7 +1,7 @@
 Parser:
 Title: Network Session ASIM parser for Sysmon for Linux
- Version: '0.2'
- LastUpdated: Jan 17, 2022
+ Version: '0.3'
+ LastUpdated: Jun 16, 2022
 Product:
 Name: Sysmon for Linux
 Normalization:
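Review bot: `| where LogStatus == "OK"` narrows the previous `!= "NODATA"` filter so that records with LogStatus SKIPDATA (the third status AWS flow logs emit) are now also excluded, and nothing in the hunk says whether that is intended or a side effect of tightening the check. A one-line comment would make it explicit, e.g. `| where LogStatus == "OK" // drop NODATA and SKIPDATA records: they carry no flow fields to normalize`. The identical change in vimNetworkSessionAWSVPC.yaml later in this diff should carry the same comment. Separately, this file's header bump sets `LastUpdated: Jun 16, 2021` while every other parser in the commit is dated June 2022, which looks like a typo for 2022.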
@@ -70,43 +70,44 @@ ParserQuery: |
 SrcAppType = 'Process'
 | project-away SyslogMessage
 ;
- let InboundNetworkEvents =
- DirectionNetworkEvents
- | where not(outbound)
- | invoke parser ()
- | extend
- DstUsernameType = 'Simple',
- DstUsername = User,
- DstProcessId = ProcessId,
- DstProcessGuid = ProcessGuid,
- DstProcessName = Process,
- DstAppName = Process,
- DstAppType = 'Process'
- | project-away SyslogMessage
- ;
- let SysmonForLinuxNetwork=
- union OutboundNetworkEvents, InboundNetworkEvents
- | extend
- EventType = 'NetworkSession',
- EventStartTime = EventEndTime,
- EventCount = int(1),
- EventVendor = 'Microsoft',
- EventSchemaVersion = '0.2.0',
- EventSchema = 'NetworkSession',
- EventProduct = 'Sysmon for Linux',
- EventResult = 'Success',
- EventSeverity = 'Informational',
- DvcOs = 'Linux',
- Protocol = toupper(Protocol),
- EventOriginalType = '3' // Set with a constant value to avoid parsing
- | project-rename
- DvcIpAddr = HostIP,
- DvcHostname = SysmonComputer
- | extend // aliases
- Dvc = DvcHostname,
- Hostname = DstHostname,
- IpAddr = SrcIpAddr,
- Src = SrcIpAddr,
- Dst = DstIpAddr
- ;
- SysmonForLinuxNetwork
\ No newline at end of file
+ let InboundNetworkEvents =
+ DirectionNetworkEvents
+ | where not(outbound)
+ | invoke parser ()
+ | extend
+ DstUsernameType = 'Simple',
+ DstUsername = User,
+ DstProcessId = ProcessId,
+ DstProcessGuid = ProcessGuid,
+ DstProcessName = Process,
+ DstAppName = Process,
+ DstAppType = 'Process'
+ | project-away SyslogMessage
+ ;
+ let SysmonForLinuxNetwork=
+ union OutboundNetworkEvents, InboundNetworkEvents
+ | extend
+ EventType = 'NetworkSession',
+ EventStartTime = EventEndTime,
+ EventCount = int(1),
+ EventVendor = 'Microsoft',
+ EventSchemaVersion = '0.2.0',
+ EventSchema = 'NetworkSession',
+ EventProduct = 'Sysmon for Linux',
+ EventResult = 'Success',
+ EventSeverity = 'Informational',
+ DvcOs = 'Linux',
+ Protocol = toupper(Protocol),
+ NetworkDirection = iff(outbound, "Ountbound", "Inbound"),
+ 
EventOriginalType = '3' // Set with a constant value to avoid parsing
+ | project-rename
+ DvcIpAddr = HostIP,
+ DvcHostname = SysmonComputer
+ | extend // aliases
+ Dvc = DvcHostname,
+ Hostname = DstHostname,
+ IpAddr = SrcIpAddr,
+ Src = SrcIpAddr,
+ Dst = DstIpAddr
+ ;
+ SysmonForLinuxNetwork
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionVMConnection.yaml b/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionVMConnection.yaml
index caad641715..01d81aa6b2 100644
--- a/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionVMConnection.yaml
+++ b/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionVMConnection.yaml
@@ -1,7 +1,7 @@
 Parser:
 Title: Network Session ASIM parser for VM connection information collected using the Log Analytics Agent
- Version: '0.1'
- LastUpdated: Feb 6, 2022
+ Version: '0.2'
+ LastUpdated: Jun 15, 2022
 Product:
 Name: VMConnection
 Normalization:
@@ -38,6 +38,7 @@ ParserQuery: |
 | where Direction == "outbound"
 | extend
 SrcAppType = "Process",
+ SrcDvcIdType = "VMConnectionId",
 SrcHostnameType = "Simple",
 DstGeoCountry = RemoteCountry,
 DstGeoLongitude = RemoteLongitude,
@@ -119,6 +120,7 @@ ParserQuery: |
 EventSchema = "NetworkSession",
 EventSchemaVersion = "0.2.2",
 EventType = "EndpointNetworkSession",
+ NetworkDirection = iff(Direction=="inbound", "Inbound", "Outbound"),
 EventEndTime = TimeGenerated
 | project-rename
 DstIpAddr = DestinationIp,
@@ -126,7 +128,6 @@ ParserQuery: |
 SrcIpAddr = SourceIp,
 NetworkSessionId = ConnectionId,
 ThreatName = IndicatorThreatType,
- NetworkDirection = Direction,
 RemoteGeoCountry = RemoteCountry,
 RemoteGeoLatitude = RemoteLatitude,
 RemoteGeoLongitude = RemoteLongitude,
diff --git a/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionzScalerZIA.yaml b/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionzScalerZIA.yaml
index 8ea4eb16c8..d92846cb1a 100644
--- a/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionzScalerZIA.yaml
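Review bot: The added `NetworkDirection = iff(outbound, "Ountbound", "Inbound")` misspells the ASIM value, which should be `"Outbound"` as the VMConnection parser in this same commit writes it; any rule or workbook filtering on NetworkDirection == "Outbound" would silently miss every outbound Sysmon for Linux session. The same literal appears in the vim ARM template for Sysmon for Linux earlier in this diff and presumably in its YAML source, so all of them need the same one-character fix. The rest of this hunk removes and re-adds lines that read identically, which looks like a whitespace-only re-indentation hiding the one real change; if so, leaving the indentation untouched would reduce the diff to a single added line.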
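Review bot: The vim ARM template for VMConnection earlier in this diff sets `DvcIdType = "VMConnectionId"` alongside EventType, but the hunk at @@ -119 here adds only NetworkDirection at that spot, so the ASim and vim parsers for the same source would diverge on DvcIdType unless another hunk not shown adds it. If the two variants are meant to stay aligned, add `DvcIdType = "VMConnectionId",` next to `EventType = "EndpointNetworkSession",`; the hunk at @@ -38 already adds the matching `SrcDvcIdType` for the outbound branch, and the inbound branch's `DstDvcIdType` is outside the visible hunks.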
+++ b/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionzScalerZIA.yaml
@@ -1,7 +1,7 @@
 Parser:
 Title: Network Session ASIM parser for Zscaler ZIA Firewall
- Version: '0.2'
- LastUpdated: Jan 17, 2022
+ Version: '0.3'
+ LastUpdated: Jun 16, 2022
 Product:
 Name: Zscaler ZIA Firewall
 Normalization:
@@ -72,7 +72,7 @@ ParserQuery: |
 SrcUserLocation = SourceUserPrivileges, // Not in standard schema
 ThreatName = DeviceCustomString6,
 ThreatCategory = DeviceCustomString5,
- RuleName = Activity
+ NetworkRuleName = Activity
 // -- Calculated fields
 | lookup ActionLookup on DvcOriginalAction
 | extend
@@ -101,6 +101,7 @@ ParserQuery: |
 IpAddr = SrcIpAddr,
 Src = SrcIpAddr,
 Dst = DstIpAddr,
+ Rule = NetworkRuleName,
 Duration = NetworkDuration
 | project-away
 DeviceCustom*
diff --git a/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionAWSVPC.yaml b/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionAWSVPC.yaml
index 55c8d7d52f..47d0196444 100644
--- a/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionAWSVPC.yaml
+++ b/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionAWSVPC.yaml
@@ -1,7 +1,7 @@
 Parser:
 Title: Network Session ASIM filtering parser for AWS VPC logs
- Version: '0.1'
- LastUpdated: Feb 08, 2021
+ Version: '0.2'
+ LastUpdated: Jun 16, 2021
 Product:
 Name: AWS VPC
 Normalization:
@@ -227,7 +227,7 @@ ParserQuery: |
 | where(isnull(starttime) or TimeGenerated >= starttime)
 and (isnull(endtime) or TimeGenerated <= endtime)
 | where not(disabled)
- | where LogStatus != "NODATA"
+ | where LogStatus == "OK"
 // -- Pre-filtering:
 | where
 (isnull(dstportnumber) or (DstPort == dstportnumber))
diff --git a/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionMicrosoft365Defender.yaml b/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionMicrosoft365Defender.yaml
index e7ad5e024c..9fca23c021 100644
--- a/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionMicrosoft365Defender.yaml
+++ b/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionMicrosoft365Defender.yaml
@@ -1,7 +1,7 @@ Parser: Title: Network Session ASIM filtering parser for M365 Defender for Endpoint - Version: '0.2' - LastUpdated: Jan 17, 2022 + Version: '0.3' + LastUpdated: Jun 15, 2022 Product: Name: M365 Defender for Endpoint Normalization: @@ -259,7 +259,7 @@ ParserQuery: | ; union InboundNetworkEvents, OutboundNetworkEvents | extend // aliases - Hostname = UrlHostname, + Hostname = tostring(UrlHostname), IpAddr = SrcIpAddr, Src = SrcIpAddr, Dst = DstIpAddr diff --git a/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionMicrosoftLinuxSysmon.yaml b/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionMicrosoftLinuxSysmon.yaml index eea8c7c583..5e44be1b8d 100644 --- a/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionMicrosoftLinuxSysmon.yaml +++ b/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionMicrosoftLinuxSysmon.yaml @@ -1,7 +1,7 @@ Parser: Title: Network Session ASIM filtering parser for Sysmon for Linux - Version: '0.2' - LastUpdated: Jan 17, 2022 + Version: '0.3' + LastUpdated: Jun 16, 2022 Product: Name: Sysmon for Linux Normalization: 
@@ -139,59 +139,60 @@ ParserQuery: | SrcAppType = 'Process' | project-away SyslogMessage ; - let InboundNetworkEvents = - DirectionNetworkEvents - | where not(outbound) - | invoke parser () - // *************** Postfilterring *************************************************************** - | where (array_length(hostname_has_any)==0 or DstHostname has_any (hostname_has_any)or SrcHostname has_any (hostname_has_any) ) - and (isnull(dstportnumber) or DstPortNumber ==dstportnumber) - // *************** Postfilterring *************************************************************** - | extend - temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any) - , temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any) - | extend ASimMatchingIpAddr = case( - array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, "-" // match not requested: probably most common case - , (temp_isSrcMatch and temp_isDstMatch), "Both" // has to be checked before the individual - , temp_isSrcMatch, "SrcIpAddr" - , temp_isDstMatch, "DstIpAddr" - , "No match" - ) - | where ASimMatchingIpAddr != "No match" - | project-away temp_* - | extend - DstUsernameType = 'Simple', - DstUsername = User, - DstProcessId = ProcessId, - DstProcessGuid = ProcessGuid, - DstProcessName = Process, - DstAppName = Process, - DstAppType = 'Process' - | project-away SyslogMessage - ; - let SysmonForLinuxNetwork= - union OutboundNetworkEvents, InboundNetworkEvents - | extend - EventType = 'NetworkSession', - EventStartTime = EventEndTime, - EventCount = int(1), - EventVendor = 'Microsoft', - EventSchemaVersion = '0.2.3', - EventSchema = 'NetworkSession', - EventProduct = 'Sysmon for Linux', - EventResult = 'Success', - EventSeverity = 'Informational', - DvcOs = 'Linux', - Protocol = toupper(Protocol), - EventOriginalType = '3' // Set with a constant value to avoid parsing - | project-rename - DvcIpAddr = HostIP, - DvcHostname = SysmonComputer - | extend // aliases - Dvc = DvcHostname, - Hostname = DstHostname, - 
IpAddr = SrcIpAddr, - Src = SrcIpAddr, - Dst = DstIpAddr - ; - SysmonForLinuxNetwork \ No newline at end of file + let InboundNetworkEvents = + DirectionNetworkEvents + | where not(outbound) + | invoke parser () + // *************** Postfilterring *************************************************************** + | where (array_length(hostname_has_any)==0 or DstHostname has_any (hostname_has_any)or SrcHostname has_any (hostname_has_any) ) + and (isnull(dstportnumber) or DstPortNumber ==dstportnumber) + // *************** Postfilterring *************************************************************** + | extend + temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any) + , temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any) + | extend ASimMatchingIpAddr = case( + array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, "-" // match not requested: probably most common case + , (temp_isSrcMatch and temp_isDstMatch), "Both" // has to be checked before the individual + , temp_isSrcMatch, "SrcIpAddr" + , temp_isDstMatch, "DstIpAddr" + , "No match" + ) + | where ASimMatchingIpAddr != "No match" + | project-away temp_* + | extend + DstUsernameType = 'Simple', + DstUsername = User, + DstProcessId = ProcessId, + DstProcessGuid = ProcessGuid, + DstProcessName = Process, + DstAppName = Process, + DstAppType = 'Process' + | project-away SyslogMessage + ; + let SysmonForLinuxNetwork= + union OutboundNetworkEvents, InboundNetworkEvents + | extend + EventType = 'NetworkSession', + EventStartTime = EventEndTime, + EventCount = int(1), + EventVendor = 'Microsoft', + EventSchemaVersion = '0.2.3', + EventSchema = 'NetworkSession', + EventProduct = 'Sysmon for Linux', + EventResult = 'Success', + EventSeverity = 'Informational', + DvcOs = 'Linux', + Protocol = toupper(Protocol), + NetworkDirection = iff(outbound, "Ountbound", "Inbound"), + EventOriginalType = '3' // Set with a constant value to avoid parsing + | project-rename + DvcIpAddr = HostIP, + DvcHostname = 
SysmonComputer + | extend // aliases + Dvc = DvcHostname, + Hostname = DstHostname, + IpAddr = SrcIpAddr, + Src = SrcIpAddr, + Dst = DstIpAddr + ; + SysmonForLinuxNetwork \ No newline at end of file diff --git a/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionVMConnection.yaml b/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionVMConnection.yaml index deb69128c2..c4963d3aba 100644 --- a/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionVMConnection.yaml +++ b/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionVMConnection.yaml @@ -1,7 +1,7 @@ Parser: Title: Network Session ASIM filtering parser for VM connection information collected using the Log Analytics Agent - Version: '0.1' - LastUpdated: Feb 6, 2022 + Version: '0.2' + LastUpdated: Jun 15, 2022 Product: Name: VMConnection Normalization: @@ -121,6 +121,7 @@ ParserQuery: | | project-away temp_* | extend SrcAppType = "Process", + SrcDvcIdType = "VMConnectionId", SrcHostnameType = "Simple", DstGeoCountry = RemoteCountry, DstGeoLongitude = RemoteLongitude, @@ -231,6 +232,8 @@ ParserQuery: | EventSchema = "NetworkSession", EventSchemaVersion = "0.2.3", EventType = "EndpointNetworkSession", + DvcIdType = "VMConnectionId", + NetworkDirection = iff(Direction=="inbound", "Inbound", "Outbound"), EventEndTime = TimeGenerated | project-rename DstIpAddr = DestinationIp, @@ -238,7 +241,6 @@ ParserQuery: | SrcIpAddr = SourceIp, NetworkSessionId = ConnectionId, ThreatName = IndicatorThreatType, - NetworkDirection = Direction, RemoteGeoCountry = RemoteCountry, RemoteGeoLatitude = RemoteLatitude, RemoteGeoLongitude = RemoteLongitude, diff --git a/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionzScalerZIA.yaml b/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionzScalerZIA.yaml index 786167243e..5f0b21d0ae 100644 --- a/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionzScalerZIA.yaml +++ b/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionzScalerZIA.yaml 
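Review bot: The only functional line in the vimNetworkSessionMicrosoftLinuxSysmon hunk at @@ -139, `NetworkDirection = iff(outbound, "Ountbound", "Inbound"),`, misspells the value; it should read `NetworkDirection = iff(outbound, "Outbound", "Inbound"),` to match the "Outbound" literal the VMConnection parsers in this same commit emit, otherwise any filter on `NetworkDirection == "Outbound"` silently misses every outbound Sysmon for Linux session. The rest of the hunk re-indents the InboundNetworkEvents and SysmonForLinuxNetwork blocks without changing them, which is what buries the one-line change; a whitespace-only reformat is easier to review as a separate commit.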
@@ -1,7 +1,7 @@ Parser: Title: Network Session ASIM filtering parser for Zscaler ZIA firewall - Version: '0.2' - LastUpdated: Jan 17, 2022 + Version: '0.3' + LastUpdated: Jun 16, 2022 Product: Name: Zscaler ZIA Firewall Normalization: @@ -132,7 +132,7 @@ ParserQuery: | SrcUserLocation = SourceUserPrivileges, // Not in standard schema ThreatName = DeviceCustomString6, ThreatCategory = DeviceCustomString5, - RuleName = Activity + NetworkRuleName = Activity // -- Calculated fields | extend // -- Adjustment to support both old and new CSL fields. @@ -159,6 +159,7 @@ ParserQuery: | IpAddr = SrcIpAddr, Src = SrcIpAddr, Dst = DstIpAddr, + Rule = NetworkRuleName, Duration = NetworkDuration | project-away DeviceCustom* diff --git a/Parsers/ASimWebSession/ARM/ASimWebSessionSquidProxy/ASimWebSessionSquidProxy.json b/Parsers/ASimWebSession/ARM/ASimWebSessionSquidProxy/ASimWebSessionSquidProxy.json index cf3f29855f..a7f8343fbc 100644 --- a/Parsers/ASimWebSession/ARM/ASimWebSessionSquidProxy/ASimWebSessionSquidProxy.json +++ b/Parsers/ASimWebSession/ARM/ASimWebSessionSquidProxy/ASimWebSessionSquidProxy.json 
@@ -35,7 +35,7 @@ "displayName": "Web Session ASIM parser for Squid Proxy", "category": "ASIM", "FunctionAlias": "ASimWebSessionSquidProxy", - "query": "let parser=(disabled:bool=false){\nSquidProxy_CL | where not(disabled)\n | extend AccessRawLog = extract_all(@\"^(\\d+\\.\\d+)\\s+(\\d+)\\s(\\S+)\\s([A-Z_]+)\\/(\\d+)\\s(\\d+)\\s([A-Z]+)\\s(\\S+)\\s(\\S+)\\s([A-Z_]+)\\/(\\S+)\\s(\\S+)\",dynamic([1,2,3,4,5,6,7,8,9,10,11,12]),RawData)[0]\n | extend\n EventEndTime = unixtime_milliseconds_todatetime(todouble(tostring(AccessRawLog[0]))*1000), \n NetworkDuration = toint(AccessRawLog[1]), \n SrcIpAddr = tostring(AccessRawLog[2]), \n EventOriginalResultDetails = strcat (tostring(AccessRawLog[3]), \";\", PeerStatus = tostring(AccessRawLog[9])), \n EventResultDetails = tostring(AccessRawLog[4]), \n DstBytes = toint(AccessRawLog[5]), \n HttpRequestMethod = tostring(AccessRawLog[6]), \n // -- Squid URL might be shortened by including ellipsis (...) instead of a section in the middle. This may impact the hostname part as well.\n Url = tostring(AccessRawLog[7]), \n SrcUsername = tostring(AccessRawLog[8]), \n DstIpAddr = tostring(AccessRawLog[10]), \n HttpContentType = tostring(AccessRawLog[11]) \n // -- Constant fields\n | extend \n EventCount = int(1), \n EventProduct = 'Squid Proxy', \n EventVendor = 'Squid', \n EventSchema = 'WebSession', \n EventSchemaVersion = '0.2.3', \n EventType = 'HTTPsession' \n // -- Value normalization\n | extend\n UsernameType = \"Unknown\",\n SrcUsername = iff (SrcUsername == \"-\", \"\", SrcUsername), \n HttpContentType = iff (HttpContentType in (\":\", \"-\"), \"\", HttpContentType), \n EventResult = iff (EventOriginalResultDetails has_any ('DENIED', 'INVALID', 'FAIL', 'ABORTED','TIMEOUT') or toint(EventResultDetails) >= 400, \"Failure\", \"Success\"),\n DstIpAddrIsHost = DstIpAddr matches regex @\"^[^\\:]*[a-zA-Z]$\"\n | extend \n DstFQDN = iif (DstIpAddrIsHost, DstIpAddr, tostring(parse_url(Url)[\"Host\"])),\n DstIpAddr = iif (DstIpAddr == 
\"-\" or DstIpAddrIsHost, \"\", DstIpAddr)\n | extend \n EventSeverity = iff(EventResult == \"Success\", \"Informational\", \"Low\"),\n DstFQDNparts = split (DstFQDN, \".\")\n | extend \n DstHostname = tostring(DstFQDNparts[0]),\n DstDomain = strcat_array(array_slice(DstFQDNparts,1,-1),\".\"),\n DstDomainType = \"FQDN\"\n // -- aliases\n | extend \n EventStartTime = EventEndTime,\n Duration = NetworkDuration,\n HttpStatusCode = EventResultDetails,\n User = SrcUsername,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstHostname,\n Hostname = DstHostname\n | project-away AccessRawLog, RawData\n};\nparser (disabled)\n", + "query": "let parser=(disabled:bool=false){\nSquidProxy_CL | where not(disabled)\n | extend AccessRawLog = extract_all(@\"^(\\d+\\.\\d+)\\s+(\\d+)\\s(\\S+)\\s([A-Z_]+)\\/(\\d+)\\s(\\d+)\\s([A-Z]+)\\s(\\S+)\\s(\\S+)\\s([A-Z_]+)\\/(\\S+)\\s(\\S+)\",dynamic([1,2,3,4,5,6,7,8,9,10,11,12]),RawData)[0]\n | project-rename\n Dvc = Computer\n | extend\n EventEndTime = unixtime_milliseconds_todatetime(todouble(tostring(AccessRawLog[0]))*1000), \n NetworkDuration = toint(AccessRawLog[1]), \n SrcIpAddr = tostring(AccessRawLog[2]), \n EventOriginalResultDetails = strcat (tostring(AccessRawLog[3]), \";\", PeerStatus = tostring(AccessRawLog[9])), \n EventResultDetails = tostring(AccessRawLog[4]), \n DstBytes = tolong(AccessRawLog[5]), \n HttpRequestMethod = tostring(AccessRawLog[6]), \n // -- Squid URL might be shortened by including ellipsis (...) instead of a section in the middle. 
This may impact the hostname part as well.\n Url = tostring(AccessRawLog[7]), \n SrcUsername = tostring(AccessRawLog[8]), \n DstIpAddr = tostring(AccessRawLog[10]), \n HttpContentType = tostring(AccessRawLog[11]) \n // -- Constant fields\n | extend \n EventCount = int(1), \n EventProduct = 'Squid Proxy', \n EventVendor = 'Squid', \n EventSchema = 'WebSession', \n EventSchemaVersion = '0.2.3', \n EventType = 'HTTPsession' \n // -- Value normalization\n | extend\n SrcUsernameType = \"Unknown\",\n SrcUsername = iff (SrcUsername == \"-\", \"\", SrcUsername), \n HttpContentType = iff (HttpContentType in (\":\", \"-\"), \"\", HttpContentType), \n EventResult = iff (EventOriginalResultDetails has_any ('DENIED', 'INVALID', 'FAIL', 'ABORTED','TIMEOUT') or toint(EventResultDetails) >= 400, \"Failure\", \"Success\"),\n DstIpAddrIsHost = DstIpAddr matches regex @\"^[^\\:]*[a-zA-Z]$\"\n | extend \n DstFQDN = iif (DstIpAddrIsHost, DstIpAddr, tostring(parse_url(Url)[\"Host\"])),\n DstIpAddr = iif (DstIpAddr == \"-\" or DstIpAddrIsHost, \"\", DstIpAddr)\n | extend \n EventSeverity = iff(EventResult == \"Success\", \"Informational\", \"Low\"),\n DstFQDNparts = split (DstFQDN, \".\")\n | extend \n DstHostname = tostring(DstFQDNparts[0]),\n DstDomain = strcat_array(array_slice(DstFQDNparts,1,-1),\".\"),\n DstDomainType = \"FQDN\"\n // -- aliases\n | extend \n EventStartTime = EventEndTime,\n Duration = NetworkDuration,\n HttpStatusCode = EventResultDetails,\n User = SrcUsername,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstHostname,\n Hostname = DstHostname\n | project-away AccessRawLog, RawData\n};\nparser (disabled)\n", "version": 1, "functionParameters": "disabled:bool=False" } diff --git a/Parsers/ASimWebSession/ARM/ASimWebSessionzScalerZIA/ASimWebSessionzScalerZIA.json b/Parsers/ASimWebSession/ARM/ASimWebSessionzScalerZIA/ASimWebSessionzScalerZIA.json index 8cfb07a40d..8030bc73b2 100644 
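Review bot: In the ASimWebSessionSquidProxy query, the new `| project-rename\n Dvc = Computer` populates only the Dvc alias and leaves `DvcHostname`, which the vimWebSessionEmpty schema in this same diff marks Mandatory, unset. The Zscaler parser in this commit does it the other way round (`DvcHostname = tostring(Computer)` followed by `Dvc = DvcHostname` under aliases); renaming to `DvcHostname = Computer` and adding `Dvc = DvcHostname` to the `// -- aliases` extend would keep the two parsers consistent and give the schema its mandatory field.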
--- a/Parsers/ASimWebSession/ARM/ASimWebSessionzScalerZIA/ASimWebSessionzScalerZIA.json +++ b/Parsers/ASimWebSession/ARM/ASimWebSessionzScalerZIA/ASimWebSessionzScalerZIA.json 
@@ -35,7 +35,7 @@ "displayName": "Web Session ASIM parser for Zscaler ZIA", "category": "ASIM", "FunctionAlias": "ASimWebSessionZscalerZIA", - "query": "let parser=(disabled:bool=false){\nlet DvcActionLookup = datatable (DeviceAction:string, DvcAction: string) \n[\n 'Allowed', 'Allow',\n 'Blocked', 'Deny'\n]; \nCommonSecurityLog | where not(disabled)\n| where DeviceVendor == \"Zscaler\"\n| where DeviceProduct == \"NSSWeblog\"\n// Event fields\n| extend \n EventCount=int(1), \n EventStartTime=TimeGenerated, \n EventVendor = \"Zscaler\", \n EventProduct = \"ZIA Proxy\", \n EventSchema = \"WebSession\", \n EventSchemaVersion=\"0.2.3\", \n EventType = 'HTTPsession',\n EventEndTime=TimeGenerated\n| project-rename\n EventProductVersion = DeviceVersion,\n NetworkApplicationProtocol = ApplicationProtocol,\n HttpContentType = FileType,\n HttpUserAgent = RequestClientApplication,\n HttpRequestMethod = RequestMethod,\n DstAppName = DestinationServiceName,\n DstIpAddr = DestinationIP,\n DstFQDN = DestinationHostName,\n SrcIpAddr = SourceIP,\n SrcUsername = SourceUserName,\n SrcNatIpAddr= SourceTranslatedAddress,\n SrcUserDepartment = SourceUserPrivileges, // Not part of the standard schema\n UrlCategory = DeviceCustomString2,\n ThreatName = DeviceCustomString5,\n FileMD5 = DeviceCustomString6\n// -- Parse\n| parse AdditionalExtensions with \n * \"rulelabel=\" RuleName:string \";\"\n \"ruletype=\" ruletype:string \";\"\n \"urlclass=\" urlclass:string \";\"\n \"devicemodel=\" * \n// -- Calculated fields\n| lookup DvcActionLookup on DeviceAction\n| extend\n // -- Adjustment to support both old and new CSL fields.\n EventOriginalResultDetails = coalesce(\n column_ifexists(\"Reason\", \"\"),\n extract(@'reason=(.*?)(?:;|$)',1, AdditionalExtensions, typeof(string))\n ),\n EventResultDetails = coalesce(\n column_ifexists(\"EventOutcome\", \"\"),\n extract(@'outcome=(.*?)(?:;|$)',1, AdditionalExtensions, typeof(string))\n ),\n ThreatRiskLevel = coalesce(\n 
toint(column_ifexists(\"fieldDeviceCustomNumber1\", int(null))),\n toint(column_ifexists(\"DeviceCustomNumber1\",int(null)))\n ),\n DvcHostname = tostring(Computer),\n SrcBytes = toint(SentBytes),\n DstBytes = toint(ReceivedBytes),\n Url = iff (RequestURL == \"\", \"\", strcat (tolower(NetworkApplicationProtocol), \"://\", url_decode(RequestURL))),\n UrlCategory = strcat (urlclass, \"/\", UrlCategory),\n ThreatCategory = iff(DeviceCustomString4 == \"None\", \"\", strcat (DeviceCustomString3, \"/\", DeviceCustomString4)),\n RuleName = iff (RuleName == \"None\", \"\", strcat (ruletype, \"/\", RuleName)),\n FileMD5 = iff (FileMD5 == \"None\", \"\", FileMD5),\n HttpReferrer = iff (RequestContext == \"None\", \"\", url_decode(RequestContext)),\n DstAppName = iff (DstAppName == \"General Browsing\", \"\", DstAppName),\n DstFQDNparts = split (DstFQDN, \".\"),\n DstHostnameNotAddr = DstIpAddr != DstFQDN\n| extend\n DstHostname = iff (DstHostnameNotAddr, tostring(DstFQDNparts[0]), DstFQDN),\n DstDomain = iff (DstHostnameNotAddr, strcat_array(array_slice(DstFQDNparts,1,-1),\".\"), \"\"),\n DstFQDN = iff (DstHostnameNotAddr, DstFQDN, \"\") \n// -- Enrichment\n| extend\n EventResult = iff (EventResultDetails == \"NA\" or toint(EventResultDetails) >= 400, \"Failure\", \"Success\"),\n EventSeverity = case (ThreatRiskLevel > 90, \"High\", ThreatRiskLevel > 60, \"Medium\", ThreatRiskLevel > 10, \"Low\", \"Informational\"),\n DstAppType = \"SaaS application\",\n DstDomainType = iff (DstHostnameNotAddr, \"FQDN\", \"\"),\n SrcUsernameType = \"UPN\"\n// -- Aliases\n| extend\n Dvc = DvcHostname,\n UserAgent = HttpUserAgent,\n User = SrcUsername,\n HttpStatusCode = EventResultDetails,\n IpAddr = SrcNatIpAddr,\n Hash = FileMD5,\n FileHashType = iff(FileMD5 == \"\", \"\", \"MD5\")\n| project-away \n DstFQDNparts, AdditionalExtensions, DeviceCustom*\n};\nparser (disabled)", + "query": "let parser=(disabled:bool=false){\nlet DvcActionLookup = datatable (DeviceAction:string, DvcAction: 
string) \n[\n 'Allowed', 'Allow',\n 'Blocked', 'Deny'\n]; \nCommonSecurityLog | where not(disabled)\n| where DeviceVendor == \"Zscaler\"\n| where DeviceProduct == \"NSSWeblog\"\n// Event fields\n| extend \n EventCount=int(1), \n EventStartTime=TimeGenerated, \n EventVendor = \"Zscaler\", \n EventProduct = \"ZIA Proxy\", \n EventSchema = \"WebSession\", \n EventSchemaVersion=\"0.2.3\", \n EventType = 'HTTPsession',\n EventEndTime=TimeGenerated\n| project-rename\n EventProductVersion = DeviceVersion,\n NetworkApplicationProtocol = ApplicationProtocol,\n HttpContentType = FileType,\n HttpUserAgent = RequestClientApplication,\n HttpRequestMethod = RequestMethod,\n DstAppName = DestinationServiceName,\n DstIpAddr = DestinationIP,\n DstFQDN = DestinationHostName,\n SrcIpAddr = SourceIP,\n SrcUsername = SourceUserName,\n SrcNatIpAddr= SourceTranslatedAddress,\n SrcUserDepartment = SourceUserPrivileges, // Not part of the standard schema\n UrlCategory = DeviceCustomString2,\n ThreatName = DeviceCustomString5,\n FileMD5 = DeviceCustomString6\n// -- Parse\n| parse AdditionalExtensions with \n * \"rulelabel=\" RuleName:string \";\"\n \"ruletype=\" ruletype:string \";\"\n \"urlclass=\" urlclass:string \";\"\n \"devicemodel=\" * \n// -- Calculated fields\n| lookup DvcActionLookup on DeviceAction\n| extend\n // -- Adjustment to support both old and new CSL fields.\n EventOriginalResultDetails = coalesce(\n column_ifexists(\"Reason\", \"\"),\n extract(@'reason=(.*?)(?:;|$)',1, AdditionalExtensions, typeof(string))\n ),\n EventResultDetails = coalesce(\n column_ifexists(\"EventOutcome\", \"\"),\n extract(@'outcome=(.*?)(?:;|$)',1, AdditionalExtensions, typeof(string))\n ),\n ThreatRiskLevel = coalesce(\n toint(column_ifexists(\"fieldDeviceCustomNumber1\", int(null))),\n toint(column_ifexists(\"DeviceCustomNumber1\",int(null)))\n ),\n DvcHostname = tostring(Computer),\n SrcBytes = tolong(SentBytes),\n DstBytes = tolong(ReceivedBytes),\n Url = iff (RequestURL == \"\", \"\", strcat 
(tolower(NetworkApplicationProtocol), \"://\", url_decode(RequestURL))),\n UrlCategory = strcat (urlclass, \"/\", UrlCategory),\n ThreatCategory = iff(DeviceCustomString4 == \"None\", \"\", strcat (DeviceCustomString3, \"/\", DeviceCustomString4)),\n RuleName = iff (RuleName == \"None\", \"\", strcat (ruletype, \"/\", RuleName)),\n FileMD5 = iff (FileMD5 == \"None\", \"\", FileMD5),\n HttpReferrer = iff (RequestContext == \"None\", \"\", url_decode(RequestContext)),\n DstAppName = iff (DstAppName == \"General Browsing\", \"\", DstAppName),\n DstFQDNparts = split (DstFQDN, \".\"),\n DstHostnameNotAddr = DstIpAddr != DstFQDN\n| extend\n DstHostname = iff (DstHostnameNotAddr, tostring(DstFQDNparts[0]), DstFQDN),\n DstDomain = iff (DstHostnameNotAddr, strcat_array(array_slice(DstFQDNparts,1,-1),\".\"), \"\"),\n DstFQDN = iff (DstHostnameNotAddr, DstFQDN, \"\") \n// -- Enrichment\n| extend\n EventResult = iff (EventResultDetails == \"NA\" or toint(EventResultDetails) >= 400, \"Failure\", \"Success\"),\n EventSeverity = case (ThreatRiskLevel > 90, \"High\", ThreatRiskLevel > 60, \"Medium\", ThreatRiskLevel > 10, \"Low\", \"Informational\"),\n DstAppType = \"SaaS application\",\n DstDomainType = iff (DstHostnameNotAddr, \"FQDN\", \"\"),\n SrcUsernameType = \"UPN\"\n// -- Aliases\n| extend\n Dvc = DvcHostname,\n Hostname = DstHostname,\n UserAgent = HttpUserAgent,\n User = SrcUsername,\n HttpStatusCode = EventResultDetails,\n IpAddr = SrcNatIpAddr,\n Hash = FileMD5,\n FileHashType = iff(FileMD5 == \"\", \"\", \"MD5\")\n| project-away \n DstFQDNparts, AdditionalExtensions, DeviceCustom*\n};\nparser (disabled)", "version": 1, "functionParameters": "disabled:bool=False" } diff --git a/Parsers/ASimWebSession/ARM/FullDeploymentWebSession.json b/Parsers/ASimWebSession/ARM/FullDeploymentWebSession.json index daaeeeb84a..6eff845aa8 100644 --- a/Parsers/ASimWebSession/ARM/FullDeploymentWebSession.json +++ b/Parsers/ASimWebSession/ARM/FullDeploymentWebSession.json 
@@ -18,6 +18,26 @@ }, "variables": {}, "resources": [ + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedvimWebSessionSquidProxy", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimWebSession/ARM/vimWebSessionSquidProxy/vimWebSessionSquidProxy.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", @@ -41,31 +61,11 @@ { "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", - "name": "linkedASimWebSessionSquidProxy", + "name": "linkedvimWebSessionzScalerZIA", "properties": { "mode": "Incremental", "templateLink": { - "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimWebSession/ARM/ASimWebSessionSquidProxy/ASimWebSessionSquidProxy.json", - "contentVersion": "1.0.0.0" - }, - "parameters": { - "Workspace": { - "value": "[parameters('Workspace')]" - }, - "WorkspaceRegion": { - "value": "[parameters('WorkspaceRegion')]" - } - } - } - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "linkedASimWebSessionzScalerZIA", - "properties": { - "mode": "Incremental", - "templateLink": { - "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimWebSession/ARM/ASimWebSessionzScalerZIA/ASimWebSessionzScalerZIA.json", + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimWebSession/ARM/vimWebSessionzScalerZIA/vimWebSessionzScalerZIA.json", "contentVersion": "1.0.0.0" }, "parameters": { 
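Review bot: The FullDeploymentWebSession hunks at @@ -18 and @@ -41 (continued at @@ -121 and @@ -141) swap the order of the vim and ASim linked deployments, but none of the resources carry a `dependsOn`, so ARM still deploys them in parallel; if the reorder is meant to make the vim parsers land first it has no effect, and a `dependsOn` on the ASim resources would be needed. If the intent is only grouping, the swap is fine as is. Note also that every `templateLink.uri` points at the `master` branch, so what gets deployed is whatever is on that branch at deploy time rather than the content of this commit.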
@@ -121,11 +121,11 @@ { "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", - "name": "linkedvimWebSessionSquidProxy", + "name": "linkedASimWebSessionSquidProxy", "properties": { "mode": "Incremental", "templateLink": { - "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimWebSession/ARM/vimWebSessionSquidProxy/vimWebSessionSquidProxy.json", + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimWebSession/ARM/ASimWebSessionSquidProxy/ASimWebSessionSquidProxy.json", "contentVersion": "1.0.0.0" }, "parameters": { @@ -141,11 +141,11 @@ { "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", - "name": "linkedvimWebSessionzScalerZIA", + "name": "linkedASimWebSessionzScalerZIA", "properties": { "mode": "Incremental", "templateLink": { - "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimWebSession/ARM/vimWebSessionzScalerZIA/vimWebSessionzScalerZIA.json", + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimWebSession/ARM/ASimWebSessionzScalerZIA/ASimWebSessionzScalerZIA.json", "contentVersion": "1.0.0.0" }, "parameters": { diff --git a/Parsers/ASimWebSession/ARM/vimWebSessionEmpty/vimWebSessionEmpty.json b/Parsers/ASimWebSession/ARM/vimWebSessionEmpty/vimWebSessionEmpty.json index a0c0d16aec..68978117c7 100644 --- a/Parsers/ASimWebSession/ARM/vimWebSessionEmpty/vimWebSessionEmpty.json +++ b/Parsers/ASimWebSession/ARM/vimWebSessionEmpty/vimWebSessionEmpty.json 
@@ -35,7 +35,7 @@ "displayName": "Web Session ASIM schema function", "category": "ASIM", "FunctionAlias": "vimWebSessionEmpty", - "query": "let parser=datatable(\n TimeGenerated:datetime\n , _ResourceId:string\n , Type:string\n // -- Event Fields\n , EventMessage:string // Optional\n , EventCount:int // Mandatory\n , EventStartTime:datetime // Mandatory\n , EventEndTime:datetime // Alias\n , EventType:string // Mandatory\n , EventSubType:string // Optional\n , EventResult:string // Mandatory\n , EventResultDetails:string // Optional\n , EventOriginalResultDetails:string // Optional\n , EventSeverity:string // Mandatory\n , EventOriginalSeverity:string // Optional\n , EventOriginalUid:string // Optional\n , EventOriginalType:string // Optional\n , EventProduct:string // Mandatory\n , EventProductVersion:string // Optional\n , EventVendor:string // Mandatory\n , EventSchema:string // Mandatory\n , EventSchemaVersion:string // Mandatory\n , EventReportUrl:string // Mandatory\n , Dvc:string // Alias\n , DvcIpAddr:string // Mandatory\n , DvcHostname:string // Mandatory\n , DvcDomain:string // Recommended\n , DvcDomainType:string // Recommended\n , DvcFQDN:string // Optional\n , DvcId:string // Optional\n , DvcIdType:string // Optional\n , DvcMacAddr:string // Optional\n , DvcZone:string // Optional \n , DvcAction:string // Optional\n , DvcOriginalAction:string // Optional\n // -- Network Session Fields\n , Dst:string // Alias\n , DstIpAddr:string // Recommended\n , DstPortNumber:int // Optional\n , DstHostname:string // Recommended\n , Hostname:string // Alias\n , DstDomain:string // Recommended\n , DstDomainType:string // Recommended\n , DstFQDN:string // Optional\n , DstDvcId:string // Optional\n , DstDvcIdType:string // Optional\n , DstDeviceType:string // Optional\n , DstUserId:string // Optional\n , DstUserIdType:string // Optional\n , DstUsername:string // Optional\n , User:string // Alias\n , DstUsernameType:string // Alias\n , DstUserType:string // Optional\n , 
DstOriginalUserType:string // Optional\n , DstUserDomain:string // Optional\n , DstAppName:string // Optional\n , DstAppId:string // Optional\n , DstAppType:string // Optional\n , DstZone:string // Optional\n , DstInterfaceName:string // Optional\n , DstInterfaceGuid:string // Optional\n , DstMacAddr:string // Optional\n , DstGeoCountry:string // Optional\n , DstGeoCity:string // Optional\n , DstGeoLatitude:real // Optional\n , DstGeoLongitude:real // Optional\n , Src:string // Alias\n , SrcIpAddr:string // Recommended\n , SrcPortNumber:int // Optional\n , SrcHostname:string // Recommended\n , SrcDomain:string // Recommended\n , SrcDomainType:string // Recommended\n , SrcFQDN:string // Optional\n , SrcDvcId:string // Optional\n , SrcDvcIdType:string // Optional\n , SrcDeviceType:string // Optional\n , SrcUserId:string // Optional\n , SrcUserIdType:string // Optional\n , SrcUsername:string // Optional\n , SrcUsernameType:string // Alias\n , SrcUserType:string // Optional\n , SrcOriginalUserType:string // Optional\n , SrcUserDomain:string // Optional\n , SrcAppName:string // Optional\n , SrcAppId:string // Optional\n , IpAddr:string // Alias\n , SrcAppType:string // Optional\n , SrcZone:string // Optional\n , SrcInterfaceName:string // Optional\n , SrcInterfaceGuid:string // Optional\n , SrcMacAddr:string // Optional\n , SrcGeoCountry:string // Optional\n , SrcGeoCity:string // Optional\n , SrcGeoLatitude:real // Optional\n , SrcGeoLongitude:real // Optional\n , NetworkApplicationProtocol:string // Optional\n , NetworkProtocol:string // Optional\n , NetworkProtocolVersion:string // Optional\n , NetworkDirection:string // Optional\n , NetworkDuration:int // Optional\n , Duration:int // Alias\n , NetworkIcmpCode:int // Optional\n , NetworkIcmpType:string // Optional\n , DstBytes:int // Optional\n , SrcBytes:int // Optional\n , NetworkBytes:int // Optional\n , DstPackets:int // Optional\n , SrcPackets:int // Optional\n , NetworkPackets:int // Optional\n , 
NetworkSessionId:string // Optional\n , SessionId:string // Alias\n , NetworkConnectionHistory:string // Optional\n , SrcVlanId:string // Optional\n , DstVlanId:string // Alias\n , InnerVlanId:string // Optional\n , OuterVlanId: string // Alias\n // -- Intermediary device fields\n , DstNatIpAddr:string // Optional\n , DstNatPortNumber:int // Optional\n , SrcNatIpAddr:string // Optional\n , SrcNatPortNumber:int // Optional\n , DvcInboundInterface:string // Optional\n , DvcOutboundInterface:string // Optional\n , DvcInterface:string // Optional\n // -- HTTP session fields\n , Url:string // Mandatory\n , UrlCategory:string // Optional\n , UrlOriginal:string // Optional\n , HttpVersion:string // Optional\n , HttpRequestMethod:string // Optional\n , HttpStatusCode:string // Alias\n , HttpContentType:string // Optional\n , HttpContentFormat:string // Optional\n , HttpReferrer:string // Optional\n , HttpUserAgent:string // Optional\n , UserAgent:string // Alias\n , HttpRequestXff:string // Optional\n , HttpRequestTime:int // Optional\n , HttpResponseTime:int // Optional\n , FileName:string // Optional\n , FileMD5:string // Optional\n , FileSHA1:string // Optional \n , FileSHA256:string // Optional\n , FileSHA512:string // Optional\n , FileSize:int // Optional\n , FileContentType:string // Optional\n , RuleName:string // Optional\n , RuleNumber:int // Optional\n , Rule:string // Alias\n , ThreatId:string // Optional\n , ThreatName:string // Optional\n , ThreatCategory:string // Optional\n , ThreatRiskLevel:int // Optional\n , ThreatRiskLevelOriginal:string // Optional\n , DvcSubscriptionId:string // Optional\n , SrcSubscriptionId:string // Optional\n , DstSubscriptionId:string // Optional \n )[];\n parser", + "query": "let parser=datatable(\n TimeGenerated:datetime\n , _ResourceId:string\n , Type:string\n // -- Event Fields\n , EventMessage:string // Optional\n , EventCount:int // Mandatory\n , EventStartTime:datetime // Mandatory\n , EventEndTime:datetime // Alias\n , 
EventType:string // Mandatory\n , EventSubType:string // Optional\n , EventResult:string // Mandatory\n , EventResultDetails:string // Optional\n , EventOriginalResultDetails:string // Optional\n , EventSeverity:string // Mandatory\n , EventOriginalSeverity:string // Optional\n , EventOriginalUid:string // Optional\n , EventOriginalType:string // Optional\n , EventProduct:string // Mandatory\n , EventProductVersion:string // Optional\n , EventVendor:string // Mandatory\n , EventSchema:string // Mandatory\n , EventSchemaVersion:string // Mandatory\n , EventReportUrl:string // Mandatory\n , Dvc:string // Alias\n , DvcIpAddr:string // Mandatory\n , DvcHostname:string // Mandatory\n , DvcDomain:string // Recommended\n , DvcDomainType:string // Recommended\n , DvcFQDN:string // Optional\n , DvcId:string // Optional\n , DvcIdType:string // Optional\n , DvcMacAddr:string // Optional\n , DvcZone:string // Optional \n , DvcAction:string // Optional\n , DvcOriginalAction:string // Optional\n // -- Network Session Fields\n , Dst:string // Alias\n , DstIpAddr:string // Recommended\n , DstPortNumber:int // Optional\n , DstHostname:string // Recommended\n , Hostname:string // Alias\n , DstDomain:string // Recommended\n , DstDomainType:string // Recommended\n , DstFQDN:string // Optional\n , DstDvcId:string // Optional\n , DstDvcIdType:string // Optional\n , DstDeviceType:string // Optional\n , DstUserId:string // Optional\n , DstUserIdType:string // Optional\n , DstUsername:string // Optional\n , User:string // Alias\n , DstUsernameType:string // Alias\n , DstUserType:string // Optional\n , DstOriginalUserType:string // Optional\n , DstUserDomain:string // Optional\n , DstAppName:string // Optional\n , DstAppId:string // Optional\n , DstAppType:string // Optional\n , DstZone:string // Optional\n , DstInterfaceName:string // Optional\n , DstInterfaceGuid:string // Optional\n , DstMacAddr:string // Optional\n , DstGeoCountry:string // Optional\n , DstGeoCity:string // Optional\n , 
DstGeoLatitude:real // Optional\n , DstGeoLongitude:real // Optional\n , Src:string // Alias\n , SrcIpAddr:string // Recommended\n , SrcPortNumber:int // Optional\n , SrcHostname:string // Recommended\n , SrcDomain:string // Recommended\n , SrcDomainType:string // Recommended\n , SrcFQDN:string // Optional\n , SrcDvcId:string // Optional\n , SrcDvcIdType:string // Optional\n , SrcDeviceType:string // Optional\n , SrcUserId:string // Optional\n , SrcUserIdType:string // Optional\n , SrcUsername:string // Optional\n , SrcUsernameType:string // Alias\n , SrcUserType:string // Optional\n , SrcOriginalUserType:string // Optional\n , SrcUserDomain:string // Optional\n , SrcAppName:string // Optional\n , SrcAppId:string // Optional\n , IpAddr:string // Alias\n , SrcAppType:string // Optional\n , SrcZone:string // Optional\n , SrcInterfaceName:string // Optional\n , SrcInterfaceGuid:string // Optional\n , SrcMacAddr:string // Optional\n , SrcGeoCountry:string // Optional\n , SrcGeoCity:string // Optional\n , SrcGeoLatitude:real // Optional\n , SrcGeoLongitude:real // Optional\n , NetworkApplicationProtocol:string // Optional\n , NetworkProtocol:string // Optional\n , NetworkProtocolVersion:string // Optional\n , NetworkDirection:string // Optional\n , NetworkDuration:int // Optional\n , Duration:int // Alias\n , NetworkIcmpCode:int // Optional\n , NetworkIcmpType:string // Optional\n , DstBytes:long // Optional\n , SrcBytes:long // Optional\n , NetworkBytes:long // Optional\n , DstPackets:long // Optional\n , SrcPackets:long // Optional\n , NetworkPackets:long // Optional\n , NetworkSessionId:string // Optional\n , SessionId:string // Alias\n , NetworkConnectionHistory:string // Optional\n , SrcVlanId:string // Optional\n , DstVlanId:string // Alias\n , InnerVlanId:string // Optional\n , OuterVlanId: string // Alias\n // -- Intermediary device fields\n , DstNatIpAddr:string // Optional\n , DstNatPortNumber:int // Optional\n , SrcNatIpAddr:string // Optional\n , 
SrcNatPortNumber:int // Optional\n , DvcInboundInterface:string // Optional\n , DvcOutboundInterface:string // Optional\n , DvcInterface:string // Optional\n // -- HTTP session fields\n , Url:string // Mandatory\n , UrlCategory:string // Optional\n , UrlOriginal:string // Optional\n , HttpVersion:string // Optional\n , HttpRequestMethod:string // Optional\n , HttpStatusCode:string // Alias\n , HttpContentType:string // Optional\n , HttpContentFormat:string // Optional\n , HttpReferrer:string // Optional\n , HttpUserAgent:string // Optional\n , UserAgent:string // Alias\n , HttpRequestXff:string // Optional\n , HttpRequestTime:int // Optional\n , HttpResponseTime:int // Optional\n , FileName:string // Optional\n , FileMD5:string // Optional\n , FileSHA1:string // Optional \n , FileSHA256:string // Optional\n , FileSHA512:string // Optional\n , FileSize:int // Optional\n , FileContentType:string // Optional\n , RuleName:string // Optional\n , RuleNumber:int // Optional\n , Rule:string // Alias\n , ThreatId:string // Optional\n , ThreatName:string // Optional\n , ThreatCategory:string // Optional\n , ThreatRiskLevel:int // Optional\n , ThreatRiskLevelOriginal:string // Optional\n , DvcSubscriptionId:string // Optional\n , SrcSubscriptionId:string // Optional\n , DstSubscriptionId:string // Optional \n )[];\n parser", "version": 1 } } diff --git a/Parsers/ASimWebSession/ARM/vimWebSessionSquidProxy/vimWebSessionSquidProxy.json b/Parsers/ASimWebSession/ARM/vimWebSessionSquidProxy/vimWebSessionSquidProxy.json index 1ff1206539..9e911a190f 100644 --- a/Parsers/ASimWebSession/ARM/vimWebSessionSquidProxy/vimWebSessionSquidProxy.json +++ b/Parsers/ASimWebSession/ARM/vimWebSessionSquidProxy/vimWebSessionSquidProxy.json 
@@ -35,7 +35,7 @@ "displayName": "Web Session ASIM filtering parser for Squid Proxy", "category": "ASIM", "FunctionAlias": "vimWebSessionSquidProxy", - "query": "let parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n ipaddr_has_any_prefix:dynamic=dynamic([]), \n url_has_any:dynamic=dynamic([]),\n httpuseragent_has_any:dynamic=dynamic([]),\n eventresultdetails_in:dynamic=dynamic([]),\n eventresult:string='*',\n disabled:bool=false\n ){\nSquidProxy_CL | where not(disabled)\n // -- Pre filtering\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and (array_length(httpuseragent_has_any) == 0)\n and ((array_length(url_has_any) == 0) or (RawData has_any (url_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(RawData, srcipaddr_has_any_prefix))\n and ((array_length(ipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(RawData, ipaddr_has_any_prefix))\n and ((array_length(eventresultdetails_in) == 0) or (RawData has_any (eventresultdetails_in)))\n // -- Parse\n | extend AccessRawLog = extract_all(@\"^(\\d+\\.\\d+)\\s+(\\d+)\\s(\\S+)\\s([A-Z_]+)\\/(\\d+)\\s(\\d+)\\s([A-Z]+)\\s(\\S+)\\s(\\S+)\\s([A-Z_]+)\\/(\\S+)\\s(\\S+)\",dynamic([1,2,3,4,5,6,7,8,9,10,11,12]),RawData)[0]\n // -- Post filtering\n | extend EventResultDetails = tostring(AccessRawLog[4])\n | where array_length(eventresultdetails_in) == 0 or EventResultDetails in (eventresultdetails_in)\n | extend EventOriginalResultDetails = strcat (tostring(AccessRawLog[3]), \";\", PeerStatus = tostring(AccessRawLog[9]))\n | extend EventResult = iff (EventOriginalResultDetails has_any ('DENIED', 'INVALID', 'FAIL', 'ABORTED','TIMEOUT') or toint(EventResultDetails) >= 400, \"Failure\", \"Success\")\n | where eventresult == \"*\" or eventresult == EventResult\n // -- Map\n | extend\n EventEndTime = 
unixtime_milliseconds_todatetime(todouble(tostring(AccessRawLog[0]))*1000), \n NetworkDuration = toint(AccessRawLog[1]), \n SrcIpAddr = tostring(AccessRawLog[2]), \n DstBytes = toint(AccessRawLog[5]), \n HttpRequestMethod = tostring(AccessRawLog[6]), \n // -- Squid URL might be shortened by including ellipsis (...) instead of a section in the middle. This may impact the hostname part as well.\n Url = tostring(AccessRawLog[7]), \n SrcUsername = tostring(AccessRawLog[8]), \n DstIpAddr = tostring(AccessRawLog[10]), \n HttpContentType = tostring(AccessRawLog[11]) \n //\n | extend \n ASimMatchingIpAddr = case( \n array_length(ipaddr_has_any_prefix) == 0 , \"-\",\n has_any_ipv4_prefix(DstIpAddr, ipaddr_has_any_prefix), \"DstIpAddr\",\n has_any_ipv4_prefix(SrcIpAddr, ipaddr_has_any_prefix), \"SrcIpAddr\"\n , \"No match\"\n )\n // Post Filter\n | where \n (\n (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\n and (ASimMatchingIpAddr != \"No match\")\n )\n // -- Constant fields\n | extend \n EventCount = int(1), \n EventProduct = 'Squid Proxy', \n EventVendor = 'Squid', \n EventSchema = 'WebSession', \n EventSchemaVersion = '0.2.3', \n EventType = 'HTTPsession' \n // -- Value normalization\n | extend\n UsernameType = \"Unknown\",\n SrcUsername = iff (SrcUsername == \"-\", \"\", SrcUsername), \n HttpContentType = iff (HttpContentType in (\":\", \"-\"), \"\", HttpContentType), \n DstIpAddrIsHost = DstIpAddr matches regex @\"^[^\\:]*[a-zA-Z]$\"\n | extend \n DstFQDN = iif (DstIpAddrIsHost, DstIpAddr, tostring(parse_url(Url)[\"Host\"])),\n DstIpAddr = iif (DstIpAddr == \"-\" or DstIpAddrIsHost, \"\", DstIpAddr)\n | extend \n EventSeverity = iff(EventResult == \"Success\", \"Informational\", \"Low\"),\n DstFQDNparts = split (DstFQDN, \".\")\n | extend \n DstHostname = tostring(DstFQDNparts[0]),\n DstDomain = strcat_array(array_slice(DstFQDNparts,1,-1),\".\"),\n DstDomainType = \"FQDN\"\n // -- aliases\n | extend \n 
EventStartTime = EventEndTime,\n Duration = NetworkDuration,\n HttpStatusCode = EventResultDetails,\n User = SrcUsername,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstHostname,\n Hostname = DstHostname\n | project-away AccessRawLog, RawData\n};\nparser (starttime, endtime, srcipaddr_has_any_prefix, ipaddr_has_any_prefix, url_has_any, httpuseragent_has_any, eventresultdetails_in, eventresult, disabled)\n", + "query": "let parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n ipaddr_has_any_prefix:dynamic=dynamic([]), \n url_has_any:dynamic=dynamic([]),\n httpuseragent_has_any:dynamic=dynamic([]),\n eventresultdetails_in:dynamic=dynamic([]),\n eventresult:string='*',\n disabled:bool=false\n ){\nSquidProxy_CL | where not(disabled)\n // -- Pre filtering\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and (array_length(httpuseragent_has_any) == 0)\n and ((array_length(url_has_any) == 0) or (RawData has_any (url_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(RawData, srcipaddr_has_any_prefix))\n and ((array_length(ipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(RawData, ipaddr_has_any_prefix))\n and ((array_length(eventresultdetails_in) == 0) or (RawData has_any (eventresultdetails_in)))\n // -- Parse\n | extend AccessRawLog = extract_all(@\"^(\\d+\\.\\d+)\\s+(\\d+)\\s(\\S+)\\s([A-Z_]+)\\/(\\d+)\\s(\\d+)\\s([A-Z]+)\\s(\\S+)\\s(\\S+)\\s([A-Z_]+)\\/(\\S+)\\s(\\S+)\",dynamic([1,2,3,4,5,6,7,8,9,10,11,12]),RawData)[0]\n // -- Post filtering\n | extend EventResultDetails = tostring(AccessRawLog[4])\n | where array_length(eventresultdetails_in) == 0 or EventResultDetails in (eventresultdetails_in)\n | extend EventOriginalResultDetails = strcat (tostring(AccessRawLog[3]), \";\", PeerStatus = tostring(AccessRawLog[9]))\n | extend EventResult = iff (EventOriginalResultDetails 
has_any ('DENIED', 'INVALID', 'FAIL', 'ABORTED','TIMEOUT') or toint(EventResultDetails) >= 400, \"Failure\", \"Success\")\n | where eventresult == \"*\" or eventresult == EventResult\n // -- Map\n | project-rename\n Dvc = Computer\n | extend\n EventEndTime = unixtime_milliseconds_todatetime(todouble(tostring(AccessRawLog[0]))*1000), \n NetworkDuration = toint(AccessRawLog[1]), \n SrcIpAddr = tostring(AccessRawLog[2]), \n DstBytes = tolong(AccessRawLog[5]), \n HttpRequestMethod = tostring(AccessRawLog[6]), \n // -- Squid URL might be shortened by including ellipsis (...) instead of a section in the middle. This may impact the hostname part as well.\n Url = tostring(AccessRawLog[7]), \n SrcUsername = tostring(AccessRawLog[8]), \n DstIpAddr = tostring(AccessRawLog[10]), \n HttpContentType = tostring(AccessRawLog[11]) \n //\n | extend \n ASimMatchingIpAddr = case( \n array_length(ipaddr_has_any_prefix) == 0 , \"-\",\n has_any_ipv4_prefix(DstIpAddr, ipaddr_has_any_prefix), \"DstIpAddr\",\n has_any_ipv4_prefix(SrcIpAddr, ipaddr_has_any_prefix), \"SrcIpAddr\"\n , \"No match\"\n )\n // Post Filter\n | where \n (\n (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\n and (ASimMatchingIpAddr != \"No match\")\n )\n // -- Constant fields\n | extend \n EventCount = int(1), \n EventProduct = 'Squid Proxy', \n EventVendor = 'Squid', \n EventSchema = 'WebSession', \n EventSchemaVersion = '0.2.3', \n EventType = 'HTTPsession' \n // -- Value normalization\n | extend\n SrcUsernameType = \"Unknown\",\n SrcUsername = iff (SrcUsername == \"-\", \"\", SrcUsername), \n HttpContentType = iff (HttpContentType in (\":\", \"-\"), \"\", HttpContentType), \n DstIpAddrIsHost = DstIpAddr matches regex @\"^[^\\:]*[a-zA-Z]$\"\n | extend \n DstFQDN = iif (DstIpAddrIsHost, DstIpAddr, tostring(parse_url(Url)[\"Host\"])),\n DstIpAddr = iif (DstIpAddr == \"-\" or DstIpAddrIsHost, \"\", DstIpAddr)\n | extend \n EventSeverity = iff(EventResult == 
\"Success\", \"Informational\", \"Low\"),\n DstFQDNparts = split (DstFQDN, \".\")\n | extend \n DstHostname = tostring(DstFQDNparts[0]),\n DstDomain = strcat_array(array_slice(DstFQDNparts,1,-1),\".\"),\n DstDomainType = \"FQDN\"\n // -- aliases\n | extend \n EventStartTime = EventEndTime,\n Duration = NetworkDuration,\n HttpStatusCode = EventResultDetails,\n User = SrcUsername,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstHostname,\n Hostname = DstHostname\n | project-away AccessRawLog, RawData\n};\nparser (starttime, endtime, srcipaddr_has_any_prefix, ipaddr_has_any_prefix, url_has_any, httpuseragent_has_any, eventresultdetails_in, eventresult, disabled)\n", "version": 1, "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),url_has_any:dynamic=dynamic([]),httpuseragent_has_any:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" } diff --git a/Parsers/ASimWebSession/ARM/vimWebSessionzScalerZIA/vimWebSessionzScalerZIA.json b/Parsers/ASimWebSession/ARM/vimWebSessionzScalerZIA/vimWebSessionzScalerZIA.json index 6cb8c3c30d..0c566a2f4b 100644 --- a/Parsers/ASimWebSession/ARM/vimWebSessionzScalerZIA/vimWebSessionzScalerZIA.json +++ b/Parsers/ASimWebSession/ARM/vimWebSessionzScalerZIA/vimWebSessionzScalerZIA.json 
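Review bot: The new `| project-rename Dvc = Computer` fills only the `Dvc` alias and leaves `DvcHostname` unset, while the schema function earlier in this diff declares `DvcHostname:string // Mandatory` with `Dvc` marked as an alias, and the Zscaler parser below populates it the other way round (`DvcHostname = tostring(Computer)` in the calculated fields, then `Dvc = DvcHostname` under aliases). Suggest `| extend DvcHostname = tostring(Computer)` in place of the rename and `Dvc = DvcHostname,` in the aliases block, so both parsers fill the mandatory field the same way; dropping `Computer` through `project-rename` looks safe since nothing later in the hunk reads it. The same construct is introduced in the ASimWebSessionSquidProxy.yaml and vimWebSessionSquidProxy.yaml hunks further down, and the ARM `query` string should be kept in step with whatever the YAML source ends up with.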
@@ -35,7 +35,7 @@ "displayName": "Web Session ASIM filtering parser for Zscaler ZIA", "category": "ASIM", "FunctionAlias": "vimWebSessionZscalerZIA", - "query": "let DvcActionLookup = datatable (DeviceAction:string, DvcAction: string) \n[\n 'Allowed', 'Allow',\n 'Blocked', 'Deny'\n]; \nlet remove_protocol_from_list = (list:dynamic) \n{\n print list \n | mv-apply l = print_0 to typeof(string) on\n ( extend l = replace_regex (tostring(l), \"^(?i:.*?)://\", \"\") ) \n | project l\n};\nlet parser = (\nstarttime:datetime=datetime(null), \nendtime:datetime=datetime(null),\nsrcipaddr_has_any_prefix:dynamic=dynamic([]), \nipaddr_has_any_prefix:dynamic=dynamic([]), \nurl_has_any:dynamic=dynamic([]),\nhttpuseragent_has_any:dynamic=dynamic([]),\neventresultdetails_in:dynamic=dynamic([]),\neventresult:string='*',\ndisabled:bool=false\n){\nCommonSecurityLog | where not(disabled)\n| where DeviceVendor == \"Zscaler\"\n| where DeviceProduct == \"NSSWeblog\"\n// -- Pre filtering\n| where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and ((array_length(httpuseragent_has_any) == 0) or (RequestClientApplication has_any (httpuseragent_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(SourceIP, srcipaddr_has_any_prefix))\n| extend \n ASimMatchingIpAddr = case( \n array_length(ipaddr_has_any_prefix) == 0 , \"-\",\n has_any_ipv4_prefix(DestinationIP, ipaddr_has_any_prefix), \"DstIpAddr\",\n has_any_ipv4_prefix(SourceIP, ipaddr_has_any_prefix), \"SrcIpAddr\"\n , \"No match\"\n )\n| where\n (ASimMatchingIpAddr != \"No match\")\n and ((array_length(eventresultdetails_in) == 0) or (AdditionalExtensions has_any (eventresultdetails_in)))\n and ((array_length(url_has_any) == 0) or (RequestURL has_any (remove_protocol_from_list(url_has_any))))\n// -- Parse\n| parse AdditionalExtensions with \n * \"rulelabel=\" RuleName:string \";\"\n \"ruletype=\" ruletype:string \";\"\n \"urlclass=\" 
urlclass:string \";\"\n \"devicemodel=\" * \n // -- Post filtering\n| extend\n // -- Adjustment to support both old and new CSL fields.\n EventResultDetails = coalesce(\n column_ifexists(\"EventOutcome\", \"\"),\n extract(@'outcome=(.*?)(?:;|$)',1, AdditionalExtensions, typeof(string))\n )\n| where\n ((array_length(eventresultdetails_in) == 0) or (EventResultDetails in (eventresultdetails_in)))\n| extend\n EventResult = iff (EventResultDetails == \"NA\" or toint(EventResultDetails) >= 400, \"Failure\", \"Success\")\n| where eventresult == \"*\" or eventresult == EventResult\n// -- Event fields\n| lookup DvcActionLookup on DeviceAction\n| extend \n // -- Adjustment to support both old and new CSL fields.\n EventOriginalResultDetails = coalesce(\n column_ifexists(\"Reason\", \"\"),\n extract(@'reason=(.*?)(?:;|$)',1, AdditionalExtensions, typeof(string))\n ),\n ThreatRiskLevel = coalesce(\n toint(column_ifexists(\"fieldDeviceCustomNumber1\", int(null))),\n toint(column_ifexists(\"DeviceCustomNumber1\",int(null)))\n ),\n EventCount=int(1), \n EventStartTime=TimeGenerated, \n EventVendor = \"Zscaler\", \n EventProduct = \"ZIA Proxy\", \n EventSchema = \"WebSession\", \n EventSchemaVersion=\"0.2.3\", \n EventType = 'HTTPsession',\n EventEndTime=TimeGenerated\n// -- Field mapping\n| project-rename\n EventProductVersion = DeviceVersion,\n NetworkApplicationProtocol = ApplicationProtocol,\n HttpContentType = FileType,\n HttpUserAgent = RequestClientApplication,\n HttpRequestMethod = RequestMethod,\n DstAppName = DestinationServiceName,\n DstIpAddr = DestinationIP,\n DstFQDN = DestinationHostName,\n SrcIpAddr = SourceIP,\n SrcUsername = SourceUserName,\n SrcNatIpAddr= SourceTranslatedAddress,\n SrcUserDepartment = SourceUserPrivileges, // Not part of the standard schema\n UrlCategory = DeviceCustomString2,\n ThreatName = DeviceCustomString5,\n FileMD5 = DeviceCustomString6\n// -- Calculated fields\n| extend\n Url = iff (RequestURL == \"\", \"\", strcat 
(tolower(NetworkApplicationProtocol), \"://\", url_decode(RequestURL))),\n UrlCategory = strcat (urlclass, \"/\", UrlCategory),\n ThreatCategory = iff(DeviceCustomString4 == \"None\", \"\", strcat (DeviceCustomString3, \"/\", DeviceCustomString4)),\n RuleName = iff (RuleName == \"None\", \"\", strcat (ruletype, \"/\", RuleName)),\n FileMD5 = iff (FileMD5 == \"None\", \"\", FileMD5),\n HttpReferrer = iff (RequestContext == \"None\", \"\", url_decode(RequestContext)),\n DstAppName = iff (DstAppName == \"General Browsing\", \"\", DstAppName),\n DstFQDNparts = split (DstFQDN, \".\"),\n DstHostnameNotAddr = DstIpAddr != DstFQDN,\n DstBytes = toint(ReceivedBytes),\n SrcBytes = toint(SentBytes),\n DvcHostname = tostring(Computer)\n| extend\n DstHostname = iff (DstHostnameNotAddr, tostring(DstFQDNparts[0]), DstFQDN),\n DstDomain = iff (DstHostnameNotAddr, strcat_array(array_slice(DstFQDNparts,1,-1),\".\"), \"\"),\n DstFQDN = iff (DstHostnameNotAddr, DstFQDN, \"\") \n// -- Enrichment\n| extend\n EventSeverity = case (ThreatRiskLevel > 90, \"High\", ThreatRiskLevel > 60, \"Medium\", ThreatRiskLevel > 10, \"Low\", \"Informational\"),\n DstAppType = \"SaaS application\",\n DstDomainType = iff (DstHostnameNotAddr, \"FQDN\", \"\"),\n SrcUsernameType = \"UPN\"\n// -- Aliases\n| extend\n Dvc = DvcHostname,\n UserAgent = HttpUserAgent,\n User = SrcUsername,\n HttpStatusCode = EventResultDetails,\n IpAddr = SrcNatIpAddr,\n Src = SrcNatIpAddr,\n Dst = DstFQDN,\n Hash = FileMD5,\n Hostname = DstHostname,\n FileHashType = iff(FileMD5 == \"\", \"\", \"MD5\")\n| project-away \n DstFQDNparts, AdditionalExtensions, DeviceCustom*\n};\nparser (starttime, endtime\n , srcipaddr_has_any_prefix, ipaddr_has_any_prefix\n , url_has_any, httpuseragent_has_any\n , eventresultdetails_in, eventresult, disabled)\n", + "query": "let DvcActionLookup = datatable (DeviceAction:string, DvcAction: string) \n[\n 'Allowed', 'Allow',\n 'Blocked', 'Deny'\n]; \nlet remove_protocol_from_list = (list:dynamic) \n{\n 
print list \n | mv-apply l = print_0 to typeof(string) on\n ( extend l = replace_regex (tostring(l), \"^(?i:.*?)://\", \"\") ) \n | project l\n};\nlet parser = (\nstarttime:datetime=datetime(null), \nendtime:datetime=datetime(null),\nsrcipaddr_has_any_prefix:dynamic=dynamic([]), \nipaddr_has_any_prefix:dynamic=dynamic([]), \nurl_has_any:dynamic=dynamic([]),\nhttpuseragent_has_any:dynamic=dynamic([]),\neventresultdetails_in:dynamic=dynamic([]),\neventresult:string='*',\ndisabled:bool=false\n){\nCommonSecurityLog | where not(disabled)\n| where DeviceVendor == \"Zscaler\"\n| where DeviceProduct == \"NSSWeblog\"\n// -- Pre filtering\n| where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and ((array_length(httpuseragent_has_any) == 0) or (RequestClientApplication has_any (httpuseragent_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(SourceIP, srcipaddr_has_any_prefix))\n| extend \n ASimMatchingIpAddr = case( \n array_length(ipaddr_has_any_prefix) == 0 , \"-\",\n has_any_ipv4_prefix(DestinationIP, ipaddr_has_any_prefix), \"DstIpAddr\",\n has_any_ipv4_prefix(SourceIP, ipaddr_has_any_prefix), \"SrcIpAddr\"\n , \"No match\"\n )\n| where\n (ASimMatchingIpAddr != \"No match\")\n and ((array_length(eventresultdetails_in) == 0) or (AdditionalExtensions has_any (eventresultdetails_in)))\n and ((array_length(url_has_any) == 0) or (RequestURL has_any (remove_protocol_from_list(url_has_any))))\n// -- Parse\n| parse AdditionalExtensions with \n * \"rulelabel=\" RuleName:string \";\"\n \"ruletype=\" ruletype:string \";\"\n \"urlclass=\" urlclass:string \";\"\n \"devicemodel=\" * \n // -- Post filtering\n| extend\n // -- Adjustment to support both old and new CSL fields.\n EventResultDetails = coalesce(\n column_ifexists(\"EventOutcome\", \"\"),\n extract(@'outcome=(.*?)(?:;|$)',1, AdditionalExtensions, typeof(string))\n )\n| where\n ((array_length(eventresultdetails_in) == 0) or 
(EventResultDetails in (eventresultdetails_in)))\n| extend\n EventResult = iff (EventResultDetails == \"NA\" or toint(EventResultDetails) >= 400, \"Failure\", \"Success\")\n| where eventresult == \"*\" or eventresult == EventResult\n// -- Event fields\n| lookup DvcActionLookup on DeviceAction\n| extend \n // -- Adjustment to support both old and new CSL fields.\n EventOriginalResultDetails = coalesce(\n column_ifexists(\"Reason\", \"\"),\n extract(@'reason=(.*?)(?:;|$)',1, AdditionalExtensions, typeof(string))\n ),\n ThreatRiskLevel = coalesce(\n toint(column_ifexists(\"fieldDeviceCustomNumber1\", int(null))),\n toint(column_ifexists(\"DeviceCustomNumber1\",int(null)))\n ),\n EventCount=int(1), \n EventStartTime=TimeGenerated, \n EventVendor = \"Zscaler\", \n EventProduct = \"ZIA Proxy\", \n EventSchema = \"WebSession\", \n EventSchemaVersion=\"0.2.3\", \n EventType = 'HTTPsession',\n EventEndTime=TimeGenerated\n// -- Field mapping\n| project-rename\n EventProductVersion = DeviceVersion,\n NetworkApplicationProtocol = ApplicationProtocol,\n HttpContentType = FileType,\n HttpUserAgent = RequestClientApplication,\n HttpRequestMethod = RequestMethod,\n DstAppName = DestinationServiceName,\n DstIpAddr = DestinationIP,\n DstFQDN = DestinationHostName,\n SrcIpAddr = SourceIP,\n SrcUsername = SourceUserName,\n SrcNatIpAddr= SourceTranslatedAddress,\n SrcUserDepartment = SourceUserPrivileges, // Not part of the standard schema\n UrlCategory = DeviceCustomString2,\n ThreatName = DeviceCustomString5,\n FileMD5 = DeviceCustomString6\n// -- Calculated fields\n| extend\n Url = iff (RequestURL == \"\", \"\", strcat (tolower(NetworkApplicationProtocol), \"://\", url_decode(RequestURL))),\n UrlCategory = strcat (urlclass, \"/\", UrlCategory),\n ThreatCategory = iff(DeviceCustomString4 == \"None\", \"\", strcat (DeviceCustomString3, \"/\", DeviceCustomString4)),\n RuleName = iff (RuleName == \"None\", \"\", strcat (ruletype, \"/\", RuleName)),\n FileMD5 = iff (FileMD5 == \"None\", 
\"\", FileMD5),\n HttpReferrer = iff (RequestContext == \"None\", \"\", url_decode(RequestContext)),\n DstAppName = iff (DstAppName == \"General Browsing\", \"\", DstAppName),\n DstFQDNparts = split (DstFQDN, \".\"),\n DstHostnameNotAddr = DstIpAddr != DstFQDN,\n DstBytes = tolong(ReceivedBytes),\n SrcBytes = tolong(SentBytes),\n DvcHostname = tostring(Computer)\n| extend\n DstHostname = iff (DstHostnameNotAddr, tostring(DstFQDNparts[0]), DstFQDN),\n DstDomain = iff (DstHostnameNotAddr, strcat_array(array_slice(DstFQDNparts,1,-1),\".\"), \"\"),\n DstFQDN = iff (DstHostnameNotAddr, DstFQDN, \"\") \n// -- Enrichment\n| extend\n EventSeverity = case (ThreatRiskLevel > 90, \"High\", ThreatRiskLevel > 60, \"Medium\", ThreatRiskLevel > 10, \"Low\", \"Informational\"),\n DstAppType = \"SaaS application\",\n DstDomainType = iff (DstHostnameNotAddr, \"FQDN\", \"\"),\n SrcUsernameType = \"UPN\"\n// -- Aliases\n| extend\n Dvc = DvcHostname,\n Hostname = DstHostname,\n UserAgent = HttpUserAgent,\n User = SrcUsername,\n HttpStatusCode = EventResultDetails,\n IpAddr = SrcNatIpAddr,\n Src = SrcNatIpAddr,\n Dst = DstFQDN,\n Hash = FileMD5,\n FileHashType = iff(FileMD5 == \"\", \"\", \"MD5\")\n| project-away \n DstFQDNparts, AdditionalExtensions, DeviceCustom*\n};\nparser (starttime, endtime\n , srcipaddr_has_any_prefix, ipaddr_has_any_prefix\n , url_has_any, httpuseragent_has_any\n , eventresultdetails_in, eventresult, disabled)\n", "version": 1, "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),url_has_any:dynamic=dynamic([]),httpuseragent_has_any:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" } diff --git a/Parsers/ASimWebSession/Parsers/ASimWebSessionSquidProxy.yaml b/Parsers/ASimWebSession/Parsers/ASimWebSessionSquidProxy.yaml index 5ceb755f61..933236d7e6 100644 
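Review bot: The alias block on the new side still binds `IpAddr` and `Src` to `SrcNatIpAddr`, whereas the `srcipaddr_has_any_prefix` and `ipaddr_has_any_prefix` filters earlier in the query match on `SourceIP` (renamed to `SrcIpAddr`), so a row can be kept because `SrcIpAddr` matches a caller's prefix and then expose a different address in `IpAddr`; the schema function in this diff lists `IpAddr:string // Alias` among the `Src*` fields, which suggests `SrcIpAddr` is the intended target. If the post-NAT address is deliberate, a comment such as `// IpAddr/Src alias the post-NAT address; the prefix filters above match SrcIpAddr` next to the two aliases would document it; otherwise change them to `IpAddr = SrcIpAddr,` and `Src = SrcIpAddr,`. The `toint` to `tolong` switch on `ReceivedBytes`/`SentBytes` is consistent with the widened `DstBytes:long`/`SrcBytes:long` declarations in the vimWebSessionEmpty.yaml hunk.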
--- a/Parsers/ASimWebSession/Parsers/ASimWebSessionSquidProxy.yaml
+++ b/Parsers/ASimWebSession/Parsers/ASimWebSessionSquidProxy.yaml
@@ -1,7 +1,7 @@
 Parser:
 Title: Web Session ASIM parser for Squid Proxy
- Version: '0.2'
- LastUpdated: Jan 13, 2022
+ Version: '0.3'
+ LastUpdated: Jun 15, 2022
 Product:
 Name: Squid Proxy
 Normalization:
@@ -28,13 +28,15 @@ ParserQuery: |
 let parser=(disabled:bool=false){
 SquidProxy_CL | where not(disabled)
 | extend AccessRawLog = extract_all(@"^(\d+\.\d+)\s+(\d+)\s(\S+)\s([A-Z_]+)\/(\d+)\s(\d+)\s([A-Z]+)\s(\S+)\s(\S+)\s([A-Z_]+)\/(\S+)\s(\S+)",dynamic([1,2,3,4,5,6,7,8,9,10,11,12]),RawData)[0]
+ | project-rename
+ Dvc = Computer
 | extend
 EventEndTime = unixtime_milliseconds_todatetime(todouble(tostring(AccessRawLog[0]))*1000),
 NetworkDuration = toint(AccessRawLog[1]),
 SrcIpAddr = tostring(AccessRawLog[2]),
 EventOriginalResultDetails = strcat (tostring(AccessRawLog[3]), ";", PeerStatus = tostring(AccessRawLog[9])),
 EventResultDetails = tostring(AccessRawLog[4]),
- DstBytes = toint(AccessRawLog[5]),
+ DstBytes = tolong(AccessRawLog[5]),
 HttpRequestMethod = tostring(AccessRawLog[6]),
 // -- Squid URL might be shortened by including ellipsis (...) instead of a section in the middle. This may impact the hostname part as well.
 Url = tostring(AccessRawLog[7]),
@@ -51,7 +53,7 @@ ParserQuery: |
 EventType = 'HTTPsession'
 // -- Value normalization
 | extend
- UsernameType = "Unknown",
+ SrcUsernameType = "Unknown",
 SrcUsername = iff (SrcUsername == "-", "", SrcUsername),
 HttpContentType = iff (HttpContentType in (":", "-"), "", HttpContentType),
 EventResult = iff (EventOriginalResultDetails has_any ('DENIED', 'INVALID', 'FAIL', 'ABORTED','TIMEOUT') or toint(EventResultDetails) >= 400, "Failure", "Success"),
diff --git a/Parsers/ASimWebSession/Parsers/ASimWebSessionzScalerZIA.yaml b/Parsers/ASimWebSession/Parsers/ASimWebSessionzScalerZIA.yaml
index de57faede4..b331bbbd57 100644
--- a/Parsers/ASimWebSession/Parsers/ASimWebSessionzScalerZIA.yaml
+++ b/Parsers/ASimWebSession/Parsers/ASimWebSessionzScalerZIA.yaml
@@ -1,7 +1,7 @@
 Parser:
 Title: Web Session ASIM parser for Zscaler ZIA
- Version: '0.2'
- LastUpdated: Jan 13, 2022
+ Version: '0.3'
+ LastUpdated: Jun 15, 2022
 Product:
 Name: Zscaler ZIA
 Normalization:
@@ -83,8 +83,8 @@ ParserQuery: |
 toint(column_ifexists("DeviceCustomNumber1",int(null)))
 ),
 DvcHostname = tostring(Computer),
- SrcBytes = toint(SentBytes),
- DstBytes = toint(ReceivedBytes),
+ SrcBytes = tolong(SentBytes),
+ DstBytes = tolong(ReceivedBytes),
 Url = iff (RequestURL == "", "", strcat (tolower(NetworkApplicationProtocol), "://", url_decode(RequestURL))),
 UrlCategory = strcat (urlclass, "/", UrlCategory),
 ThreatCategory = iff(DeviceCustomString4 == "None", "", strcat (DeviceCustomString3, "/", DeviceCustomString4)),
@@ -108,6 +108,7 @@ ParserQuery: |
 // -- Aliases
 | extend
 Dvc = DvcHostname,
+ Hostname = DstHostname,
 UserAgent = HttpUserAgent,
 User = SrcUsername,
 HttpStatusCode = EventResultDetails,
diff --git a/Parsers/ASimWebSession/Parsers/vimWebSessionEmpty.yaml b/Parsers/ASimWebSession/Parsers/vimWebSessionEmpty.yaml
index 162129faa4..71eceab9ef 100644
--- a/Parsers/ASimWebSession/Parsers/vimWebSessionEmpty.yaml
+++ b/Parsers/ASimWebSession/Parsers/vimWebSessionEmpty.yaml
@@ -1,7 +1,7 @@
 Parser:
 Title: Web Session ASIM schema function
- Version: '0.2'
- LastUpdated: Jan 13, 2022
+ Version: '0.3'
+ LastUpdated: Jun 15, 2022
 Product:
 Name: Microsoft
 Normalization:
@@ -121,12 +121,12 @@ ParserQuery: |
 , Duration:int // Alias
 , NetworkIcmpCode:int // Optional
 , NetworkIcmpType:string // Optional
- , DstBytes:int // Optional
- , SrcBytes:int // Optional
- , NetworkBytes:int // Optional
- , DstPackets:int // Optional
- , SrcPackets:int // Optional
- , NetworkPackets:int // Optional
+ , DstBytes:long // Optional
+ , SrcBytes:long // Optional
+ , NetworkBytes:long // Optional
+ , DstPackets:long // Optional
+ , SrcPackets:long // Optional
+ , NetworkPackets:long // Optional
 , NetworkSessionId:string // Optional
 , SessionId:string // Alias
 , NetworkConnectionHistory:string // Optional
diff --git a/Parsers/ASimWebSession/Parsers/vimWebSessionSquidProxy.yaml b/Parsers/ASimWebSession/Parsers/vimWebSessionSquidProxy.yaml
index d0be187974..da74a199c6 100644
--- a/Parsers/ASimWebSession/Parsers/vimWebSessionSquidProxy.yaml
+++ b/Parsers/ASimWebSession/Parsers/vimWebSessionSquidProxy.yaml
@@ -1,7 +1,7 @@
 Parser:
 Title: Web Session ASIM filtering parser for Squid Proxy
- Version: '0.5'
- LastUpdated: Jan 13, 2022
+ Version: '0.6'
+ LastUpdated: Jun 15, 2022
 Product:
 Name: Squid Proxy
 Normalization:
@@ -79,11 +79,13 @@ ParserQuery: |
 | extend EventResult = iff (EventOriginalResultDetails has_any ('DENIED', 'INVALID', 'FAIL', 'ABORTED','TIMEOUT') or toint(EventResultDetails) >= 400, "Failure", "Success")
 | where eventresult == "*" or eventresult == EventResult
 // -- Map
+ | project-rename
+ Dvc = Computer
 | extend
 EventEndTime = unixtime_milliseconds_todatetime(todouble(tostring(AccessRawLog[0]))*1000),
 NetworkDuration = toint(AccessRawLog[1]),
 SrcIpAddr = tostring(AccessRawLog[2]),
- DstBytes = toint(AccessRawLog[5]),
+ DstBytes = tolong(AccessRawLog[5]),
 HttpRequestMethod = tostring(AccessRawLog[6]),
 // -- Squid URL might be shortened by including ellipsis (...) instead of a section in the middle. This may impact the hostname part as well.
 Url = tostring(AccessRawLog[7]),
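Review bot: The `@@ -121,12 +121,12 @@` hunk of vimWebSessionEmpty.yaml widens `DstBytes`, `SrcBytes`, `NetworkBytes`, `DstPackets`, `SrcPackets` and `NetworkPackets` from `int` to `long`, which changes the column types every WebSession parser is expected to emit; the Squid and Zscaler parsers in this diff move to `tolong`, but any other WebSession parser or union parser that still produces `toint` values would now disagree with the schema function, and that cannot be confirmed from this diff. A repository-wide search for `Bytes = toint(` and `Packets = toint(` under the WebSession parsers before merging would settle it. The version bumps to `'0.3'`/`'0.6'` carry no description of the widening; a short entry wherever the schema versions are documented (if the repo keeps such a list) would help consumers that `union` this function with their own tables.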
@@ -114,7 +116,7 @@ ParserQuery: |
 EventType = 'HTTPsession'
 // -- Value normalization
 | extend
- UsernameType = "Unknown",
+ SrcUsernameType = "Unknown",
 SrcUsername = iff (SrcUsername == "-", "", SrcUsername),
 HttpContentType = iff (HttpContentType in (":", "-"), "", HttpContentType),
 DstIpAddrIsHost = DstIpAddr matches regex @"^[^\:]*[a-zA-Z]$"
diff --git a/Parsers/ASimWebSession/Parsers/vimWebSessionzScalerZIA.yaml b/Parsers/ASimWebSession/Parsers/vimWebSessionzScalerZIA.yaml
index dadbfc7dd8..e6dfe11d1f 100644
--- a/Parsers/ASimWebSession/Parsers/vimWebSessionzScalerZIA.yaml
+++ b/Parsers/ASimWebSession/Parsers/vimWebSessionzScalerZIA.yaml
@@ -1,7 +1,7 @@
 Parser:
 Title: Web Session ASIM filtering parser for Zscaler ZIA
- Version: '0.4'
- LastUpdated: Jan 13, 2022
+ Version: '0.5'
+ LastUpdated: Jun 15, 2022
 Product:
 Name: Zscaler ZIA Proxy
 Normalization:
@@ -160,8 +160,8 @@ ParserQuery: |
 DstAppName = iff (DstAppName == "General Browsing", "", DstAppName),
 DstFQDNparts = split (DstFQDN, "."),
 DstHostnameNotAddr = DstIpAddr != DstFQDN,
- DstBytes = toint(ReceivedBytes),
- SrcBytes = toint(SentBytes),
+ DstBytes = tolong(ReceivedBytes),
+ SrcBytes = tolong(SentBytes),
 DvcHostname = tostring(Computer)
 | extend
 DstHostname = iff (DstHostnameNotAddr, tostring(DstFQDNparts[0]), DstFQDN),
@@ -176,6 +176,7 @@ ParserQuery: |
 // -- Aliases
 | extend
 Dvc = DvcHostname,
+ Hostname = DstHostname,
 UserAgent = HttpUserAgent,
 User = SrcUsername,
 HttpStatusCode = EventResultDetails,
@@ -183,7 +184,6 @@ ParserQuery: |
 Src = SrcNatIpAddr,
 Dst = DstFQDN,
 Hash = FileMD5,
- Hostname = DstHostname,
 FileHashType = iff(FileMD5 == "", "", "MD5")
 | project-away
 DstFQDNparts, AdditionalExtensions, DeviceCustom*
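Review bot: In the `@@ -114,7 +116,7 @@` hunk of vimWebSessionSquidProxy.yaml, `SrcUsernameType = "Unknown"` is assigned unconditionally in the same `extend` that blanks `SrcUsername` when the access log carries `-`, so rows with no user end up with a username type but an empty username. If the type is only meaningful alongside a username, `SrcUsernameType = iff (SrcUsername == "-", "", "Unknown"),` keeps the two fields in step (expressions within one `extend` evaluate against the input row, so testing for `-` rather than the blanked value is the right check). The same line is introduced in the vimWebSessionSquidProxy.json and ASimWebSessionSquidProxy.yaml hunks above.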