Merge pull request #1386 from chicduong/acn_cd_arubaclearpassparser01
ACN_CD_ArubaClearPass_Parser01
This commit is contained in:
Коммит
6f58976e95
|
@ -0,0 +1,81 @@
|
||||||
|
// Title: Aruba ClearPass Parser
|
||||||
|
// Author: Microsoft
|
||||||
|
// Version: 1.0
|
||||||
|
// Last Updated: 12/01/2020
|
||||||
|
// Comment: Initial Release
|
||||||
|
//
|
||||||
|
// DESCRIPTION:
|
||||||
|
// This parser takes raw Aruba ClearPass logs from a Syslog (CEF) stream and parses the logs into a normalized schema.
|
||||||
|
//
|
||||||
|
// USAGE:
|
||||||
|
// 1. Open Log Analytics/Azure Sentinel Logs blade. Copy the query below and paste into the Logs query window.
|
||||||
|
// 2. Click the Save button above the query. A pane will appear on the right, select "as Function" from the drop down. Enter a Function Name.
|
||||||
|
// It is recommended to name the Function Alias, as ArubaClearPass
|
||||||
|
// 3. Kusto Functions can typically take up to 15 minutes to activate. You can then use Function Alias for other queries.
|
||||||
|
//
|
||||||
|
// REFERENCES:
|
||||||
|
// Using functions in Azure monitor log queries: https://docs.microsoft.com/azure/azure-monitor/log-query/functions
|
||||||
|
//
|
||||||
|
// LOG SAMPLES:
|
||||||
|
// This parser assumes the raw log are formatted as follows:
|
||||||
|
//
|
||||||
|
// Dec 03 2017 16:31:28.861 IST 10.17.4.208 CEF:0|Aruba Networks|ClearPass|6.5.0.69058|0-1-0|Insight Logs|0|Auth.Username=host/Asif-Test-PC2 Auth.Authorization-Sources=null Auth.Login-Status=216 Auth.Request-Timestamp=2017-12-03 16:28:20+05:30 Auth.Protocol=RADIUS Auth.Source=null Auth.Enforcement-Profiles=[Allow Access Profile] Auth.NAS-Port=null Auth.SSID=cppm-dot1x-test TimestampFormat=MMM dd yyyy HH:mm:ss.SSS zzz Auth.NAS-Port-Type=19 Auth.Error-Code=216 Auth.Roles=null Auth.Service=Test Wireless Auth.Host-MAC-Address=6817294b0636 Auth.Unhealthy=null Auth.NAS-IP-Address=10.17.4.7 src=10.17.4.208 Auth.CalledStationId=000B8661CD70 Auth.NAS-Identifier=ClearPassLab3600
|
||||||
|
//
|
||||||
|
// Nov 19 2017 18:22:40.700 IST 10.17.4.221 CEF:0|Aruba Networks|ClearPass|6.5.0.68754|13-1-0|Audit Records|5|cat=Role timeFormat=MMM dd yyyy HH:mm:ss.SSS zzz rt=Nov 19, 2014 18:21:13 IST src=Test Role 10 act=ADD usrName=admin
|
||||||
|
//
|
||||||
|
// Dec 01 2017 15:28:40.540 IST 10.17.4.206 CEF:0Aruba Networks|ClearPass|6.5.0.68878|1604-1-0|Session Logs|0|RADIUS.Acct-Calling-Station-Id=00:32:b6:2c:28:95 RADIUS.Acct-Framed-IP-Address=192.167.230.129 RADIUS.Auth-Source=AD:10.17.4.130 RADIUS.Acct-Timestamp=2014-12-01 15:26:43+05:30 RADIUS.Auth-Method=PAP RADIUS.Acct-Service-Name=Authenticate-Only RADIUS.Acct-Session-Time=3155 TimestampFormat=MMM dd yyyy HH:mm:ss.SSS zzz RADIUS.Acct-NAS-Port=0 RADIUS.Acct-Session-Id=R00001316-01-547c3b5a RADIUS.Acct-NAS-Port-Type=Wireless-802.11 RADIUS.Acct-Output-Octets=578470212 RADIUS.Acct-Username=A_user2 RADIUS.Acct-NAS-IP-Address=10.17.6.124 RADIUS.Acct-Input-Octets=786315664
|
||||||
|
//
|
||||||
|
//
|
||||||
|
let LogHeader = CommonSecurityLog
|
||||||
|
| where DeviceVendor == "Aruba Networks" and DeviceProduct == "ClearPass";
|
||||||
|
let InsightLogs = LogHeader
|
||||||
|
| where Activity == "Insight Logs"
|
||||||
|
| extend UserName = extract(@'Auth.Username=([^;]+)\;',1, AdditionalExtensions),
|
||||||
|
AuthorizationSources = extract(@'Auth.Authorization-Sources=([^;]+)\;',1, AdditionalExtensions),
|
||||||
|
NetworkProtocol = extract(@'Auth.Protocol=([^;]+)\;',1, AdditionalExtensions),
|
||||||
|
RequestTimestamp = extract(@'Auth.Request-Timestamp=([^;]+)\;',1, AdditionalExtensions),
|
||||||
|
LoginStatus = extract(@'Auth.Login-Status=([^;]+)\;',1, AdditionalExtensions),
