Merge pull request #2476 from pemontto/master

Align WatchGuard parser to Azure Sentinel CIM
v-jayakal 2021-06-23 16:28:28 -07:00 коммит произвёл GitHub
Родитель 9f810a308b 6bd1dc17c8
Коммит 88d6d65c3a
1 изменённых файлов: 33 добавлений и 24 удалений


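--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -14,30 +14,39 @@
 //
 // REFERENCES:
 // Using functions in Azure monitor log queries: https://docs.microsoft.com/azure/azure-monitor/log-query/functions
-let fromat_result = (source_arry:dynamic)
-{
+let fromat_result = (source_arry: dynamic) {
 let source_ips = array_concat(source_arry[0], source_arry[1]);
-iif(source_ips[2]=="", strcat(source_ips[0],source_ips[1]), strcat(source_ips[0], dynamic(","),source_ips[2]))
+iif(source_ips[2] == "", strcat(source_ips[0], source_ips[1]), strcat(source_ips[0], dynamic(","), source_ips[2]))
 };
 Syslog
-| extend PolicyName = replace("-00","",extract(@"\s\(([-\w\s]*?(-00|\sPolicy|DVCP-BOVPN-Allow-in))\)$",1,SyslogMessage, typeof(string))),
-PolicyAction = extract("msg_id=\".*?\"\\s(\\w+?)\\s.*(Policy|-00|DVCP-BOVPN-Allow-in)\\)$",1,SyslogMessage),
-ProxyName = extract("Proxy.*?: ([\\w\\s]+)",1,SyslogMessage),
-Application = extract("app_name=\"(.*?)\"",1,SyslogMessage),
-MessageId = extract("msg_id=\"(.*?)\"",1,SyslogMessage),
-EventMessage = extract("msg=\"(.*?)\"",1,SyslogMessage),
-LoginUser = extract("Authentication of .*?\\[(.*?)@.*?\\].*?\\s",1,SyslogMessage),
-Interface = extract("msg_id=\"3100-002C\" \\[(.*)\\]",1,SyslogMessage),
-InterfaceStatus = extract("Interface link status changed to ([\\w\\s]+)",1,SyslogMessage),
-BOVPNInterface = extract("msg_id=\"0207-0001\".*\'(.*)\'",1,SyslogMessage),
-BOVPNStatus = extract("BOVPN IPSec tunnel is (.*). local",1,SyslogMessage),
-GeoDst = extract("geo_dst=\"(.*?)\"",1,SyslogMessage),
-GeoSrc = extract("geo_src=\"(.*?)\"",1,SyslogMessage),
-SentBytes = extract("sent_bytes=\"(.*?)\"",1,SyslogMessage),
-RcvdBytes = extract("rcvd_bytes=\"(.*?)\"",1,SyslogMessage),
-FireboxVersion = extract("Watchguard loggerd (.*?) ",1,SyslogMessage),
-FireboxManageUser = extract("Management user (.*?)@",1,SyslogMessage),
-SrcIpAddr = fromat_result(extract_all(@"(:\s(?P<srcIp1>(\d{1,3}\.){3}\d{1,3}):\d{1,5}\s->\s)|(\s(?P<srcIp2>(\d{1,3}\.){3}\d{1,3})\s(\d{1,3}\.){3}\d{1,3}\s)", dynamic(['srcIp1', 'srcIp2']), SyslogMessage)),
-DstIpAddr = fromat_result(extract_all(@"(:\d{1,5}\s->\s(?P<destIp1>(\d{1,3}\.){3}\d{1,3}):\d{1,5}\s)|(\s(\d{1,3}\.){3}\d{1,3}\s(?P<destIp2>(\d{1,3}\.){3}\d{1,3})\s)", dynamic(['destIp1', 'destIp2']), SyslogMessage)),
-SrcPortNumber = fromat_result(extract_all(@"(:\s(\d{1,3}\.){3}\d{1,3}:(?P<srcPort1>\d{1,5})\s->\s)|(\s(\d{1,3}\.){3}\d{1,3}\s(\d{1,3}\.){3}\d{1,3}\s(?P<srcPort2>\d{1,5})\s)", dynamic(['srcPort1', 'srcPort2']), SyslogMessage)),
-DstPortNumber = fromat_result(extract_all(@"(:\d{1,5}\s->\s(\d{1,3}\.){3}\d{1,3}:(?P<destPort1>\d{1,5})\s)|(\s(\d{1,3}\.){3}\d{1,3}\s(\d{1,3}\.){3}\d{1,3}\s\d{1,5}\s(?P<destPort2>\d{1,5})\s)", dynamic(['destPort1', 'destPort2']), SyslogMessage))
+| extend
+PolicyName = replace("-00", "", extract(@"\s\(([-\w\s]*?(-00|\sPolicy|DVCP-BOVPN-Allow-in))\)$", 1, SyslogMessage, typeof(string)))
+, PolicyAction = extract("msg_id=\".*?\"\\s(\\w+?)\\s.*(Policy|-00|DVCP-BOVPN-Allow-in)\\)$", 1, SyslogMessage)
+, ProxyName = extract("Proxy.*?: ([\\w\\s]+)", 1, SyslogMessage)
+, Application = extract("app_name=\"(.*?)\"", 1, SyslogMessage)
+, MessageId = extract("msg_id=\"(.*?)\"", 1, SyslogMessage)
+, EventMessage = extract("msg=\"(.*?)\"", 1, SyslogMessage)
+, EventVendor = "Watchguard"
+, EventProduct = "Firebox"
+, EventType="Traffic"
+, EventSchemaVersion="1.0.0"
+, EventProductVersion = extract("Watchguard loggerd (.*?) ", 1, SyslogMessage)
+, SrcUserName = extract("Authentication of .*?\\[(.*?)@.*?\\].*?\\s", 1, SyslogMessage)
+, DvcInboundInterface = extract("msg_id=\"3100-002C\" \\[(.*)\\]", 1, SyslogMessage)
+, InterfaceStatus = extract("Interface link status changed to ([\\w\\s]+)", 1, SyslogMessage)
+, BOVPNInterface = extract("msg_id=\"0207-0001\".*\'(.*)\'", 1, SyslogMessage)
+, BOVPNStatus = extract("BOVPN IPSec tunnel is (.*). local", 1, SyslogMessage)
+, DstGeoCountry = extract("geo_dst=\"(.*?)\"", 1, SyslogMessage)
+, SrcGeoCountry = extract("geo_src=\"(.*?)\"", 1, SyslogMessage)
+, SrcBytes = todouble(extract("sent_bytes=\"(.*?)\"", 1, SyslogMessage))
+, DstBytes = todouble(extract("rcvd_bytes=\"(.*?)\"", 1, SyslogMessage))
+, FireboxManageUser = extract("Management user (.*?)@", 1, SyslogMessage)
+, SrcIpAddr = fromat_result(extract_all(@"(:\s(?P<srcIp1>(\d{1,3}\.){3}\d{1,3}):\d{1,5}\s->\s)|(\s(?P<srcIp2>(\d{1,3}\.){3}\d{1,3})\s(\d{1,3}\.){3}\d{1,3}\s)", dynamic(['srcIp1', 'srcIp2']), SyslogMessage))
+, DstIpAddr = fromat_result(extract_all(@"(:\d{1,5}\s->\s(?P<destIp1>(\d{1,3}\.){3}\d{1,3}):\d{1,5}\s)|(\s(\d{1,3}\.){3}\d{1,3}\s(?P<destIp2>(\d{1,3}\.){3}\d{1,3})\s)", dynamic(['destIp1', 'destIp2']), SyslogMessage))
+, SrcPortNumber = fromat_result(extract_all(@"(:\s(\d{1,3}\.){3}\d{1,3}:(?P<srcPort1>\d{1,5})\s->\s)|(\s(\d{1,3}\.){3}\d{1,3}\s(\d{1,3}\.){3}\d{1,3}\s(?P<srcPort2>\d{1,5})\s)", dynamic(['srcPort1', 'srcPort2']), SyslogMessage))
+, DstPortNumber = fromat_result(extract_all(@"(:\d{1,5}\s->\s(\d{1,3}\.){3}\d{1,3}:(?P<destPort1>\d{1,5})\s)|(\s(\d{1,3}\.){3}\d{1,3}\s(\d{1,3}\.){3}\d{1,3}\s\d{1,5}\s(?P<destPort2>\d{1,5})\s)", dynamic(['destPort1', 'destPort2']), SyslogMessage))
+| extend
+DvcAction = case(PolicyAction has "Allow", "Allow", PolicyAction has "Deny", "Deny", PolicyAction has "Drop", "Drop", "")
+, EventResult = case(PolicyAction has "Allow", "Success", "Failure")
+, EventTimeIngested = ingestion_time()
+, EventCount = toint(1)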
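Review bot: `EventResult = case(PolicyAction has "Allow", "Success", "Failure")` in the final extend labels every row without an Allow action as a failure, which includes the interface-status, BOVPN, authentication and management-user messages this parser also extracts, so any detection keyed on EventResult == "Failure" will fire on benign status lines; the same applies to `EventType="Traffic"`, which is assigned unconditionally. Mirror the empty-string fallback already used for DvcAction on the line above: `, EventResult = case(PolicyAction has "Allow", "Success", PolicyAction has "Deny" or PolicyAction has "Drop", "Failure", "")`, and consider deriving EventType from MessageId or the presence of PolicyAction rather than a constant. The misspelled helper `fromat_result` is carried over from the old code; renaming it to `format_result` in both definition and the four call sites would avoid confusing future maintainers. The query is on the unfiltered Syslog table, so these columns are computed for every syslog row, not only WatchGuard ones; whether a vendor/process filter is meant to sit before this hunk is not visible here.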