[ASIM Parsers] Generate deployable ARM templates from KQL function YAML files.

Parsers/ASimWebSession/ARM/ASimWebSession/ASimWebSession.json

@@ -35,7 +35,7 @@
             "displayName": "Web Session ASIM parser",
             "category": "ASIM",
             "FunctionAlias": "ASimWebSession",
-            "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimWebSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser| where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ExcludeASimWebSession' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet parser=(pack:bool=false){\nunion isfuzzy=true\n  vimWebSessionEmpty,\n  ASimWebSessionSquidProxy (ASimBuiltInDisabled or ('ExcludeASimWebSessionSquidProxy' in (DisabledParsers))),\n  ASimWebSessionZscalerZIA (ASimBuiltInDisabled or ('ExcludeASimWebSessionZscalerZIA' in (DisabledParsers))),\n  ASimWebSessionNative (disabled=(ASimBuiltInDisabled or ('ExcludeASimWebSessionNative' in (DisabledParsers)))),\n  ASimWebSessionVectraAI (pack=pack, disabled=(ASimBuiltInDisabled or ('ExcludeASimWebSessionVectraAI' in (DisabledParsers)))),\n  ASimWebSessionIIS (disabled=(ASimBuiltInDisabled or ('ExcludeASimWebSessionIIS' in (DisabledParsers)))),\n  ASimWebSessionPaloAltoCEF (ASimBuiltInDisabled or ('ExcludeASimWebSessionPaloAltoCEF' in (DisabledParsers)))\n}; \nparser (pack=pack)\n",
+            "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimWebSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser| where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ExcludeASimWebSession' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet parser=(pack:bool=false){\nunion isfuzzy=true\n  vimWebSessionEmpty,\n  ASimWebSessionSquidProxy (ASimBuiltInDisabled or ('ExcludeASimWebSessionSquidProxy' in (DisabledParsers))),\n  ASimWebSessionZscalerZIA (ASimBuiltInDisabled or ('ExcludeASimWebSessionZscalerZIA' in (DisabledParsers))),\n  ASimWebSessionNative (disabled=(ASimBuiltInDisabled or ('ExcludeASimWebSessionNative' in (DisabledParsers)))),\n  ASimWebSessionVectraAI (pack=pack, disabled=(ASimBuiltInDisabled or ('ExcludeASimWebSessionVectraAI' in (DisabledParsers)))),\n  ASimWebSessionIIS (disabled=(ASimBuiltInDisabled or ('ExcludeASimWebSessionIIS' in (DisabledParsers)))),\n  ASimWebSessionPaloAltoCEF (ASimBuiltInDisabled or ('ExcludeASimWebSessionPaloAltoCEF' in (DisabledParsers))),\n  ASimWebSessionApacheHTTPServer (ASimBuiltInDisabled or ('ExcludeASimWebSessionApacheHTTPServer' in (DisabledParsers))),\n  ASimWebSessionFortinetFortiGate (ASimBuiltInDisabled or ('ExcludeASimWebSessionFortinetFortiGate' in (DisabledParsers))),\n  ASimWebSessionCiscoMeraki (ASimBuiltInDisabled or ('ExcludeASimWebSessionCiscoMeraki' in (DisabledParsers))),\n  ASimWebSessionBarracudaWAF (ASimBuiltInDisabled or ('ExcludeASimWebSessionBarracudaWAF' in (DisabledParsers)))\n}; \nparser (pack=pack)\n",
             "version": 1,
             "functionParameters": "pack:bool=False"
           }

Parsers/ASimWebSession/ARM/ASimWebSessionApacheHTTPServer/ASimWebSessionApacheHTTPServer.json