|
||||||
|
Source = extract(@'Auth.Source=([^;]+)\;',1, AdditionalExtensions),
|
||||||
|
EnforcementProfiles = extract(@'Auth.Enforcement-Profiles=([^;]+)\;',1, AdditionalExtensions),
|
||||||
|
NasPort = extract(@'Auth.NAS-Port=([^;]+)\;',1, AdditionalExtensions),
|
||||||
|
TimestampFormat = extract(@'TimestampFormat=([^;]+)\;',1, AdditionalExtensions),
|
||||||
|
Ssid = extract(@'Auth.SSID=([^;]+)\;',1, AdditionalExtensions),
|
||||||
|
NasPortType = extract(@'Auth.NAS-Port-Type=([^;]+)\;',1, AdditionalExtensions),
|
||||||
|
ErrorCode = extract(@'Auth.Error-Code=([^;]+)\;',1, AdditionalExtensions),
|
||||||
|
Roles = extract(@'Auth.Roles=([^;]+)\;',1, AdditionalExtensions),
|
||||||
|
Service = extract(@'Auth.Service=([^;]+)\;',1, AdditionalExtensions),
|
||||||
|
SrcMacAddr = extract(@'Auth.Host-MAC-Address=([^;]+)\;',1, AdditionalExtensions),
|
||||||
|
Unhealthy = extract(@'Auth.Unhealthy=([^;]+)\;',1, AdditionalExtensions),
|
||||||
|
NasIpAddr = extract(@'Auth.NAS-IP-Address=([^;]+)\;',1, AdditionalExtensions),
|
||||||
|
CalledStationId = extract(@'Auth.CalledStationId=([^;]+)\;',1, AdditionalExtensions),
|
||||||
|
NasIdentifier = extract(@'Auth.NAS-Identifier=([^;]+)\;',1, AdditionalExtensions);
|
||||||
|
let AuditRecords = LogHeader
|
||||||
|
| where Activity == "Audit Records"
|
||||||
|
| extend TimestampFormat = extract(@'timeFormat=([^;]+)\;',1, AdditionalExtensions),
|
||||||
|
UserName = extract(@'usrName=([^;]+)(\;|$)',1, AdditionalExtensions),
|
||||||
|
Category = extract(@'cat=([^;]+)\;',1, AdditionalExtensions);
|
||||||
|
let SessionLogs = LogHeader
|
||||||
|
| where Activity == "Session Logs"
|
||||||
|
| extend Timestamp = extract(@'RADIUS.Acct-Timestamp=([^;]+)\;',1, AdditionalExtensions),
|
||||||
|
CallingStationId = extract(@'RADIUS.Acct-Calling-Station-Id=([^;]+)\;',1, AdditionalExtensions),
|
||||||
|
InpuOctets = extract(@'RADIUS.Acct-Input-Octets=([^;]+)\;',1, AdditionalExtensions),
|
||||||
|
TimestampFormat = extract(@'TimestampFormat=([^;]+)\;',1, AdditionalExtensions),
|
||||||
|
SessionTime = extract(@'RADIUS.Acct-Session-Time=([^;]+)\;',1, AdditionalExtensions),
|
||||||
|
FramedIpAddr = extract(@'RADIUS.Acct-Framed-IP-Address=([^;]+)\;',1, AdditionalExtensions),
|
||||||
|
Source = extract(@'RADIUS.Auth-Source=([^;]+)\;',1, AdditionalExtensions),
|
||||||
|
Method = extract(@'RADIUS.Auth-Method=([^;]+)\;',1, AdditionalExtensions),
|
||||||
|
SessionId = extract(@'RADIUS.Acct-Session-Id=([^;]+)\;',1, AdditionalExtensions),
|
||||||
|
ServiceName = extract(@'RADIUS.Acct-Service-Name=([^;]+)\;',1, AdditionalExtensions),
|
||||||
|
NasPortNumber = extract(@'RADIUS.Acct-NAS-Port=([^;]+)\;',1, AdditionalExtensions),
|
||||||
|
NasPortType = extract(@'RADIUS.Acct-NAS-Port-Type=([^;]+)\;',1, AdditionalExtensions),
|
||||||
|
OutputOctets = extract(@'RADIUS.Acct-Output-Octets=([^;]+)\;',1, AdditionalExtensions),
|
||||||
|
UserName = extract(@'RADIUS.Acct-Username=([^;]+)\;',1, AdditionalExtensions),
|
||||||
|
NasIpAddr = extract(@'RADIUS.Acct-NAS-IP-Address=([^;]+)\;',1, AdditionalExtensions);
|
||||||
|
let SystemLogs = LogHeader
|
||||||
|
| where Activity == "System Logs"
|
||||||
|
| extend Description = extract(@'description=([^;]+)\;',1, AdditionalExtensions),
|
||||||
|
Action = extract(@'daction=([^;]+)\;',1, AdditionalExtensions),
|
||||||
|
InputOctets = extract(@'RADIUS.Acct-Input-Octets=([^;]+)\;',1, AdditionalExtensions),
|
||||||
|
TimeFormat = extract(@'devTimeFormat=([^;]+)\;',1, AdditionalExtensions);
|
||||||
|
union SessionLogs, InsightLogs, AuditRecords, SystemLogs
|
||||||
|
|
|
@ -0,0 +1,563 @@
|
