Adding new ASim Network Parser for Cisco Meraki (#5127)

* Adding new ASim Network Parser for Cisco Meraki

* [ASIM Parsers] Generate deployable ARM templates from KQL function YAML files.

Co-authored-by: github-actions[bot] <>
Devika Mehra 2022-05-26 14:02:27 +05:30 коммит произвёл GitHub
Родитель 0aa52bcb5b
Коммит ce4e48d6c7
14 изменённых файлов: 1443 добавлений и 145 удалений


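--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,605 @@
+{
+"Name": "CiscoMerakiNativePoller_CL",
+"Properties": [
+{
+"Name": "TimeGenerated",
+"Type": "DateTime"
+},
+{
+"Name": "EventCount",
+"Type": "Int"
+},
+{
+"Name": "EventSchemaVersion",
+"Type": "String"
+},
+{
+"Name": "EventSchema",
+"Type": "String"
+},
+{
+"Name": "DvcAction",
+"Type": "String"
+},
+{
+"Name": "EventMessage",
+"Type": "String"
+},
+{
+"Name": "EventSeverity",
+"Type": "String"
+},
+{
+"Name": "EventStartTime",
+"Type": "DateTime"
+},
+{
+"Name": "EventEndTime",
+"Type": "DateTime"
+},
+{
+"Name": "DvcMacAddr",
+"Type": "String"
+},
+{
+"Name": "Dvc",
+"Type": "String"
+},
+{
+"Name": "DvcZone",
+"Type": "String"
+},
+{
+"Name": "EventProductVersion",
+"Type": "String"
+},
+{
+"Name": "DvcOriginalAction",
+"Type": "String"
+},
+{
+"Name": "DvcInterface",
+"Type": "String"
+},
+{
+"Name": "DvcSubscriptionId",
+"Type": "String"
+},
+{
+"Name": "EventOriginalSeverity",
+"Type": "String"
+},
+{
+"Name": "EventOriginalSubType",
+"Type": "String"
+},
+{
+"Name": "NetworkApplicationProtocol",
+"Type": "String"
+},
+{
+"Name": "NetworkProtocolVersion",
+"Type": "String"
+},
+{
+"Name": "NetworkDirection",
+"Type": "String"
+},
+{
+"Name": "NetworkIcmpCode",
+"Type": "Int"
+},
+{
+"Name": "NetworkIcmpType",
+"Type": "String"
+},
+{
+"Name": "NetworkConnectionHistory",
+"Type": "String"
+},
+{
+"Name": "DstBytes",
+"Type": "Long"
+},
+{
+"Name": "SrcBytes",
+"Type": "Long"
+},
+{
+"Name": "NetworkBytes",
+"Type": "Long"
+},
+{
+"Name": "DstPackets",
+"Type": "Long"
+},
+{
+"Name": "SrcPackets",
+"Type": "Long"
+},
+{
+"Name": "NetworkPackets",
+"Type": "Long"
+},
+{
+"Name": "NetworkSessionId",
+"Type": "String"
+},
+{
+"Name": "DstZone",
+"Type": "String"
+},
+{
+"Name": "DstInterfaceName",
+"Type": "String"
+},
+{
+"Name": "DstInterfaceGuid",
+"Type": "String"
+},
+{
+"Name": "DstMacAddr",
+"Type": "String"
+},
+{
+"Name": "DstVlanId",
+"Type": "String"
+},
+{
+"Name": "DstSubscriptionId",
+"Type": "String"
+},
+{
+"Name": "DstGeoCountry",
+"Type": "String"
+},
+{
+"Name": "DstGeoRegion",
+"Type": "String"
+},
+{
+"Name": "DstGeoCity",
+"Type": "String"
+},
+{
+"Name": "DstGeoLatitude",
+"Type": "Double"
+},
+{
+"Name": "DstGeoLongitude",
+"Type": "Double"
+},
+{
+"Name": "DstUserId",
+"Type": "String"
+},
+{
+"Name": "DstUserIdType",
+"Type": "String"
+},
+{
+"Name": "DstUsername",
+"Type": "String"
+},
+{
+"Name": "DstUsernameType",
+"Type": "String"
+},
+{
+"Name": "DstUserType",
+"Type": "String"
+},
+{
+"Name": "DstOriginalUserType",
+"Type": "String"
+},
+{
+"Name": "DstAppName",
+"Type": "String"
+},
+{
+"Name": "DstAppId",
+"Type": "String"
+},
+{
+"Name": "DstAppType",
+"Type": "String"
+},
+{
+"Name": "SrcZone",
+"Type": "String"
+},
+{
+"Name": "SrcInterfaceName",
+"Type": "String"
+},
+{
+"Name": "SrcInterfaceGuid",
+"Type": "String"
+},
+{
+"Name": "SrcMacAddr",
+"Type": "String"
+},
+{
+"Name": "SrcVlanId",
+"Type": "String"
+},
+{
+"Name": "SrcSubscriptionId",
+"Type": "String"
+},
+{
+"Name": "SrcGeoCountry",
+"Type": "String"
+},
+{
+"Name": "SrcGeoRegion",
+"Type": "String"
+},
+{
+"Name": "SrcGeoCity",
+"Type": "String"
+},
+{
+"Name": "SrcGeoLatitude",
+"Type": "Double"
+},
+{
+"Name": "SrcGeoLongitude",
+"Type": "Double"
+},
+{
+"Name": "SrcAppName",
+"Type": "String"
+},
+{
+"Name": "SrcAppId",
+"Type": "String"
+},
+{
+"Name": "SrcAppType",
+"Type": "String"
+},
+{
+"Name": "DstNatIpAddr",
+"Type": "String"
+},
+{
+"Name": "DstNatPortNumber",
+"Type": "Int"
+},
+{
+"Name": "SrcNatIpAddr",
+"Type": "String"
+},
+{
+"Name": "SrcNatPortNumber",
+"Type": "Int"
+},
+{
+"Name": "DvcInboundInterface",
+"Type": "String"
+},
+{
+"Name": "DvcOutboundInterface",
+"Type": "String"
+},
+{
+"Name": "NetworkRuleName",
+"Type": "String"
+},
+{
+"Name": "NetworkRuleNumber",
+"Type": "Int"
+},
+{
+"Name": "ThreatId",
+"Type": "String"
+},
+{
+"Name": "ThreatName",
+"Type": "String"
+},
+{
+"Name": "ThreatCategory",
+"Type": "String"
+},
+{
+"Name": "ThreatRiskLevel",
+"Type": "Int"
+},
+{
+"Name": "ThreatRiskLevelOriginal",
+"Type": "String"
+},
+{
+"Name": "EventType",
+"Type": "String"
+},
+{
+"Name": "EventSubType",
+"Type": "String"
+},
+{
+"Name": "EventResult",
+"Type": "String"
+},
+{
+"Name": "EventResultDetails",
+"Type": "String"
+},
+{
+"Name": "EventOriginalType",
+"Type": "String"
+},
+{
+"Name": "EventProduct",
+"Type": "String"
+},
+{
+"Name": "EventVendor",
+"Type": "String"
+},
+{
+"Name": "DvcIpAddr",
+"Type": "String"
+},
+{
+"Name": "DvcHostname",
+"Type": "String"
+},
+{
+"Name": "DvcDomain",
+"Type": "String"
+},
+{
+"Name": "DvcDomainType",
+"Type": "String"
+},
+{
+"Name": "DvcOs",
+"Type": "String"
+},
+{
+"Name": "DvcOsVersion",
+"Type": "String"
+},
+{
+"Name": "AdditionalFields",
+"Type": "Dynamic"
+},
+{
+"Name": "SrcIpAddr",
+"Type": "String"
+},
+{
+"Name": "SrcPortNumber",
+"Type": "Int"
+},
+{
+"Name": "DstIpAddr",
+"Type": "String"
+},
+{
+"Name": "NetworkProtocol",
+"Type": "String"
+},
+{
+"Name": "EventOriginalUid",
+"Type": "String"
+},
+{
+"Name": "EventReportUrl",
+"Type": "String"
+},
+{
+"Name": "DvcFQDN",
+"Type": "String"
+},
+{
+"Name": "DvcId",
+"Type": "String"
+},
+{
+"Name": "DvcIdType",
+"Type": "String"
+},
+{
+"Name": "SrcHostname",
+"Type": "String"
+},
+{
+"Name": "SrcDomain",
+"Type": "String"
+},
+{
+"Name": "SrcDomainType",
+"Type": "String"
+},
+{
+"Name": "SrcFQDN",
+"Type": "String"
+},
+{
+"Name": "SrcDvcId",
+"Type": "String"
+},
+{
+"Name": "SrcDvcIdType",
+"Type": "String"
+},
+{
+"Name": "SrcDeviceType",
+"Type": "String"
+},
+{
+"Name": "SrcUserId",
+"Type": "String"
+},
+{
+"Name": "SrcUserIdType",
+"Type": "String"
+},
+{
+"Name": "SrcUsername",
+"Type": "String"
+},
+{
+"Name": "SrcUsernameType",
+"Type": "String"
+},
+{
+"Name": "SrcUserType",
+"Type": "String"
+},
+{
+"Name": "SrcOriginalUserType",
+"Type": "String"
+},
+{
+"Name": "DstPortNumber",
+"Type": "Int"
+},
+{
+"Name": "DstHostname",
+"Type": "String"
+},
+{
+"Name": "DstDomain",
+"Type": "String"
+},
+{
+"Name": "DstDomainType",
+"Type": "String"
+},
+{
+"Name": "DstFQDN",
+"Type": "String"
+},
+{
+"Name": "DstDvcId",
+"Type": "String"
+},
+{
+"Name": "DstDvcIdType",
+"Type": "String"
+},
+{
+"Name": "DstDeviceType",
+"Type": "String"
+},
+{
+"Name": "Url",
+"Type": "String"
+},
+{
+"Name": "UrlCategory",
+"Type": "String"
+},
+{
+"Name": "UrlOriginal",
+"Type": "String"
+},
+{
+"Name": "HttpVersion",
+"Type": "String"
+},
+{
+"Name": "HttpRequestMethod",
+"Type": "String"
+},
+{
+"Name": "HttpStatusCode",
+"Type": "String"
+},
+{
+"Name": "HttpContentType",
+"Type": "String"
+},
+{
+"Name": "HttpContentFormat",
+"Type": "String"
+},
+{
+"Name": "HttpReferrer",
+"Type": "String"
+},
+{
+"Name": "HttpUserAgent",
+"Type": "String"
+},
+{
+"Name": "UserAgent",
+"Type": "String"
+},
+{
+"Name": "HttpRequestXff",
+"Type": "String"
+},
+{
+"Name": "HttpRequestTime",
+"Type": "Int"
+},
+{
+"Name": "HttpResponseTime",
+"Type": "Int"
+},
+{
+"Name": "FileName",
+"Type": "String"
+},
+{
+"Name": "FileMD5",
+"Type": "String"
+},
+{
+"Name": "FileSHA1",
+"Type": "String"
+},
+{
+"Name": "FileSHA256",
+"Type": "String"
+},
+{
+"Name": "FileSHA512",
+"Type": "String"
+},
+{
+"Name": "Hash",
+"Type": "String"
+},
+{
+"Name": "FileHashType",
+"Type": "String"
+},
+{
+"Name": "FileSize",
+"Type": "Int"
+},
+{
+"Name": "FileContentType",
+"Type": "String"
+},
+{
+"Name": "RuleName",
+"Type": "String"
+},
+{
+"Name": "RuleNumber",
+"Type": "Int"
+},
+{
+"Name": "Rule",
+"Type": "String"
+},
+{
+"Name": "NetworkDuration",
+"Type": "Int"
+},
+{
+"Name": "IpAddr",
+"Type": "String"
+}
+]
+}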


@ -35,7 +35,7 @@
"displayName": "Network Session ASIM parser",
"category": "ASIM",
"FunctionAlias": "ASimNetworkSession",
"query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimNetworkSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet ASimBuiltInDisabled=toscalar('ExcludeASimNetworkSession' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet NetworkSessionsGeneric=(){\nunion isfuzzy=true\n vimNetworkSessionEmpty\n , ASimNetworkSessionLinuxSysmon (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionLinuxSysmon' in (DisabledParsers) ))\n , ASimNetworkSessionMicrosoft365Defender (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoft365Defender' in (DisabledParsers) ))\n , ASimNetworkSessionMD4IoT (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMD4IoT' in (DisabledParsers) ))\n , ASimNetworkSessionMicrosoftWindowsEventFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoftWindowsEventFirewall' in (DisabledParsers) ))\n , ASimNetworkSessionPaloAltoCEF (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionPaloAltoCEF' in (DisabledParsers) ))\n , ASimNetworkSessionVMConnection (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionVMConnection' in (DisabledParsers) ))\n , ASimNetworkSessionAWSVPC (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAWSVPC' in (DisabledParsers) ))\n , ASimNetworkSessionAzureFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAzureFirewall' in (DisabledParsers) ))\n , ASimNetworkSessionAzureNSG (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAzureNSG' in (DisabledParsers) ))\n , ASimNetworkSessionVectraAI (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionVectraAI' in (DisabledParsers) ))\n};\nNetworkSessionsGeneric",
"query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimNetworkSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet ASimBuiltInDisabled=toscalar('ExcludeASimNetworkSession' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet NetworkSessionsGeneric=(){\nunion isfuzzy=true\n vimNetworkSessionEmpty\n , ASimNetworkSessionLinuxSysmon (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionLinuxSysmon' in (DisabledParsers) ))\n , ASimNetworkSessionMicrosoft365Defender (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoft365Defender' in (DisabledParsers) ))\n , ASimNetworkSessionMD4IoT (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMD4IoT' in (DisabledParsers) ))\n , ASimNetworkSessionMicrosoftWindowsEventFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoftWindowsEventFirewall' in (DisabledParsers) ))\n , ASimNetworkSessionPaloAltoCEF (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionPaloAltoCEF' in (DisabledParsers) ))\n , ASimNetworkSessionVMConnection (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionVMConnection' in (DisabledParsers) ))\n , ASimNetworkSessionAWSVPC (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAWSVPC' in (DisabledParsers) ))\n , ASimNetworkSessionAzureFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAzureFirewall' in (DisabledParsers) ))\n , ASimNetworkSessionAzureNSG (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAzureNSG' in (DisabledParsers) ))\n , ASimNetworkSessionVectraAI (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionVectraAI' in (DisabledParsers) ))\n , ASimNetworkSessionCiscoMeraki (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoMeraki' in (DisabledParsers) ))\n};\nNetworkSessionsGeneric",
"version": 1
}
}


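--- /dev/null
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoMeraki/ASimNetworkSessionCiscoMeraki.json
@@ -0,0 +1,46 @@
+{
+"$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
+"contentVersion": "1.0.0.0",
+"parameters": {
+"Workspace": {
+"type": "string",
+"metadata": {
+"description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group."
+}
+},
+"WorkspaceRegion": {
+"type": "string",
+"defaultValue": "[resourceGroup().location]",
+"metadata": {
+"description": "The region of the selected workspace. The default value will use the Region selection above."
+}
+}
+},
+"resources": [
+{
+"type": "Microsoft.OperationalInsights/workspaces",
+"apiVersion": "2017-03-15-preview",
+"name": "[parameters('Workspace')]",
+"location": "[parameters('WorkspaceRegion')]",
+"resources": [
+{
+"type": "savedSearches",
+"apiVersion": "2020-08-01",
+"name": "ASimNetworkSessionCiscoMeraki",
+"dependsOn": [
+"[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
+],
+"properties": {
+"etag": "*",
+"displayName": "Network Session ASIM parser for Cisco Meraki",
+"category": "ASIM",
+"FunctionAlias": "ASimNetworkSessionCiscoMeraki",
+"query": "let NWParser=(disabled:bool=false){\n CiscoMerakiNativePoller_CL\n | where not(disabled)\n | where EventOriginalType == \"IDS Alert\"\n | extend \n EventResult = iff(DvcAction == \"Deny\", \"Failure\", \"Success\"),\n EventResultDetails = \"\"\n | extend \n InnerVlanId = SrcVlanId,\n OuterVlanId = DstVlanId,\n SessionId = NetworkSessionId,\n Hostname = DstHostname,\n IpAddr = SrcIpAddr,\n Duration = NetworkDuration, \n Dst = DstIpAddr,\n Src = SrcIpAddr,\n User = DstUsername\n | project-away Url*, Http*, File*, Rule*, UserAgent, Hash\n};\nNWParser (disabled)",
+"version": 1,
+"functionParameters": "disabled:bool=False"
+}
+}
+]
+}
+]
+}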
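Review bot: `EventResult = iff(DvcAction == "Deny", "Failure", "Success")` in the `query` string labels every alert whose action is not exactly `Deny` as `Success`, including rows where `DvcAction` is empty and rows where the poller spells the action in a different case, because `==` is case-sensitive in KQL; any analytic that keys on `EventResult == "Failure"` to find blocked IDS alerts would silently miss those rows. Consider `EventResult = case(DvcAction =~ "Deny", "Failure", isempty(DvcAction), "NA", "Success"),` (`NA` is an allowed ASIM `EventResult` value), or, if the full set of action values the poller emits is known, map each of them explicitly rather than defaulting everything else to `Success`. The original action is still available to consumers through `DvcOriginalAction`, so the normalization can stay lossless either way.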


@ -0,0 +1,18 @@
# Cisco Meraki ASIM NetworkSession Normalization Parser
ARM template for ASIM NetworkSession schema parser for Cisco Meraki.
This ASIM parser supports normalizing Cisco Meraki IDS Events produced by the Microsoft Sentinel Cisco Meraki Security Events connector to the ASIM Network Session normalized schema.
The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
For more information, see:
- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
- [Deploy all of ASIM](https://aka.ms/DeployASIM)
- [ASIM NetworkSession normalization schema reference](https://aka.ms/ASimNetworkSessionDoc)
<br>
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimNetworkSession%2FARM%2FASimNetworkSessionCiscoMeraki%2FASimNetworkSessionCiscoMeraki.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimNetworkSession%2FARM%2FASimNetworkSessionCiscoMeraki%2FASimNetworkSessionCiscoMeraki.json)


@ -21,31 +21,11 @@
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSession",
"name": "linkedvimNetworkSessionEmpty",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSession/ASimNetworkSession.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionAWSVPC",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAWSVPC/ASimNetworkSessionAWSVPC.json",
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionEmpty/vimNetworkSessionEmpty.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
@ -81,11 +61,11 @@
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionAzureNSG",
"name": "linkedASimNetworkSessionVectraAI",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAzureNSG/ASimNetworkSessionAzureNSG.json",
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionVectraAI/ASimNetworkSessionVectraAI.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
@ -101,71 +81,11 @@
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionMicrosoft365Defender",
"name": "linkedvimNetworkSessionVMConnection",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoft365Defender/ASimNetworkSessionMicrosoft365Defender.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionMicrosoftLinuxSysmon",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftLinuxSysmon/ASimNetworkSessionMicrosoftLinuxSysmon.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionMicrosoftMD4IoT",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftMD4IoT/ASimNetworkSessionMicrosoftMD4IoT.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionMicrosoftWindowsEventFirewall",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftWindowsEventFirewall/ASimNetworkSessionMicrosoftWindowsEventFirewall.json",
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVMConnection/vimNetworkSessionVMConnection.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
@ -201,11 +121,11 @@
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionVectraAI",
"name": "linkedASimNetworkSessionAzureNSG",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionVectraAI/ASimNetworkSessionVectraAI.json",
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAzureNSG/ASimNetworkSessionAzureNSG.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
@ -221,31 +141,11 @@
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionVMConnection",
"name": "linkedvimNetworkSessionPaloAltoCEF",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionVMConnection/ASimNetworkSessionVMConnection.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionzScalerZIA",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionzScalerZIA/ASimNetworkSessionzScalerZIA.json",
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionPaloAltoCEF/vimNetworkSessionPaloAltoCEF.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
@ -278,6 +178,86 @@
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionMicrosoft365Defender",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoft365Defender/ASimNetworkSessionMicrosoft365Defender.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionAWSVPC",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAWSVPC/ASimNetworkSessionAWSVPC.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionVMConnection",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionVMConnection/ASimNetworkSessionVMConnection.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionCiscoMeraki",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoMeraki/ASimNetworkSessionCiscoMeraki.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
@ -298,6 +278,66 @@
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionMicrosoftWindowsEventFirewall",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftWindowsEventFirewall/ASimNetworkSessionMicrosoftWindowsEventFirewall.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionzScalerZIA",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionzScalerZIA/vimNetworkSessionzScalerZIA.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionzScalerZIA",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionzScalerZIA/ASimNetworkSessionzScalerZIA.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
@ -341,11 +381,11 @@
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionEmpty",
"name": "linkedvimNetworkSessionMicrosoftWindowsEventFirewall",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionEmpty/vimNetworkSessionEmpty.json",
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftWindowsEventFirewall/vimNetworkSessionMicrosoftWindowsEventFirewall.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
@ -361,11 +401,11 @@
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionMicrosoft365Defender",
"name": "linkedASimNetworkSessionMicrosoftMD4IoT",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoft365Defender/vimNetworkSessionMicrosoft365Defender.json",
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftMD4IoT/ASimNetworkSessionMicrosoftMD4IoT.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
@ -401,11 +441,11 @@
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionMicrosoftMD4IoT",
"name": "linkedASimNetworkSession",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftMD4IoT/vimNetworkSessionMicrosoftMD4IoT.json",
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSession/ASimNetworkSession.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
@ -421,31 +461,11 @@
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionMicrosoftWindowsEventFirewall",
"name": "linkedvimNetworkSessionCiscoMeraki",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftWindowsEventFirewall/vimNetworkSessionMicrosoftWindowsEventFirewall.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionPaloAltoCEF",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionPaloAltoCEF/vimNetworkSessionPaloAltoCEF.json",
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoMeraki/vimNetworkSessionCiscoMeraki.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
@ -481,11 +501,11 @@
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionVMConnection",
"name": "linkedvimNetworkSessionMicrosoft365Defender",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVMConnection/vimNetworkSessionVMConnection.json",
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoft365Defender/vimNetworkSessionMicrosoft365Defender.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
@ -501,11 +521,31 @@
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionzScalerZIA",
"name": "linkedvimNetworkSessionMicrosoftMD4IoT",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionzScalerZIA/vimNetworkSessionzScalerZIA.json",
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftMD4IoT/vimNetworkSessionMicrosoftMD4IoT.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionMicrosoftLinuxSysmon",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftLinuxSysmon/ASimNetworkSessionMicrosoftLinuxSysmon.json",
"contentVersion": "1.0.0.0"
},
"parameters": {


@ -35,7 +35,7 @@
"displayName": "Network Session ASIM filtering parser",
"category": "ASIM",
"FunctionAlias": "imNetworkSession",
"query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludevimNetworkSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ExcludevimNetworkSession' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet NetworkSessionsGeneric=(starttime:datetime=datetime(null) , endtime:datetime=datetime(null), srcipaddr_has_any_prefix:dynamic=dynamic([]), dstipaddr_has_any_prefix:dynamic=dynamic([]), dstportnumber:int=int(null), hostname_has_any:dynamic=dynamic([]), dvcaction:dynamic=dynamic([]), eventresult:string='*', disabled:bool=false)\n{\nunion isfuzzy=true\n vimNetworkSessionEmpty\n , vimNetworkSessionLinuxSysmon (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionLinuxSysmon' in (DisabledParsers) ))\n , vimNetworkSessionMicrosoft365Defender (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionMicrosoft365Defender' in (DisabledParsers) ))\n , vimNetworkSessionMD4IoT (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionMD4IoT' in (DisabledParsers) ))\n , vimNetworkSessionMicrosoftWindowsEventFirewall (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionMicrosoftWindowsEventFirewall' in (DisabledParsers) ))\n , vimNetworkSessionPaloAltoCEF (starttime, endtime, srcipaddr_has_any_prefix, 
dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionPaloAltoCEF' in (DisabledParsers) ))\n , vimNetworkSessionVMConnection (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionVMConnection' in (DisabledParsers) ))\n , vimNetworkSessionAWSVPC (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionAWSVPC' in (DisabledParsers) ))\n , vimNetworkSessionAzureFirewall (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionAzureFirewall' in (DisabledParsers) ))\n , vimNetworkSessionAzureNSG (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionAzureNSG' in (DisabledParsers) ))\n , vimNetworkSessionVectraAI (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionVectraAI' in (DisabledParsers) ))\n};\nNetworkSessionsGeneric(starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult)",
"query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludevimNetworkSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ExcludevimNetworkSession' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet NetworkSessionsGeneric=(starttime:datetime=datetime(null) , endtime:datetime=datetime(null), srcipaddr_has_any_prefix:dynamic=dynamic([]), dstipaddr_has_any_prefix:dynamic=dynamic([]), dstportnumber:int=int(null), hostname_has_any:dynamic=dynamic([]), dvcaction:dynamic=dynamic([]), eventresult:string='*', disabled:bool=false)\n{\nunion isfuzzy=true\n vimNetworkSessionEmpty\n , vimNetworkSessionLinuxSysmon (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionLinuxSysmon' in (DisabledParsers) ))\n , vimNetworkSessionMicrosoft365Defender (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionMicrosoft365Defender' in (DisabledParsers) ))\n , vimNetworkSessionMD4IoT (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionMD4IoT' in (DisabledParsers) ))\n , vimNetworkSessionMicrosoftWindowsEventFirewall (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionMicrosoftWindowsEventFirewall' in (DisabledParsers) ))\n , vimNetworkSessionPaloAltoCEF (starttime, endtime, srcipaddr_has_any_prefix, 
dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionPaloAltoCEF' in (DisabledParsers) ))\n , vimNetworkSessionVMConnection (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionVMConnection' in (DisabledParsers) ))\n , vimNetworkSessionAWSVPC (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionAWSVPC' in (DisabledParsers) ))\n , vimNetworkSessionAzureFirewall (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionAzureFirewall' in (DisabledParsers) ))\n , vimNetworkSessionAzureNSG (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionAzureNSG' in (DisabledParsers) ))\n , vimNetworkSessionVectraAI (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionVectraAI' in (DisabledParsers) ))\n , vimNetworkSessionCiscoMeraki (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoMeraki' in (DisabledParsers) ))\n};\nNetworkSessionsGeneric(starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult)",
"version": 1,
"functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*'"
}
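Review bot: The rewritten `query` string still declares `NetworkSessionsGeneric` without an `ipaddr_has_any_prefix` parameter, while every sub-parser call inside it and the closing `NetworkSessionsGeneric(...)` call pass that argument positionally, so the fifth argument lands in the `dstportnumber:int` slot. This predates the commit, but the line is regenerated here, so it is the natural place to add `ipaddr_has_any_prefix:dynamic=dynamic([])` after `dstipaddr_has_any_prefix:dynamic=dynamic([])` in the lambda signature. Since this template appears to be generated from the imNetworkSession YAML, the fix presumably belongs in that YAML; its signature is not visible in this page, so confirm there.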


@ -0,0 +1,18 @@
# Cisco Meraki ASIM NetworkSession Normalization Parser
ARM template for ASIM NetworkSession schema parser for Cisco Meraki.
This ASIM parser supports normalizing Cisco Meraki IDS Events produced by the Microsoft Sentinel Cisco Meraki Security Events connector to the ASIM Network Session normalized schema.
The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
For more information, see:
- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
- [Deploy all of ASIM](https://aka.ms/DeployASIM)
- [ASIM NetworkSession normalization schema reference](https://aka.ms/ASimNetworkSessionDoc)
<br>
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimNetworkSession%2FARM%2FvimNetworkSessionCiscoMeraki%2FvimNetworkSessionCiscoMeraki.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimNetworkSession%2FARM%2FvimNetworkSessionCiscoMeraki%2FvimNetworkSessionCiscoMeraki.json)


@ -0,0 +1,46 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"Workspace": {
"type": "string",
"metadata": {
"description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group."
}
},
"WorkspaceRegion": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "The region of the selected workspace. The default value will use the Region selection above."
}
}
},
"resources": [
{
"type": "Microsoft.OperationalInsights/workspaces",
"apiVersion": "2017-03-15-preview",
"name": "[parameters('Workspace')]",
"location": "[parameters('WorkspaceRegion')]",
"resources": [
{
"type": "savedSearches",
"apiVersion": "2020-08-01",
"name": "vimNetworkSessionCiscoMeraki",
"dependsOn": [
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
],
"properties": {
"etag": "*",
"displayName": "Network Session ASIM parser for Cisco Meraki",
"category": "ASIM",
"FunctionAlias": "vimNetworkSessionCiscoMeraki",
"query": "let NWParser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n dstipaddr_has_any_prefix:dynamic=dynamic([]), \n ipaddr_has_any_prefix:dynamic=dynamic([]),\n dstportnumber:int=int(null), \n hostname_has_any:dynamic=dynamic([]), \n dvcaction:dynamic=dynamic([]), \n eventresult:string='*', \n disabled:bool=false)\n {\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\n CiscoMerakiNativePoller_CL\n | where not(disabled)\n // Pre-filtering\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and EventOriginalType == \"IDS Alert\"\n and (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n and ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\n and ((eventresult == \"*\") or (EventResult == eventresult))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | extend temp_isMatchSrcHostname= SrcHostname has_any (hostname_has_any),\n temp_isMatchDstHostname = DstHostname has_any (hostname_has_any)\n | extend ASimMatchingHostname = case(\n array_length(hostname_has_any) == 0 , \"-\", \n (temp_isMatchSrcHostname and temp_isMatchDstHostname), \"Both\" , \n temp_isMatchSrcHostname, \"SrcHostname\", \n temp_isMatchDstHostname, \"DstHostname\", \n \"No match\"\n )\n | where ASimMatchingHostname != \"No match\"\n | extend \n EventResult = iff(DvcAction == \"Deny\", 
\"Failure\", \"Success\"),\n EventResultDetails = \"\"\n | extend \n InnerVlanId = SrcVlanId,\n OuterVlanId = DstVlanId,\n SessionId = NetworkSessionId,\n Hostname = DstHostname,\n IpAddr = SrcIpAddr,\n Duration = NetworkDuration, \n Dst = DstIpAddr,\n Src = SrcIpAddr,\n User = DstUsername\n | project-away Url*, Http*, File*, Rule*, UserAgent, Hash\n };\nNWParser (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, disabled)",
"version": 1,
"functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False"
}
}
]
}
]
}
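Review bot: The `eventresult` pre-filter in the `query` string runs before `EventResult` is derived, so it compares the requested value against the raw `CiscoMerakiNativePoller_CL` column rather than the normalized one; the table sample later in this commit shows that raw column holding `NA`, so a caller passing `eventresult='Success'` or `'Failure'` would get no rows. Drop `and ((eventresult == "*") or (EventResult == eventresult))` from the pre-filter and add `| where (eventresult == "*") or (EventResult == eventresult)` after the `extend EventResult = iff(DvcAction == "Deny", "Failure", "Success")` step. The `project-away` at the end also leaves the `temp_isSrcMatch`, `temp_isDstMatch` and `temp_isMatch*Hostname` helper columns in the output; `| project-away temp_*, Url*, Http*, File*, Rule*, UserAgent, Hash` would remove them. The vimNetworkSessionCiscoMeraki YAML later in the commit has the same ordering and `project-away`, and since this template appears to be generated from it, both fixes belong there.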


@ -29,6 +29,7 @@ Parsers:
- _ASim_NetworkSession_AzureFirewall
- _ASim_NetworkSession_AzureNSG
- _ASim_NetworkSession_VectraAI
- _ASim_NetworkSession_CiscoMeraki
ParserQuery: |
let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimNetworkSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);
@ -46,5 +47,6 @@ ParserQuery: |
, ASimNetworkSessionAzureFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAzureFirewall' in (DisabledParsers) ))
, ASimNetworkSessionAzureNSG (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAzureNSG' in (DisabledParsers) ))
, ASimNetworkSessionVectraAI (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionVectraAI' in (DisabledParsers) ))
, ASimNetworkSessionCiscoMeraki (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoMeraki' in (DisabledParsers) ))
};
NetworkSessionsGeneric


@ -0,0 +1,45 @@
Parser:
Title: Network Session ASIM parser for Cisco Meraki
Version: '1.0'
LastUpdated: May 20, 2022
Product:
Name: Cisco Meraki
Normalization:
Schema: NetworkSession
Version: '0.2.2'
References:
- Title: ASIM Network Session Schema
Link: https://aka.ms/ASimNetworkSessionDoc
- Title: ASIM
Link: https://aka.ms/AboutASIM
- Title: Organization Application Security Events
Link: https://developer.cisco.com/meraki/api-latest/#!get-organization-appliance-security-events
Description: |
This ASIM parser supports normalizing Cisco Meraki IDS Events produced by the Microsoft Sentinel Cisco Meraki Security Events connector to the ASIM Network Session normalized schema.
ParserName: ASimNetworkSessionCiscoMeraki
EquivalentBuiltInParser: _ASim_NetworkSession_CiscoMeraki
ParserParams:
- Name: disabled
Type: bool
Default: false
ParserQuery: |
let NWParser=(disabled:bool=false){
CiscoMerakiNativePoller_CL
| where not(disabled)
| where EventOriginalType == "IDS Alert"
| extend
EventResult = iff(DvcAction == "Deny", "Failure", "Success"),
EventResultDetails = ""
| extend
InnerVlanId = SrcVlanId,
OuterVlanId = DstVlanId,
SessionId = NetworkSessionId,
Hostname = DstHostname,
IpAddr = SrcIpAddr,
Duration = NetworkDuration,
Dst = DstIpAddr,
Src = SrcIpAddr,
User = DstUsername
| project-away Url*, Http*, File*, Rule*, UserAgent, Hash
};
NWParser (disabled)
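Review bot: The reference title `Organization Application Security Events` does not match its link, whose path ends in `get-organization-appliance-security-events`; presumably the title should read `Organization Appliance Security Events`. The same title/link pair appears in the vimNetworkSessionCiscoMeraki YAML later in the commit.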


@ -28,7 +28,8 @@ Parsers:
- _Im_NetworkSession_AWSVPC
- _Im_NetworkSession_AzureFirewall
- _Im_NetworkSession_AzureNSG
- _Im_NetworkSession_VectraAI
- _Im_NetworkSession_VectraAI
- _Im_NetworkSession_CiscoMeraki
ParserParams:
- Name: starttime
Type: datetime
@ -75,5 +76,6 @@ ParserQuery: |
, vimNetworkSessionAzureFirewall (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionAzureFirewall' in (DisabledParsers) ))
, vimNetworkSessionAzureNSG (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionAzureNSG' in (DisabledParsers) ))
, vimNetworkSessionVectraAI (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionVectraAI' in (DisabledParsers) ))
, vimNetworkSessionCiscoMeraki (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoMeraki' in (DisabledParsers) ))
};
NetworkSessionsGeneric(starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult)


@ -0,0 +1,112 @@
Parser:
Title: Network Session ASIM parser for Cisco Meraki
Version: '1.0'
LastUpdated: May 20, 2022
Product:
Name: Cisco Meraki
Normalization:
Schema: NetworkSession
Version: '0.2.2'
References:
- Title: ASIM Network Session Schema
Link: https://aka.ms/ASimNetworkSessionDoc
- Title: ASIM
Link: https://aka.ms/AboutASIM
- Title: Organization Application Security Events
Link: https://developer.cisco.com/meraki/api-latest/#!get-organization-appliance-security-events
Description: |
This ASIM parser supports normalizing Cisco Meraki IDS Events produced by the Microsoft Sentinel Cisco Meraki Security Events connector to the ASIM Network Session normalized schema.
ParserName: vimNetworkSessionCiscoMeraki
EquivalentBuiltInParser: _Im_NetworkSession_CiscoMeraki
ParserParams:
- Name: starttime
Type: datetime
Default: datetime(null)
- Name: endtime
Type: datetime
Default: datetime(null)
- Name: srcipaddr_has_any_prefix
Type: dynamic
Default: dynamic([])
- Name: dstipaddr_has_any_prefix
Type: dynamic
Default: dynamic([])
- Name: ipaddr_has_any_prefix
Type: dynamic
Default: dynamic([])
- Name: dstportnumber
Type: int
Default: int(null)
- Name: hostname_has_any
Type: dynamic
Default: dynamic([])
- Name: dvcaction
Type: dynamic
Default: dynamic([])
- Name: eventresult
Type: string
Default: '*'
- Name: disabled
Type: bool
Default: false
ParserQuery: |
let NWParser = (
starttime:datetime=datetime(null),
endtime:datetime=datetime(null),
srcipaddr_has_any_prefix:dynamic=dynamic([]),
dstipaddr_has_any_prefix:dynamic=dynamic([]),
ipaddr_has_any_prefix:dynamic=dynamic([]),
dstportnumber:int=int(null),
hostname_has_any:dynamic=dynamic([]),
dvcaction:dynamic=dynamic([]),
eventresult:string='*',
disabled:bool=false)
{
let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix);
let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);
CiscoMerakiNativePoller_CL
| where not(disabled)
// Pre-filtering
| where
(isnull(starttime) or TimeGenerated >= starttime)
and (isnull(endtime) or TimeGenerated <= endtime)
and EventOriginalType == "IDS Alert"
and (isnull(dstportnumber) or (DstPortNumber == dstportnumber))
and ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))
and ((eventresult == "*") or (EventResult == eventresult))
| extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any),
temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)
| extend ASimMatchingIpAddr = case(
array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, "-", // match not requested
(temp_isSrcMatch and temp_isDstMatch), "Both", // has to be checked before the individual
temp_isSrcMatch, "SrcIpAddr",
temp_isDstMatch, "DstIpAddr",
"No match"
)
| where ASimMatchingIpAddr != "No match"
| extend temp_isMatchSrcHostname= SrcHostname has_any (hostname_has_any),
temp_isMatchDstHostname = DstHostname has_any (hostname_has_any)
| extend ASimMatchingHostname = case(
array_length(hostname_has_any) == 0 , "-",
(temp_isMatchSrcHostname and temp_isMatchDstHostname), "Both" ,
temp_isMatchSrcHostname, "SrcHostname",
temp_isMatchDstHostname, "DstHostname",
"No match"
)
| where ASimMatchingHostname != "No match"
| extend
EventResult = iff(DvcAction == "Deny", "Failure", "Success"),
EventResultDetails = ""
| extend
InnerVlanId = SrcVlanId,
OuterVlanId = DstVlanId,
SessionId = NetworkSessionId,
Hostname = DstHostname,
IpAddr = SrcIpAddr,
Duration = NetworkDuration,
Dst = DstIpAddr,
Src = SrcIpAddr,
User = DstUsername
| project-away Url*, Http*, File*, Rule*, UserAgent, Hash
};
NWParser (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, disabled)


@ -0,0 +1,52 @@
[
{
"ts": "2020-03-20T16:00:10.144989Z",
"eventType": "File Scanned",
"clientName": "COMPUTER-M-V78J",
"clientMac": "10:dd:b1:eb:88:f8",
"clientIp": "192.168.128.2",
"srcIp": "192.168.128.2",
"destIp": "119.192.233.48",
"protocol": "http",
"uri": "http://www.favorite-icons.com/program/FavoriteIconsUninstall.exe",
"canonicalName": "PUA.Win.Dropper.Kraddare::1201",
"destinationPort": 80,
"fileHash": "3ec1b9a95fe62aa25fc959643a0f227b76d253094681934daaf628d3574b3463",
"fileType": "MS_EXE",
"fileSizeBytes": 193688,
"disposition": "Malicious",
"action": "Blocked"
},
{
"ts": "2018-02-11T00:00:00.090210Z",
"eventType": "IDS Alert",
"deviceMac": "00:18:0a:01:02:03",
"clientMac": "A1:B2:C3:D4:E5:F6",
"srcIp": "1.2.3.4:34195",
"destIp": "10.20.30.40:80",
"protocol": "tcp/ip",
"priority": "2",
"classification": "4",
"blocked": true,
"message": "SERVER-WEBAPP JBoss JMX console access attempt",
"signature": "1:21516:9",
"sigSource": "",
"ruleId": "meraki:intrusion/snort/GID/1/SID/26267"
},
{
"ts": "2018-02-11T00:00:00.090210Z",
"eventType": "IDS Alert",
"deviceMac": "00:18:0a:01:02:03",
"clientMac": "A1:B2:C3:D4:E5:F6",
"srcIp": "1.2.3.4:56023",
"destIp": "10.20.30.40:80",
"protocol": "tcp/ip",
"priority": "1",
"classification": "33",
"blocked": true,
"message": "POLICY-OTHER Adobe ColdFusion admin interface access attempt",
"signature": "1:25975:2",
"sigSource": "",
"ruleId": "meraki:intrusion/snort/GID/1/SID/26267"
}
]


@ -0,0 +1,312 @@
[
{
"TimeGenerated [Local Time]": "5/16/2022, 5:18:44.267 PM",
"EventCount": 1,
"EventSchemaVersion": "0.2.2",
"EventSchema": "NetworkSession",
"DvcAction": "Allow",
"EventMessage": "SERVER-OTHER Apache Log4j logging remote code execution attempt",
"EventSeverity": "Medium",
"EventStartTime [Local Time]": "4/20/2022, 8:16:20.213 PM",
"EventEndTime [Local Time]": "4/20/2022, 8:16:20.213 PM",
"DvcMacAddr": "ac:17:c8:21:2e:60",
"Dvc": "Meraki MX",
"DvcZone": "",
"EventProductVersion": "",
"DvcOriginalAction": "",
"DvcInterface": "",
"DvcSubscriptionId": "",
"EventOriginalSeverity": 1,
"EventOriginalSubType": "",
"NetworkApplicationProtocol": "",
"NetworkProtocolVersion": "",
"NetworkDirection": "",
"NetworkIcmpCode": "",
"NetworkIcmpType": "",
"NetworkConnectionHistory": "",
"DstBytes": "",
"SrcBytes": "",
"NetworkBytes": "",
"DstPackets": "",
"SrcPackets": "",
"NetworkPackets": "",
"NetworkSessionId": "",
"DstZone": "",
"DstInterfaceName": "",
"DstInterfaceGuid": "",
"DstMacAddr": "",
"DstVlanId": "",
"DstSubscriptionId": "",
"DstGeoCountry": "",
"DstGeoRegion": "",
"DstGeoCity": "",
"DstGeoLatitude": "",
"DstGeoLongitude": "",
"DstUserId": "",
"DstUserIdType": "",
"DstUsername": "",
"DstUsernameType": "",
"DstUserType": "",
"DstOriginalUserType": "",
"DstAppName": "",
"DstAppId": "",
"DstAppType": "",
"SrcZone": "",
"SrcInterfaceName": "",
"SrcInterfaceGuid": "",
"SrcMacAddr": "c2:ef:54:0e:1c:b6",
"SrcVlanId": "",
"SrcSubscriptionId": "",
"SrcGeoCountry": "",
"SrcGeoRegion": "",
"SrcGeoCity": "",
"SrcGeoLatitude": "",
"SrcGeoLongitude": "",
"SrcAppName": "",
"SrcAppId": "",
"SrcAppType": "",
"DstNatIpAddr": "",
"DstNatPortNumber": "",
"SrcNatIpAddr": "",
"SrcNatPortNumber": "",
"DvcInboundInterface": "",
"DvcOutboundInterface": "",
"NetworkRuleName": "meraki:intrusion/snort/GID/1/SID/300057",
"NetworkRuleNumber": "",
"ThreatId": "",
"ThreatName": "",
"ThreatCategory": "",
"ThreatRiskLevel": "",
"ThreatRiskLevelOriginal": "",
"EventType": "Notable",
"EventSubType": "",
"EventResult": "NA",
"EventResultDetails": "NA",
"EventOriginalType": "IDS Alert",
"EventProduct": "Meraki MX",
"EventVendor": "Cisco",
"DvcIpAddr": "",
"DvcHostname": "",
"DvcDomain": "",
"DvcDomainType": "",
"DvcOs": "",
"DvcOsVersion": "",
"AdditionalFields": "classification=9;signature=1:300057:3;",
"SrcIpAddr": "10.135.100.38",
"SrcPortNumber": 55835,
"DstIpAddr": "10.184.209.1",
"NetworkProtocol": "TCP",
"EventOriginalUid": "",
"EventReportUrl": "",
"DvcFQDN": "",
"DvcId": "",
"DvcIdType": "",
"SrcHostname": "",
"SrcDomain": "",
"SrcDomainType": "",
"SrcFQDN": "",
"SrcDvcId": "",
"SrcDvcIdType": "",
"SrcDeviceType": "",
"SrcUserId": "",
"SrcUserIdType": "",
"SrcUsername": "",
"SrcUsernameType": "",
"SrcUserType": "",
"SrcOriginalUserType": "",
"DstPortNumber": 80,
"DstHostname": "",
"DstDomain": "",
"DstDomainType": "",
"DstFQDN": "",
"DstDvcId": "",
"DstDvcIdType": "",
"DstDeviceType": "",
"Url": "",
"UrlCategory": "",
"UrlOriginal": "",
"HttpVersion": "",
"HttpRequestMethod": "",
"HttpStatusCode": "",
"HttpContentType": "",
"HttpContentFormat": "",
"HttpReferrer": "",
"HttpUserAgent": "",
"UserAgent": "",
"HttpRequestXff": "",
"HttpRequestTime": "",
"HttpResponseTime": "",
"FileName": "",
"FileMD5": "",
"FileSHA1": "",
"FileSHA256": "",
"FileSHA512": "",
"Hash": "",
"FileHashType": "SHA256",
"FileSize": "",
"FileContentType": "",
"RuleName": "",
"RuleNumber": "",
"Rule": "meraki:intrusion/snort/GID/1/SID/300057",
"NetworkDuration": "",
"IpAddr": "",
"TenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"Type": "CiscoMerakiNativePoller_CL",
"_ResourceId": ""
},
{
"TimeGenerated [Local Time]": "5/16/2022, 12:02:01.000 PM",
"EventCount": 1,
"EventSchemaVersion": "",
"EventSchema": "",
"DvcAction": "Deny",
"EventMessage": "",
"EventSeverity": "High",
"EventStartTime [Local Time]": "5/16/2022, 12:02:01.000 PM",
"EventEndTime [Local Time]": "5/16/2022, 12:02:01.000 PM",
"DvcMacAddr": "",
"Dvc": "Meraki MX",
"DvcZone": "",
"EventProductVersion": "",
"DvcOriginalAction": "",
"DvcInterface": "",
"DvcSubscriptionId": "",
"EventOriginalSeverity": "Malicious",
"EventOriginalSubType": "",
"NetworkApplicationProtocol": "http",
"NetworkProtocolVersion": "",
"NetworkDirection": "",
"NetworkIcmpCode": "",
"NetworkIcmpType": "",
"NetworkConnectionHistory": "",
"DstBytes": "",
"SrcBytes": "",
"NetworkBytes": "",
"DstPackets": "",
"SrcPackets": "",
"NetworkPackets": "",
"NetworkSessionId": "",
"DstZone": "",
"DstInterfaceName": "",
"DstInterfaceGuid": "",
"DstMacAddr": "",
"DstVlanId": "",
"DstSubscriptionId": "",
"DstGeoCountry": "",
"DstGeoRegion": "",
"DstGeoCity": "",
"DstGeoLatitude": "",
"DstGeoLongitude": "",
"DstUserId": "",
"DstUserIdType": "",
"DstUsername": "",
"DstUsernameType": "",
"DstUserType": "",
"DstOriginalUserType": "",
"DstAppName": "",
"DstAppId": "",
"DstAppType": "",
"SrcZone": "",
"SrcInterfaceName": "",
"SrcInterfaceGuid": "",
"SrcMacAddr": "10:dd:b1:eb:88:f8",
"SrcVlanId": "",
"SrcSubscriptionId": "",
"SrcGeoCountry": "",
"SrcGeoRegion": "",
"SrcGeoCity": "",
"SrcGeoLatitude": "",
"SrcGeoLongitude": "",
"SrcAppName": "",
"SrcAppId": "",
"SrcAppType": "",
"DstNatIpAddr": "",
"DstNatPortNumber": "",
"SrcNatIpAddr": "",
"SrcNatPortNumber": "",
"DvcInboundInterface": "",
"DvcOutboundInterface": "",
"NetworkRuleName": "",
"NetworkRuleNumber": "",
"ThreatId": "",
"ThreatName": "",
"ThreatCategory": "",
"ThreatRiskLevel": "",
"ThreatRiskLevelOriginal": "",
"EventType": "",
"EventSubType": "",
"EventResult": "NA",
"EventResultDetails": "NA",
"EventOriginalType": "File Scanned",
"EventProduct": "Meraki MX",
"EventVendor": "Cisco",
"DvcIpAddr": "",
"DvcHostname": "",
"DvcDomain": "",
"DvcDomainType": "",
"DvcOs": "",
"DvcOsVersion": "",
"AdditionalFields": "canonicalName=PUA.Win.Dropper.Kraddare::1201;",
"SrcIpAddr": "188.67.244.253",
"SrcPortNumber": "",
"DstIpAddr": "225.44.53.155",
"NetworkProtocol": "",
"EventOriginalUid": "",
"EventReportUrl": "",
"DvcFQDN": "",
"DvcId": "",
"DvcIdType": "",
"SrcHostname": "COMPUTER-M-V78J",
"SrcDomain": "",
"SrcDomainType": "",
"SrcFQDN": "",
"SrcDvcId": "",
"SrcDvcIdType": "",
"SrcDeviceType": "",
"SrcUserId": "",
"SrcUserIdType": "",
"SrcUsername": "",
"SrcUsernameType": "",
"SrcUserType": "",
"SrcOriginalUserType": "",
"DstPortNumber": 80,
"DstHostname": "",
"DstDomain": "",
"DstDomainType": "",
"DstFQDN": "",
"DstDvcId": "",
"DstDvcIdType": "",
"DstDeviceType": "",
"Url": "http://www.favorite-icons.com/program/FavoriteIconsUninstall.exe",
"UrlCategory": "",
"UrlOriginal": "",
"HttpVersion": "",
"HttpRequestMethod": "",
"HttpStatusCode": "",
"HttpContentType": "",
"HttpContentFormat": "",
"HttpReferrer": "",
"HttpUserAgent": "",
"UserAgent": "",
"HttpRequestXff": "",
"HttpRequestTime": "",
"HttpResponseTime": "",
"FileName": "",
"FileMD5": "",
"FileSHA1": "",
"FileSHA256": "",
"FileSHA512": "",
"Hash": "3ec1b9a95fe62aa25fc959643a0f227b76d253094681934daaf628d3574b3463",
"FileHashType": "SHA256",
"FileSize": 193688,
"FileContentType": "MS_EXE",
"RuleName": "",
"RuleNumber": "",
"Rule": "",
"NetworkDuration": "",
"IpAddr": "",
"TenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"Type": "CiscoMerakiNativePoller_CL",
"_ResourceId": ""
}
]
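Review bot: `EventOriginalSeverity` is the bare number `1` in the first record but the string `"Malicious"` in the second, so the two sample records disagree on the column's type; if the column is a string, the first should read `"EventOriginalSeverity": "1"`. Other columns switch between a number and `""` across the records (`SrcPortNumber` is `55835` then `""`, `FileSize` is `""` then `193688`), which a schema-driven consumer of this sample may reject. This looks like an exported sample rather than hand-written data, so regenerating it with consistent per-column types may be the simplest fix.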