@@ -0,0 +1,46 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "Workspace": {
+      "type": "string",
+      "metadata": {
+        "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group."
+      }
+    },
+    "WorkspaceRegion": {
+      "type": "string",
+      "defaultValue": "[resourceGroup().location]",
+      "metadata": {
+        "description": "The region of the selected workspace. The default value will use the Region selection above."
+      }
+    }
+  },
+  "resources": [
+    {
+      "type": "Microsoft.OperationalInsights/workspaces",
+      "apiVersion": "2017-03-15-preview",
+      "name": "[parameters('Workspace')]",
+      "location": "[parameters('WorkspaceRegion')]",
+      "resources": [
+        {
+          "type": "savedSearches",
+          "apiVersion": "2020-08-01",
+          "name": "ASimWebSessionApacheHTTPServer",
+          "dependsOn": [
+            "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
+          ],
+          "properties": {
+            "etag": "*",
+            "displayName": "Web Session ASIM parser for Apache HTTP Server",
+            "category": "ASIM",
+            "FunctionAlias": "ASimWebSessionApacheHTTPServer",
+            "query": "let Parser=(disabled:bool=false){\n  ApacheHTTPServer_CL\n  | where not(disabled)\n  | project  RawData, TimeGenerated, Computer, _ResourceId, Type, _ItemId\n  | where not (RawData startswith \"[\") \n  | where RawData has_any (\"GET\", \"HEAD\", \"POST\", \"PUT\", \"DELETE\", \"CONNECT\", \"OPTIONS\", \"TRACE\", \"PATCH\")\n  | parse RawData with * '] ' Temp'\"' *\n  | extend DstHostname = tostring(split(trim_end(\" \",Temp),\":\",0)[0])\n  | parse RawData with SrcIpAddr \" \" ClientIdentity \" \" SrcUsername \" [\" Date ']' * '\"' HttpRequestMethod \" \" Url \" \" Protocol '\" ' EventResultDetails \" \" DstBytes:long ' \"' HttpReferrer '\" \"' HttpUserAgent '\"' *\n  | project-away RawData, Date, ClientIdentity, Temp\n  | parse _ResourceId with * \"/subscriptions/\" DvcScopeId \"/\" *\n  | project-rename \n      DvcHostname    = Computer,\n      DvcId          = _ResourceId,\n      EventUid       = _ItemId\n  | extend \n      HttpVersion    = tostring(split(Protocol,\"/\")[1]),\n      EventStartTime = TimeGenerated,\n      EventEndTime   = TimeGenerated,\n      DvcIdType      = iff (DvcId == \"\", \"\", \"AzureResourceID\")\n  | extend \n      HttpStatusCode = EventResultDetails,\n      UserAgent      = HttpUserAgent,\n      EventResult    = iff (\n        toint(EventResultDetails) < 400, \"Success\", \n        \"Failure\"\n      ),\n      IpAddr         = SrcIpAddr,\n      Dvc            = DvcHostname,\n      User           = SrcUsername,\n      SrcUsername    = case(SrcUsername == \"-\", \"\", SrcUsername),\n      HttpReferrer   = case(HttpReferrer == \"-\", \"\", HttpReferrer),\n      HttpUserAgent  = case(HttpUserAgent == \"-\", \"\", HttpUserAgent),\n      DstHostname    = case(DstHostname == \"-\", \"\", DstHostname)\n  | extend SrcUsernameType = _ASIM_GetUsernameType(SrcUsername)\n  | project-away Protocol\n  | extend\n      EventType          = \"WebServerSession\", \n      EventSchema        = \"WebSession\",\n      EventSchemaVersion = \"0.2.6\",\n      EventCount         = int(1),\n      EventVendor        = \"Apache\",\n      EventProduct       = \"HTTP Server\",\n      EventSeverity      = \"Informational\"\n};\nParser (disabled=disabled)",
+            "version": 1,
+            "functionParameters": "disabled:bool=False"
+          }
+        }
+      ]
+    }
+  ]
+}

Parsers/ASimWebSession/ARM/ASimWebSessionApacheHTTPServer/README.md

@@ -0,0 +1,18 @@
+# Apache HTTP Server ASIM WebSession Normalization Parser
+
+ARM template for ASIM WebSession schema parser for Apache HTTP Server.
+
+This ASIM parser supports filtering and normalizing Apache HTTP Server logs produced by the Microsoft Sentinel Apache connector to the ASIM Web Session normalized schema.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM WebSession normalization schema reference](https://aka.ms/ASimWebSessionDoc)
+
+<br>
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimWebSession%2FARM%2FASimWebSessionApacheHTTPServer%2FASimWebSessionApacheHTTPServer.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimWebSession%2FARM%2FASimWebSessionApacheHTTPServer%2FASimWebSessionApacheHTTPServer.json)

Parsers/ASimWebSession/ARM/ASimWebSessionBarracudaWAF/README.md

@@ -0,0 +1,18 @@
+# Barracuda WAF ASIM WebSession Normalization Parser
+
+ARM template for ASIM WebSession schema parser for Barracuda WAF.
+
+This ASIM parser supports normalizing Barracuda WAF logs to the ASIM Web Session normalized schema.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM WebSession normalization schema reference](https://aka.ms/ASimWebSessionDoc)
+
+<br>
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimWebSession%2FARM%2FASimWebSessionBarracudaWAF%2FASimWebSessionBarracudaWAF.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimWebSession%2FARM%2FASimWebSessionBarracudaWAF%2FASimWebSessionBarracudaWAF.json)