||||||
|
[
|
||||||
|
{
|
||||||
|
"TenantId": "a131321e-a763-4026-8439-5326aadafd82",
|
||||||
|
"SourceSystem": "OpsManager",
|
||||||
|
"TimeGenerated [UTC]": "11/27/2020, 10:09:35.587 PM",
|
||||||
|
"ReceiptTime": "Nov 19, 2014 18:21:13 IST",
|
||||||
|
"DeviceVendor": "Aruba Networks",
|
||||||
|
"DeviceProduct": "ClearPass",
|
||||||
|
"DeviceEventClassID": "13-1-0",
|
||||||
|
"LogSeverity": "5",
|
||||||
|
"OriginalLogSeverity": "",
|
||||||
|
"DeviceAction": "ADD",
|
||||||
|
"SimplifiedDeviceAction": "ADD",
|
||||||
|
"Computer": "",
|
||||||
|
"CommunicationDirection": "",
|
||||||
|
"DeviceFacility": "",
|
||||||
|
"DestinationPort": "",
|
||||||
|
"DestinationIP": "",
|
||||||
|
"DeviceAddress": "",
|
||||||
|
"DeviceName": "",
|
||||||
|
"Message": "",
|
||||||
|
"Protocol": "",
|
||||||
|
"SourcePort": "",
|
||||||
|
"SourceIP": "Test Role 10",
|
||||||
|
"RemoteIP": "",
|
||||||
|
"RemotePort": "",
|
||||||
|
"MaliciousIP": "",
|
||||||
|
"ThreatSeverity": "",
|
||||||
|
"IndicatorThreatType": "",
|
||||||
|
"ThreatDescription": "",
|
||||||
|
"ThreatConfidence": "",
|
||||||
|
"ReportReferenceLink": "",
|
||||||
|
"MaliciousIPLongitude": "",
|
||||||
|
"MaliciousIPLatitude": "",
|
||||||
|
"MaliciousIPCountry": "",
|
||||||
|
"DeviceVersion": "6.5.0.68754",
|
||||||
|
"Activity": "Audit Records",
|
||||||
|
"ApplicationProtocol": "",
|
||||||
|
"EventCount": "",
|
||||||
|
"DestinationDnsDomain": "",
|
||||||
|
"DestinationServiceName": "",
|
||||||
|
"DestinationTranslatedAddress": "",
|
||||||
|
"DestinationTranslatedPort": "",
|
||||||
|
"DeviceDnsDomain": "",
|
||||||
|
"DeviceExternalID": "",
|
||||||
|
"DeviceInboundInterface": "",
|
||||||
|
"DeviceNtDomain": "",
|
||||||
|
"DeviceOutboundInterface": "",
|
||||||
|
"DevicePayloadId": "",
|
||||||
|
"ProcessName": "",
|
||||||
|
"DeviceTranslatedAddress": "",
|
||||||
|
"DestinationHostName": "",
|
||||||
|
"DestinationMACAddress": "",
|
||||||
|
"DestinationNTDomain": "",
|
||||||
|
"DestinationProcessId": "",
|
||||||
|
"DestinationUserPrivileges": "",
|
||||||
|
"DestinationProcessName": "",
|
||||||
|
"DeviceTimeZone": "",
|
||||||
|
"DestinationUserID": "",
|
||||||
|
"DestinationUserName": "",
|
||||||
|
"DeviceMacAddress": "",
|
||||||
|
"ProcessID": "",
|
||||||
|
"ExternalID": "",
|
||||||
|
"FileCreateTime": "",
|
||||||
|
"FileHash": "",
|
||||||
|
"FileID": "",
|
||||||
|
"FileModificationTime": "",
|
||||||
|
"FilePath": "",
|
||||||
|
"FilePermission": "",
|
||||||
|
"FileType": "",
|
||||||
|
"FileName": "",
|
||||||
|
"FileSize": "",
|
||||||
|
"ReceivedBytes": "",
|
||||||
|
"OldFileCreateTime": "",
|
||||||
|
"OldFileHash": "",
|
||||||
|
"OldFileID": "",
|
||||||
|
"OldFileModificationTime": "",
|
||||||
|
"OldFileName": "",
|
||||||
|
"OldFilePath": "",
|
||||||
|
"OldFilePermission": "",
|
||||||
|
"OldFileSize": "",
|
||||||
|
"OldFileType": "",
|
||||||
|
"SentBytes": "",
|
||||||
|
"RequestURL": "",
|
||||||
|
"RequestClientApplication": "",
|
||||||
|
"RequestContext": "",
|
||||||
|
"RequestCookies": "",
|
||||||
|
"RequestMethod": "",
|
||||||
|
"SourceHostName": "",
|
||||||
|
"SourceMACAddress": "",
|
||||||
|
"SourceNTDomain": "",
|
||||||
|
"SourceDnsDomain": "",
|
||||||
|
"SourceServiceName": "",
|
||||||
|
"SourceTranslatedAddress": "",
|
||||||
|
"SourceTranslatedPort": "",
|
||||||
|
"SourceProcessId": "",
|
||||||
|
"SourceUserPrivileges": "",
|
||||||
|
"SourceProcessName": "",
|
||||||
|
"SourceUserID": "",
|
||||||
|
"SourceUserName": "",
|
||||||
|
"EventType": "",
|
||||||
|
"DeviceCustomIPv6Address1": "",
|
||||||
|
"DeviceCustomIPv6Address1Label": "",
|
||||||
|
"DeviceCustomIPv6Address2": "",
