93 строки
5.5 KiB
Plaintext
93 строки
5.5 KiB
Plaintext
// Epic SIEM
|
|
// Last Updated Date: July 16, 2020
|
|
//
|
|
// This parser parses the CommonSecurityLog source for events from the Epic SIEM platform.
|
|
// https://www.ibm.com/support/knowledgecenter/en/SS42VS_DSM/com.ibm.dsm.doc/c_dsm_guide_epic_securtiy_siem_overview.html?cp=SS42VS_7.3.3
|
|
//
|
|
// Parser Notes:
|
|
// 1. This parser assumes logs are collected into the CommonSecurityLog table using a Syslog solution and that the logs have been configured to send CEF logs to the CSE table in Azure Log Analytics.
|
|
// 2. Currently at this time, there is no schema available for this log source.
|
|
//
|
|
// Usage Instruction:
|
|
// Paste below query in log analytics, click on "Save" button and select as "Function" from drop down by specifying function name and alias as "Epic" or a variant.
|
|
// Functions usually takes 10-15 minutes to activate. You can then use function alias from any other queries (e.g. Epic_CL | take 10).
|
|
//
|
|
//
|
|
|
|
|
|
CommonSecurityLog
|
|
| where DeviceVendor == "Epic"
|
|
| extend AdditionalExtensions = replace(@'\^', @'/', AdditionalExtensions),
|
|
SourceUserName = replace(@'\^', @'/', SourceUserName)
|
|
| extend AdditionalExtensions = replace(@"$", @";", AdditionalExtensions),
|
|
workstationID = extract("workstationID=(.*?);", 1, AdditionalExtensions),
|
|
end = coalesce(
|
|
extract("end=(.*?);", 1, AdditionalExtensions),
|
|
tostring(column_ifexists("EndTime", ""))
|
|
),
|
|
flag = extract("flag=(.*?);", 1, AdditionalExtensions),
|
|
AUDITSESSION = extract("AUDITSESSION=(.*?);", 1, AdditionalExtensions),
|
|
BTGREASON = extract("BTGREASON=(.*?);", 1, AdditionalExtensions),
|
|
CSN = extract("CSN=(.*?);", 1, AdditionalExtensions),
|
|
DAT = extract("DAT=(.*?);", 1, AdditionalExtensions),
|
|
DEP = extract("DEP=(.*?);", 1, AdditionalExtensions),
|
|
PATIENT = extract("PATIENT=(.*?);", 1, AdditionalExtensions),
|
|
BTGNOACCESSREAS = extract("BTGNOACCESSREAS=(.*?);", 1, AdditionalExtensions),
|
|
AUTHSOURCE = extract("AUTHSOURCE=(.*?);", 1, AdditionalExtensions),
|
|
LOGINCONTEXT = extract("LOGINCONTEXT=(.*?);", 1, AdditionalExtensions),
|
|
LOGINDEVICE = extract("LOGINDEVICE=(.*?);", 1, AdditionalExtensions),
|
|
LOGINLDAPID = extract("LOGINLDAPID=(.*?);", 1, AdditionalExtensions),
|
|
LOGINREVAL = extract("LOGINREVAL=(.*?);", 1, AdditionalExtensions),
|
|
NEWDEPARTMENT = extract("NEWDEPARTMENT=(.*?);", 1, AdditionalExtensions),
|
|
PREVDEPARTMENT = extract("PREVDEPARTMENT=(.*?);", 1, AdditionalExtensions),
|
|
HKUAPVER = extract("HKUAPVER=(.*?);", 1, AdditionalExtensions),
|
|
HKUDVCID = extract("HKUDVCID=(.*?);", 1, AdditionalExtensions),
|
|
HKUOSNAM = extract("HKUOSNAM=(.*?);", 1, AdditionalExtensions),
|
|
HKUOSVER = extract("HKUOSVER=(.*?);", 1, AdditionalExtensions),
|
|
LOGINERROR = extract("LOGINERROR=(.*?);", 1, AdditionalExtensions),
|
|
ERRMSG = extract("ERRMSG=(.*?);", 1, AdditionalExtensions),
|
|
PWREASON = extract("PWREASON=(.*?);", 1, AdditionalExtensions),
|
|
SUCCESS = extract("SUCCESS=(.*?);", 1, AdditionalExtensions),
|
|
UID = extract("UID=(.*?);", 1, AdditionalExtensions),
|
|
src_dest_IPs = extract("IP=(.*?);", 1, AdditionalExtensions),
|
|
PRTCTDSRCUSERID = extract("PRTCTDSRCUSERID=(.*?);", 1, AdditionalExtensions),
|
|
WEBLGAPP = extract("WEBLGAPP=(.*?);", 1, AdditionalExtensions),
|
|
SOURCE = extract("SOURCE=(.*?);", 1, AdditionalExtensions),
|
|
APIID = extract("APIID=(.*?);", 1, AdditionalExtensions),
|
|
APPLICATIONID = extract("APPLICATIONID=(.*?);", 1, AdditionalExtensions),
|
|
INSTANCEURN = extract("INSTANCEURN=(.*?);", 1, AdditionalExtensions),
|
|
SERVICECATEGORY = extract("SERVICECATEGORY=(.*?);", 1, AdditionalExtensions),
|
|
SERVICEID = extract("SERVICEID=(.*?);", 1, AdditionalExtensions),
|
|
SERVICEMSGID = extract("SERVICEMSGID=(.*?);", 1, AdditionalExtensions),
|
|
SERVICENAME = extract("SERVICENAME=(.*?);", 1, AdditionalExtensions),
|
|
SERVICETYPE = extract("SERVICETYPE=(.*?);", 1, AdditionalExtensions),
|
|
SERVICEUSER = extract("SERVICEUSER=(.*?);", 1, AdditionalExtensions),
|
|
SERVICEUSERTYP = extract("SERVICEUSERTYP=(.*?);", 1, AdditionalExtensions),
|
|
CLIENTNAME = extract("CLIENTNAME=(.*?);", 1, AdditionalExtensions),
|
|
LOGINREASON = extract("LOGINREASON=(.*?);", 1, AdditionalExtensions),
|
|
OSUSR = extract("OSUSR=(.*?);", 1, AdditionalExtensions),
|
|
ROLE = extract("ROLE=(.*?);", 1, AdditionalExtensions),
|
|
USERJOB = extract("USERJOB=(.*?);", 1, AdditionalExtensions),
|
|
E3MID = extract("E3MID=(.*?);", 1, AdditionalExtensions),
|
|
MASKMODE = extract("MASKMODE=(.*?);", 1, AdditionalExtensions),
|
|
APP = extract("APP=(.*?);", 1, AdditionalExtensions),
|
|
CTXT = extract("CTXT=(.*?);", 1, AdditionalExtensions),
|
|
E5FID = extract("E5FID=(.*?);", 1, AdditionalExtensions),
|
|
FILENAME = extract("FILENAME=(.*?);", 1, AdditionalExtensions),
|
|
ACTNDTL = extract("ACTNDTL=(.*?);", 1, AdditionalExtensions),
|
|
AUDACTN = extract("AUDACTN=(.*?);", 1, AdditionalExtensions),
|
|
DLGLINE = extract("DLGLINE=(.*?);", 1, AdditionalExtensions),
|
|
PULID = extract("PULID=(.*?);", 1, AdditionalExtensions),
|
|
TIMEOUT = extract("TIMEOUT=(.*?);", 1, AdditionalExtensions),
|
|
NEWUSER = extract("NEWUSER=(.*?);", 1, AdditionalExtensions),
|
|
PREVUSER = extract("PREVUSER=(.*?);", 1, AdditionalExtensions),
|
|
MYACCT = extract("MYACCT=(.*?);", 1, AdditionalExtensions),
|
|
MYCACCT = extract("MYCACCT=(.*?);", 1, AdditionalExtensions),
|
|
EAR = extract("EAR=(.*?);", 1, AdditionalExtensions),
|
|
SSUPATLNAME = extract("SSUPATLNAME=(.*?);", 1, AdditionalExtensions),
|
|
MSGID = extract("MSGID=(.*?);", 1, AdditionalExtensions),
|
|
SIGNUPMETHOD = extract("SIGNUPMETHOD=(.*?);", 1, AdditionalExtensions),
|
|
PWDATTEMPTCNT = extract("PWDATTEMPTCNT=(.*?);", 1, AdditionalExtensions)
|
|
| extend AllIPs = extract_all(@"(?P<ecIP>.*?)/(?P<wsIP>.*)", dynamic(['ecIP','wsIP']), src_dest_IPs)
|
|
| extend ecIP = tostring(AllIPs[0][0])
|
|
| extend wsIP = tostring(AllIPs[0][1]) |