Parsers/ASimWebSession/ARM/ASimWebSessionCiscoMeraki/README.md

@@ -0,0 +1,18 @@
+# Cisco Meraki ASIM WebSession Normalization Parser
+
+ARM template for ASIM WebSession schema parser for Cisco Meraki.
+
+This ASIM parser supports normalizing Cisco Meraki logs to the ASIM Web Session normalized schema. Cisco Meraki events are generated from network activity and security events from Meraki devices such as firewalls, switches, and access points. These logs are captured through the Cisco Meraki Sentinel connector which uses a Linux agent to collect logs in Syslog format.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM WebSession normalization schema reference](https://aka.ms/ASimWebSessionDoc)
+
+<br>
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimWebSession%2FARM%2FASimWebSessionCiscoMeraki%2FASimWebSessionCiscoMeraki.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimWebSession%2FARM%2FASimWebSessionCiscoMeraki%2FASimWebSessionCiscoMeraki.json)

Parsers/ASimWebSession/ARM/ASimWebSessionFortinetFortiGate/README.md

@@ -0,0 +1,18 @@
+# Fortinet FortiGate ASIM WebSession Normalization Parser
+
+ARM template for ASIM WebSession schema parser for Fortinet FortiGate.
+
+This ASIM parser supports filtering and normalizing Fortinet FortiGate logs produced by the Microsoft Sentinel Fortinet connector to the ASIM Web Session normalized schema.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM WebSession normalization schema reference](https://aka.ms/ASimWebSessionDoc)
+
+<br>
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimWebSession%2FARM%2FASimWebSessionFortinetFortiGate%2FASimWebSessionFortinetFortiGate.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimWebSession%2FARM%2FASimWebSessionFortinetFortiGate%2FASimWebSessionFortinetFortiGate.json)