|
||||||
|
"DeviceCustomIPv6Address2Label": "",
|
||||||
|
"DeviceCustomIPv6Address3": "",
|
||||||
|
"DeviceCustomIPv6Address3Label": "",
|
||||||
|
"DeviceCustomIPv6Address4": "",
|
||||||
|
"DeviceCustomIPv6Address4Label": "",
|
||||||
|
"DeviceCustomFloatingPoint1": "",
|
||||||
|
"DeviceCustomFloatingPoint1Label": "",
|
||||||
|
"DeviceCustomFloatingPoint2": "",
|
||||||
|
"DeviceCustomFloatingPoint2Label": "",
|
||||||
|
"DeviceCustomFloatingPoint3": "",
|
||||||
|
"DeviceCustomFloatingPoint3Label": "",
|
||||||
|
"DeviceCustomFloatingPoint4": "",
|
||||||
|
"DeviceCustomFloatingPoint4Label": "",
|
||||||
|
"DeviceCustomNumber1": "",
|
||||||
|
"DeviceCustomNumber1Label": "",
|
||||||
|
"DeviceCustomNumber2": "",
|
||||||
|
"DeviceCustomNumber2Label": "",
|
||||||
|
"DeviceCustomNumber3": "",
|
||||||
|
"DeviceCustomNumber3Label": "",
|
||||||
|
"DeviceCustomString1": "",
|
||||||
|
"DeviceCustomString1Label": "",
|
||||||
|
"DeviceCustomString2": "",
|
||||||
|
"DeviceCustomString2Label": "",
|
||||||
|
"DeviceCustomString3": "",
|
||||||
|
"DeviceCustomString3Label": "",
|
||||||
|
"DeviceCustomString4": "",
|
||||||
|
"DeviceCustomString4Label": "",
|
||||||
|
"DeviceCustomString5": "",
|
||||||
|
"DeviceCustomString5Label": "",
|
||||||
|
"DeviceCustomString6": "",
|
||||||
|
"DeviceCustomString6Label": "",
|
||||||
|
"DeviceCustomDate1": "",
|
||||||
|
"DeviceCustomDate1Label": "",
|
||||||
|
"DeviceCustomDate2": "",
|
||||||
|
"DeviceCustomDate2Label": "",
|
||||||
|
"FlexDate1": "",
|
||||||
|
"FlexDate1Label": "",
|
||||||
|
"FlexNumber1": "",
|
||||||
|
"FlexNumber1Label": "",
|
||||||
|
"FlexNumber2": "",
|
||||||
|
"FlexNumber2Label": "",
|
||||||
|
"FlexString1": "",
|
||||||
|
"FlexString1Label": "",
|
||||||
|
"FlexString2": "",
|
||||||
|
"FlexString2Label": "",
|
||||||
|
"AdditionalExtensions": "cat=Role;timeFormat=MMM dd yyyy HH:mm:ss.SSS zzz;usrName=admin",
|
||||||
|
"StartTime [UTC]": "",
|
||||||
|
"EndTime [UTC]": "",
|
||||||
|
"Type": "CommonSecurityLog",
|
||||||
|
"_ResourceId": "/subscriptions/7fd67ca4-e443-470d-9bc0-7ce7fa3124fb/resourcegroups/m90-logingestion-rg/providers/microsoft.compute/virtualmachines/m90-siem-vm02",
|
||||||
|
"Timestamp": "",
|
||||||
|
"CallingStationId": "",
|
||||||
|
"InpuOctets": "",
|
||||||
|
"TimestampFormat": "MMM dd yyyy HH:mm:ss.SSS zzz",
|
||||||
|
"SessionTime": "",
|
||||||
|
"FramedIpAddr": "",
|
||||||
|
"Source": "",
|
||||||
|
"Method": "",
|
||||||
|
"SessionId": "",
|
||||||
|
"ServiceName": "",
|
||||||
|
"NasPortNumber": "",
|
||||||
|
"NasPortType": "",
|
||||||
|
"OutputOctets": "",
|
||||||
|
"UserName": "",
|
||||||
|
"NasIpAddr": "",
|
||||||
|
"AuthorizationSources": "",
|
||||||
|
"NetworkProtocol": "",
|
||||||
|
"RequestTimestamp": "",
|
||||||
|
"LoginStatus": "",
|
||||||
|
"EnforcementProfiles": "",
|
||||||
|
"NasPort": "",
|
||||||
|
"Ssid": "",
|
||||||
|
"ErrorCode": "",
|
||||||
|
"Roles": "",
|
||||||
|
"Service": "",
|
||||||
|
"SrcMacAddr": "",
|
||||||
|
"Unhealthy": "",
|
||||||
|
"CalledStationId": "",
|
||||||
|
"NasIdentifier": "",
|
||||||
|
"Category": "Role",
|
||||||
|
"Description": "",
|
||||||
|
"Action": "",
|
||||||
|
"TimeFormat": ""
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"TenantId": "a131321e-a763-4026-8439-5326aadafd82",
|
||||||
|
"SourceSystem": "OpsManager",
|
||||||
|
"TimeGenerated [UTC]": "11/27/2020, 11:13:29.627 PM",
|
||||||
|
"ReceiptTime": "",
|
||||||
|
"DeviceVendor": "Aruba Networks",
|
||||||
|
"DeviceProduct": "ClearPass",
|
||||||
|
"DeviceEventClassID": "1604-1-0",
|
||||||
|
"LogSeverity": "0",
|
||||||
|
"OriginalLogSeverity": "",
|
||||||
|
"DeviceAction": "",
|
||||||
|
"SimplifiedDeviceAction": "",
|
||||||
|
"Computer": "",
|
||||||
|
"CommunicationDirection": "",
|
||||||
|
"DeviceFacility": "",
|
||||||
|
"DestinationPort": "",
|
||||||
|
"DestinationIP": "",
|
||||||
|
"DeviceAddress": "",
|
||||||
|
"DeviceName": "",
|
||||||
|
"Message": "",
|
||||||
|
"Protocol": "",
|
||||||
|
"SourcePort": "",
|
||||||
|
"SourceIP": "",
|
||||||
|
"RemoteIP": "",
|
||||||
|
"RemotePort": "",
|
||||||
|
"MaliciousIP": "",
|
||||||
|
"ThreatSeverity": "",
|
||||||
|
"IndicatorThreatType": "",
|
||||||
|
"ThreatDescription": "",
|
||||||
|
"ThreatConfidence": "",
|
||||||
|
"ReportReferenceLink": "",
|
||||||
|
"MaliciousIPLongitude": "",
|
||||||
|
"MaliciousIPLatitude": "",
|
||||||
|
"MaliciousIPCountry": "",
|
||||||
|
"DeviceVersion": "6.5.0.68878",
|
||||||
|
"Activity": "Session Logs",
|
||||||
|
"ApplicationProtocol": "",
|
||||||
|
"EventCount": "",
|
||||||
|
"DestinationDnsDomain": "",
|
||||||
|
"DestinationServiceName": "",
|
||||||
|
"DestinationTranslatedAddress": "",
|
||||||
|
"DestinationTranslatedPort": "",
|
||||||
|
"DeviceDnsDomain": "",
|
||||||
|
"DeviceExternalID": "",
|
||||||
|
"DeviceInboundInterface": "",
|
||||||
|
"DeviceNtDomain": "",
|
||||||
|
"DeviceOutboundInterface": "",
|
||||||
|
"DevicePayloadId": "",
|
||||||
|
"ProcessName": "",
|
||||||
|
"DeviceTranslatedAddress": "",
|
||||||
|
"DestinationHostName": "",
|
||||||
|
"DestinationMACAddress": "",
|
||||||
|
"DestinationNTDomain": "",
|
||||||
|
"DestinationProcessId": "",
|
||||||
|
"DestinationUserPrivileges": "",
|
||||||
|
"DestinationProcessName": "",
|
||||||
|
"DeviceTimeZone": "",
|
||||||
|
"DestinationUserID": "",
|
||||||
|
"DestinationUserName": "",
|
||||||
|
"DeviceMacAddress": "",
|
||||||
|
"ProcessID": "",
|
||||||
|
"ExternalID": "",
|
||||||
|
"FileCreateTime": "",
|
||||||
|
"FileHash": "",
|
||||||
|
"FileID": "",
|
||||||
|
"FileModificationTime": "",
|
||||||
|
"FilePath": "",
|
||||||
|
"FilePermission": "",
|
||||||
|
"FileType": "",
|
||||||
|
"FileName": "",
|
||||||
|
"FileSize": "",
|
||||||
|
"ReceivedBytes": "",
|
||||||
|
"OldFileCreateTime": "",
|
||||||
|
"OldFileHash": "",
|
||||||
|
"OldFileID": "",
|
||||||
|
"OldFileModificationTime": "",
|
||||||
|
"OldFileName": "",
|
||||||
|
"OldFilePath": "",
|
||||||
|
"OldFilePermission": "",
|
||||||
|
"OldFileSize": "",
|
||||||
|
"OldFileType": "",
|
||||||
|
"SentBytes": "",
|
||||||
|
"RequestURL": "",
|
||||||
|
"RequestClientApplication": "",
|
||||||
|
"RequestContext": "",
|
||||||
|
"RequestCookies": "",
|
||||||
|
"RequestMethod": "",
|
||||||
|
"SourceHostName": "",
|
||||||
|
"SourceMACAddress": "",
|
||||||
|
"SourceNTDomain": "",
|
||||||
|
"SourceDnsDomain": "",
|
||||||
|
"SourceServiceName": "",
|
||||||
|
"SourceTranslatedAddress": "",
|
||||||
|
"SourceTranslatedPort": "",
|
||||||
|
"SourceProcessId": "",
|
||||||
|
"SourceUserPrivileges": "",
|
||||||
|
"SourceProcessName": "",
|
||||||
|
"SourceUserID": "",
|
||||||
|
"SourceUserName": "",
|
||||||
|
"EventType": "",
|
||||||
|
"DeviceCustomIPv6Address1": "",
|
||||||
|
"DeviceCustomIPv6Address1Label": "",
|
||||||
|
"DeviceCustomIPv6Address2": "",
|
||||||
|
"DeviceCustomIPv6Address2Label": "",
|
||||||
|
"DeviceCustomIPv6Address3": "",
|
||||||
|
"DeviceCustomIPv6Address3Label": "",
|
||||||
|
"DeviceCustomIPv6Address4": "",
|
||||||
|
"DeviceCustomIPv6Address4Label": "",
|
||||||
|
"DeviceCustomFloatingPoint1": "",
|
||||||
|
"DeviceCustomFloatingPoint1Label": "",
|
||||||
|
"DeviceCustomFloatingPoint2": "",
|
||||||
|
"DeviceCustomFloatingPoint2Label": "",
|
||||||
|
"DeviceCustomFloatingPoint3": "",
|
||||||
|
"DeviceCustomFloatingPoint3Label": "",
|
||||||
|
"DeviceCustomFloatingPoint4": "",
|
||||||
|
"DeviceCustomFloatingPoint4Label": "",
|
||||||
|
"DeviceCustomNumber1": "",
|
||||||
|
"DeviceCustomNumber1Label": "",
|
||||||
|
"DeviceCustomNumber2": "",
|
||||||
|
"DeviceCustomNumber2Label": "",
|
||||||
|
"DeviceCustomNumber3": "",
|
||||||
|
"DeviceCustomNumber3Label": "",
|
||||||
|
"DeviceCustomString1": "",
|
||||||
|
"DeviceCustomString1Label": "",
|
||||||
|
"DeviceCustomString2": "",
|
||||||
|
"DeviceCustomString2Label": "",
|
||||||
|
"DeviceCustomString3": "",
|
||||||
|
"DeviceCustomString3Label": "",
|
||||||
|
"DeviceCustomString4": "",
|
||||||
|
"DeviceCustomString4Label": "",
|
||||||
|
"DeviceCustomString5": "",
|
||||||
|
"DeviceCustomString5Label": "",
|
||||||
|
"DeviceCustomString6": "",
|
||||||
|
"DeviceCustomString6Label": "",
|
||||||
|
"DeviceCustomDate1": "",
|
||||||
|
"DeviceCustomDate1Label": "",
|
||||||
|
"DeviceCustomDate2": "",
|
||||||
|
"DeviceCustomDate2Label": "",
|
||||||
|
"FlexDate1": "",
|
||||||
|
"FlexDate1Label": "",
|
||||||
|
"FlexNumber1": "",
|
||||||
|
"FlexNumber1Label": "",
|
||||||
|
"FlexNumber2": "",
|
||||||
|
"FlexNumber2Label": "",
|
||||||
|
"FlexString1": "",
|
||||||
|
"FlexString1Label": "",
|
||||||
|
"FlexString2": "",
|
||||||
|
"FlexString2Label": "",
|
||||||
|
"AdditionalExtensions": "RADIUS.Acct-Calling-Station-Id=00:32:b6:2c:28:95;RADIUS.Acct-Framed-IP-Address=192.167.230.129;RADIUS.Auth-Source=AD:10.17.4.130;RADIUS.Acct-Timestamp=2014-12-01 15:26:43+05:30;RADIUS.Auth-Method=PAP;RADIUS.Acct-Service-Name=Authenticate-Only;RADIUS.Acct-Session-Time=3155;TimestampFormat=MMM dd yyyy HH:mm:ss.SSS zzz;RADIUS.Acct-NAS-Port=0;RADIUS.Acct-Session-Id=R00001316-01-547c3b5a;RADIUS.Acct-NAS-Port-Type=Wireless-802.11;RADIUS.Acct-Output-Octets=578470212;RADIUS.Acct-Username=A_user2;RADIUS.Acct-NAS-IP-Address=10.17.6.124;RADIUS.Acct-Input-Octets=786315664",
|
||||||
|
"StartTime [UTC]": "",
|
||||||
|
"EndTime [UTC]": "",
|
||||||
|
"Type": "CommonSecurityLog",
|
||||||
|
"_ResourceId": "/subscriptions/7fd67ca4-e443-470d-9bc0-7ce7fa3124fb/resourcegroups/m90-logingestion-rg/providers/microsoft.compute/virtualmachines/m90-siem-vm02",
|
||||||
|
"Timestamp": "2014-12-01 15:26:43+05:30",
|
||||||
|
"CallingStationId": "00:32:b6:2c:28:95",
|
||||||
|
"InpuOctets": "",
|
||||||
|
"TimestampFormat": "MMM dd yyyy HH:mm:ss.SSS zzz",
|
||||||
|
"SessionTime": "3155",
|
||||||
|
"FramedIpAddr": "192.167.230.129",
|
||||||
|
"Source": "AD:10.17.4.130",
|
||||||
|
"Method": "PAP",
|
||||||
|
"SessionId": "R00001316-01-547c3b5a",
|
||||||
|
"ServiceName": "Authenticate-Only",
|
||||||
|
"NasPortNumber": "0",
|
||||||
|
"NasPortType": "Wireless-802.11",
|
||||||
|
"OutputOctets": "578470212",
|
||||||
|
"UserName": "A_user2",
|
||||||
|
"NasIpAddr": "10.17.6.124",
|
||||||
|
"AuthorizationSources": "",
|
||||||
|
"NetworkProtocol": "",
|
||||||
|
"RequestTimestamp": "",
|
||||||
|
"LoginStatus": "",
|
||||||
|
"EnforcementProfiles": "",
|
||||||
|
"NasPort": "",
|
||||||
|
"Ssid": "",
|
||||||
|
"ErrorCode": "",
|
||||||
|
"Roles": "",
|
||||||
|
"Service": "",
|
||||||
|
"SrcMacAddr": "",
|
||||||
|
"Unhealthy": "",
|
||||||
|
"CalledStationId": "",
|
||||||
|
"NasIdentifier": "",
|
||||||
|
"Category": "",
|
||||||
|
"Description": "",
|
||||||
|
"Action": "",
|
||||||
|
"TimeFormat": ""
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"TenantId": "a131321e-a763-4026-8439-5326aadafd82",
|
||||||
|
"SourceSystem": "OpsManager",
|
||||||
|
"TimeGenerated [UTC]": "11/27/2020, 10:01:06.239 PM",
|
||||||
|
"ReceiptTime": "",
|
||||||
