

Merge pull request #9981 from Azure/Palo-Alto-Network-Parser-Update
DeviceAction field update for Palo Alto
anki-narravula authored Mar 4, 2024
2 parents 1082841 + a30fab4 commit 64684b2
Showing 11 changed files with 187 additions and 11 deletions.
Expand Up @@ -35,7 +35,7 @@
"displayName": "Network Session ASIM parser",
"category": "ASIM",
"FunctionAlias": "ASimNetworkSession",
"query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimNetworkSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet ASimBuiltInDisabled=toscalar('ExcludeASimNetworkSession' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet NetworkSessionsGeneric=(pack:bool=false){\nunion isfuzzy=true\n vimNetworkSessionEmpty\n , ASimNetworkSessionLinuxSysmon (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionLinuxSysmon' in (DisabledParsers) ))\n , ASimNetworkSessionMicrosoft365Defender (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoft365Defender' in (DisabledParsers) ))\n , ASimNetworkSessionMD4IoTSensor (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMD4IoTSSensor' in (DisabledParsers) ))\n , ASimNetworkSessionMD4IoTAgent (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMD4IoTAgent' in (DisabledParsers) ))\n , ASimNetworkSessionMicrosoftWindowsEventFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoftWindowsEventFirewall' in (DisabledParsers) ))\n , ASimNetworkSessionPaloAltoCEF (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionPaloAltoCEF' in (DisabledParsers) ))\n , ASimNetworkSessionVMConnection (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionVMConnection' in (DisabledParsers) ))\n , ASimNetworkSessionAWSVPC (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAWSVPC' in (DisabledParsers) ))\n , ASimNetworkSessionAzureFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAzureFirewall' in (DisabledParsers) ))\n , ASimNetworkSessionAzureNSG (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAzureNSG' in (DisabledParsers) ))\n , ASimNetworkSessionVectraAI (pack=pack, disabled=(ASimBuiltInDisabled or ('ExcludeASimNetworkSessionVectraAI' in (DisabledParsers) )))\n , ASimNetworkSessionCiscoMeraki (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoMeraki' in (DisabledParsers) ))\n , 
ASimNetworkSessionAppGateSDP (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAppGateSDP' in (DisabledParsers) ))\n , ASimNetworkSessionFortinetFortiGate (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionFortinetFortiGate' in (DisabledParsers) ))\n , ASimNetworkSessionCorelightZeek (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCorelightZeek' in (DisabledParsers) ))\n , ASimNetworkSessionCheckPointFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCheckPointFirewall' in (DisabledParsers) ))\n , ASimNetworkSessionCiscoASA (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoASA' in (DisabledParsers) ))\n , ASimNetworkSessionWatchGuardFirewareOS (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionWatchGuardFirewareOS' in (DisabledParsers) ))\n , ASimNetworkSessionMicrosoftSysmon (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoftSysmon' in (DisabledParsers) ))\n , ASimNetworkSessionForcePointFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionForcePointFirewall' in (DisabledParsers) ))\n , ASimNetworkSessionNative (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionNative' in (DisabledParsers) ))\n , ASimNetworkSessionSentinelOne (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionSentinelOne' in (DisabledParsers) ))\n , ASimNetworkSessionCiscoMeraki (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoMeraki' in (DisabledParsers) ))\n , ASimNetworkSessionCiscoISE (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoISE' in (DisabledParsers) ))\n , ASimNetworkSessionBarracudaWAF (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionBarracudaWAF' in (DisabledParsers) ))\n , ASimNetworkSessionCiscoFirepower (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoFirepower' in (DisabledParsers) ))\n , ASimNetworkSessionCrowdStrikeFalconHost (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCrowdStrikeFalconHost' in (DisabledParsers) ))\n , ASimNetworkSessionVMwareCarbonBlackCloud (ASimBuiltInDisabled or 
('ExcludeASimNetworkSessionVMwareCarbonBlackCloud' in (DisabledParsers) ))\n};\nNetworkSessionsGeneric (pack=pack)\n",
"query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimNetworkSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet ASimBuiltInDisabled=toscalar('ExcludeASimNetworkSession' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet NetworkSessionsGeneric=(pack:bool=false){\nunion isfuzzy=true\n vimNetworkSessionEmpty\n , ASimNetworkSessionLinuxSysmon (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionLinuxSysmon' in (DisabledParsers) ))\n , ASimNetworkSessionMicrosoft365Defender (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoft365Defender' in (DisabledParsers) ))\n , ASimNetworkSessionMD4IoTSensor (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMD4IoTSSensor' in (DisabledParsers) ))\n , ASimNetworkSessionMD4IoTAgent (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMD4IoTAgent' in (DisabledParsers) ))\n , ASimNetworkSessionMicrosoftWindowsEventFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoftWindowsEventFirewall' in (DisabledParsers) ))\n , ASimNetworkSessionPaloAltoCEF (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionPaloAltoCEF' in (DisabledParsers) ))\n , ASimNetworkSessionVMConnection (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionVMConnection' in (DisabledParsers) ))\n , ASimNetworkSessionAWSVPC (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAWSVPC' in (DisabledParsers) ))\n , ASimNetworkSessionAzureFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAzureFirewall' in (DisabledParsers) ))\n , ASimNetworkSessionAzureNSG (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAzureNSG' in (DisabledParsers) ))\n , ASimNetworkSessionVectraAI (pack=pack, disabled=(ASimBuiltInDisabled or ('ExcludeASimNetworkSessionVectraAI' in (DisabledParsers) )))\n , ASimNetworkSessionCiscoMeraki (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoMeraki' in (DisabledParsers) ))\n , 
ASimNetworkSessionAppGateSDP (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAppGateSDP' in (DisabledParsers) ))\n , ASimNetworkSessionFortinetFortiGate (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionFortinetFortiGate' in (DisabledParsers) ))\n , ASimNetworkSessionCorelightZeek (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCorelightZeek' in (DisabledParsers) ))\n , ASimNetworkSessionCheckPointFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCheckPointFirewall' in (DisabledParsers) ))\n , ASimNetworkSessionCiscoASA (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoASA' in (DisabledParsers) ))\n , ASimNetworkSessionWatchGuardFirewareOS (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionWatchGuardFirewareOS' in (DisabledParsers) ))\n , ASimNetworkSessionMicrosoftSysmon (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoftSysmon' in (DisabledParsers) ))\n , ASimNetworkSessionForcePointFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionForcePointFirewall' in (DisabledParsers) ))\n , ASimNetworkSessionNative (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionNative' in (DisabledParsers) ))\n , ASimNetworkSessionSentinelOne (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionSentinelOne' in (DisabledParsers) ))\n , ASimNetworkSessionCiscoMeraki (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoMeraki' in (DisabledParsers) ))\n , ASimNetworkSessionCiscoISE (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoISE' in (DisabledParsers) ))\n , ASimNetworkSessionBarracudaWAF (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionBarracudaWAF' in (DisabledParsers) ))\n , ASimNetworkSessionCiscoFirepower (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoFirepower' in (DisabledParsers) ))\n , ASimNetworkSessionCrowdStrikeFalconHost (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCrowdStrikeFalconHost' in (DisabledParsers) ))\n , ASimNetworkSessionVMwareCarbonBlackCloud (ASimBuiltInDisabled or 
('ExcludeASimNetworkSessionVMwareCarbonBlackCloud' in (DisabledParsers) ))\n , ASimNetworkSessionPaloAltoCortexDataLake (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionPaloAltoCortexDataLake' in (DisabledParsers) ))\n};\nNetworkSessionsGeneric (pack=pack)\n",
"version": 1,
"functionParameters": "pack:bool=False"
}
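Review bot: The new side of the `ASimNetworkSession` union still lists `ASimNetworkSessionCiscoMeraki` twice (once after the VectraAI entry and again after SentinelOne), and `union` does not deduplicate operands, so every Meraki session is returned twice whenever that parser is enabled; the second `, ASimNetworkSessionCiscoMeraki (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoMeraki' in (DisabledParsers) ))` entry should be dropped. The MD4IoT sensor entry is also gated on the key `'ExcludeASimNetworkSessionMD4IoTSSensor'` (double `S`), which breaks the `Exclude` + parser-name pattern every other entry follows, so a watchlist row named after the parser would not disable it — unless the misspelled key is intentionally documented somewhere, change it to `'ExcludeASimNetworkSessionMD4IoTSensor'`. Both issues predate this commit but live in the same query string the commit edits to add the Cortex Data Lake parser. The enclosing JSON object starts and ends outside this hunk.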
Expand Up @@ -35,7 +35,7 @@
"displayName": "Network Session ASIM parser for Palo Alto PanOS",
"category": "ASIM",
"FunctionAlias": "ASimNetworkSessionPaloAltoCEF",
"query": "let Actions=datatable(DeviceAction:string,DvcAction:string)\n[ \"reset client\",\"Reset Source\"\n, \"reset server\",\"Reset Destination\"\n, \"reset both\", \"Reset\"\n, \"allow\",\"Allow\"\n, \"deny\",\"Deny\"\n, \"drop\", \"Drop\"\n, \"drop ICMP\", \"Drop ICMP\"];\nlet NWParser=(disabled:bool=false){\nCommonSecurityLog | where not(disabled)\n| where DeviceVendor == \"Palo Alto Networks\" and DeviceProduct == \"PAN-OS\" and Activity == \"TRAFFIC\"\n| parse AdditionalExtensions with \"PanOSPacketsReceived=\" DstPackets:long * \"PanOSPacketsSent=\" SrcPackets:long *\n // -- Adjustment to support both old and new CSL fields.\n| extend \n EventStartTime = coalesce(\n todatetime(StartTime), \n extract(@'start=(.*?)(?:;|$)',1, AdditionalExtensions,typeof(datetime)),\n datetime(null)\n ),\n EventOriginalResultDetails = coalesce(\n column_ifexists(\"Reason\", \"\"),\n extract(@'reason=(.*?)(?:;|$)',1, AdditionalExtensions, typeof(string)),\n \"\"\n )\n| project-rename \n EventProductVersion=DeviceVersion // Not Documented\n , Dvc=DeviceName \n , NetworkApplicationProtocol=ApplicationProtocol\n , SrcZone=DeviceCustomString4 \n , DstZone=DeviceCustomString5\n , NetworkRuleName=DeviceCustomString1\n , SrcUsername=SourceUserName \n , DstUsername=DestinationUserName \n , EventOriginalSeverity=LogSeverity // not documented\n , SrcNatIpAddr=SourceTranslatedAddress\n , DstNatIpAddr=DestinationTranslatedAddress\n , PaloAltoFlags=FlexString1 // Flags\n| extend\nEventVendor=\"Palo Alto\"\n ,EventProduct=\"PanOS\" // Not Documented\n , SrcBytes=tolong(SentBytes)\n , DstBytes=tolong(ReceivedBytes) \n , NetworkProtocol=toupper(Protocol)\n , NetworkBytes=tolong(FlexNumber1)\n , SrcUsernameType=case(isempty(SrcUsername), \"\", SrcUsername contains \"@\", \"UPN\", \"Simple\")\n , DstUsernameType=case(isempty(DstUsername), \"\", DstUsername contains \"@\", \"UPN\", \"Simple\")\n , EventType=\"NetworkSession\"\n , EventCount=toint(1)\n , 
EventResult=case(DeviceAction==\"allow\",\"Success\",\"Failure\")\n // -- Adjustment to support both old and new CSL fields.\n , NetworkPackets = coalesce(\n tolong(column_ifexists(\"FieldDeviceCustomNumber2\", long(null))),\n tolong(column_ifexists(\"DeviceCustomNumber2\",long(null)))\n )\n , NetworkSessionId = coalesce(\n tostring(column_ifexists(\"FieldDeviceCustomNumber1\", long(null))),\n tostring(column_ifexists(\"DeviceCustomNumber1\",long(null)))\n )\n , NetworkDuration= coalesce(\n toint(1000*column_ifexists(\"FieldDeviceCustomNumber3\", 0)),\n toint(1000*column_ifexists(\"DeviceCustomNumber3\",0)),\n int(null)\n )\n , EventSchemaVersion=\"0.2.1\"\n , EventSchema=\"NetworkSession\"\n , EventSeverity = \"Informational\"\n| extend hostelements=split(Dvc,'.')\n| extend DvcHostname=tostring(hostelements[0])\n , DvcDomain=strcat_array( array_slice(hostelements,1,-1), '.')\n| extend DvcFQDN = iff(Dvc contains \".\",Dvc,\"\" )\n , DvcDomainType=iff(Dvc contains \".\",\"FQDN\",\"\" )\n| project-away hostelements\n| lookup Actions on DeviceAction\n| project-rename\n DstMacAddr=DestinationMACAddress\n , SrcMacAddr=SourceMACAddress\n , DstIpAddr=DestinationIP\n , DstPortNumber=DestinationPort\n , DstNatPortNumber=DestinationTranslatedPort\n , SrcPortNumber=SourcePort\n , SrcIpAddr=SourceIP\n , SrcNatPortNumber=SourceTranslatedPort\n , DvcOutboundInterface=DeviceOutboundInterface\n , DvcInboundInterface=DeviceInboundInterface\n , EventMessage=Message\n , DvcOriginalAction=DeviceAction\n// -- Aliases\n| extend\nIpAddr = SrcIpAddr,\nRule=NetworkRuleName,\nDst=DstIpAddr,\n// Host=DstHostname, \nUser=DstUsername,\nDuration=NetworkDuration,\nSessionId=NetworkSessionId,\nEventEndTime =EventStartTime,\nSrc=SrcIpAddr\n| project-away AdditionalExtensions, CommunicationDirection, Device*, Destination*, EndTime, ExternalID, File*, Flex*, IndicatorThreatType, Malicious*, Old*, Process*, ReceiptTime, ReceivedBytes, Remote*, Request*, Sent*, SimplifiedDeviceAction, Source*, 
StartTime, TenantId, ThreatConfidence, ThreatDescription, ThreatSeverity, EventOutcome, FieldDevice*, ExtID, Reason, ReportReferenceLink, Activity, Computer, OriginalLogSeverity, PaloAltoFlags, Protocol\n};\nNWParser (disabled)",
"query": "let Actions=datatable(DeviceAction:string,DvcAction:string)\n[ \"reset client\",\"Reset Source\"\n, \"reset server\",\"Reset Destination\"\n, \"reset both\", \"Reset\"\n, \"allow\",\"Allow\"\n, \"deny\",\"Deny\"\n, \"drop\", \"Drop\"\n, \"drop ICMP\", \"Drop ICMP\"\n, \"reset-client\",\"Reset Source\"\n, \"reset-server\",\"Reset Destination\"\n, \"reset-both\", \"Reset\"\n, \"drop-icmp\", \"Drop ICMP\"];\nlet NWParser=(disabled:bool=false){\nCommonSecurityLog | where not(disabled)\n| where DeviceVendor == \"Palo Alto Networks\" and DeviceProduct == \"PAN-OS\" and Activity == \"TRAFFIC\"\n| parse AdditionalExtensions with \"PanOSPacketsReceived=\" DstPackets:long * \"PanOSPacketsSent=\" SrcPackets:long *\n // -- Adjustment to support both old and new CSL fields.\n| extend \n EventStartTime = coalesce(\n todatetime(StartTime), \n extract(@'start=(.*?)(?:;|$)',1, AdditionalExtensions,typeof(datetime)),\n datetime(null)\n ),\n EventOriginalResultDetails = coalesce(\n column_ifexists(\"Reason\", \"\"),\n extract(@'reason=(.*?)(?:;|$)',1, AdditionalExtensions, typeof(string)),\n \"\"\n )\n| project-rename \n EventProductVersion=DeviceVersion // Not Documented\n , Dvc=DeviceName \n , NetworkApplicationProtocol=ApplicationProtocol\n , SrcZone=DeviceCustomString4 \n , DstZone=DeviceCustomString5\n , NetworkRuleName=DeviceCustomString1\n , SrcUsername=SourceUserName \n , DstUsername=DestinationUserName \n , EventOriginalSeverity=LogSeverity // not documented\n , SrcNatIpAddr=SourceTranslatedAddress\n , DstNatIpAddr=DestinationTranslatedAddress\n , PaloAltoFlags=FlexString1 // Flags\n| extend\nEventVendor=\"Palo Alto\"\n ,EventProduct=\"PanOS\" // Not Documented\n , SrcBytes=tolong(SentBytes)\n , DstBytes=tolong(ReceivedBytes) \n , NetworkProtocol=toupper(Protocol)\n , NetworkBytes=tolong(FlexNumber1)\n , SrcUsernameType=case(isempty(SrcUsername), \"\", SrcUsername contains \"@\", \"UPN\", \"Simple\")\n , DstUsernameType=case(isempty(DstUsername), \"\", DstUsername 
contains \"@\", \"UPN\", \"Simple\")\n , EventType=\"NetworkSession\"\n , EventCount=toint(1)\n , EventResult=case(DeviceAction==\"allow\",\"Success\",\"Failure\")\n // -- Adjustment to support both old and new CSL fields.\n , NetworkPackets = coalesce(\n tolong(column_ifexists(\"FieldDeviceCustomNumber2\", long(null))),\n tolong(column_ifexists(\"DeviceCustomNumber2\",long(null)))\n )\n , NetworkSessionId = coalesce(\n tostring(column_ifexists(\"FieldDeviceCustomNumber1\", long(null))),\n tostring(column_ifexists(\"DeviceCustomNumber1\",long(null)))\n )\n , NetworkDuration= coalesce(\n toint(1000*column_ifexists(\"FieldDeviceCustomNumber3\", 0)),\n toint(1000*column_ifexists(\"DeviceCustomNumber3\",0)),\n int(null)\n )\n , EventSchemaVersion=\"0.2.1\"\n , EventSchema=\"NetworkSession\"\n , EventSeverity = \"Informational\"\n| extend hostelements=split(Dvc,'.')\n| extend DvcHostname=tostring(hostelements[0])\n , DvcDomain=strcat_array( array_slice(hostelements,1,-1), '.')\n| extend DvcFQDN = iff(Dvc contains \".\",Dvc,\"\" )\n , DvcDomainType=iff(Dvc contains \".\",\"FQDN\",\"\" )\n| project-away hostelements\n| lookup Actions on DeviceAction\n| project-rename\n DstMacAddr=DestinationMACAddress\n , SrcMacAddr=SourceMACAddress\n , DstIpAddr=DestinationIP\n , DstPortNumber=DestinationPort\n , DstNatPortNumber=DestinationTranslatedPort\n , SrcPortNumber=SourcePort\n , SrcIpAddr=SourceIP\n , SrcNatPortNumber=SourceTranslatedPort\n , DvcOutboundInterface=DeviceOutboundInterface\n , DvcInboundInterface=DeviceInboundInterface\n , EventMessage=Message\n , DvcOriginalAction=DeviceAction\n// -- Aliases\n| extend\nIpAddr = SrcIpAddr,\nRule=NetworkRuleName,\nDst=DstIpAddr,\n// Host=DstHostname, \nUser=DstUsername,\nDuration=NetworkDuration,\nSessionId=NetworkSessionId,\nEventEndTime =EventStartTime,\nSrc=SrcIpAddr\n| project-away AdditionalExtensions, CommunicationDirection, Device*, Destination*, EndTime, ExternalID, File*, Flex*, IndicatorThreatType, Malicious*, Old*, 
Process*, ReceiptTime, ReceivedBytes, Remote*, Request*, Sent*, SimplifiedDeviceAction, Source*, StartTime, TenantId, ThreatConfidence, ThreatDescription, ThreatSeverity, EventOutcome, FieldDevice*, ExtID, Reason, ReportReferenceLink, Activity, Computer, OriginalLogSeverity, PaloAltoFlags, Protocol\n};\nNWParser (disabled)",
"version": 1,
"functionParameters": "disabled:bool=False"
}
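Review bot: The four added `Actions` rows cover only the lowercase hyphenated spellings, while `lookup Actions on DeviceAction` is an exact, case-sensitive match, so any further variant (`Drop ICMP`, `Reset-Client`, …) still produces an empty `DvcAction` with nothing flagging the missed mapping. The datatable should say why two spellings coexist, e.g. `// PAN-OS CEF action values have been observed both space- and hyphen-separated; keep both keyed forms` — I cannot tell from the diff which PAN-OS versions or forwarders emit the hyphenated form, so word it to match what was actually seen. If variants keep appearing, matching on a normalized key (`| extend ActionKey = tolower(DeviceAction)` and `| lookup Actions on $left.ActionKey == $right.DeviceAction` against lowercased table keys, then projecting `ActionKey` away) would be more robust than enumerating spellings; the normalization must go on a separate column because `DvcOriginalAction` is later renamed from the raw `DeviceAction`. Note also that `EventResult` still maps only the literal `allow` to `Success`, so every hyphenated or unknown action is reported as `Failure` — correct for the reset/drop rows added here, but worth confirming for any future allow-like variant. The KQL function is complete within this line, but the enclosing JSON object continues outside the hunk.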