Parsers/ASimWebSession/ARM/FullDeploymentWebSession.json

@@ -38,6 +38,86 @@
         }
       }
     },
+    {
+      "type": "Microsoft.Resources/deployments",
+      "apiVersion": "2020-10-01",
+      "name": "linkedASimWebSessionApacheHTTPServer",
+      "properties": {
+        "mode": "Incremental",
+        "templateLink": {
+          "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimWebSession/ARM/ASimWebSessionApacheHTTPServer/ASimWebSessionApacheHTTPServer.json",
+          "contentVersion": "1.0.0.0"
+        },
+        "parameters": {
+          "Workspace": {
+            "value": "[parameters('Workspace')]"
+          },
+          "WorkspaceRegion": {
+            "value": "[parameters('WorkspaceRegion')]"
+          }
+        }
+      }
+    },
+    {
+      "type": "Microsoft.Resources/deployments",
+      "apiVersion": "2020-10-01",
+      "name": "linkedASimWebSessionBarracudaWAF",
+      "properties": {
+        "mode": "Incremental",
+        "templateLink": {
+          "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimWebSession/ARM/ASimWebSessionBarracudaWAF/ASimWebSessionBarracudaWAF.json",
+          "contentVersion": "1.0.0.0"
+        },
+        "parameters": {
+          "Workspace": {
+            "value": "[parameters('Workspace')]"
+          },
+          "WorkspaceRegion": {
+            "value": "[parameters('WorkspaceRegion')]"
+          }
+        }
+      }
+    },
+    {
+      "type": "Microsoft.Resources/deployments",
+      "apiVersion": "2020-10-01",
+      "name": "linkedASimWebSessionCiscoMeraki",
+      "properties": {
+        "mode": "Incremental",
+        "templateLink": {
+          "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimWebSession/ARM/ASimWebSessionCiscoMeraki/ASimWebSessionCiscoMeraki.json",
+          "contentVersion": "1.0.0.0"
+        },
+        "parameters": {
+          "Workspace": {
+            "value": "[parameters('Workspace')]"
+          },
+          "WorkspaceRegion": {
+            "value": "[parameters('WorkspaceRegion')]"
+          }
+        }
+      }
+    },
+    {
+      "type": "Microsoft.Resources/deployments",
+      "apiVersion": "2020-10-01",
+      "name": "linkedASimWebSessionFortinetFortiGate",
+      "properties": {
+        "mode": "Incremental",
+        "templateLink": {
+          "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimWebSession/ARM/ASimWebSessionFortinetFortiGate/ASimWebSessionFortinetFortiGate.json",
+          "contentVersion": "1.0.0.0"
+        },
+        "parameters": {
+          "Workspace": {
+            "value": "[parameters('Workspace')]"
+          },
+          "WorkspaceRegion": {
+            "value": "[parameters('WorkspaceRegion')]"
+          }
+        }
+      }
+    },
     {
       "type": "Microsoft.Resources/deployments",
       "apiVersion": "2020-10-01",
@@ -178,6 +258,66 @@
         }
       }
     },
+    {
+      "type": "Microsoft.Resources/deployments",
+      "apiVersion": "2020-10-01",
+      "name": "linkedvimWebSessionApacheHTTPServer",
+      "properties": {
+        "mode": "Incremental",
+        "templateLink": {
+          "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimWebSession/ARM/vimWebSessionApacheHTTPServer/vimWebSessionApacheHTTPServer.json",
+          "contentVersion": "1.0.0.0"
+        },
+        "parameters": {
+          "Workspace": {
+            "value": "[parameters('Workspace')]"
+          },
+          "WorkspaceRegion": {
+            "value": "[parameters('WorkspaceRegion')]"
+          }
+        }
+      }
+    },
+    {
+      "type": "Microsoft.Resources/deployments",
+      "apiVersion": "2020-10-01",
+      "name": "linkedvimWebSessionBarracudaWAF",
+      "properties": {
+        "mode": "Incremental",
+        "templateLink": {
+          "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimWebSession/ARM/vimWebSessionBarracudaWAF/vimWebSessionBarracudaWAF.json",
+          "contentVersion": "1.0.0.0"
+        },
+        "parameters": {
+          "Workspace": {
+            "value": "[parameters('Workspace')]"
+          },
+          "WorkspaceRegion": {
+            "value": "[parameters('WorkspaceRegion')]"
+          }
+        }
+      }
+    },
+    {
+      "type": "Microsoft.Resources/deployments",
+      "apiVersion": "2020-10-01",
+      "name": "linkedvimWebSessionCiscoMeraki",
+      "properties": {
+        "mode": "Incremental",
+        "templateLink": {
+          "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimWebSession/ARM/vimWebSessionCiscoMeraki/vimWebSessionCiscoMeraki.json",
+          "contentVersion": "1.0.0.0"
+        },
+        "parameters": {
+          "Workspace": {
+            "value": "[parameters('Workspace')]"
+          },
+          "WorkspaceRegion": {
+            "value": "[parameters('WorkspaceRegion')]"
+          }
+        }
+      }
+    },
     {
       "type": "Microsoft.Resources/deployments",
       "apiVersion": "2020-10-01",
@@ -198,6 +338,26 @@
         }
       }
     },
+    {
+      "type": "Microsoft.Resources/deployments",
+      "apiVersion": "2020-10-01",
+      "name": "linkedvimWebSessionFortinetFortiGate",
+      "properties": {
+        "mode": "Incremental",
+        "templateLink": {
+          "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimWebSession/ARM/vimWebSessionFortinetFortiGate/vimWebSessionFortinetFortiGate.json",
+          "contentVersion": "1.0.0.0"
+        },
+        "parameters": {
+          "Workspace": {
+            "value": "[parameters('Workspace')]"
+          },
+          "WorkspaceRegion": {
+            "value": "[parameters('WorkspaceRegion')]"
+          }
+        }
+      }
+    },
     {
       "type": "Microsoft.Resources/deployments",
       "apiVersion": "2020-10-01",

Parsers/ASimWebSession/ARM/vimWebSessionApacheHTTPServer/README.md

@@ -0,0 +1,18 @@
+# Apache HTTP Server ASIM WebSession Normalization Parser
+
+ARM template for ASIM WebSession schema parser for Apache HTTP Server.
+
+This ASIM parser supports filtering and normalizing Apache HTTP Server logs produced by the Microsoft Sentinel Apache connector to the ASIM Web Session normalized schema.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM WebSession normalization schema reference](https://aka.ms/ASimWebSessionDoc)
+
+<br>
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimWebSession%2FARM%2FvimWebSessionApacheHTTPServer%2FvimWebSessionApacheHTTPServer.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimWebSession%2FARM%2FvimWebSessionApacheHTTPServer%2FvimWebSessionApacheHTTPServer.json)

Parsers/ASimWebSession/ARM/vimWebSessionApacheHTTPServer/vimWebSessionApacheHTTPServer.json

@@ -0,0 +1,46 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "Workspace": {
+      "type": "string",
+      "metadata": {
+        "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group."
+      }
+    },
+    "WorkspaceRegion": {
+      "type": "string",
+      "defaultValue": "[resourceGroup().location]",
+      "metadata": {
+        "description": "The region of the selected workspace. The default value will use the Region selection above."
+      }
+    }
+  },
+  "resources": [
+    {
+      "type": "Microsoft.OperationalInsights/workspaces",
+      "apiVersion": "2017-03-15-preview",
+      "name": "[parameters('Workspace')]",
+      "location": "[parameters('WorkspaceRegion')]",
+      "resources": [
+        {
+          "type": "savedSearches",
+          "apiVersion": "2020-08-01",
+          "name": "vimWebSessionApacheHTTPServer",
+          "dependsOn": [
+            "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
+          ],
+          "properties": {
+            "etag": "*",
+            "displayName": "Web Session ASIM Filtering parser for Apache HTTP Server",
+            "category": "ASIM",
+            "FunctionAlias": "vimWebSessionApacheHTTPServer",
+            "query": "let Parser=(\n  starttime:datetime               = datetime(null), \n  endtime:datetime                 = datetime(null),\n  srcipaddr_has_any_prefix:dynamic = dynamic([]),\n  ipaddr_has_any_prefix:dynamic    = dynamic([]), \n  url_has_any:dynamic              = dynamic([]),\n  httpuseragent_has_any:dynamic    = dynamic([]),\n  eventresultdetails_in:dynamic    = dynamic([]),\n  eventresult:string               = '*',\n  disabled:bool                    = false\n){\n  let src_or_any                = set_union(\n    srcipaddr_has_any_prefix,\n    ipaddr_has_any_prefix\n  ); \n  let remove_protocol_from_list = (list:dynamic)\n  {\n      print list\n      | mv-apply l = print_0 to typeof(string) on\n        ( extend l = substring(l,indexof(l,@'//')+2))\n      | project l\n  };\n  ApacheHTTPServer_CL\n  | where not(disabled)\n  | where (isnull(starttime) or TimeGenerated>=starttime) and (isnull(endtime) or TimeGenerated<=endtime)\n  | where (array_length(url_has_any) == 0 or RawData has_any (remove_protocol_from_list(url_has_any)))\n  | where (array_length(httpuseragent_has_any) == 0 or RawData has_any (httpuseragent_has_any))\n  | where (array_length(src_or_any) == 0 or RawData has_any (src_or_any))\n  | where (array_length(eventresultdetails_in) == 0 or RawData has_any (eventresultdetails_in))\n  | project RawData, TimeGenerated, Computer, _ResourceId, Type, _ItemId\n  | where not (RawData startswith \"[\") \n  | where RawData has_any (\"GET\", \"HEAD\", \"POST\", \"PUT\", \"DELETE\", \"CONNECT\", \"OPTIONS\", \"TRACE\", \"PATCH\")\n  | parse RawData with * '] ' Temp'\"' *\n  | where (array_length(url_has_any) == 0 or Temp has_any (remove_protocol_from_list(url_has_any)))\n  | extend DstHostname = tostring(split(trim_end(\" \",Temp),\":\",0)[0])\n  | parse RawData with SrcIpAddr \" \" ClientIdentity \" \" SrcUsername \" [\" Date ']' * '\"' HttpRequestMethod \" \" Url \" \" Protocol '\" ' EventResultDetails \" \" DstBytes:long ' \"' HttpReferrer '\" \"' HttpUserAgent '\"' *\n  | project-away RawData, Date, ClientIdentity, Temp\n  | where (array_length(url_has_any) == 0 or Url has_any (remove_protocol_from_list(url_has_any)))\n  | where (array_length(httpuseragent_has_any) == 0 or HttpUserAgent has_any (httpuseragent_has_any))\n  | where (array_length(eventresultdetails_in) == 0 or tostring(EventResultDetails) in (eventresultdetails_in))\n  | extend \n      temp_SrcMatch = has_any_ipv4_prefix(SrcIpAddr,src_or_any)\n  | extend ASimMatchingIpAddr = case(\n      array_length(src_or_any) == 0, \"-\",\n      temp_SrcMatch , \"SrcIpAddr\",\n      \"No match\") \n  | where ASimMatchingIpAddr != \"No match\" \n  | project-away temp_*\n  | extend EventResult    = iff (\n        toint(EventResultDetails) < 400, \"Success\", \n        \"Failure\"\n      )\n  | where (eventresult == '*' or EventResult =~ eventresult)\n  | extend SrcUsername    = case(SrcUsername == \"-\", \"\", SrcUsername),\n      HttpReferrer        = case(HttpReferrer == \"-\", \"\", HttpReferrer),\n      HttpUserAgent       = case(HttpUserAgent == \"-\", \"\", HttpUserAgent),\n      DstHostname         = case(DstHostname == \"-\", \"\", DstHostname)    \n  | extend SrcUsernameType = _ASIM_GetUsernameType(SrcUsername)\n  | parse _ResourceId with * \"/subscriptions/\" DvcScopeId \"/\" *\n  | project-rename \n      Dst            = DstHostname,\n      DvcHostname    = Computer,\n      DvcId          = _ResourceId,\n      EventUid       = _ItemId\n  | extend \n      HttpVersion    = tostring(split(Protocol,\"/\")[1]),\n      EventStartTime = TimeGenerated,\n      EventEndTime   = TimeGenerated,\n      DvcIdType      = iff (DvcId == \"\", \"\", \"AzureResourceID\")\n  | extend \n      HttpStatusCode = EventResultDetails,\n      UserAgent      = HttpUserAgent,\n      IpAddr         = SrcIpAddr,\n      Dvc            = DvcHostname,\n      User           = SrcUsername\n  | project-away Protocol\n  | extend\n      EventType          = \"WebServerSession\", \n      EventSchema        = \"WebSession\",\n      EventSchemaVersion = \"0.2.6\",\n      EventCount         = int(1),\n      EventVendor        = \"Apache\",\n      EventProduct       = \"HTTP Server\",\n      EventSeverity      = \"Informational\"\n};\nParser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)",
+            "version": 1,
+            "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),url_has_any:dynamic=dynamic([]),httpuseragent_has_any:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False"
+          }
+        }
+      ]
+    }
+  ]
+}

Parsers/ASimWebSession/ARM/vimWebSessionBarracudaWAF/README.md

@@ -0,0 +1,18 @@
+# Barracuda WAF ASIM WebSession Normalization Parser
+
+ARM template for ASIM WebSession schema parser for Barracuda WAF.
+
+This ASIM parser supports filtering and normalizing Barracuda WAF logs to the ASIM Web Session normalized schema.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM WebSession normalization schema reference](https://aka.ms/ASimWebSessionDoc)
+
+<br>
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimWebSession%2FARM%2FvimWebSessionBarracudaWAF%2FvimWebSessionBarracudaWAF.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimWebSession%2FARM%2FvimWebSessionBarracudaWAF%2FvimWebSessionBarracudaWAF.json)

Parsers/ASimWebSession/ARM/vimWebSessionCiscoMeraki/README.md

@@ -0,0 +1,18 @@
+# Cisco Meraki ASIM WebSession Normalization Parser
+
+ARM template for ASIM WebSession schema parser for Cisco Meraki.
+
+This ASIM parser supports normalizing Cisco Meraki logs to the ASIM Web Session normalized schema. Cisco Meraki events are generated from network activity and security events from Meraki devices such as firewalls, switches, and access points. These logs are captured through the Cisco Meraki Sentinel connector which uses a Linux agent to collect logs in Syslog format.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM WebSession normalization schema reference](https://aka.ms/ASimWebSessionDoc)
+
+<br>
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimWebSession%2FARM%2FvimWebSessionCiscoMeraki%2FvimWebSessionCiscoMeraki.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimWebSession%2FARM%2FvimWebSessionCiscoMeraki%2FvimWebSessionCiscoMeraki.json)

Parsers/ASimWebSession/ARM/vimWebSessionFortinetFortiGate/README.md

@@ -0,0 +1,18 @@
+# Fortinet FortiGate ASIM WebSession Normalization Parser
+
+ARM template for ASIM WebSession schema parser for Fortinet FortiGate.
+
+This ASIM parser supports filtering and normalizing Fortinet FortiGate logs produced by the Microsoft Sentinel Fortinet connector to the ASIM Web Session normalized schema.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM WebSession normalization schema reference](https://aka.ms/ASimWebSessionDoc)
+
+<br>
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimWebSession%2FARM%2FvimWebSessionFortinetFortiGate%2FvimWebSessionFortinetFortiGate.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimWebSession%2FARM%2FvimWebSessionFortinetFortiGate%2FvimWebSessionFortinetFortiGate.json)