Merge pull request #3113 from socprime/ImpervaCloudWAF_parse_CEF_inside_function

ImpervaCloudWAF: add CEF parsing inside the function
v-jayakal 2021-10-14 19:48:30 -07:00 коммит произвёл GitHub
Родитель 497d908a4b 8060b6b7a8
Коммит a778b2b5d8
5 изменённых файлов: 312 добавлений и 108 удалений


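--- a/<path not shown: ImpervaWAFCloud_CL table schema JSON>
+++ b/<path not shown: ImpervaWAFCloud_CL table schema JSON>
@@ -1,13 +1,153 @@
 {
-"Name": "ImpervaWAFCloud_CL",
-"Properties": [
-{
-"Name": "TimeGenerated",
-"Type": "datetime"
-},
-{
-"Name": "Message",
-"Type": "string"
-}
+"Name":"ImpervaWAFCloud_CL",
+"Properties":[
+{
+"Name":"EventVendor_s",
+"Type":"String"
+},
+{
+"Name":"EventProduct_s",
+"Type":"String"
+},
+{
+"Name":"EventType_s",
+"Type":"String"
+},
+{
+"Name":"severity_s",
+"Type":"String"
+},
+{
+"Name":"act_s",
+"Type":"String"
+},
+{
+"Name":"app_s",
+"Type":"String"
+},
+{
+"Name":"ccode_s",
+"Type":"String"
+},
+{
+"Name":"cicode_s",
+"Type":"String"
+},
+{
+"Name":"cn1_s",
+"Type":"String"
+},
+{
+"Name":"cpt_s",
+"Type":"String"
+},
+{
+"Name":"Customer_s",
+"Type":"String"
+},
+{
+"Name":"deviceExternalId_s",
+"Type":"String"
+},
+{
+"Name":"deviceFacility_s",
+"Type":"String"
+},
+{
+"Name":"dproc_s",
+"Type":"String"
+},
+{
+"Name":"end_s",
+"Type":"String"
+},
+{
+"Name":"fileId_s",
+"Type":"String"
+},
+{
+"Name":"postbody_s",
+"Type":"String"
+},
+{
+"Name":"qstr_s",
+"Type":"String"
+},
+{
+"Name":"request_s",
+"Type":"String"
+},
+{
+"Name":"requestClientApplication_s",
+"Type":"String"
+},
+{
+"Name":"requestMethod_s",
+"Type":"String"
+},
+{
+"Name":"sip_s",
+"Type":"String"
+},
+{
+"Name":"siteid_s",
+"Type":"String"
+},
+{
+"Name":"sourceServiceName_s",
+"Type":"String"
+},
+{
+"Name":"spt_s",
+"Type":"String"
+},
+{
+"Name":"src_s",
+"Type":"String"
+},
+{
+"Name":"start_s",
+"Type":"String"
+},
+{
+"Name":"suid_s",
+"Type":"String"
+},
+{
+"Name":"ver_s",
+"Type":"String"
+},
+{
+"Name":"xff_s",
+"Type":"String"
+},
+{
+"Name":"CapSupport_s",
+"Type":"String"
+},
+{
+"Name":"clapp_s",
+"Type":"String"
+},
+{
+"Name":"clappsig_s",
+"Type":"String"
+},
+{
+"Name":"COSupport_s",
+"Type":"String"
+},
+{
+"Name":"latitude_s",
+"Type":"String"
+},
+{
+"Name":"longitude_s",
+"Type":"String"
+},
+{
+"Name":"VID_g",
+"Type":"String"
+}
 ]
-}
+}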
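Review bot: The new schema declares `severity_s`, but the function's `parse_cef` in this PR only extracts `key=value` extension pairs, so the CEF header severity (`Normal`, `SQL Injection` in the removed samples) is never emitted and this column stays empty unless the Python side is extended. `JavascriptSupport_s` (from `cs2Label=Javascript Support`, present in every sample) is not declared although the parser now produces that key, while `VID_g` is declared with `"Type":"String"` even though the `_g` suffix appears to denote a GUID-typed column — pick one and keep the name and type consistent. The `"Type"` values also changed from `"string"`/`"datetime"` to `"String"`; confirm whatever consumes this file is case-insensitive.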


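--- a/<path not shown: ImpervaWAFCloud sample data JSON>
+++ b/<path not shown: ImpervaWAFCloud sample data JSON>
@@ -1,35 +1,107 @@
 [
-{
-"Message":"CEF:0|Incapsula|SIEMintegration|1|1|Normal|0| fileId=438000490120534212 sourceServiceName=jsc6wzftsr8pj2zk.company.name siteid=61539044 suid=1843222 requestClientApplication=Expanse indexes the network perimeters of our customers. If you have any questions or concerns, please reach out to: sanitized@sanitized.com deviceFacility=atl cs2=false cs2Label=Javascript Support cs3=false cs3Label=CO Support cs1=NA cs1Label=Cap Support cs4=a5a4c376-25b5-4c45-9ca5-ee62559c9540 cs4Label=VID cs5=27f1a8f2e99bd4a64e1b9b7deaad6c028c0cd935eab7e772d6b541a0817a54f02afdf5ece1cf5aacd2f792b16534eee4 cs5Label=clappsig dproc=Crawler cs6=Expanse cs6Label=clapp ccode=US cicode=Atlanta cs7=33.7485 cs7Label=latitude cs8=-84.3871 cs8Label=longitude Customer=sanitized@sanitized.com start=1624809714018 request=jsc6wzftsr8pj2zk.company.name/ requestMethod=GET cn1=200 app=HTTP act=REQ_CACHED_FRESH deviceExternalId=269605585508764744 sip=0.0.0.0 spt=0 in=4591 xff=172.105.147.48 cpt=42709 src=172.105.147.48 end=1624809714271"
-},
-{
-"Message":"CEF:0|Incapsula|SIEMintegration|1|1|Normal|0| fileId=387000480007874940 sourceServiceName=jsc6wzftsr8pj2zk.company.name siteid=61539044 suid=1843222 requestClientApplication=Expanse indexes the network perimeters of our customers. If you have any questions or concerns, please reach out to: sanitized@sanitized.com deviceFacility=atl cs2=false cs2Label=Javascript Support cs3=false cs3Label=CO Support cs1=NA cs1Label=Cap Support cs4=265c4484-b748-4ef3-882f-57825e0ad07a cs4Label=VID cs5=27f1a8f2e99bd4a64e1b9b7deaad6c028c0cd935eab7e772d6b541a0817a54f02afdf5ece1cf5aacd2f792b16534eee4 cs5Label=clappsig dproc=Crawler cs6=Expanse cs6Label=clapp ccode=US cicode=Atlanta cs7=33.7485 cs7Label=latitude cs8=-84.3871 cs8Label=longitude Customer=sanitized@sanitized.com start=1624809715984 request=jsc6wzftsr8pj2zk.company.name/ requestMethod=GET app=HTTP act=REQ_BAD_CLIENT_CLOSED_CONNECTION deviceExternalId=9285040714484748 sip=33.33.33.33 spt=8000 xff=172.105.147.33 cpt=45469 src=172.105.147.33 end=1624809725983"
-},
-{
-"Message":"CEF:0|Incapsula|SIEMintegration|1|1|Normal|0| fileId=239000010038734543 sourceServiceName=jsc6wzftsr8pj2zk.company.name siteid=61539044 suid=1843222 requestClientApplication=Expanse indexes the network perimeters of our customers. If you have any questions or concerns, please reach out to: sanitized@sanitized.com deviceFacility=atl cs2=false cs2Label=Javascript Support cs3=false cs3Label=CO Support cs1=NA cs1Label=Cap Support cs4=fbc79214-dbc9-4139-aaf7-b41c1ca93d32 cs4Label=VID cs5=27f1a8f2e99bd4a64e1b9b7deaad6c028c0cd935eab7e772d6b541a0817a54f02afdf5ece1cf5aacd2f792b16534eee4 cs5Label=clappsig dproc=Crawler cs6=Expanse cs6Label=clapp ccode=US cicode=Atlanta cs7=33.7485 cs7Label=latitude cs8=-84.3871 cs8Label=longitude Customer=sanitized@sanitized.com start=1624809710277 request=jsc6wzftsr8pj2zk.company.name/ requestMethod=GET app=HTTP act=REQ_BAD_CLIENT_CLOSED_CONNECTION deviceExternalId=130691654354927691 sip=33.33.33.33 spt=8088 xff=172.105.147.28 cpt=38691 src=172.105.147.28 end=1624809720276"
-},
-{
-"Message":"CEF:0|Incapsula|SIEMintegration|1|1|Normal|0| fileId=438000490120554325 sourceServiceName=jsc6wzftsr8pj2zk.company.name siteid=61539044 suid=1843222 requestClientApplication=Expanse indexes the network perimeters of our customers. If you have any questions or concerns, please reach out to: sanitized@sanitized.com deviceFacility=atl cs2=false cs2Label=Javascript Support cs3=false cs3Label=CO Support cs1=NA cs1Label=Cap Support cs4=5117ee43-9fb8-4cc0-8511-da04c8bb6be2 cs4Label=VID cs5=27f1a8f2e99bd4a64e1b9b7deaad6c028c0cd935eab7e772d6b541a0817a54f02afdf5ece1cf5aacd2f792b16534eee4 cs5Label=clappsig dproc=Crawler cs6=Expanse cs6Label=clapp ccode=US cicode=Atlanta cs7=33.7485 cs7Label=latitude cs8=-84.3871 cs8Label=longitude Customer=sanitized@sanitized.com start=1624809796792 request=jsc6wzftsr8pj2zk.company.name/ requestMethod=GET cn1=200 app=HTTP act=REQ_CACHED_FRESH deviceExternalId=461836287179361353 in=4591 cpt=50803 src=172.105.147.18 end=1624809796793"
-},
-{
-"Message":"CEF:0|Incapsula|SIEMintegration|1|1|Normal|0| fileId=440000430117303719 sourceServiceName=jsc6wzftsr8pj2zk.company.name siteid=61539044 suid=1843222 requestClientApplication=Expanse indexes the network perimeters of our customers. If you have any questions or concerns, please reach out to: sanitized@sanitized.com deviceFacility=atl cs2=false cs2Label=Javascript Support cs3=false cs3Label=CO Support cs1=NA cs1Label=Cap Support cs4=394706e1-2fc9-4e4d-9e91-a4b92894710d cs4Label=VID cs5=27f1a8f2e99bd4a64e1b9b7deaad6c028c0cd935eab7e772d6b541a0817a54f02afdf5ece1cf5aacd2f792b16534eee4 cs5Label=clappsig dproc=Crawler cs6=Expanse cs6Label=clapp ccode=US cicode=Atlanta cs7=33.7485 cs7Label=latitude cs8=-84.3871 cs8Label=longitude Customer=sanitized@sanitized.com start=1624809766257 request=jsc6wzftsr8pj2zk.company.name/ requestMethod=GET cn1=200 app=HTTP act=REQ_CACHED_FRESH deviceExternalId=253248855397108424 sip=0.0.0.0 spt=0 in=4591 xff=172.105.147.39 cpt=38965 src=172.105.147.39 end=1624809766259"
-},
-{
-"Message":"CEF:0|Incapsula|SIEMintegration|1|1|Normal|0| fileId=386000440152318281 sourceServiceName=jsc6wzftsr8pj2zk.company.name siteid=61539044 suid=1843222 requestClientApplication=Expanse indexes the network perimeters of our customers. If you have any questions or concerns, please reach out to: sanitized@sanitized.com deviceFacility=atl cs2=false cs2Label=Javascript Support cs3=false cs3Label=CO Support cs1=NA cs1Label=Cap Support cs4=6d10d09c-499e-43d3-a19e-609fb1627b08 cs4Label=VID cs5=27f1a8f2e99bd4a64e1b9b7deaad6c028c0cd935eab7e772d6b541a0817a54f02afdf5ece1cf5aacd2f792b16534eee4 cs5Label=clappsig dproc=Crawler cs6=Expanse cs6Label=clapp ccode=US cicode=Atlanta cs7=33.7485 cs7Label=latitude cs8=-84.3871 cs8Label=longitude Customer=sanitized@sanitized.com start=1624809852890 request=jsc6wzftsr8pj2zk.company.name/ requestMethod=GET app=HTTP act=REQ_BAD_CLIENT_CLOSED_CONNECTION deviceExternalId=327986650758122251 sip=33.33.33.33 spt=8081 xff=172.105.147.82 cpt=58207 src=172.105.147.82 end=1624809864234"
-},
-{
-"Message":"CEF:0|Incapsula|SIEMintegration|1|1|Normal|0| fileId=1244000410177421731 sourceServiceName=jsc6wzftsr8pj2zk.company.name siteid=61539044 suid=1843222 requestClientApplication=Expanse indexes the network perimeters of our customers. If you have any questions or concerns, please reach out to: sanitized@sanitized.com deviceFacility=atl cs2=false cs2Label=Javascript Support cs3=false cs3Label=CO Support cs1=NA cs1Label=Cap Support cs4=cb2d92a4-c3c2-4d11-ad89-ecfc36da7afc cs4Label=VID cs5=27f1a8f2e99bd4a64e1b9b7deaad6c028c0cd935eab7e772d6b541a0817a54f02afdf5ece1cf5aacd2f792b16534eee4 cs5Label=clappsig dproc=Crawler cs6=Expanse cs6Label=clapp ccode=US cicode=Atlanta cs7=33.7485 cs7Label=latitude cs8=-84.3871 cs8Label=longitude Customer=sanitized@sanitized.com start=1624809803325 request=jsc6wzftsr8pj2zk.company.name/ requestMethod=GET app=HTTP act=REQ_BAD_CLIENT_CLOSED_CONNECTION deviceExternalId=671492671950031436 sip=33.33.33.33 spt=8080 xff=172.105.147.41 cpt=59969 src=172.105.147.41 end=1624809813324"
-},
-{
-"Message":"CEF:0|Incapsula|SIEMintegration|1|1|Normal|0| fileId=440000430117319678 sourceServiceName=jsc6wzftsr8pj2zk.company.name siteid=61539044 suid=1843222 requestClientApplication=Expanse indexes the network perimeters of our customers. If you have any questions or concerns, please reach out to: sanitized@sanitized.com deviceFacility=atl cs2=false cs2Label=Javascript Support cs3=false cs3Label=CO Support cs1=NA cs1Label=Cap Support cs4=47c3c3c8-e681-40c6-a61b-470f63e5d738 cs4Label=VID cs5=27f1a8f2e99bd4a64e1b9b7deaad6c028c0cd935eab7e772d6b541a0817a54f02afdf5ece1cf5aacd2f792b16534eee4 cs5Label=clappsig dproc=Crawler cs6=Expanse cs6Label=clapp ccode=US cicode=Atlanta cs7=33.7485 cs7Label=latitude cs8=-84.3871 cs8Label=longitude Customer=sanitized@sanitized.com start=1624809852528 request=jsc6wzftsr8pj2zk.company.name/ requestMethod=GET cn1=200 app=HTTP act=REQ_CACHED_FRESH deviceExternalId=185856506375703233 in=4591 cpt=51825 src=172.105.147.109 end=1624809852529"
-},
-{
-"Message":"CEF:0|Incapsula|SIEMintegration|1|1|SQL Injection|0| fileId=536000420203633562 sourceServiceName=jsc6wzftsr8pj2zk.company.name siteid=61539044 suid=1843222 requestClientApplication=Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36 deviceFacility=fra cs2=false cs2Label=Javascript Support cs3=false cs3Label=CO Support cs1=NA cs1Label=Cap Support cs4=3a5239f0-eba1-4d10-9edd-63d078ef11e7 cs4Label=VID cs5=1fa33ee720f821199422001fb69865785b18d140b29684b23ac978ead4910824acce04db7a799841bb033029b4c72b10e33740ea4d2972210f96e3365d25eb25f8148c211177e7e61effce9c12a7de9f1eea71dd57d107a464dfcc54046c78400f9eedd9b846bb0491abe72a4b988e7cd3e7117283cee9f556726334972b7ce9 cs5Label=clappsig dproc=Unclassified cs6=Bot cs6Label=clapp ccode=UA cicode=Kyiv cs7=50.5183 cs7Label=latitude cs8=30.5088 cs8Label=longitude Customer=sanitized@sanitized.com start=1624459989430 request=jsc6wzftsr8pj2zk.company.name/ requestMethod=GET qstr=e9db863b46KCYodWlkPSopKHVpZD0qKSkofCh1aWQ9KikodXNlclBhc3N3b3JkPXtNRDV9WDAzTU8xcW5aZFlkZ3lmZXVJTFBtUT09KSk app=HTTP act=REQ_BLOCKED_SESSION deviceExternalId=300754127159822978 cpt=63326 src=77.222.131.19 end=1624459989431 fileType=50033 filePermission=666 cs9= cs9Label=Rule name"
-},
-{
-"Message":"CEF:0|Incapsula|SIEMintegration|1|1|Normal|0| fileId=536000420203631383 sourceServiceName=jsc6wzftsr8pj2zk.company.name siteid=61539044 suid=1843222 requestClientApplication=Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36 deviceFacility=fra cs2=false cs2Label=Javascript Support cs3=false cs3Label=CO Support cs1=NA cs1Label=Cap Support cs4=d1703207-e303-4fe4-80bf-01bd53547442 cs4Label=VID cs5=1fa33ee720f821199422001fb69865785b18d140b29684b23ac978ead4910824acce04db7a799841bb033029b4c72b10e33740ea4d2972210f96e3365d25eb25f8148c211177e7e61effce9c12a7de9f1eea71dd57d107a464dfcc54046c78400f9eedd9b846bb0491abe72a4b988e7cd3e7117283cee9f556726334972b7ce9 cs5Label=clappsig dproc=Unclassified cs6=Bot cs6Label=clapp ccode=UA cicode=Kyiv cs7=50.5183 cs7Label=latitude cs8=30.5088 cs8Label=longitude Customer=sanitized@sanitized.com start=1624459982372 request=jsc6wzftsr8pj2zk.company.name/ requestMethod=POST postbody=testtrue&bf2e087242%2f%2a%2a%2fUN%2f%2a%2a%2fION%2f%2a%2a%2fSEL%2f%2a%2a%2fECT%2f%2a%2a%2fpassword%2f%2a%2a%2fFR%2fOM%2f%2a%2a%2fUsers%2f%2a%2a%2fWHE%2f%2a%2a%2fRE%2f%2a%2a%2fusersame%2f%2a%2a%2fLIKE%2f%2a%2a%2f%27tom%27-- cn1=405 app=HTTP act=REQ_PASSED deviceExternalId=133619516400208512 sip=33.153.23.33 spt=80 in=285 xff=33.33.33.33 cpt=61269 src=33.222.11.33 end=1624459982378"
-},
-{
-"Message":"CEF:0|Incapsula|SIEMintegration|1|1|Normal|0| fileId=1344000210263575150 sourceServiceName=jsc6wzftsr8pj2zk.company.name siteid=61539044 suid=1843222 requestClientApplication=Expanse, a Palo Alto Networks company, searches across the global IPv4 space multiple times per day to identify customers' presences on the Internet. If you would like to be excluded from our scans, please send IP addresses/domains to: sanitized@sanitized.com deviceFacility=iad cs2=false cs2Label=Javascript Support cs3=false cs3Label=CO Support cs1=NA cs1Label=Cap Support cs4=acd48a1b-daa0-4ef8-b4d0-9084708bf3a7 cs4Label=VID cs5=3ef4755ba073991770f204961c0d4e188c0cd935eab7e772d6b541a0817a54f02afdf5ece1cf5aacd2f792b16534eee4 cs5Label=clappsig dproc=Developer Tool cs6=Go HTTP library cs6Label=clapp ccode=US cicode=Washington cs7=38.894 cs7Label=latitude cs8=-77.0365 cs8Label=longitude Customer=sanitized@sanitized.com start=1624671299714 request=jsc6wzftsr8pj2zk.company.name/ requestMethod=GET app=HTTPS act=REQ_BAD_CLIENT_CLOSED_CONNECTION deviceExternalId=963340059111589198 sip=35.156.26.77 spt=8443 xff=33.83.33.23 cpt=39255 src=34.86.35.29 ver=TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 end=1624671309677"
-}
-]
+{
+"EventVendor":"Imperva",
+"EventProduct":"Incapsula",
+"EventType":"SIEMintegration",
+"fileId":"1229000390213161581",
+"sourceServiceName":"jsc6wzftsr8pj2zk.name",
+"siteid":"61539044",
+"suid":"1843222",
+"requestClientApplication":"Expanse, a Palo Alto Networks company, searches across the global IPv4 space multiple times per day to identify customers' presences on the Internet. If you would like to be excluded from our scans, please send IP addresses/domains to: sanitized@sanitized.com",
+"deviceFacility":"tor",
+"dproc":"Unclassified",
+"ccode":"BE",
+"cicode":"Brussels",
+"Customer":"sanitized@sanitized.com",
+"start":"1624670480815",
+"request":"jsc6wzftsr8pj2zk.name/",
+"requestMethod":"GET",
+"app":"HTTP",
+"act":"REQ_BAD_CLIENT_CLOSED_CONNECTION",
+"deviceExternalId":"666299974883805644",
+"sip":"35.156.26.77",
+"spt":"5000",
+"xff":"34.77.162.7",
+"cpt":"54249",
+"src":"34.77.162.7",
+"end":"1624670490723",
+"CapSupport":"NA",
+"JavascriptSupport":"false",
+"COSupport":"false",
+"VID":"6cfa21e8-5f7d-4567-a04c-605bcc30d08d",
+"clappsig":"27f1a8f2e99bd4a64e1b9b7deaad6c028c0cd935eab7e772d6b541a0817a54f02afdf5ece1cf5aacd2f792b16534eee4",
+"clapp":"Bot",
+"latitude":"50.8336",
+"longitude":"4.3337"
+},
+{
+"EventVendor":"Imperva",
+"EventProduct":"Incapsula",
+"EventType":"SIEMintegration",
+"fileId":"239000010038734543",
+"sourceServiceName":"jsc6wzftsr8pj2zk.name",
+"siteid":"61539044",
+"suid":"1843222",
+"requestClientApplication":"Expanse indexes the network perimeters of our customers. If you have any questions or concerns, please reach out to: sanitized@sanitized.com ",
+"deviceFacility":"atl",
+"dproc":"Crawler",
+"ccode":"US",
+"cicode":"Atlanta",
+"Customer":"sanitized@sanitized.com",
+"start":"1624809710277",
+"request":"jsc6wzftsr8pj2zk.name/",
+"requestMethod":"GET",
+"app":"HTTP",
+"act":"REQ_BAD_CLIENT_CLOSED_CONNECTION",
+"deviceExternalId":"130691654354927691",
+"sip":"35.156.26.77",
+"spt":"8088",
+"xff":"172.105.147.28",
+"cpt":"38691",
+"src":"172.105.147.28",
+"end":"1624809720276",
+"CapSupport":"NA",
+"JavascriptSupport":"false",
+"COSupport":"false",
+"VID":"fbc79214-dbc9-4139-aaf7-b41c1ca93d32",
+"clappsig":"27f1a8f2e99bd4a64e1b9b7deaad6c028c0cd935eab7e772d6b541a0817a54f02afdf5ece1cf5aacd2f792b16534eee4",
+"clapp":"Expanse",
+"latitude":"33.7485",
+"longitude":"-84.3871"
+},
+{
+"EventVendor":"Imperva",
+"EventProduct":"Incapsula",
+"EventType":"SIEMintegration",
+"fileId":"1244000410177421731",
+"sourceServiceName":"jsc6wzftsr8pj2zk.name",
+"siteid":"61539044",
+"suid":"1843222",
+"requestClientApplication":"Expanse indexes the network perimeters of our customers. If you have any questions or concerns, please reach out to: sanitized@sanitized.com",
+"deviceFacility":"atl",
+"dproc":"Crawler",
+"ccode":"US",
+"cicode":"Atlanta",
+"Customer":"sanitized@sanitized.com",
+"start":"1624809803325",
+"request":"jsc6wzftsr8pj2zk.name/",
+"requestMethod":"GET",
+"app":"HTTP",
+"act":"REQ_BAD_CLIENT_CLOSED_CONNECTION",
+"deviceExternalId":"671492671950031436",
+"sip":"35.156.26.77",
+"spt":"8080",
+"xff":"172.105.147.41",
+"cpt":"59969",
+"src":"172.105.147.41",
+"end":"1624809813324",
+"CapSupport":"NA",
+"JavascriptSupport":"false",
+"COSupport":"false",
+"VID":"cb2d92a4-c3c2-4d11-ad89-ecfc36da7afc",
+"clappsig":"27f1a8f2e99bd4a64e1b9b7deaad6c028c0cd935eab7e772d6b541a0817a54f02afdf5ece1cf5aacd2f792b16534eee4",
+"clapp":"Expanse",
+"latitude":"33.7485",
+"longitude":"-84.3871"
+}
+]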
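Review bot: The new sample records do not look like `parse_cef` output of the removed CEF lines: the records with `fileId` 239000010038734543 and 1244000410177421731 match removed samples whose `sip` was 33.33.33.33, yet all three new records carry `sip` 35.156.26.77, and the `requestClientApplication` value of the second record ends with a trailing space that the parser's regex would not leave in place, so the file appears hand-edited. The removed SQL-Injection, `postbody` and `ver` samples have no counterpart, so `qstr`, `postbody`, `ver` and any severity value are no longer represented in the fixture. Regenerating this file by running the function's parser over the original CEF lines would keep the sample data and the code in step.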

Двоичный файл не отображается.


@ -138,11 +138,26 @@ class ImpervaFilesHandler:
if events_data is not None:
for line in events_data.splitlines():
if "CEF" in line:
event_message = {"Message": line}
event_message = self.parse_cef(line)
events_arr.append(event_message)
for chunk in self.gen_chunks_to_object(events_arr, chunksize=1000):
self.sentinel.post_data(json.dumps(chunk), len(chunk), file_name)
def parse_cef(self,cef_raw):
rx = r'([^=\s]+)?=((?:[\\]=|[^=])+)(?:\s|$)'
parsed_cef = {"EventVendor": "Imperva", "EventProduct": "Incapsula", "EventType": "SIEMintegration"}
for key,val in re.findall(rx, cef_raw):
if val.startswith('"') and val.endswith('"'):
val = val[1:-1]
parsed_cef[key]=val
cs_array = ['cs1','cs2','cs3','cs4','cs5','cs6','cs7','cs8']
for elem in cs_array:
if parsed_cef[elem] is not None:
parsed_cef[(parsed_cef[f'{elem}Label']).replace(" ", "")] = parsed_cef[elem]
parsed_cef.pop(f'{elem}Label')
parsed_cef.pop(elem)
return parsed_cef
def gen_chunks_to_object(self, object, chunksize=100):
chunk = []
for index, line in enumerate(object):
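Review bot: `if parsed_cef[elem] is not None:` in the `cs_array` loop of `parse_cef` can never observe None — when a `cs1`..`cs8` key is absent the subscript raises KeyError, and the regex above only matches a non-empty value (an empty `cs9=` in the removed sample data is simply dropped), so an empty or missing cs field, or a missing `csNLabel`, now aborts the call; because the loop in the method above (which starts before this hunk) calls `self.parse_cef(line)` unguarded, one such line loses the whole file. Pop both halves with a default and only rename when both exist, as below. Separately, the key names are taken verbatim from the CEF text, and fields such as `requestClientApplication` carry client-supplied content in which any `token=value` run becomes a new key, so consider keeping only the expected key set before the dict is posted to the custom log table. Also confirm `re` is imported at the top of the file, which is outside this hunk.
```python
        cs_array = ['cs1','cs2','cs3','cs4','cs5','cs6','cs7','cs8']
        for elem in cs_array:
            # pop with defaults so a missing or empty cs field cannot raise KeyError
            label = parsed_cef.pop(f'{elem}Label', None)
            value = parsed_cef.pop(elem, None)
            if label is not None and value is not None:
                parsed_cef[label.replace(" ", "")] = value
        return parsed_cef
```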


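--- a/<path not shown: ImpervaWAFCloud KQL parser>
+++ b/<path not shown: ImpervaWAFCloud KQL parser>
@@ -3,64 +3,41 @@
 // Function usually takes 10-15 minutes to activate. You can then use function alias from any other queries (e.g. ImpervaWAFCloud | take 10).
 // Reference : Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions
 ImpervaWAFCloud_CL
-| where Message has "CEF"
-| extend logs = split(Message, "|")
-| extend product = logs[1]
-| extend type = logs[2]
-| extend severity = logs[5]
-| extend msg = logs[7]
-| extend Properties = extract_all(@"(?P<key>[^=\s]+)?=(?P<value>(?:[\\]=|[^=])+)(?:\s|$)", dynamic(["key","value"]), tostring(msg))
-| mv-apply Properties on (
-summarize make_bag(pack(tostring(Properties[0]), Properties[1]))
-)
-| evaluate bag_unpack(bag_)
-| extend packed = pack(
-replace(@"\s","",cs1Label), cs1,
-replace(@"\s","",cs2Label), cs2,
-replace(@"\s","",cs3Label), cs3,
-replace(@"\s","",cs4Label), cs4,
-replace(@"\s","",cs5Label), cs5,
-replace(@"\s","",cs6Label), cs6,
-replace(@"\s","",cs7Label), cs7,
-replace(@"\s","",cs8Label), cs8
-)
-| evaluate bag_unpack(packed)
-| project-away logs, msg, cs1, cs1Label, cs2, cs2Label, cs3, cs3Label, cs4,cs4Label, cs5,cs5Label, cs6, cs6Label, cs7, cs7Label, cs8, cs8Label, Message
-| extend EventVendor = "Imperva",
-EventProduct = product,
-EventType = type,
-EventSeverity = severity,
-DvcAction = act,
-NetworkApplicationProtocol = app,
-Country = ccode,
-City = cicode,
-HttpStatusCode = cn1,
-SrcPortNumber = cpt,
-AccountName = Customer,
-RequestId = deviceExternalId,
-PoPName = deviceFacility,
-BrowserType = dproc,
-EventEndTime = end,
-NetworkSessionId = fileId,
-PostBody = postbody,
-QueryString = qstr,
-UrlOriginal = request,
-HttpUserAgentOriginal = requestClientApplication,
-HttpRequestMethod = requestMethod,
-DstIpAddr = sip,
-SiteID = siteid,
-DstDomainHostname = sourceServiceName,
-DstPortNumber = spt,
-SrcIpAddr = src,
-EventStartTime = start,
-AccountID = suid,
-NetworkApplicationProtocoVersion = ver,
-HttpRequestXff = xff,
-CaptchaSupport = CapSupport,
-ClientApp = clapp,
-ClientAppSig = clappsig,
-CookiesSupport = COSupport,
-SrcGeoLatitude = latitude,
-SrcGeoLongitude = longitude,
-VisitorID = VID
-| project TimeGenerated, EventVendor, EventProduct, EventType, EventSeverity, DvcAction, NetworkApplicationProtocol, Country, City, HttpStatusCode, SrcPortNumber, AccountName, RequestId, PoPName, BrowserType, EventEndTime, NetworkSessionId, PostBody, QueryString, UrlOriginal, HttpUserAgentOriginal, HttpRequestMethod, DstIpAddr, SiteID, DstDomainHostname, DstPortNumber, SrcIpAddr, EventStartTime, AccountID, NetworkApplicationProtocoVersion, HttpRequestXff, CaptchaSupport, ClientApp, ClientAppSig, CookiesSupport, SrcGeoLatitude, SrcGeoLongitude, VisitorID, JavascriptSupport
+| extend EventVendor = EventVendor_s,
+EventProduct = EventProduct_s,
+EventType = EventType_s,
+EventSeverity = column_ifexists('severity_s', ''),
+DvcAction = column_ifexists('act_s', ''),
+NetworkApplicationProtocol = column_ifexists('app_s', ''),
+Country = column_ifexists('ccode_s', ''),
+City = column_ifexists('cicode_s', ''),
+HttpStatusCode = column_ifexists('cn1_s', ''),
+SrcPortNumber = column_ifexists('cpt_s', ''),
+AccountName = column_ifexists('Customer_s', ''),
+RequestId = column_ifexists('deviceExternalId_s', ''),
+PoPName = column_ifexists('deviceFacility_s', ''),
+BrowserType = column_ifexists('dproc_s', ''),
+EventEndTime = column_ifexists('end_s', ''),
+NetworkSessionId = column_ifexists('fileId_s', ''),
+PostBody = column_ifexists('postbody_s', ''),
+QueryString = column_ifexists('qstr_s', ''),
+UrlOriginal = column_ifexists('request_s', ''),
+HttpUserAgentOriginal = column_ifexists('requestClientApplication_s', ''),
+HttpRequestMethod = column_ifexists('requestMethod_s', ''),
+DstIpAddr = column_ifexists('sip_s', ''),
+SiteID = column_ifexists('siteid_s', ''),
+DstDomainHostname = column_ifexists('sourceServiceName_s', ''),
+DstPortNumber = column_ifexists('spt_s', ''),
+SrcIpAddr = column_ifexists('src_s', ''),
+EventStartTime = column_ifexists('start_s', ''),
+AccountID = column_ifexists('suid_s', ''),
+NetworkApplicationProtocoVersion = column_ifexists('ver_s', ''),
+HttpRequestXff = column_ifexists('xff_s', ''),
+CaptchaSupport = column_ifexists('CapSupport_s', ''),
+ClientApp = column_ifexists('clapp_s', ''),
+ClientAppSig = column_ifexists('clappsig_s', ''),
+CookiesSupport = column_ifexists('COSupport_s', ''),
+SrcGeoLatitude = column_ifexists('latitude_s', ''),
+SrcGeoLongitude = column_ifexists('longitude_s', ''),
+VisitorID = column_ifexists('VID_g', '')
+| project TimeGenerated, EventVendor, EventProduct, EventType, EventSeverity, DvcAction, NetworkApplicationProtocol, Country, City, HttpStatusCode, SrcPortNumber, AccountName, RequestId, PoPName, BrowserType, EventEndTime, NetworkSessionId, PostBody, QueryString, UrlOriginal, HttpUserAgentOriginal, HttpRequestMethod, DstIpAddr, SiteID, DstDomainHostname, DstPortNumber, SrcIpAddr, EventStartTime, AccountID, NetworkApplicationProtocoVersion, HttpRequestXff, CaptchaSupport, ClientApp, ClientAppSig, CookiesSupport, SrcGeoLatitude, SrcGeoLongitude, VisitorID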
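Review bot: `EventSeverity = column_ifexists('severity_s', '')` will always be an empty string with this PR's Python `parse_cef`, which emits only the `key=value` extension pairs and never the CEF header field the removed version read via `logs[5]`, so the detection-relevant severity (`SQL Injection` vs `Normal` in the old samples) is silently lost. The function should populate it, e.g. in `parse_cef`: `header = cef_raw.split('|')` followed by `parsed_cef['severity'] = header[5] if len(header) > 5 else ''`, matching the old index. `JavascriptSupport` is dropped from the final `project` although the parser now produces it (it appears in the new sample data), so add `JavascriptSupport = column_ifexists('JavascriptSupport_s', '')` and include it in the projection. The unconditional `EventVendor = EventVendor_s` (and the two lines after it) will presumably fail on a workspace that has not yet ingested any rows from the new function; `column_ifexists('EventVendor_s', 'Imperva')` would keep the parser usable across the transition.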