53 строки
3.8 KiB
Plaintext
53 строки
3.8 KiB
Plaintext
// Title: WatchGuard syslog Parser
|
|
// Version: 1.0
|
|
// Last Updated: 4/22/2021
|
|
// Comment: Inital Release
|
|
//
|
|
// DESCRIPTION:
|
|
// This parser extract some items from Syslog data and display the data in Azure Sentinel logs queries UI
|
|
//
|
|
// USAGE:
|
|
// 1. Open Log Analytics/Azure Sentinel Logs blade. Copy the query below and paste into the Logs query window.
|
|
// 2. Click Save->Save as function. A Save as function pane will appear on the right,In the Function name text box, type the Function name WatchGuardFirebox.In the Legacy
|
|
// category text box, type the category name WatchGuardFirebox.
|
|
// 3. Kusto Functions can typically take up to 15 minutes to activate. You can then use Function Alias for other queries.
|
|
//
|
|
// REFERENCES:
|
|
// Using functions in Azure monitor log queries: https://docs.microsoft.com/azure/azure-monitor/log-query/functions
|
|
let fromat_result = (source_arry: dynamic) {
|
|
let source_ips = array_concat(source_arry[0], source_arry[1]);
|
|
iif(source_ips[2] == "", strcat(source_ips[0], source_ips[1]), strcat(source_ips[0], dynamic(","), source_ips[2]))
|
|
};
|
|
Syslog
|
|
| extend
|
|
PolicyName = replace("-00", "", extract(@"\s\(([-\w\s]*?(-00|\sPolicy|DVCP-BOVPN-Allow-in))\)$", 1, SyslogMessage, typeof(string)))
|
|
, PolicyAction = extract("msg_id=\".*?\"\\s(\\w+?)\\s.*(Policy|-00|DVCP-BOVPN-Allow-in)\\)$", 1, SyslogMessage)
|
|
, ProxyName = extract("Proxy.*?: ([\\w\\s]+)", 1, SyslogMessage)
|
|
, Application = extract("app_name=\"(.*?)\"", 1, SyslogMessage)
|
|
, MessageId = extract("msg_id=\"(.*?)\"", 1, SyslogMessage)
|
|
, EventMessage = extract("msg=\"(.*?)\"", 1, SyslogMessage)
|
|
, EventVendor = "Watchguard"
|
|
, EventProduct = "Firebox"
|
|
, EventType="Traffic"
|
|
, EventSchemaVersion="1.0.0"
|
|
, EventProductVersion = extract("Watchguard loggerd (.*?) ", 1, SyslogMessage)
|
|
, SrcUserName = extract("Authentication of .*?\\[(.*?)@.*?\\].*?\\s", 1, SyslogMessage)
|
|
, DvcInboundInterface = extract("msg_id=\"3100-002C\" \\[(.*)\\]", 1, SyslogMessage)
|
|
, InterfaceStatus = extract("Interface link status changed to ([\\w\\s]+)", 1, SyslogMessage)
|
|
, BOVPNInterface = extract("msg_id=\"0207-0001\".*\'(.*)\'", 1, SyslogMessage)
|
|
, BOVPNStatus = extract("BOVPN IPSec tunnel is (.*). local", 1, SyslogMessage)
|
|
, DstGeoCountry = extract("geo_dst=\"(.*?)\"", 1, SyslogMessage)
|
|
, SrcGeoCountry = extract("geo_src=\"(.*?)\"", 1, SyslogMessage)
|
|
, SrcBytes = todouble(extract("sent_bytes=\"(.*?)\"", 1, SyslogMessage))
|
|
, DstBytes = todouble(extract("rcvd_bytes=\"(.*?)\"", 1, SyslogMessage))
|
|
, FireboxManageUser = extract("Management user (.*?)@", 1, SyslogMessage)
|
|
, SrcIpAddr = fromat_result(extract_all(@"(:\s(?P<srcIp1>(\d{1,3}\.){3}\d{1,3}):\d{1,5}\s->\s)|(\s(?P<srcIp2>(\d{1,3}\.){3}\d{1,3})\s(\d{1,3}\.){3}\d{1,3}\s)", dynamic(['srcIp1', 'srcIp2']), SyslogMessage))
|
|
, DstIpAddr = fromat_result(extract_all(@"(:\d{1,5}\s->\s(?P<destIp1>(\d{1,3}\.){3}\d{1,3}):\d{1,5}\s)|(\s(\d{1,3}\.){3}\d{1,3}\s(?P<destIp2>(\d{1,3}\.){3}\d{1,3})\s)", dynamic(['destIp1', 'destIp2']), SyslogMessage))
|
|
, SrcPortNumber = fromat_result(extract_all(@"(:\s(\d{1,3}\.){3}\d{1,3}:(?P<srcPort1>\d{1,5})\s->\s)|(\s(\d{1,3}\.){3}\d{1,3}\s(\d{1,3}\.){3}\d{1,3}\s(?P<srcPort2>\d{1,5})\s)", dynamic(['srcPort1', 'srcPort2']), SyslogMessage))
|
|
, DstPortNumber = fromat_result(extract_all(@"(:\d{1,5}\s->\s(\d{1,3}\.){3}\d{1,3}:(?P<destPort1>\d{1,5})\s)|(\s(\d{1,3}\.){3}\d{1,3}\s(\d{1,3}\.){3}\d{1,3}\s\d{1,5}\s(?P<destPort2>\d{1,5})\s)", dynamic(['destPort1', 'destPort2']), SyslogMessage))
|
|
| extend
|
|
DvcAction = case(PolicyAction has "Allow", "Allow", PolicyAction has "Deny", "Deny", PolicyAction has "Drop", "Drop", "")
|
|
, EventResult = case(PolicyAction has "Allow", "Success", "Failure")
|
|
, EventTimeIngested = ingestion_time()
|
|
, EventCount = toint(1)
|