|
"DeviceVendor": "Aruba Networks",
|
||||||
|
"DeviceProduct": "ClearPass",
|
||||||
|
"DeviceEventClassID": "0-1-0",
|
||||||
|
"LogSeverity": "0",
|
||||||
|
"OriginalLogSeverity": "",
|
||||||
|
"DeviceAction": "",
|
||||||
|
"SimplifiedDeviceAction": "",
|
||||||
|
"Computer": "",
|
||||||
|
"CommunicationDirection": "",
|
||||||
|
"DeviceFacility": "",
|
||||||
|
"DestinationPort": "",
|
||||||
|
"DestinationIP": "",
|
||||||
|
"DeviceAddress": "",
|
||||||
|
"DeviceName": "",
|
||||||
|
"Message": "",
|
||||||
|
"Protocol": "",
|
||||||
|
"SourcePort": "",
|
||||||
|
"SourceIP": "10.17.4.208",
|
||||||
|
"RemoteIP": "",
|
||||||
|
"RemotePort": "",
|
||||||
|
"MaliciousIP": "",
|
||||||
|
"ThreatSeverity": "",
|
||||||
|
"IndicatorThreatType": "",
|
||||||
|
"ThreatDescription": "",
|
||||||
|
"ThreatConfidence": "",
|
||||||
|
"ReportReferenceLink": "",
|
||||||
|
"MaliciousIPLongitude": "",
|
||||||
|
"MaliciousIPLatitude": "",
|
||||||
|
"MaliciousIPCountry": "",
|
||||||
|
"DeviceVersion": "6.5.0.69058",
|
||||||
|
"Activity": "Insight Logs",
|
||||||
|
"ApplicationProtocol": "",
|
||||||
|
"EventCount": "",
|
||||||
|
"DestinationDnsDomain": "",
|
||||||
|
"DestinationServiceName": "",
|
||||||
|
"DestinationTranslatedAddress": "",
|
||||||
|
"DestinationTranslatedPort": "",
|
||||||
|
"DeviceDnsDomain": "",
|
||||||
|
"DeviceExternalID": "",
|
||||||
|
"DeviceInboundInterface": "",
|
||||||
|
"DeviceNtDomain": "",
|
||||||
|
"DeviceOutboundInterface": "",
|
||||||
|
"DevicePayloadId": "",
|
||||||
|
"ProcessName": "",
|
||||||
|
"DeviceTranslatedAddress": "",
|
||||||
|
"DestinationHostName": "",
|
||||||
|
"DestinationMACAddress": "",
|
||||||
|
"DestinationNTDomain": "",
|
||||||
|
"DestinationProcessId": "",
|
||||||
|
"DestinationUserPrivileges": "",
|
||||||
|
"DestinationProcessName": "",
|
||||||
|
"DeviceTimeZone": "",
|
||||||
|
"DestinationUserID": "",
|
||||||
|
"DestinationUserName": "",
|
||||||
|
"DeviceMacAddress": "",
|
||||||
|
"ProcessID": "",
|
||||||
|
"ExternalID": "",
|
||||||
|
"FileCreateTime": "",
|
||||||
|
"FileHash": "",
|
||||||
|
"FileID": "",
|
||||||
|
"FileModificationTime": "",
|
||||||
|
"FilePath": "",
|
||||||
|
"FilePermission": "",
|
||||||
|
"FileType": "",
|
||||||
|
"FileName": "",
|
||||||
|
"FileSize": "",
|
||||||
|
"ReceivedBytes": "",
|
||||||
|
"OldFileCreateTime": "",
|
||||||
|
"OldFileHash": "",
|
||||||
|
"OldFileID": "",
|
||||||
|
"OldFileModificationTime": "",
|
||||||
|
"OldFileName": "",
|
||||||
|
"OldFilePath": "",
|
||||||
|
"OldFilePermission": "",
|
||||||
|
"OldFileSize": "",
|
||||||
|
"OldFileType": "",
|
||||||
|
"SentBytes": "",
|
||||||
|
"RequestURL": "",
|
||||||
|
"RequestClientApplication": "",
|
||||||
|
"RequestContext": "",
|
||||||
|
"RequestCookies": "",
|
||||||
|
"RequestMethod": "",
|
||||||
|
"SourceHostName": "",
|
||||||
|
"SourceMACAddress": "",
|
||||||
|
"SourceNTDomain": "",
|
||||||
|
"SourceDnsDomain": "",
|
||||||
|
"SourceServiceName": "",
|
||||||
|
"SourceTranslatedAddress": "",
|
||||||
|
"SourceTranslatedPort": "",
|
||||||
|
"SourceProcessId": "",
|
||||||
|
"SourceUserPrivileges": "",
|
||||||
|
"SourceProcessName": "",
|
||||||
|
"SourceUserID": "",
|
||||||
|
"SourceUserName": "",
|
||||||
|
"EventType": "",
|
||||||
|
"DeviceCustomIPv6Address1": "",
|
||||||
|
"DeviceCustomIPv6Address1Label": "",
|
||||||
|
"DeviceCustomIPv6Address2": "",
|
||||||
|
"DeviceCustomIPv6Address2Label": "",
|
||||||
|
"DeviceCustomIPv6Address3": "",
|
||||||
|
"DeviceCustomIPv6Address3Label": "",
|
||||||
|
"DeviceCustomIPv6Address4": "",
|
||||||
|
"DeviceCustomIPv6Address4Label": "",
|
||||||
|
