From 71748b470ab0ce05db8fd140488086ab9b6ad126 Mon Sep 17 00:00:00 2001
From: chicduong <59736871+chicduong@users.noreply.github.com>
Date: Tue, 1 Dec 2020 12:31:28 -0800
Subject: [PATCH 1/2] Aruba ClearPass parser
---
 Parsers/ArubaClearPass/ArubaClearPass.txt | 81 ++++
 Sample Data/CEF/ArubaClearPass.json | 563 ++++++++++++++++++++++
 2 files changed, 644 insertions(+)
 create mode 100644 Parsers/ArubaClearPass/ArubaClearPass.txt
 create mode 100644 Sample Data/CEF/ArubaClearPass.json
diff --git a/Parsers/ArubaClearPass/ArubaClearPass.txt b/Parsers/ArubaClearPass/ArubaClearPass.txt
new file mode 100644
index 0000000000..df0c0bf1f1
--- /dev/null
+++ b/Parsers/ArubaClearPass/ArubaClearPass.txt
@@ -0,0 +1,81 @@
+// Title: Aruba ClearPass Parser
+// Author: Microsoft
+// Version: 1.0
+// Last Updated: 12/01/2020
+// Comment: Initial Release
+//
+// DESCRIPTION:
+// This parser takes raw Aruba ClearPass logs from a Syslog (CEF) stream and parses the logs into a normalized schema.
+//
+// USAGE:
+// 1. Open Log Analytics/Azure Sentinel Logs blade. Copy the query below and paste into the Logs query window.
+// 2. Click the Save button above the query. A pane will appear on the right, select "as Function" from the drop down. Enter a Function Name.
+// It is recommended to name the Function Alias, as Aruba ClearPass
+// 3. Kusto Functions can typically take up to 15 minutes to activate. You can then use Function Alias for other queries.
+//
+// REFERENCES:
+// Using functions in Azure monitor log queries: https://docs.microsoft.com/azure/azure-monitor/log-query/functions
+//
+// LOG SAMPLES:
+// This parser assumes the raw log are formatted as follows:
+//
+// Dec 03 2017 16:31:28.861 IST 10.17.4.208 CEF:0|Aruba Networks|ClearPass|6.5.0.69058|0-1-0|Insight Logs|0|Auth.Username=host/Asif-Test-PC2 Auth.Authorization-Sources=null Auth.Login-Status=216 Auth.Request-Timestamp=2017-12-03 16:28:20+05:30 Auth.Protocol=RADIUS Auth.Source=null Auth.Enforcement-Profiles=[Allow Access Profile] Auth.NAS-Port=null Auth.SSID=cppm-dot1x-test TimestampFormat=MMM dd yyyy HH:mm:ss.SSS zzz Auth.NAS-Port-Type=19 Auth.Error-Code=216 Auth.Roles=null Auth.Service=Test Wireless Auth.Host-MAC-Address=6817294b0636 Auth.Unhealthy=null Auth.NAS-IP-Address=10.17.4.7 src=10.17.4.208 Auth.CalledStationId=000B8661CD70 Auth.NAS-Identifier=ClearPassLab3600
+//
+// Nov 19 2017 18:22:40.700 IST 10.17.4.221 CEF:0|Aruba Networks|ClearPass|6.5.0.68754|13-1-0|Audit Records|5|cat=Role timeFormat=MMM dd yyyy HH:mm:ss.SSS zzz rt=Nov 19, 2014 18:21:13 IST src=Test Role 10 act=ADD usrName=admin
+//
+// Dec 01 2017 15:28:40.540 IST 10.17.4.206 CEF:0Aruba Networks|ClearPass|6.5.0.68878|1604-1-0|Session 
Logs|0|RADIUS.Acct-Calling-Station-Id=00:32:b6:2c:28:95 RADIUS.Acct-Framed-IP-Address=192.167.230.129 RADIUS.Auth-Source=AD:10.17.4.130 RADIUS.Acct-Timestamp=2014-12-01 15:26:43+05:30 RADIUS.Auth-Method=PAP RADIUS.Acct-Service-Name=Authenticate-Only RADIUS.Acct-Session-Time=3155 TimestampFormat=MMM dd yyyy HH:mm:ss.SSS zzz RADIUS.Acct-NAS-Port=0 RADIUS.Acct-Session-Id=R00001316-01-547c3b5a RADIUS.Acct-NAS-Port-Type=Wireless-802.11 RADIUS.Acct-Output-Octets=578470212 RADIUS.Acct-Username=A_user2 RADIUS.Acct-NAS-IP-Address=10.17.6.124 RADIUS.Acct-Input-Octets=786315664
+//
+//
+let LogHeader = CommonSecurityLog
+| where DeviceVendor == "Aruba Networks" and DeviceProduct == "ClearPass";
+let InsightLogs = LogHeader
+| where Activity == "Insight Logs"
+| extend UserName = extract(@'Auth.Username=([^;]+)\;',1, AdditionalExtensions),
+ AuthorizationSources = extract(@'Auth.Authorization-Sources=([^;]+)\;',1, AdditionalExtensions),
+ NetworkProtocol = extract(@'Auth.Protocol=([^;]+)\;',1, AdditionalExtensions),
+ RequestTimestamp = extract(@'Auth.Request-Timestamp=([^;]+)\;',1, AdditionalExtensions),
+ LoginStatus = extract(@'Auth.Login-Status=([^;]+)\;',1, AdditionalExtensions),
+ Source = extract(@'Auth.Source=([^;]+)\;',1, AdditionalExtensions),
+ EnforcementProfiles = extract(@'Auth.Enforcement-Profiles=([^;]+)\;',1, AdditionalExtensions),
+ NasPort = extract(@'Auth.NAS-Port=([^;]+)\;',1, AdditionalExtensions),
+ TimestampFormat = extract(@'TimestampFormat=([^;]+)\;',1, AdditionalExtensions),
+ Ssid = extract(@'Auth.SSID=([^;]+)\;',1, AdditionalExtensions),
+ NasPortType = extract(@'Auth.NAS-Port-Type=([^;]+)\;',1, AdditionalExtensions),
+ ErrorCode = extract(@'Auth.Error-Code=([^;]+)\;',1, AdditionalExtensions),
+ Roles = extract(@'Auth.Roles=([^;]+)\;',1, AdditionalExtensions),
+ Service = extract(@'Auth.Service=([^;]+)\;',1, AdditionalExtensions),
+ SrcMacAddr = extract(@'Auth.Host-MAC-Address=([^;]+)\;',1, AdditionalExtensions),
+ Unhealthy = 
extract(@'Auth.Unhealthy=([^;]+)\;',1, AdditionalExtensions),
+ NasIpAddr = extract(@'Auth.NAS-IP-Address=([^;]+)\;',1, AdditionalExtensions),
+ CalledStationId = extract(@'Auth.CalledStationId=([^;]+)\;',1, AdditionalExtensions),
+ NasIdentifier = extract(@'Auth.NAS-Identifier=([^;]+)\;',1, AdditionalExtensions);
+let AuditRecords = LogHeader
+| where Activity == "Audit Records"
+| extend TimestampFormat = extract(@'timeFormat=([^;]+)\;',1, AdditionalExtensions),
+ UserName = extract(@'usrName=([^;]+)(\;|$)',1, AdditionalExtensions),
+ Category = extract(@'cat=([^;]+)\;',1, AdditionalExtensions);
+let SessionLogs = LogHeader
+| where Activity == "Session Logs"
+| extend Timestamp = extract(@'RADIUS.Acct-Timestamp=([^;]+)\;',1, AdditionalExtensions),
+ CallingStationId = extract(@'RADIUS.Acct-Calling-Station-Id=([^;]+)\;',1, AdditionalExtensions),
+ InpuOctets = extract(@'RADIUS.Acct-Input-Octets=([^;]+)\;',1, AdditionalExtensions),
+ TimestampFormat = extract(@'TimestampFormat=([^;]+)\;',1, AdditionalExtensions),
+ SessionTime = extract(@'RADIUS.Acct-Session-Time=([^;]+)\;',1, AdditionalExtensions),
+ FramedIpAddr = extract(@'RADIUS.Acct-Framed-IP-Address=([^;]+)\;',1, AdditionalExtensions),
+ Source = extract(@'RADIUS.Auth-Source=([^;]+)\;',1, AdditionalExtensions),
+ Method = extract(@'RADIUS.Auth-Method=([^;]+)\;',1, AdditionalExtensions),
+ SessionId = extract(@'RADIUS.Acct-Session-Id=([^;]+)\;',1, AdditionalExtensions),
+ ServiceName = extract(@'RADIUS.Acct-Service-Name=([^;]+)\;',1, AdditionalExtensions),
+ NasPortNumber = extract(@'RADIUS.Acct-NAS-Port=([^;]+)\;',1, AdditionalExtensions),
+ NasPortType = extract(@'RADIUS.Acct-NAS-Port-Type=([^;]+)\;',1, AdditionalExtensions),
+ OutputOctets = extract(@'RADIUS.Acct-Output-Octets=([^;]+)\;',1, AdditionalExtensions),
+ UserName = extract(@'RADIUS.Acct-Username=([^;]+)\;',1, AdditionalExtensions),
+ NasIpAddr = extract(@'RADIUS.Acct-NAS-IP-Address=([^;]+)\;',1, AdditionalExtensions);
+let SystemLogs = LogHeader
+| where Activity == "System Logs"
+| extend Description = extract(@'description=([^;]+)\;',1, AdditionalExtensions),
+ Action = extract(@'daction=([^;]+)\;',1, AdditionalExtensions),
+ InputOctets = extract(@'RADIUS.Acct-Input-Octets=([^;]+)\;',1, AdditionalExtensions),
+ TimeFormat = extract(@'devTimeFormat=([^;]+)\;',1, AdditionalExtensions);
+union SessionLogs, InsightLogs, AuditRecords, SystemLogs
+
diff --git a/Sample Data/CEF/ArubaClearPass.json b/Sample Data/CEF/ArubaClearPass.json
new file mode 100644
index 0000000000..3e1161867c
--- /dev/null
+++ b/Sample Data/CEF/ArubaClearPass.json
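Review bot: Every `extract` in this file except the `usrName` one demands a trailing `;` after the captured value, so whichever key happens to be last in `AdditionalExtensions` is never parsed — the sample data added in the same commit shows it, with the Insight Logs record ending in `Auth.NAS-Identifier=ClearPassLab3600` but parsing to `"NasIdentifier": ""`, and the Session Logs record ending in `RADIUS.Acct-Input-Octets=786315664` but parsing to `"InpuOctets": ""`. Apply the `(\;|$)` terminator already used for `usrName` to every pattern, e.g. `NasIdentifier = extract(@'Auth.NAS-Identifier=([^;]+)(\;|$)',1, AdditionalExtensions);`. If the device does not emit extension keys in a fixed order, any field can land last, so the loss would be silent and intermittent — a poor property for columns such as UserName and NasIpAddr that detections and investigations key on. Separately, the SessionLogs column `InpuOctets` and the SystemLogs column `InputOctets` name the same quantity, so the `union` emits both; renaming the former to `InputOctets` fixes the typo and merges them (the `RADIUS.Acct-Input-Octets` extraction in the SystemLogs branch also reads as copied from the session branch and is worth confirming against a real System Logs event, since none is in the sample set). The Audit sample likewise shows `"UserName": ""` for `usrName=admin` even though that pattern already tolerates end-of-string, which suggests the sample export predates the current query and should be regenerated once the patterns are fixed.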
@@ -0,0 +1,563 @@ +[ + { + "TenantId": "a131321e-a763-4026-8439-5326aadafd82", + "SourceSystem": "OpsManager", + "TimeGenerated [UTC]": "11/27/2020, 10:09:35.587 PM", + "ReceiptTime": "Nov 19, 2014 18:21:13 IST", + "DeviceVendor": "Aruba Networks", + "DeviceProduct": "ClearPass", + "DeviceEventClassID": "13-1-0", + "LogSeverity": "5", + "OriginalLogSeverity": "", + "DeviceAction": "ADD", + "SimplifiedDeviceAction": "ADD", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": "", + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "", + "Protocol": "", + "SourcePort": "", + "SourceIP": "Test Role 10", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": "", + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": "", + "MaliciousIPLatitude": "", + "MaliciousIPCountry": "", + "DeviceVersion": "6.5.0.68754", + "Activity": "Audit Records", + "ApplicationProtocol": "", + "EventCount": "", + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": "", + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": "", + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": "", + "ExternalID": "", + "FileCreateTime": "", + "FileHash": "", + "FileID": "", + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "", + "FileName": "", + "FileSize": "", + "ReceivedBytes": "", + "OldFileCreateTime": "", + 
"OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": "", + "OldFileType": "", + "SentBytes": "", + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": "", + "SourceProcessId": "", + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": "", + "SourceUserName": "", + "EventType": "", + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": "", + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": "", + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": "", + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": "", + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": "", + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": "", + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": "", + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "", + "DeviceCustomString4Label": "", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + 
"FlexNumber1": "", + "FlexNumber1Label": "", + "FlexNumber2": "", + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "cat=Role;timeFormat=MMM dd yyyy HH:mm:ss.SSS zzz;usrName=admin", + "StartTime [UTC]": "", + "EndTime [UTC]": "", + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/7fd67ca4-e443-470d-9bc0-7ce7fa3124fb/resourcegroups/m90-logingestion-rg/providers/microsoft.compute/virtualmachines/m90-siem-vm02", + "Timestamp": "", + "CallingStationId": "", + "InpuOctets": "", + "TimestampFormat": "MMM dd yyyy HH:mm:ss.SSS zzz", + "SessionTime": "", + "FramedIpAddr": "", + "Source": "", + "Method": "", + "SessionId": "", + "ServiceName": "", + "NasPortNumber": "", + "NasPortType": "", + "OutputOctets": "", + "UserName": "", + "NasIpAddr": "", + "AuthorizationSources": "", + "NetworkProtocol": "", + "RequestTimestamp": "", + "LoginStatus": "", + "EnforcementProfiles": "", + "NasPort": "", + "Ssid": "", + "ErrorCode": "", + "Roles": "", + "Service": "", + "SrcMacAddr": "", + "Unhealthy": "", + "CalledStationId": "", + "NasIdentifier": "", + "Category": "Role", + "Description": "", + "Action": "", + "TimeFormat": "" + }, + { + "TenantId": "a131321e-a763-4026-8439-5326aadafd82", + "SourceSystem": "OpsManager", + "TimeGenerated [UTC]": "11/27/2020, 11:13:29.627 PM", + "ReceiptTime": "", + "DeviceVendor": "Aruba Networks", + "DeviceProduct": "ClearPass", + "DeviceEventClassID": "1604-1-0", + "LogSeverity": "0", + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": "", + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "", + "Protocol": "", + "SourcePort": "", + "SourceIP": "", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": "", + "IndicatorThreatType": "", + "ThreatDescription": "", + 
"ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": "", + "MaliciousIPLatitude": "", + "MaliciousIPCountry": "", + "DeviceVersion": "6.5.0.68878", + "Activity": "Session Logs", + "ApplicationProtocol": "", + "EventCount": "", + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": "", + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": "", + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": "", + "ExternalID": "", + "FileCreateTime": "", + "FileHash": "", + "FileID": "", + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "", + "FileName": "", + "FileSize": "", + "ReceivedBytes": "", + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": "", + "OldFileType": "", + "SentBytes": "", + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": "", + "SourceProcessId": "", + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": "", + "SourceUserName": "", + "EventType": "", + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + 
"DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": "", + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": "", + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": "", + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": "", + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": "", + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": "", + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": "", + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "", + "DeviceCustomString4Label": "", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": "", + "FlexNumber1Label": "", + "FlexNumber2": "", + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "RADIUS.Acct-Calling-Station-Id=00:32:b6:2c:28:95;RADIUS.Acct-Framed-IP-Address=192.167.230.129;RADIUS.Auth-Source=AD:10.17.4.130;RADIUS.Acct-Timestamp=2014-12-01 15:26:43+05:30;RADIUS.Auth-Method=PAP;RADIUS.Acct-Service-Name=Authenticate-Only;RADIUS.Acct-Session-Time=3155;TimestampFormat=MMM dd yyyy HH:mm:ss.SSS zzz;RADIUS.Acct-NAS-Port=0;RADIUS.Acct-Session-Id=R00001316-01-547c3b5a;RADIUS.Acct-NAS-Port-Type=Wireless-802.11;RADIUS.Acct-Output-Octets=578470212;RADIUS.Acct-Username=A_user2;RADIUS.Acct-NAS-IP-Address=10.17.6.124;RADIUS.Acct-Input-Octets=786315664", + "StartTime [UTC]": "", + "EndTime 
[UTC]": "", + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/7fd67ca4-e443-470d-9bc0-7ce7fa3124fb/resourcegroups/m90-logingestion-rg/providers/microsoft.compute/virtualmachines/m90-siem-vm02", + "Timestamp": "2014-12-01 15:26:43+05:30", + "CallingStationId": "00:32:b6:2c:28:95", + "InpuOctets": "", + "TimestampFormat": "MMM dd yyyy HH:mm:ss.SSS zzz", + "SessionTime": "3155", + "FramedIpAddr": "192.167.230.129", + "Source": "AD:10.17.4.130", + "Method": "PAP", + "SessionId": "R00001316-01-547c3b5a", + "ServiceName": "Authenticate-Only", + "NasPortNumber": "0", + "NasPortType": "Wireless-802.11", + "OutputOctets": "578470212", + "UserName": "A_user2", + "NasIpAddr": "10.17.6.124", + "AuthorizationSources": "", + "NetworkProtocol": "", + "RequestTimestamp": "", + "LoginStatus": "", + "EnforcementProfiles": "", + "NasPort": "", + "Ssid": "", + "ErrorCode": "", + "Roles": "", + "Service": "", + "SrcMacAddr": "", + "Unhealthy": "", + "CalledStationId": "", + "NasIdentifier": "", + "Category": "", + "Description": "", + "Action": "", + "TimeFormat": "" + }, + { + "TenantId": "a131321e-a763-4026-8439-5326aadafd82", + "SourceSystem": "OpsManager", + "TimeGenerated [UTC]": "11/27/2020, 10:01:06.239 PM", + "ReceiptTime": "", + "DeviceVendor": "Aruba Networks", + "DeviceProduct": "ClearPass", + "DeviceEventClassID": "0-1-0", + "LogSeverity": "0", + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": "", + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "", + "Protocol": "", + "SourcePort": "", + "SourceIP": "10.17.4.208", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": "", + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": "", + "MaliciousIPLatitude": "", + "MaliciousIPCountry": "", + 
"DeviceVersion": "6.5.0.69058", + "Activity": "Insight Logs", + "ApplicationProtocol": "", + "EventCount": "", + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": "", + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": "", + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": "", + "ExternalID": "", + "FileCreateTime": "", + "FileHash": "", + "FileID": "", + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "", + "FileName": "", + "FileSize": "", + "ReceivedBytes": "", + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": "", + "OldFileType": "", + "SentBytes": "", + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": "", + "SourceProcessId": "", + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": "", + "SourceUserName": "", + "EventType": "", + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + 
"DeviceCustomFloatingPoint1": "", + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": "", + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": "", + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": "", + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": "", + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": "", + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": "", + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "", + "DeviceCustomString4Label": "", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": "", + "FlexNumber1Label": "", + "FlexNumber2": "", + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "Auth.Username=host/Asif-Test-PC2;Auth.Authorization-Sources=null;Auth.Login-Status=216;Auth.Request-Timestamp=2017-12-03 16:28:20+05:30;Auth.Protocol=RADIUS;Auth.Source=null;Auth.Enforcement-Profiles=[Allow Access Profile];Auth.NAS-Port=null;Auth.SSID=cppm-dot1x-test;TimestampFormat=MMM dd yyyy HH:mm:ss.SSS zzz;Auth.NAS-Port-Type=19;Auth.Error-Code=216;Auth.Roles=null;Auth.Service=Test Wireless;Auth.Host-MAC-Address=6817294b0636;Auth.Unhealthy=null;Auth.NAS-IP-Address=10.17.4.7;Auth.CalledStationId=000B8661CD70;Auth.NAS-Identifier=ClearPassLab3600", + "StartTime [UTC]": "", + "EndTime [UTC]": "", + "Type": "CommonSecurityLog", + "_ResourceId": 
"/subscriptions/7fd67ca4-e443-470d-9bc0-7ce7fa3124fb/resourcegroups/m90-logingestion-rg/providers/microsoft.compute/virtualmachines/m90-siem-vm02", + "Timestamp": "", + "CallingStationId": "", + "InpuOctets": "", + "TimestampFormat": "MMM dd yyyy HH:mm:ss.SSS zzz", + "SessionTime": "", + "FramedIpAddr": "", + "Source": "null", + "Method": "", + "SessionId": "", + "ServiceName": "", + "NasPortNumber": "", + "NasPortType": "19", + "OutputOctets": "", + "UserName": "host/Asif-Test-PC2", + "NasIpAddr": "10.17.4.7", + "AuthorizationSources": "null", + "NetworkProtocol": "RADIUS", + "RequestTimestamp": "2017-12-03 16:28:20+05:30", + "LoginStatus": "216", + "EnforcementProfiles": "[Allow Access Profile]", + "NasPort": "null", + "Ssid": "cppm-dot1x-test", + "ErrorCode": "216", + "Roles": "null", + "Service": "Test Wireless", + "SrcMacAddr": "6817294b0636", + "Unhealthy": "null", + "CalledStationId": "000B8661CD70", + "NasIdentifier": "", + "Category": "", + "Description": "", + "Action": "", + "TimeFormat": "" + } +] From 737cab2cccb5ad1c09a074dd2f8c8abf552902e9 Mon Sep 17 00:00:00 2001 From: chicduong <59736871+chicduong@users.noreply.github.com> Date: Mon, 7 Dec 2020 19:30:43 -0800 Subject: [PATCH 2/2] revisions --- Parsers/ArubaClearPass/ArubaClearPass.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Parsers/ArubaClearPass/ArubaClearPass.txt b/Parsers/ArubaClearPass/ArubaClearPass.txt index df0c0bf1f1..974f6db4ea 100644 --- a/Parsers/ArubaClearPass/ArubaClearPass.txt +++ b/Parsers/ArubaClearPass/ArubaClearPass.txt 
@@ -10,7 +10,7 @@
 // USAGE:
 // 1. Open Log Analytics/Azure Sentinel Logs blade. Copy the query below and paste into the Logs query window.
 // 2. Click the Save button above the query. A pane will appear on the right, select "as Function" from the drop down. Enter a Function Name.
-// It is recommended to name the Function Alias, as Aruba ClearPass
+// It is recommended to name the Function Alias, as ArubaClearPass
 // 3. Kusto Functions can typically take up to 15 minutes to activate. You can then use Function Alias for other queries.
 //
 // REFERENCES: