194 строки
8.1 KiB
YAML
194 строки
8.1 KiB
YAML
id: 1c0eafd3-9b95-4bad-bf1c-28a0d0145e42
|
|
Function:
|
|
Title: Parser for IllumioCoreEvent
|
|
Version: '1.0.0'
|
|
LastUpdated: '2023-08-23'
|
|
Category: Microsoft Sentinel Parser
|
|
FunctionName: IllumioCoreEvent
|
|
FunctionAlias: IllumioCoreEvent
|
|
FunctionQuery: |
|
|
CommonSecurityLog
|
|
| where DeviceVendor =~ 'Illumio'
|
|
| extend EventCount = int(1)
|
|
| extend EventType = coalesce(
|
|
column_ifexists("DeviceEventCategory", ""),
|
|
extract(@'outcome=(.*?)(?:;|$)',1, AdditionalExtensions, typeof(string)),
|
|
""
|
|
)
|
|
,EventResult = coalesce(
|
|
column_ifexists("EventOutcome", ""),
|
|
extract(@'outcome=(.*?)(?:;|$)',1, AdditionalExtensions, typeof(string)),
|
|
""
|
|
)
|
|
,EventOriginalResultDetails = coalesce(
|
|
column_ifexists("Reason", ""),
|
|
extract(@'reason=(.*?)(?:;|$)',1, AdditionalExtensions, typeof(string)),
|
|
""
|
|
),
|
|
SchemaVersion = coalesce(
|
|
tostring(column_ifexists("FieldDeviceCustomNumber2", long(null))),
|
|
tostring(column_ifexists("DeviceCustomNumber2",long(null)))
|
|
),
|
|
EventStartTime = coalesce(
|
|
StartTime,
|
|
extract(@'start=(.*?)(?:;|$)',1, AdditionalExtensions,typeof(datetime)),
|
|
todatetime(ReceiptTime),
|
|
datetime(null)
|
|
),
|
|
EventEndTime = coalesce(
|
|
EndTime,
|
|
extract(@'end=(.*?)(?:;|$)',1, AdditionalExtensions,typeof(datetime)),
|
|
todatetime(ReceiptTime),
|
|
datetime(null)
|
|
)
|
|
,EventOriginalUid = case(DeviceCustomString1Label =~ 'event_href', DeviceCustomString1, '')
|
|
,DstVulns = case(DeviceCustomString1Label =~ 'dst_vulns', DeviceCustomString1, '')
|
|
,ResourceChanges = case(DeviceCustomString2Label =~ 'resource_changes', DeviceCustomString2, '')
|
|
,State = case(DeviceCustomString2Label =~ 'state', DeviceCustomString2, '')
|
|
,Notifications = case(DeviceCustomString4Label =~ 'notifications', DeviceCustomString4, '')
|
|
,DstLabels = case(DeviceCustomString4Label =~ 'dst_labels', DeviceCustomString4, '')
|
|
,DstHref = case(DeviceCustomString6Label =~ 'dst_href', DeviceCustomString6, '')
|
|
| project-rename EventVendor=DeviceVendor
|
|
, EventProduct=DeviceProduct
|
|
, EventProductVersion=DeviceVersion
|
|
, EventSubType=DeviceEventClassID
|
|
, EventSeverity=LogSeverity
|
|
, DvcAction=DeviceAction
|
|
, NetworkDirection=CommunicationDirection
|
|
, NetworkProtocol=Protocol
|
|
, UrlOriginal=RequestURL
|
|
, HttpRequestMethod=RequestMethod
|
|
, EventOriginalResult=Activity
|
|
, DstHostname=DestinationHostName
|
|
, DstIpAddr=DestinationIP
|
|
, DstPortNumber=DestinationPort
|
|
, ActingProcessName=DestinationProcessName
|
|
, DstUsername=DestinationUserName
|
|
, Dvc=DeviceName
|
|
, SrcBytes=SentBytes
|
|
, EventMessage=Message
|
|
, DstBytes=ReceivedBytes
|
|
, SrcIpAddr=SourceIP
|
|
| project-away AdditionalExtensions
|
|
, DeviceCustomNumber1
|
|
, DeviceCustomNumber1Label
|
|
, DeviceCustomNumber2
|
|
, DeviceCustomNumber2Label
|
|
, DeviceCustomString1
|
|
, DeviceCustomString1Label
|
|
, DeviceCustomString2
|
|
, DeviceCustomString2Label
|
|
, DeviceCustomString3
|
|
, DeviceCustomString3Label
|
|
, DeviceCustomString4
|
|
, DeviceCustomString4Label
|
|
, DeviceCustomString5
|
|
, DeviceCustomString5Label
|
|
, DeviceCustomString6
|
|
, DeviceCustomString6Label
|
|
, DeviceCustomDate1Label
|
|
, DeviceCustomDate1
|
|
, DeviceCustomDate2Label
|
|
, DeviceCustomDate2
|
|
, FlexString1Label
|
|
, FlexString1
|
|
, FlexString2Label
|
|
, FlexString2
|
|
, DeviceCustomFloatingPoint1Label
|
|
, DeviceCustomFloatingPoint1
|
|
, DeviceCustomFloatingPoint2Label
|
|
, DeviceCustomFloatingPoint2
|
|
, DeviceCustomIPv6Address1Label
|
|
, DeviceCustomIPv6Address1
|
|
, DeviceCustomIPv6Address2Label
|
|
, DeviceCustomIPv6Address2
|
|
, DeviceCustomIPv6Address3Label
|
|
, DeviceCustomIPv6Address3
|
|
, SimplifiedDeviceAction
|
|
, OriginalLogSeverity
|
|
, ApplicationProtocol
|
|
, DestinationDnsDomain
|
|
, DestinationServiceName
|
|
, DestinationTranslatedAddress
|
|
, DestinationTranslatedPort
|
|
, DeviceDnsDomain
|
|
, DeviceExternalID
|
|
, DeviceFacility
|
|
, DeviceInboundInterface
|
|
, DeviceNtDomain
|
|
, DeviceOutboundInterface
|
|
, DevicePayloadId
|
|
, ProcessName
|
|
, DeviceTranslatedAddress
|
|
, DestinationMACAddress
|
|
, DestinationNTDomain
|
|
, DestinationProcessId
|
|
, DestinationUserPrivileges
|
|
, DeviceTimeZone
|
|
, DestinationUserID
|
|
, DeviceAddress
|
|
, DeviceMacAddress
|
|
, ProcessID
|
|
, EndTime
|
|
, ExternalID
|
|
, FileCreateTime
|
|
, FileHash
|
|
, FileID
|
|
, FileModificationTime
|
|
, FilePath
|
|
, FilePermission
|
|
, FileType
|
|
, FileName
|
|
, FileSize
|
|
, OldFileCreateTime
|
|
, OldFileHash
|
|
, OldFileID
|
|
, OldFileModificationTime
|
|
, OldFileName
|
|
, OldFilePath
|
|
, OldFilePermission
|
|
, OldFileSize
|
|
, OldFileType
|
|
, ReceiptTime
|
|
, RequestClientApplication
|
|
, RequestContext
|
|
, RequestCookies
|
|
, SourceHostName
|
|
, SourceMACAddress
|
|
, SourceNTDomain
|
|
, SourceDnsDomain
|
|
, SourceServiceName
|
|
, SourceTranslatedAddress
|
|
, SourceTranslatedPort
|
|
, SourceProcessId
|
|
, SourceUserPrivileges
|
|
, SourceProcessName
|
|
, SourcePort
|
|
, StartTime
|
|
, SourceUserID
|
|
, SourceUserName
|
|
, DeviceCustomIPv6Address4
|
|
, DeviceCustomIPv6Address4Label
|
|
, DeviceCustomFloatingPoint3
|
|
, DeviceCustomFloatingPoint3Label
|
|
, DeviceCustomFloatingPoint4
|
|
, DeviceCustomFloatingPoint4Label
|
|
, DeviceCustomNumber3
|
|
, DeviceCustomNumber3Label
|
|
, FlexDate1
|
|
, FlexDate1Label
|
|
, FlexNumber1
|
|
, FlexNumber1Label
|
|
, FlexNumber2
|
|
, FlexNumber2Label
|
|
, RemoteIP
|
|
, RemotePort
|
|
, MaliciousIP
|
|
, ThreatSeverity
|
|
, IndicatorThreatType
|
|
, ThreatDescription
|
|
, ThreatConfidence
|
|
, ReportReferenceLink
|
|
, MaliciousIPLongitude
|
|
, MaliciousIPLatitude
|
|
, MaliciousIPCountry |