"DeviceCustomFloatingPoint1": "",
|
||||||
|
"DeviceCustomFloatingPoint1Label": "",
|
||||||
|
"DeviceCustomFloatingPoint2": "",
|
||||||
|
"DeviceCustomFloatingPoint2Label": "",
|
||||||
|
"DeviceCustomFloatingPoint3": "",
|
||||||
|
"DeviceCustomFloatingPoint3Label": "",
|
||||||
|
"DeviceCustomFloatingPoint4": "",
|
||||||
|
"DeviceCustomFloatingPoint4Label": "",
|
||||||
|
"DeviceCustomNumber1": "",
|
||||||
|
"DeviceCustomNumber1Label": "",
|
||||||
|
"DeviceCustomNumber2": "",
|
||||||
|
"DeviceCustomNumber2Label": "",
|
||||||
|
"DeviceCustomNumber3": "",
|
||||||
|
"DeviceCustomNumber3Label": "",
|
||||||
|
"DeviceCustomString1": "",
|
||||||
|
"DeviceCustomString1Label": "",
|
||||||
|
"DeviceCustomString2": "",
|
||||||
|
"DeviceCustomString2Label": "",
|
||||||
|
"DeviceCustomString3": "",
|
||||||
|
"DeviceCustomString3Label": "",
|
||||||
|
"DeviceCustomString4": "",
|
||||||
|
"DeviceCustomString4Label": "",
|
||||||
|
"DeviceCustomString5": "",
|
||||||
|
"DeviceCustomString5Label": "",
|
||||||
|
"DeviceCustomString6": "",
|
||||||
|
"DeviceCustomString6Label": "",
|
||||||
|
"DeviceCustomDate1": "",
|
||||||
|
"DeviceCustomDate1Label": "",
|
||||||
|
"DeviceCustomDate2": "",
|
||||||
|
"DeviceCustomDate2Label": "",
|
||||||
|
"FlexDate1": "",
|
||||||
|
"FlexDate1Label": "",
|
||||||
|
"FlexNumber1": "",
|
||||||
|
"FlexNumber1Label": "",
|
||||||
|
"FlexNumber2": "",
|
||||||
|
"FlexNumber2Label": "",
|
||||||
|
"FlexString1": "",
|
||||||
|
"FlexString1Label": "",
|
||||||
|
"FlexString2": "",
|
||||||
|
"FlexString2Label": "",
|
||||||
|
"AdditionalExtensions": "Auth.Username=host/Asif-Test-PC2;Auth.Authorization-Sources=null;Auth.Login-Status=216;Auth.Request-Timestamp=2017-12-03 16:28:20+05:30;Auth.Protocol=RADIUS;Auth.Source=null;Auth.Enforcement-Profiles=[Allow Access Profile];Auth.NAS-Port=null;Auth.SSID=cppm-dot1x-test;TimestampFormat=MMM dd yyyy HH:mm:ss.SSS zzz;Auth.NAS-Port-Type=19;Auth.Error-Code=216;Auth.Roles=null;Auth.Service=Test Wireless;Auth.Host-MAC-Address=6817294b0636;Auth.Unhealthy=null;Auth.NAS-IP-Address=10.17.4.7;Auth.CalledStationId=000B8661CD70;Auth.NAS-Identifier=ClearPassLab3600",
|
||||||
|
"StartTime [UTC]": "",
|
||||||
|
"EndTime [UTC]": "",
|
||||||
|
"Type": "CommonSecurityLog",
|
||||||
|
"_ResourceId": "/subscriptions/7fd67ca4-e443-470d-9bc0-7ce7fa3124fb/resourcegroups/m90-logingestion-rg/providers/microsoft.compute/virtualmachines/m90-siem-vm02",
|
||||||
|
"Timestamp": "",
|
||||||
|
"CallingStationId": "",
|
||||||
|
"InpuOctets": "",
|
||||||
|
"TimestampFormat": "MMM dd yyyy HH:mm:ss.SSS zzz",
|
||||||
|
"SessionTime": "",
|
||||||
|
"FramedIpAddr": "",
|
||||||
|
"Source": "null",
|
||||||
|
"Method": "",
|
||||||
|
"SessionId": "",
|
||||||
|
"ServiceName": "",
|
||||||
|
"NasPortNumber": "",
|
||||||
|
"NasPortType": "19",
|
||||||
|
"OutputOctets": "",
|
||||||
|
"UserName": "host/Asif-Test-PC2",
|
||||||
|
"NasIpAddr": "10.17.4.7",
|
||||||
|
"AuthorizationSources": "null",
|
||||||
|
"NetworkProtocol": "RADIUS",
|
||||||
|
"RequestTimestamp": "2017-12-03 16:28:20+05:30",
|
||||||
|
"LoginStatus": "216",
|
||||||
|
"EnforcementProfiles": "[Allow Access Profile]",
|
||||||
|
"NasPort": "null",
|
||||||
|
"Ssid": "cppm-dot1x-test",
|
||||||
|
"ErrorCode": "216",
|
||||||
|
"Roles": "null",
|
||||||
|
"Service": "Test Wireless",
|
||||||
|
"SrcMacAddr": "6817294b0636",
|
||||||
|
"Unhealthy": "null",
|
||||||
|
"CalledStationId": "000B8661CD70",
|
||||||
|
"NasIdentifier": "",
|
||||||
|
"Category": "",
|
||||||
|
"Description": "",
|
||||||
|
"Action": "",
|
||||||
|
"TimeFormat": ""
|
||||||
|
}
|
||||||
|
]
|
Загрузка…
Ссылка в новой задаче