diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSession/ASimNetworkSession.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSession/ASimNetworkSession.json
index 84c697a6700..2b17cf818c2 100644
--- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSession/ASimNetworkSession.json
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSession/ASimNetworkSession.json
@@ -35,7 +35,7 @@
"displayName": "Network Session ASIM parser",
"category": "ASIM",
"FunctionAlias": "ASimNetworkSession",
- "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimNetworkSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet ASimBuiltInDisabled=toscalar('ExcludeASimNetworkSession' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet NetworkSessionsGeneric=(pack:bool=false){\nunion isfuzzy=true\n vimNetworkSessionEmpty\n , ASimNetworkSessionLinuxSysmon (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionLinuxSysmon' in (DisabledParsers) ))\n , ASimNetworkSessionMicrosoft365Defender (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoft365Defender' in (DisabledParsers) ))\n , ASimNetworkSessionMD4IoTSensor (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMD4IoTSSensor' in (DisabledParsers) ))\n , ASimNetworkSessionMD4IoTAgent (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMD4IoTAgent' in (DisabledParsers) ))\n , ASimNetworkSessionMicrosoftWindowsEventFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoftWindowsEventFirewall' in (DisabledParsers) ))\n , ASimNetworkSessionPaloAltoCEF (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionPaloAltoCEF' in (DisabledParsers) ))\n , ASimNetworkSessionVMConnection (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionVMConnection' in (DisabledParsers) ))\n , ASimNetworkSessionAWSVPC (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAWSVPC' in (DisabledParsers) ))\n , ASimNetworkSessionAzureFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAzureFirewall' in (DisabledParsers) ))\n , ASimNetworkSessionAzureNSG (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAzureNSG' in (DisabledParsers) ))\n , ASimNetworkSessionVectraAI (pack=pack, disabled=(ASimBuiltInDisabled or ('ExcludeASimNetworkSessionVectraAI' in (DisabledParsers) )))\n , ASimNetworkSessionCiscoMeraki (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoMeraki' in (DisabledParsers) ))\n , 
ASimNetworkSessionAppGateSDP (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAppGateSDP' in (DisabledParsers) ))\n , ASimNetworkSessionFortinetFortiGate (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionFortinetFortiGate' in (DisabledParsers) ))\n , ASimNetworkSessionCorelightZeek (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCorelightZeek' in (DisabledParsers) ))\n , ASimNetworkSessionCheckPointFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCheckPointFirewall' in (DisabledParsers) ))\n , ASimNetworkSessionCiscoASA (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoASA' in (DisabledParsers) ))\n , ASimNetworkSessionWatchGuardFirewareOS (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionWatchGuardFirewareOS' in (DisabledParsers) ))\n , ASimNetworkSessionMicrosoftSysmon (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoftSysmon' in (DisabledParsers) ))\n , ASimNetworkSessionForcePointFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionForcePointFirewall' in (DisabledParsers) ))\n , ASimNetworkSessionNative (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionNative' in (DisabledParsers) ))\n , ASimNetworkSessionSentinelOne (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionSentinelOne' in (DisabledParsers) ))\n , ASimNetworkSessionCiscoMeraki (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoMeraki' in (DisabledParsers) ))\n , ASimNetworkSessionCiscoISE (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoISE' in (DisabledParsers) ))\n , ASimNetworkSessionBarracudaWAF (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionBarracudaWAF' in (DisabledParsers) ))\n , ASimNetworkSessionCiscoFirepower (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoFirepower' in (DisabledParsers) ))\n , ASimNetworkSessionCrowdStrikeFalconHost (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCrowdStrikeFalconHost' in (DisabledParsers) ))\n , ASimNetworkSessionVMwareCarbonBlackCloud (ASimBuiltInDisabled or 
('ExcludeASimNetworkSessionVMwareCarbonBlackCloud' in (DisabledParsers) ))\n};\nNetworkSessionsGeneric (pack=pack)\n",
+ "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimNetworkSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet ASimBuiltInDisabled=toscalar('ExcludeASimNetworkSession' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet NetworkSessionsGeneric=(pack:bool=false){\nunion isfuzzy=true\n vimNetworkSessionEmpty\n , ASimNetworkSessionLinuxSysmon (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionLinuxSysmon' in (DisabledParsers) ))\n , ASimNetworkSessionMicrosoft365Defender (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoft365Defender' in (DisabledParsers) ))\n , ASimNetworkSessionMD4IoTSensor (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMD4IoTSSensor' in (DisabledParsers) ))\n , ASimNetworkSessionMD4IoTAgent (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMD4IoTAgent' in (DisabledParsers) ))\n , ASimNetworkSessionMicrosoftWindowsEventFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoftWindowsEventFirewall' in (DisabledParsers) ))\n , ASimNetworkSessionPaloAltoCEF (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionPaloAltoCEF' in (DisabledParsers) ))\n , ASimNetworkSessionVMConnection (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionVMConnection' in (DisabledParsers) ))\n , ASimNetworkSessionAWSVPC (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAWSVPC' in (DisabledParsers) ))\n , ASimNetworkSessionAzureFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAzureFirewall' in (DisabledParsers) ))\n , ASimNetworkSessionAzureNSG (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAzureNSG' in (DisabledParsers) ))\n , ASimNetworkSessionVectraAI (pack=pack, disabled=(ASimBuiltInDisabled or ('ExcludeASimNetworkSessionVectraAI' in (DisabledParsers) )))\n , ASimNetworkSessionCiscoMeraki (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoMeraki' in (DisabledParsers) ))\n , 
ASimNetworkSessionAppGateSDP (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAppGateSDP' in (DisabledParsers) ))\n , ASimNetworkSessionFortinetFortiGate (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionFortinetFortiGate' in (DisabledParsers) ))\n , ASimNetworkSessionCorelightZeek (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCorelightZeek' in (DisabledParsers) ))\n , ASimNetworkSessionCheckPointFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCheckPointFirewall' in (DisabledParsers) ))\n , ASimNetworkSessionCiscoASA (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoASA' in (DisabledParsers) ))\n , ASimNetworkSessionWatchGuardFirewareOS (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionWatchGuardFirewareOS' in (DisabledParsers) ))\n , ASimNetworkSessionMicrosoftSysmon (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoftSysmon' in (DisabledParsers) ))\n , ASimNetworkSessionForcePointFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionForcePointFirewall' in (DisabledParsers) ))\n , ASimNetworkSessionNative (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionNative' in (DisabledParsers) ))\n , ASimNetworkSessionSentinelOne (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionSentinelOne' in (DisabledParsers) ))\n , ASimNetworkSessionCiscoMeraki (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoMeraki' in (DisabledParsers) ))\n , ASimNetworkSessionCiscoISE (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoISE' in (DisabledParsers) ))\n , ASimNetworkSessionBarracudaWAF (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionBarracudaWAF' in (DisabledParsers) ))\n , ASimNetworkSessionCiscoFirepower (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoFirepower' in (DisabledParsers) ))\n , ASimNetworkSessionCrowdStrikeFalconHost (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCrowdStrikeFalconHost' in (DisabledParsers) ))\n , ASimNetworkSessionVMwareCarbonBlackCloud (ASimBuiltInDisabled or 
('ExcludeASimNetworkSessionVMwareCarbonBlackCloud' in (DisabledParsers) ))\n , ASimNetworkSessionPaloAltoCortexDataLake (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionPaloAltoCortexDataLake' in (DisabledParsers) ))\n};\nNetworkSessionsGeneric (pack=pack)\n",
"version": 1,
"functionParameters": "pack:bool=False"
}
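Review bot: The rebuilt union on the new query line still lists `ASimNetworkSessionCiscoMeraki` twice (once after VectraAI and again after SentinelOne), so every Meraki event is emitted twice by `ASimNetworkSession`, since `union isfuzzy=true` does not deduplicate. The added `ASimNetworkSessionPaloAltoCortexDataLake` entry itself follows the existing pattern correctly. On the same line the exclusion key `'ExcludeASimNetworkSessionMD4IoTSSensor'` (double S) does not follow the `Exclude` + function-name convention used by every other entry, so unless that spelling is the documented watchlist key, `ASimNetworkSessionMD4IoTSensor` cannot be disabled through the watchlist. Both issues are carried over from the removed line but live on in the new one; drop the second `, ASimNetworkSessionCiscoMeraki (...)` entry and, if confirmed, correct the key to `'ExcludeASimNetworkSessionMD4IoTSensor'`.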
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionPaloAltoCEF/ASimNetworkSessionPaloAltoCEF.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionPaloAltoCEF/ASimNetworkSessionPaloAltoCEF.json
index 92534338e08..6bb0362af18 100644
--- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionPaloAltoCEF/ASimNetworkSessionPaloAltoCEF.json
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionPaloAltoCEF/ASimNetworkSessionPaloAltoCEF.json
@@ -35,7 +35,7 @@
"displayName": "Network Session ASIM parser for Palo Alto PanOS",
"category": "ASIM",
"FunctionAlias": "ASimNetworkSessionPaloAltoCEF",
- "query": "let Actions=datatable(DeviceAction:string,DvcAction:string)\n[ \"reset client\",\"Reset Source\"\n, \"reset server\",\"Reset Destination\"\n, \"reset both\", \"Reset\"\n, \"allow\",\"Allow\"\n, \"deny\",\"Deny\"\n, \"drop\", \"Drop\"\n, \"drop ICMP\", \"Drop ICMP\"];\nlet NWParser=(disabled:bool=false){\nCommonSecurityLog | where not(disabled)\n| where DeviceVendor == \"Palo Alto Networks\" and DeviceProduct == \"PAN-OS\" and Activity == \"TRAFFIC\"\n| parse AdditionalExtensions with \"PanOSPacketsReceived=\" DstPackets:long * \"PanOSPacketsSent=\" SrcPackets:long *\n // -- Adjustment to support both old and new CSL fields.\n| extend \n EventStartTime = coalesce(\n todatetime(StartTime), \n extract(@'start=(.*?)(?:;|$)',1, AdditionalExtensions,typeof(datetime)),\n datetime(null)\n ),\n EventOriginalResultDetails = coalesce(\n column_ifexists(\"Reason\", \"\"),\n extract(@'reason=(.*?)(?:;|$)',1, AdditionalExtensions, typeof(string)),\n \"\"\n )\n| project-rename \n EventProductVersion=DeviceVersion // Not Documented\n , Dvc=DeviceName \n , NetworkApplicationProtocol=ApplicationProtocol\n , SrcZone=DeviceCustomString4 \n , DstZone=DeviceCustomString5\n , NetworkRuleName=DeviceCustomString1\n , SrcUsername=SourceUserName \n , DstUsername=DestinationUserName \n , EventOriginalSeverity=LogSeverity // not documented\n , SrcNatIpAddr=SourceTranslatedAddress\n , DstNatIpAddr=DestinationTranslatedAddress\n , PaloAltoFlags=FlexString1 // Flags\n| extend\nEventVendor=\"Palo Alto\"\n ,EventProduct=\"PanOS\" // Not Documented\n , SrcBytes=tolong(SentBytes)\n , DstBytes=tolong(ReceivedBytes) \n , NetworkProtocol=toupper(Protocol)\n , NetworkBytes=tolong(FlexNumber1)\n , SrcUsernameType=case(isempty(SrcUsername), \"\", SrcUsername contains \"@\", \"UPN\", \"Simple\")\n , DstUsernameType=case(isempty(DstUsername), \"\", DstUsername contains \"@\", \"UPN\", \"Simple\")\n , EventType=\"NetworkSession\"\n , EventCount=toint(1)\n , 
EventResult=case(DeviceAction==\"allow\",\"Success\",\"Failure\")\n // -- Adjustment to support both old and new CSL fields.\n , NetworkPackets = coalesce(\n tolong(column_ifexists(\"FieldDeviceCustomNumber2\", long(null))),\n tolong(column_ifexists(\"DeviceCustomNumber2\",long(null)))\n )\n , NetworkSessionId = coalesce(\n tostring(column_ifexists(\"FieldDeviceCustomNumber1\", long(null))),\n tostring(column_ifexists(\"DeviceCustomNumber1\",long(null)))\n )\n , NetworkDuration= coalesce(\n toint(1000*column_ifexists(\"FieldDeviceCustomNumber3\", 0)),\n toint(1000*column_ifexists(\"DeviceCustomNumber3\",0)),\n int(null)\n )\n , EventSchemaVersion=\"0.2.1\"\n , EventSchema=\"NetworkSession\"\n , EventSeverity = \"Informational\"\n| extend hostelements=split(Dvc,'.')\n| extend DvcHostname=tostring(hostelements[0])\n , DvcDomain=strcat_array( array_slice(hostelements,1,-1), '.')\n| extend DvcFQDN = iff(Dvc contains \".\",Dvc,\"\" )\n , DvcDomainType=iff(Dvc contains \".\",\"FQDN\",\"\" )\n| project-away hostelements\n| lookup Actions on DeviceAction\n| project-rename\n DstMacAddr=DestinationMACAddress\n , SrcMacAddr=SourceMACAddress\n , DstIpAddr=DestinationIP\n , DstPortNumber=DestinationPort\n , DstNatPortNumber=DestinationTranslatedPort\n , SrcPortNumber=SourcePort\n , SrcIpAddr=SourceIP\n , SrcNatPortNumber=SourceTranslatedPort\n , DvcOutboundInterface=DeviceOutboundInterface\n , DvcInboundInterface=DeviceInboundInterface\n , EventMessage=Message\n , DvcOriginalAction=DeviceAction\n// -- Aliases\n| extend\nIpAddr = SrcIpAddr,\nRule=NetworkRuleName,\nDst=DstIpAddr,\n// Host=DstHostname, \nUser=DstUsername,\nDuration=NetworkDuration,\nSessionId=NetworkSessionId,\nEventEndTime =EventStartTime,\nSrc=SrcIpAddr\n| project-away AdditionalExtensions, CommunicationDirection, Device*, Destination*, EndTime, ExternalID, File*, Flex*, IndicatorThreatType, Malicious*, Old*, Process*, ReceiptTime, ReceivedBytes, Remote*, Request*, Sent*, SimplifiedDeviceAction, Source*, 
StartTime, TenantId, ThreatConfidence, ThreatDescription, ThreatSeverity, EventOutcome, FieldDevice*, ExtID, Reason, ReportReferenceLink, Activity, Computer, OriginalLogSeverity, PaloAltoFlags, Protocol\n};\nNWParser (disabled)",
+ "query": "let Actions=datatable(DeviceAction:string,DvcAction:string)\n[ \"reset client\",\"Reset Source\"\n, \"reset server\",\"Reset Destination\"\n, \"reset both\", \"Reset\"\n, \"allow\",\"Allow\"\n, \"deny\",\"Deny\"\n, \"drop\", \"Drop\"\n, \"drop ICMP\", \"Drop ICMP\"\n, \"reset-client\",\"Reset Source\"\n, \"reset-server\",\"Reset Destination\"\n, \"reset-both\", \"Reset\"\n, \"drop-icmp\", \"Drop ICMP\"];\nlet NWParser=(disabled:bool=false){\nCommonSecurityLog | where not(disabled)\n| where DeviceVendor == \"Palo Alto Networks\" and DeviceProduct == \"PAN-OS\" and Activity == \"TRAFFIC\"\n| parse AdditionalExtensions with \"PanOSPacketsReceived=\" DstPackets:long * \"PanOSPacketsSent=\" SrcPackets:long *\n // -- Adjustment to support both old and new CSL fields.\n| extend \n EventStartTime = coalesce(\n todatetime(StartTime), \n extract(@'start=(.*?)(?:;|$)',1, AdditionalExtensions,typeof(datetime)),\n datetime(null)\n ),\n EventOriginalResultDetails = coalesce(\n column_ifexists(\"Reason\", \"\"),\n extract(@'reason=(.*?)(?:;|$)',1, AdditionalExtensions, typeof(string)),\n \"\"\n )\n| project-rename \n EventProductVersion=DeviceVersion // Not Documented\n , Dvc=DeviceName \n , NetworkApplicationProtocol=ApplicationProtocol\n , SrcZone=DeviceCustomString4 \n , DstZone=DeviceCustomString5\n , NetworkRuleName=DeviceCustomString1\n , SrcUsername=SourceUserName \n , DstUsername=DestinationUserName \n , EventOriginalSeverity=LogSeverity // not documented\n , SrcNatIpAddr=SourceTranslatedAddress\n , DstNatIpAddr=DestinationTranslatedAddress\n , PaloAltoFlags=FlexString1 // Flags\n| extend\nEventVendor=\"Palo Alto\"\n ,EventProduct=\"PanOS\" // Not Documented\n , SrcBytes=tolong(SentBytes)\n , DstBytes=tolong(ReceivedBytes) \n , NetworkProtocol=toupper(Protocol)\n , NetworkBytes=tolong(FlexNumber1)\n , SrcUsernameType=case(isempty(SrcUsername), \"\", SrcUsername contains \"@\", \"UPN\", \"Simple\")\n , DstUsernameType=case(isempty(DstUsername), \"\", 
DstUsername contains \"@\", \"UPN\", \"Simple\")\n , EventType=\"NetworkSession\"\n , EventCount=toint(1)\n , EventResult=case(DeviceAction==\"allow\",\"Success\",\"Failure\")\n // -- Adjustment to support both old and new CSL fields.\n , NetworkPackets = coalesce(\n tolong(column_ifexists(\"FieldDeviceCustomNumber2\", long(null))),\n tolong(column_ifexists(\"DeviceCustomNumber2\",long(null)))\n )\n , NetworkSessionId = coalesce(\n tostring(column_ifexists(\"FieldDeviceCustomNumber1\", long(null))),\n tostring(column_ifexists(\"DeviceCustomNumber1\",long(null)))\n )\n , NetworkDuration= coalesce(\n toint(1000*column_ifexists(\"FieldDeviceCustomNumber3\", 0)),\n toint(1000*column_ifexists(\"DeviceCustomNumber3\",0)),\n int(null)\n )\n , EventSchemaVersion=\"0.2.1\"\n , EventSchema=\"NetworkSession\"\n , EventSeverity = \"Informational\"\n| extend hostelements=split(Dvc,'.')\n| extend DvcHostname=tostring(hostelements[0])\n , DvcDomain=strcat_array( array_slice(hostelements,1,-1), '.')\n| extend DvcFQDN = iff(Dvc contains \".\",Dvc,\"\" )\n , DvcDomainType=iff(Dvc contains \".\",\"FQDN\",\"\" )\n| project-away hostelements\n| lookup Actions on DeviceAction\n| project-rename\n DstMacAddr=DestinationMACAddress\n , SrcMacAddr=SourceMACAddress\n , DstIpAddr=DestinationIP\n , DstPortNumber=DestinationPort\n , DstNatPortNumber=DestinationTranslatedPort\n , SrcPortNumber=SourcePort\n , SrcIpAddr=SourceIP\n , SrcNatPortNumber=SourceTranslatedPort\n , DvcOutboundInterface=DeviceOutboundInterface\n , DvcInboundInterface=DeviceInboundInterface\n , EventMessage=Message\n , DvcOriginalAction=DeviceAction\n// -- Aliases\n| extend\nIpAddr = SrcIpAddr,\nRule=NetworkRuleName,\nDst=DstIpAddr,\n// Host=DstHostname, \nUser=DstUsername,\nDuration=NetworkDuration,\nSessionId=NetworkSessionId,\nEventEndTime =EventStartTime,\nSrc=SrcIpAddr\n| project-away AdditionalExtensions, CommunicationDirection, Device*, Destination*, EndTime, ExternalID, File*, Flex*, IndicatorThreatType, Malicious*, 
Old*, Process*, ReceiptTime, ReceivedBytes, Remote*, Request*, Sent*, SimplifiedDeviceAction, Source*, StartTime, TenantId, ThreatConfidence, ThreatDescription, ThreatSeverity, EventOutcome, FieldDevice*, ExtID, Reason, ReportReferenceLink, Activity, Computer, OriginalLogSeverity, PaloAltoFlags, Protocol\n};\nNWParser (disabled)",
"version": 1,
"functionParameters": "disabled:bool=False"
}
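Review bot: The added hyphenated rows in the `Actions` datatable are cased differently from the existing ones: `"drop ICMP"` keeps uppercase ICMP while the new `"drop-icmp"` is all lowercase, and `lookup Actions on DeviceAction` is case-sensitive, so whichever spelling PAN-OS actually emits for the hyphenated form must match exactly or `DvcAction` stays empty for those events. If the exact casing is not certain, keying the lookup on a lowercased copy (`| extend ActionKey = tolower(DeviceAction)` with the datatable column renamed to `ActionKey` and all keys lowercase) makes the mapping spelling-proof without altering `DvcOriginalAction`. The new rows would also benefit from a one-line comment in the datatable naming which log format produces the hyphenated spelling, e.g. `// hyphenated forms: emitted by newer PAN-OS exports (confirm)`.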
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionPaloAltoCortexDataLake/ASimNetworkSessionPaloAltoCortexDataLake.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionPaloAltoCortexDataLake/ASimNetworkSessionPaloAltoCortexDataLake.json
new file mode 100644
index 00000000000..72891cf77fb
--- /dev/null
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionPaloAltoCortexDataLake/ASimNetworkSessionPaloAltoCortexDataLake.json
@@ -0,0 +1,46 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "Workspace": {
+ "type": "string",
+ "metadata": {
+ "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group."
+ }
+ },
+ "WorkspaceRegion": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "The region of the selected workspace. The default value will use the Region selection above."
+ }
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/workspaces",
+ "apiVersion": "2017-03-15-preview",
+ "name": "[parameters('Workspace')]",
+ "location": "[parameters('WorkspaceRegion')]",
+ "resources": [
+ {
+ "type": "savedSearches",
+ "apiVersion": "2020-08-01",
+ "name": "ASimNetworkSessionPaloAltoCortexDataLake",
+ "dependsOn": [
+ "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
+ ],
+ "properties": {
+ "etag": "*",
+ "displayName": "Network Session ASIM parser for Palo Alto Cortex Data Lake",
+ "category": "ASIM",
+ "FunctionAlias": "ASimNetworkSessionPaloAltoCortexDataLake",
+ "query": "let EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\n[\n \"0\", \"Low\",\n \"1\", \"Low\",\n \"2\", \"Low\",\n \"3\", \"Low\",\n \"4\", \"Low\",\n \"5\", \"Low\",\n \"6\", \"Medium\",\n \"7\", \"Medium\",\n \"8\", \"Medium\",\n \"9\", \"High\",\n \"10\", \"High\"\n];\nlet EventResultDvcActionLookup = datatable (\n DeviceAction: string,\n DvcAction: string,\n EventResult: string\n)\n [\n \"allow\", \"Allow\", \"Success\",\n \"deny\", \"Deny\", \"Failure\",\n \"reset client\", \"Reset Source\", \"Failure\",\n \"reset server\", \"Reset Destination\", \"Failure\",\n \"reset both\", \"Reset\", \"Failure\",\n \"drop\", \"Drop\", \"Failure\",\n \"drop ICMP\", \"Drop ICMP\", \"Failure\"\n];\nlet EventResultDetailsLookup = datatable(Reason: string, EventResultDetails: string)[\n \"threat\", \"Reset\",\n \"policy-deny\", \"Unknown\",\n \"decrypt-cert-validation\", \"Terminated\",\n \"decrypt-unsupport-param\", \"Terminated\",\n \"decrypt-error\", \"Terminated\",\n \"tcp-rst-from-client\", \"Reset\",\n \"tcp-rst-from-server\", \"Reset\",\n \"resources-unavailable\", \"Unknown\",\n \"tcp-fin\", \"Unknown\",\n \"tcp-reuse\", \"Unknown\",\n \"decoder\", \"Unknown\",\n \"aged-out\", \"Unknown\",\n \"unknown\", \"Unknown\",\n \"n/a\", \"NA\",\n];\nlet ThreatRiskLevelLookup = datatable(PanOSApplicationRisk: string, ThreatRiskLevel: int)\n [\n \"1\", 20,\n \"2\", 40,\n \"3\", 60,\n \"4\", 80,\n \"5\", 100\n];\nlet parser = (disabled: bool=false) {\n CommonSecurityLog\n | where not(disabled)\n and DeviceVendor == \"Palo Alto Networks\" and DeviceProduct == \"LF\"\n and DeviceEventClassID == \"TRAFFIC\"\n | parse-kv AdditionalExtensions as (PanOSSessionStartTime: string, PanOSDestinationDeviceHost: string, PanOSSourceDeviceHost: string, PanOSDestinationUUID: string, PanOSDestinationLocation: string, PanOSSourceUUID: string, PanOSDestinationDeviceMac: string, PanOsBytes: long, PanOSIsClienttoServer: string, PanOSSourceLocation: string, 
PanOSSourceDeviceMac: string, PanOSPacketsReceived: long, PanOSPacketsSent: long, PanOSRuleUUID: int, PanOSApplicationCategory: string, PanOSApplicationSubcategory: string, PanOSChunksReceived: string, PanOSChunksSent: string, PanOSChunksTotal: string, PanOSApplicationContainer: string, PanOSDestinationDeviceCategory: string, PanOSLinkChangeCount: string, PanOSLinkSwitches: string, PanOSLogSource: string, PanOSNSSAINetworkSliceDifferentiator: string, PanOSNSSAINetworkSliceType: string, PanOSOutboundInterfaceDetailsPort: string, PanOSOutboundInterfaceDetailsSlot: string, PanOSOutboundInterfaceDetailsType: string, PanOSOutboundInterfaceDetailsUnit: string, PanOSParentSessionID: string, PanOsRuleUUID: string, PanOSSourceDeviceOS: string, PanOSSourceDeviceOSFamily: string, PanOSSourceDeviceOSVersion: string, PanOSSourceDeviceCategory: string, PanOSVirtualSystemID: string, PanOSVirtualSystemName: string, PanOSCortexDataLakeTenantID: string, PanOSApplicationRisk: string, PanOSIsSaaSApplication: string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | invoke _ASIM_ResolveDvcFQDN('DeviceName')\n | invoke _ASIM_ResolveDstFQDN('PanOSDestinationDeviceHost')\n | invoke _ASIM_ResolveSrcFQDN('PanOSSourceDeviceHost')\n | lookup EventResultDvcActionLookup on DeviceAction\n | lookup EventSeverityLookup on LogSeverity\n | lookup EventResultDetailsLookup on Reason\n | lookup ThreatRiskLevelLookup on PanOSApplicationRisk\n | extend\n EventStartTime = todatetime(PanOSSessionStartTime),\n SrcIpAddr = coalesce(SourceIP, DeviceCustomIPv6Address2),\n DstIpAddr = coalesce(DestinationIP, DeviceCustomIPv6Address3),\n NetworkSessionId = tostring(FieldDeviceCustomNumber1),\n NetworkDuration = toint(FieldDeviceCustomNumber3),\n DstBytes = tolong(ReceivedBytes),\n SrcBytes = tolong(SentBytes),\n SrcDomain = coalesce(SourceNTDomain, SrcDomain),\n DstDomain = coalesce(DestinationNTDomain, DstDomain),\n AdditionalFields = bag_pack(\n \"urlcategory\",\n DeviceCustomString2,\n 
\"virtualLocation\",\n DeviceCustomString3,\n \"PanOSApplicationCategory\",\n PanOSApplicationCategory,\n \"PanOSApplicationSubcategory\",\n PanOSApplicationSubcategory,\n \"PanOSChunksReceived\",\n PanOSChunksReceived,\n \"PanOSChunksSent\",\n PanOSChunksSent,\n \"PanOSChunksTotal\",\n PanOSChunksTotal,\n \"PanOSApplicationContainer\",\n PanOSApplicationContainer,\n \"PanOSDestinationDeviceCategory\",\n PanOSDestinationDeviceCategory,\n \"PanOSIsClienttoServer\",\n PanOSIsClienttoServer,\n \"PanOSLinkChangeCount\",\n PanOSLinkChangeCount,\n \"PanOSLinkSwitches\",\n PanOSLinkSwitches,\n \"PanOSLogSource\",\n PanOSLogSource,\n \"PanOSNSSAINetworkSliceDifferentiator\",\n PanOSNSSAINetworkSliceDifferentiator,\n \"PanOSNSSAINetworkSliceType\",\n PanOSNSSAINetworkSliceType,\n \"PanOSOutboundInterfaceDetailsPort\",\n PanOSOutboundInterfaceDetailsPort,\n \"PanOSOutboundInterfaceDetailsSlot\",\n PanOSOutboundInterfaceDetailsSlot,\n \"PanOSOutboundInterfaceDetailsType\",\n PanOSOutboundInterfaceDetailsType,\n \"PanOSOutboundInterfaceDetailsUnit\",\n PanOSOutboundInterfaceDetailsUnit,\n \"PanOSParentSessionID\",\n PanOSParentSessionID,\n \"PanOsRuleUUID\",\n PanOsRuleUUID,\n \"PanOSSourceDeviceOS\",\n PanOSSourceDeviceOS,\n \"PanOSSourceDeviceOSFamily\",\n PanOSSourceDeviceOSFamily,\n \"PanOSSourceDeviceOSVersion\",\n PanOSSourceDeviceOSVersion,\n \"PanOSSourceDeviceCategory\",\n PanOSSourceDeviceCategory,\n \"PanOSVirtualSystemID\",\n PanOSVirtualSystemID,\n \"PanOSVirtualSystemName\",\n PanOSVirtualSystemName\n )\n | project-rename\n DvcIpAddr = Computer,\n EventUid = _ItemId,\n DstDvcId = PanOSDestinationUUID,\n DstGeoCountry = PanOSDestinationLocation,\n DstMacAddr = PanOSDestinationDeviceMac,\n DstNatIpAddr = DestinationTranslatedAddress,\n DstNatPortNumber = DestinationTranslatedPort,\n DstPackets = PanOSPacketsReceived,\n DstPortNumber = DestinationPort,\n DstUsername = DestinationUserName,\n DvcId = DeviceExternalID,\n DvcOriginalAction = DeviceAction,\n 
EventOriginalSeverity = LogSeverity,\n DstZone = DeviceCustomString5,\n EventOriginalType = DeviceEventClassID,\n EventOriginalUid = ExtID,\n EventProductVersion = DeviceVersion,\n NetworkPackets = FieldDeviceCustomNumber2,\n NetworkRuleName = DeviceCustomString1,\n SrcDvcId = PanOSSourceUUID,\n SrcGeoCountry = PanOSSourceLocation,\n SrcMacAddr = PanOSSourceDeviceMac,\n SrcNatIpAddr = SourceTranslatedAddress,\n SrcNatPortNumber = SourceTranslatedPort,\n SrcPackets = PanOSPacketsSent,\n SrcPortNumber = SourcePort,\n SrcUsername = SourceUserName,\n SrcZone = DeviceCustomString4,\n DvcScopeId = PanOSCortexDataLakeTenantID,\n EventOriginalSubType = Activity,\n DstUserId = DestinationUserID,\n EventOriginalResultDetails = Reason,\n SrcUserId = SourceUserID,\n DvcInboundInterface = DeviceInboundInterface,\n DvcOutboundInterface = DeviceOutboundInterface,\n SrcAppName = ApplicationProtocol,\n ThreatOriginalRiskLevel = PanOSApplicationRisk\n | extend\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n EventEndTime = EventStartTime,\n Dst = coalesce(DstDvcId, DstHostname, DstIpAddr),\n Src = coalesce(SrcDvcId, SrcHostname, SrcIpAddr),\n DstUserType = _ASIM_GetUserType(DstUsername, \"\"),\n NetworkProtocol = toupper(Protocol),\n NetworkBytes = SrcBytes + DstBytes,\n NetworkProtocolVersion = case(\n DstIpAddr contains \".\",\n \"IPv4\", \n DstIpAddr contains \":\",\n \"IPv6\", \n \"\"\n ),\n NetworkDirection = iff(PanOSIsClienttoServer == \"true\", \"Outbound\", \"Inbound\"),\n Rule = NetworkRuleName,\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\"),\n DstUsernameType = _ASIM_GetUsernameType(DstUsername),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n Duration = NetworkDuration,\n IpAddr = SrcIpAddr,\n SessionId = NetworkSessionId,\n User = DstUsername,\n Hostname = DstHostname,\n SrcDvcIdType = iff(isnotempty(SrcDvcId), \"Other\", \"\"),\n DstDvcIdType = iff(isnotempty(DstDvcId), \"Other\", 
\"\"),\n SrcDomainType = iff(isnotempty(SourceNTDomain), \"Windows\", SrcDomainType),\n DstDomainType = iff(isnotempty(DestinationNTDomain), \"Windows\", DstDomainType),\n DstUserIdType = iff(isnotempty(DstUserId), \"UID\", \"\"),\n SrcUserIdType = iff(isnotempty(SrcUserId), \"UID\", \"\"),\n SrcAppType = case(\n isnotempty(SrcAppName) and PanOSIsSaaSApplication == \"true\",\n \"SaaS Application\",\n isnotempty(SrcAppName) and PanOSIsSaaSApplication == \"false\",\n \"Other\",\n \"\"\n )\n | extend\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n EventType = \"NetworkSession\",\n EventProduct = \"Cortex Data Lake\",\n EventVendor = \"Palo Alto\"\n | project-away\n Source*,\n Destination*,\n Device*,\n AdditionalExtensions,\n CommunicationDirection,\n EventOutcome,\n PanOS*,\n PanOs*,\n Protocol,\n SimplifiedDeviceAction,\n ExternalID,\n Message,\n EndTime,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n MaliciousIP*,\n OriginalLogSeverity,\n Process*,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n StartTime,\n TenantId,\n ReportReferenceLink,\n ReceiptTime,\n Indicator*,\n _ResourceId,\n ThreatConfidence,\n ThreatDescription,\n ThreatSeverity\n};\nparser(disabled=disabled)\n",
+ "version": 1,
+ "functionParameters": "disabled:bool=False"
+ }
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
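Review bot: `NetworkDuration = toint(FieldDeviceCustomNumber3)` in the new parser's first `extend` takes the raw value, whereas the sibling `ASimNetworkSessionPaloAltoCEF` parser in this same diff computes `toint(1000*column_ifexists("FieldDeviceCustomNumber3", 0))`; ASIM NetworkDuration is in milliseconds, so if the Cortex Data Lake field carries the same seconds-valued elapsed time the new parser under-reports by a factor of 1000 and the two parsers disagree for the same session. `parse-kv` also declares `PanOSRuleUUID: int` next to `PanOsRuleUUID: string`; a UUID cannot parse as int, the int column is never referenced afterwards and is swept away by `PanOS*`, so the `int` declaration should be dropped. `NetworkDirection = iff(PanOSIsClienttoServer == "true", "Outbound", "Inbound")` labels every event whose flag is missing or empty as Inbound; `case(PanOSIsClienttoServer == "true", "Outbound", PanOSIsClienttoServer == "false", "Inbound", "")` avoids asserting a direction the source did not state, which matters because direction feeds detection logic. The trailing comma after the `"n/a", "NA"` row in `EventResultDetailsLookup` is worth confirming parses in every Log Analytics environment this ships to.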
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionPaloAltoCortexDataLake/README.md b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionPaloAltoCortexDataLake/README.md
new file mode 100644
index 00000000000..6c3d655fa57
--- /dev/null
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionPaloAltoCortexDataLake/README.md
@@ -0,0 +1,18 @@
+# Palo Alto Cortex Data Lake ASIM NetworkSession Normalization Parser
+
+ARM template for ASIM NetworkSession schema parser for Palo Alto Cortex Data Lake.
+
+This ASIM parser supports normalizing NetworkSession logs from Palo Alto Cortex Data Lake to the ASIM NetworkSession normalized schema. These events are captured through the Palo Alto Networks CDL data connector that ingests CDL logs into Microsoft Sentinel.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM NetworkSession normalization schema reference](https://aka.ms/ASimNetworkSessionDoc)
+
+
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimNetworkSession%2FARM%2FASimNetworkSessionPaloAltoCortexDataLake%2FASimNetworkSessionPaloAltoCortexDataLake.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimNetworkSession%2FARM%2FASimNetworkSessionPaloAltoCortexDataLake%2FASimNetworkSessionPaloAltoCortexDataLake.json)
diff --git a/Parsers/ASimNetworkSession/ARM/FullDeploymentNetworkSession.json b/Parsers/ASimNetworkSession/ARM/FullDeploymentNetworkSession.json
index 018ce3d14be..e188f8ef184 100644
--- a/Parsers/ASimNetworkSession/ARM/FullDeploymentNetworkSession.json
+++ b/Parsers/ASimNetworkSession/ARM/FullDeploymentNetworkSession.json
@@ -478,6 +478,26 @@
}
}
},
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "linkedASimNetworkSessionPaloAltoCortexDataLake",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionPaloAltoCortexDataLake/ASimNetworkSessionPaloAltoCortexDataLake.json",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "Workspace": {
+ "value": "[parameters('Workspace')]"
+ },
+ "WorkspaceRegion": {
+ "value": "[parameters('WorkspaceRegion')]"
+ }
+ }
+ }
+ },
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
@@ -1058,6 +1078,26 @@
}
}
},
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "linkedvimNetworkSessionPaloAltoCortexDataLake",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionPaloAltoCortexDataLake/vimNetworkSessionPaloAltoCortexDataLake.json",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "Workspace": {
+ "value": "[parameters('Workspace')]"
+ },
+ "WorkspaceRegion": {
+ "value": "[parameters('WorkspaceRegion')]"
+ }
+ }
+ }
+ },
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
diff --git a/Parsers/ASimNetworkSession/ARM/imNetworkSession/imNetworkSession.json b/Parsers/ASimNetworkSession/ARM/imNetworkSession/imNetworkSession.json
index 3a2bb703989..2a700a63b92 100644
--- a/Parsers/ASimNetworkSession/ARM/imNetworkSession/imNetworkSession.json
+++ b/Parsers/ASimNetworkSession/ARM/imNetworkSession/imNetworkSession.json
@@ -35,7 +35,7 @@
"displayName": "Network Session ASIM filtering parser",
"category": "ASIM",
"FunctionAlias": "imNetworkSession",
- "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludevimNetworkSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ExcludevimNetworkSession' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet NetworkSessionsGeneric=(\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]),\n dstipaddr_has_any_prefix:dynamic=dynamic([]),\n ipaddr_has_any_prefix:dynamic=dynamic([]),\n dstportnumber:int=int(null),\n hostname_has_any:dynamic=dynamic([]), \n dvcaction:dynamic=dynamic([]),\n eventresult:string='*',\n pack:bool=false)\n{\nunion isfuzzy=true\n vimNetworkSessionEmpty\n , vimNetworkSessionLinuxSysmon (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionLinuxSysmon' in (DisabledParsers) ))\n , vimNetworkSessionMicrosoft365Defender (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionMicrosoft365Defender' in (DisabledParsers) ))\n , vimNetworkSessionMD4IoTAgent (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionMD4IoTAgent' in (DisabledParsers) ))\n , vimNetworkSessionMicrosoftWindowsEventFirewall (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionMicrosoftWindowsEventFirewall' in (DisabledParsers) ))\n , 
vimNetworkSessionPaloAltoCEF (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionPaloAltoCEF' in (DisabledParsers) ))\n , vimNetworkSessionVMConnection (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionVMConnection' in (DisabledParsers) ))\n , vimNetworkSessionAWSVPC (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionAWSVPC' in (DisabledParsers) ))\n , vimNetworkSessionAzureFirewall (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionAzureFirewall' in (DisabledParsers) ))\n , vimNetworkSessionAzureNSG (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionAzureNSG' in (DisabledParsers) ))\n , vimNetworkSessionVectraAI (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult, pack=pack, disabled=(ASimBuiltInDisabled or ('ExcludevimNetworkSessionVectraAI' in (DisabledParsers) )))\n , vimNetworkSessionCiscoMeraki (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or 
('ExcludevimNetworkSessionCiscoMeraki' in (DisabledParsers) ))\n , vimNetworkSessionAppGateSDP (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionAppGateSDP' in (DisabledParsers) ))\n , vimNetworkSessionFortinetFortiGate (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionFortinetFortiGate' in (DisabledParsers) ))\n , vimNetworkSessionCorelightZeek (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCorelightZeek' in (DisabledParsers) ))\n , vimNetworkSessionCheckPointFirewall (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCheckPointFirewall' in (DisabledParsers) ))\n , vimNetworkSessionWatchGuardFirewareOS (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionWatchGuardFirewareOS' in (DisabledParsers) ))\n , vimNetworkSessionCiscoASA (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoASA' in (DisabledParsers) ))\n , vimNetworkSessionForcePointFirewall (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionForcePointFirewall' in 
(DisabledParsers) ))\n , vimNetworkSessionNative (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionNative' in (DisabledParsers) ))\n , vimNetworkSessionSentinelOne (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionSentinelOne' in (DisabledParsers) ))\n , vimNetworkSessionCiscoMeraki (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoMeraki' in (DisabledParsers) ))\n , vimNetworkSessionCiscoISE (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoISE' in (DisabledParsers) ))\n , vimNetworkSessionBarracudaWAF (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionBarracudaWAF' in (DisabledParsers) ))\n , vimNetworkSessionCiscoFirepower (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoFirepower' in (DisabledParsers) ))\n , vimNetworkSessionCrowdStrikeFalconHost (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCrowdStrikeFalconHost' in (DisabledParsers) ))\n , vimNetworkSessionVMwareCarbonBlackCloud (starttime, 
endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionVMwareCarbonBlackCloud' in (DisabledParsers) ))\n};\nNetworkSessionsGeneric(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult, pack=pack)\n",
+ "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludevimNetworkSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ExcludevimNetworkSession' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet NetworkSessionsGeneric=(\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]),\n dstipaddr_has_any_prefix:dynamic=dynamic([]),\n ipaddr_has_any_prefix:dynamic=dynamic([]),\n dstportnumber:int=int(null),\n hostname_has_any:dynamic=dynamic([]), \n dvcaction:dynamic=dynamic([]),\n eventresult:string='*',\n pack:bool=false)\n{\nunion isfuzzy=true\n vimNetworkSessionEmpty\n , vimNetworkSessionLinuxSysmon (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionLinuxSysmon' in (DisabledParsers) ))\n , vimNetworkSessionMicrosoft365Defender (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionMicrosoft365Defender' in (DisabledParsers) ))\n , vimNetworkSessionMD4IoTAgent (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionMD4IoTAgent' in (DisabledParsers) ))\n , vimNetworkSessionMicrosoftWindowsEventFirewall (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionMicrosoftWindowsEventFirewall' in (DisabledParsers) ))\n , 
vimNetworkSessionPaloAltoCEF (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionPaloAltoCEF' in (DisabledParsers) ))\n , vimNetworkSessionVMConnection (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionVMConnection' in (DisabledParsers) ))\n , vimNetworkSessionAWSVPC (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionAWSVPC' in (DisabledParsers) ))\n , vimNetworkSessionAzureFirewall (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionAzureFirewall' in (DisabledParsers) ))\n , vimNetworkSessionAzureNSG (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionAzureNSG' in (DisabledParsers) ))\n , vimNetworkSessionVectraAI (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult, pack=pack, disabled=(ASimBuiltInDisabled or ('ExcludevimNetworkSessionVectraAI' in (DisabledParsers) )))\n , vimNetworkSessionCiscoMeraki (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or 
('ExcludevimNetworkSessionCiscoMeraki' in (DisabledParsers) ))\n , vimNetworkSessionAppGateSDP (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionAppGateSDP' in (DisabledParsers) ))\n , vimNetworkSessionFortinetFortiGate (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionFortinetFortiGate' in (DisabledParsers) ))\n , vimNetworkSessionCorelightZeek (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCorelightZeek' in (DisabledParsers) ))\n , vimNetworkSessionCheckPointFirewall (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCheckPointFirewall' in (DisabledParsers) ))\n , vimNetworkSessionWatchGuardFirewareOS (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionWatchGuardFirewareOS' in (DisabledParsers) ))\n , vimNetworkSessionCiscoASA (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoASA' in (DisabledParsers) ))\n , vimNetworkSessionForcePointFirewall (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionForcePointFirewall' in 
(DisabledParsers) ))\n , vimNetworkSessionNative (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionNative' in (DisabledParsers) ))\n , vimNetworkSessionSentinelOne (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionSentinelOne' in (DisabledParsers) ))\n , vimNetworkSessionCiscoMeraki (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoMeraki' in (DisabledParsers) ))\n , vimNetworkSessionCiscoISE (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoISE' in (DisabledParsers) ))\n , vimNetworkSessionBarracudaWAF (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionBarracudaWAF' in (DisabledParsers) ))\n , vimNetworkSessionCiscoFirepower (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoFirepower' in (DisabledParsers) ))\n , vimNetworkSessionCrowdStrikeFalconHost (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCrowdStrikeFalconHost' in (DisabledParsers) ))\n , vimNetworkSessionVMwareCarbonBlackCloud (starttime, 
endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionVMwareCarbonBlackCloud' in (DisabledParsers) ))\n , vimNetworkSessionPaloAltoCortexDataLake (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionPaloAltoCortexDataLake' in (DisabledParsers) ))\n};\nNetworkSessionsGeneric(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult, pack=pack)\n",
"version": 1,
"functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',pack:bool=False"
}
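Review bot: The rewritten `query` still lists `vimNetworkSessionCiscoMeraki` twice in the union — once directly after the VectraAI entry and again after the SentinelOne entry — so whenever that parser is enabled every Meraki session is emitted twice, and `union isfuzzy=true` does not deduplicate rows. The duplicate predates this change (it is on the removed line too), but since this hunk replaces the whole `query` string it is the natural place to drop the second `, vimNetworkSessionCiscoMeraki (starttime, endtime, ..., ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoMeraki' in (DisabledParsers) ))` entry. The new `vimNetworkSessionPaloAltoCortexDataLake` entry and its `ExcludevimNetworkSessionPaloAltoCortexDataLake` key are consistent with the other entries and with the linked deployment added to `FullDeploymentNetworkSession.json`.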
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionPaloAltoCEF/vimNetworkSessionPaloAltoCEF.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionPaloAltoCEF/vimNetworkSessionPaloAltoCEF.json
index b0826534d3f..29a25a55c27 100644
--- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionPaloAltoCEF/vimNetworkSessionPaloAltoCEF.json
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionPaloAltoCEF/vimNetworkSessionPaloAltoCEF.json
@@ -35,7 +35,7 @@
"displayName": "Network Session ASIM filtering parser for Palo Alto PanOS",
"category": "ASIM",
"FunctionAlias": "vimNetworkSessionPaloAltoCEF",
- "query": "let Actions=datatable(DeviceAction:string,DvcAction:string)\n[ \"reset client\",\"Reset Source\"\n, \"reset server\",\"Reset Destination\"\n, \"reset both\", \"Reset\" \n, \"allow\",\"Allow\"\n, \"deny\",\"Deny\"\n, \"drop\", \"Drop\"\n, \"drop ICMP\", \"Drop ICMP\"];\nlet src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \nlet dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \nlet NWParser=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), srcipaddr_has_any_prefix:dynamic=dynamic([]), dstipaddr_has_any_prefix:dynamic=dynamic([]), ipaddr_has_any_prefix:dynamic=dynamic([]), dstportnumber:int=int(null), hostname_has_any:dynamic=dynamic([]), dvcaction:dynamic=dynamic([]), eventresult:string='*', disabled:bool=false){\nCommonSecurityLog \n| where (isnull(starttime) or TimeGenerated>=starttime)\n and (isnull(endtime) or TimeGenerated<=endtime)\n| where not(disabled)\n| where DeviceVendor == \"Palo Alto Networks\" and DeviceProduct == \"PAN-OS\" and Activity == \"TRAFFIC\"\n| where (isnull(dstportnumber) or DestinationPort==dstportnumber)\n and (array_length(hostname_has_any)==0)\n // dvcaction - post filterring\n and (eventresult==\"*\" or (DeviceAction==\"allow\" and eventresult==\"Success\") or (eventresult==\"Failure\"))\n| extend temp_SrcMatch=has_any_ipv4_prefix(SourceIP,src_or_any)\n , temp_DstMatch=has_any_ipv4_prefix(DestinationIP,dst_or_any)\n| extend ASimMatchingIpAddr=case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0 ,\"-\",\n temp_SrcMatch and temp_DstMatch, \"Both\",\n temp_SrcMatch, \"SrcIpAddr\",\n temp_DstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\" \n | project-away temp_*\n| parse AdditionalExtensions with \"PanOSPacketsReceived=\" DstPackets:long * \"PanOSPacketsSent=\" SrcPackets:long *\n // -- Adjustment to support both old and new CSL fields.\n| extend \n EventStartTime = coalesce(\n todatetime(StartTime), \n 
extract(@'start=(.*?)(?:;|$)',1, AdditionalExtensions,typeof(datetime)),\n datetime(null)\n ),\n EventOriginalResultDetails = coalesce(\n column_ifexists(\"Reason\", \"\"),\n extract(@'reason=(.*?)(?:;|$)',1, AdditionalExtensions, typeof(string)),\n \"\"\n )\n| project-rename \n EventProductVersion=DeviceVersion // Not Documented\n , Dvc=DeviceName \n , NetworkApplicationProtocol=ApplicationProtocol\n , SrcZone=DeviceCustomString4 \n , DstZone=DeviceCustomString5\n , NetworkRuleName=DeviceCustomString1\n , SrcUsername=SourceUserName \n , DstUsername=DestinationUserName \n , EventOriginalSeverity=LogSeverity\n , SrcNatIpAddr=SourceTranslatedAddress\n , DstNatIpAddr=DestinationTranslatedAddress\n , PaloAltoFlags=FlexString1 // Flags\n| extend\n EventVendor=\"Palo Alto\"\n ,EventProduct=\"PanOS\"\n , DstBytes=tolong(ReceivedBytes) \n , SrcBytes=tolong(SentBytes) \n , NetworkProtocol=toupper(Protocol)\n , NetworkBytes=tolong(FlexNumber1)\n , SrcUsernameType=case(isempty(SrcUsername), \"\", SrcUsername contains \"@\", \"UPN\", \"Simple\")\n , DstUsernameType=case(isempty(DstUsername), \"\", DstUsername contains \"@\", \"UPN\", \"Simple\")\n , EventType=\"NetworkSession\"\n , EventCount=toint(1)\n , EventResult=case(DeviceAction==\"allow\",\"Success\",\"Failure\")\n // -- Adjustment to support both old and new CSL fields.\n , NetworkPackets = coalesce(\n tolong(column_ifexists(\"FieldDeviceCustomNumber2\", long(null))),\n tolong(column_ifexists(\"DeviceCustomNumber2\",long(null)))\n )\n , NetworkSessionId = coalesce(\n tostring(column_ifexists(\"FieldDeviceCustomNumber1\", long(null))),\n tostring(column_ifexists(\"DeviceCustomNumber1\",long(null)))\n )\n , NetworkDuration= coalesce(\n toint(1000*column_ifexists(\"FieldDeviceCustomNumber3\", 0)),\n toint(1000*column_ifexists(\"DeviceCustomNumber3\",0)),\n int(null)\n )\n , EventSchemaVersion=\"0.2.3\"\n , EventSchema=\"NetworkSession\"\n , EventSeverity = \"Informational\"\n | extend hostelements=split(Dvc,'.')\n | 
extend DvcHostname=tostring(hostelements[0])\n , DvcDomain=strcat_array( array_slice(hostelements,1,-1), '.')\n | extend DvcFQDN = iff(Dvc contains \".\",Dvc,\"\" )\n , DvcDomainType=iff(Dvc contains \".\",\"FQDN\",\"\" )\n| project-away hostelements\n| lookup Actions on DeviceAction\n// Action post filtering\n| where (array_length(dvcaction)==0 or DvcAction has_any (dvcaction))\n| project-rename\n DstMacAddr=DestinationMACAddress\n , SrcMacAddr=SourceMACAddress\n , DstIpAddr=DestinationIP\n , DstPortNumber=DestinationPort\n , DstNatPortNumber=DestinationTranslatedPort\n , SrcPortNumber=SourcePort\n , SrcIpAddr=SourceIP\n , SrcNatPortNumber=SourceTranslatedPort\n , DvcOutboundInterface=DeviceOutboundInterface\n , DvcInboundInterface=DeviceInboundInterface\n , EventMessage=Message\n , DvcOriginalAction=DeviceAction\n// -- Aliases\n| extend\n IpAddr = SrcIpAddr,\n Rule=NetworkRuleName,\n Dst=DstIpAddr,\n // Host=DstHostname,\n User=DstUsername,\n Duration=NetworkDuration,\n SessionId=NetworkSessionId,\n EventEndTime =EventStartTime,\n Src=SrcIpAddr\n | project-away AdditionalExtensions, CommunicationDirection, Device*, Destination*, EndTime, ExternalID, File*, Flex*, IndicatorThreatType, Malicious*, Old*, Process*, ReceiptTime, ReceivedBytes, Remote*, Request*, Sent*, SimplifiedDeviceAction, Source*, StartTime, TenantId, ThreatConfidence, ThreatDescription, ThreatSeverity, EventOutcome, FieldDevice*, ExtID, Reason, Activity, Computer, OriginalLogSeverity, PaloAltoFlags, Protocol\n};\nNWParser(starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, disabled)\n",
+ "query": "let Actions=datatable(DeviceAction:string,DvcAction:string)\n[ \"reset client\",\"Reset Source\"\n, \"reset server\",\"Reset Destination\"\n, \"reset both\", \"Reset\"\n, \"allow\",\"Allow\"\n, \"deny\",\"Deny\"\n, \"drop\", \"Drop\"\n, \"drop ICMP\", \"Drop ICMP\"\n, \"reset-client\",\"Reset Source\"\n, \"reset-server\",\"Reset Destination\"\n, \"reset-both\", \"Reset\"\n, \"drop-icmp\", \"Drop ICMP\"];\nlet src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \nlet dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \nlet NWParser=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), srcipaddr_has_any_prefix:dynamic=dynamic([]), dstipaddr_has_any_prefix:dynamic=dynamic([]), ipaddr_has_any_prefix:dynamic=dynamic([]), dstportnumber:int=int(null), hostname_has_any:dynamic=dynamic([]), dvcaction:dynamic=dynamic([]), eventresult:string='*', disabled:bool=false){\nCommonSecurityLog \n| where (isnull(starttime) or TimeGenerated>=starttime)\n and (isnull(endtime) or TimeGenerated<=endtime)\n| where not(disabled)\n| where DeviceVendor == \"Palo Alto Networks\" and DeviceProduct == \"PAN-OS\" and Activity == \"TRAFFIC\"\n| where (isnull(dstportnumber) or DestinationPort==dstportnumber)\n and (array_length(hostname_has_any)==0)\n // dvcaction - post filterring\n and (eventresult==\"*\" or (DeviceAction==\"allow\" and eventresult==\"Success\") or (eventresult==\"Failure\"))\n| extend temp_SrcMatch=has_any_ipv4_prefix(SourceIP,src_or_any)\n , temp_DstMatch=has_any_ipv4_prefix(DestinationIP,dst_or_any)\n| extend ASimMatchingIpAddr=case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0 ,\"-\",\n temp_SrcMatch and temp_DstMatch, \"Both\",\n temp_SrcMatch, \"SrcIpAddr\",\n temp_DstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\" \n | project-away temp_*\n| parse AdditionalExtensions with \"PanOSPacketsReceived=\" DstPackets:long * \"PanOSPacketsSent=\" 
SrcPackets:long *\n // -- Adjustment to support both old and new CSL fields.\n| extend \n EventStartTime = coalesce(\n todatetime(StartTime), \n extract(@'start=(.*?)(?:;|$)',1, AdditionalExtensions,typeof(datetime)),\n datetime(null)\n ),\n EventOriginalResultDetails = coalesce(\n column_ifexists(\"Reason\", \"\"),\n extract(@'reason=(.*?)(?:;|$)',1, AdditionalExtensions, typeof(string)),\n \"\"\n )\n| project-rename \n EventProductVersion=DeviceVersion // Not Documented\n , Dvc=DeviceName \n , NetworkApplicationProtocol=ApplicationProtocol\n , SrcZone=DeviceCustomString4 \n , DstZone=DeviceCustomString5\n , NetworkRuleName=DeviceCustomString1\n , SrcUsername=SourceUserName \n , DstUsername=DestinationUserName \n , EventOriginalSeverity=LogSeverity\n , SrcNatIpAddr=SourceTranslatedAddress\n , DstNatIpAddr=DestinationTranslatedAddress\n , PaloAltoFlags=FlexString1 // Flags\n| extend\n EventVendor=\"Palo Alto\"\n ,EventProduct=\"PanOS\"\n , DstBytes=tolong(ReceivedBytes) \n , SrcBytes=tolong(SentBytes) \n , NetworkProtocol=toupper(Protocol)\n , NetworkBytes=tolong(FlexNumber1)\n , SrcUsernameType=case(isempty(SrcUsername), \"\", SrcUsername contains \"@\", \"UPN\", \"Simple\")\n , DstUsernameType=case(isempty(DstUsername), \"\", DstUsername contains \"@\", \"UPN\", \"Simple\")\n , EventType=\"NetworkSession\"\n , EventCount=toint(1)\n , EventResult=case(DeviceAction==\"allow\",\"Success\",\"Failure\")\n // -- Adjustment to support both old and new CSL fields.\n , NetworkPackets = coalesce(\n tolong(column_ifexists(\"FieldDeviceCustomNumber2\", long(null))),\n tolong(column_ifexists(\"DeviceCustomNumber2\",long(null)))\n )\n , NetworkSessionId = coalesce(\n tostring(column_ifexists(\"FieldDeviceCustomNumber1\", long(null))),\n tostring(column_ifexists(\"DeviceCustomNumber1\",long(null)))\n )\n , NetworkDuration= coalesce(\n toint(1000*column_ifexists(\"FieldDeviceCustomNumber3\", 0)),\n toint(1000*column_ifexists(\"DeviceCustomNumber3\",0)),\n int(null)\n )\n , 
EventSchemaVersion=\"0.2.3\"\n , EventSchema=\"NetworkSession\"\n , EventSeverity = \"Informational\"\n | extend hostelements=split(Dvc,'.')\n | extend DvcHostname=tostring(hostelements[0])\n , DvcDomain=strcat_array( array_slice(hostelements,1,-1), '.')\n | extend DvcFQDN = iff(Dvc contains \".\",Dvc,\"\" )\n , DvcDomainType=iff(Dvc contains \".\",\"FQDN\",\"\" )\n| project-away hostelements\n| lookup Actions on DeviceAction\n// Action post filtering\n| where (array_length(dvcaction)==0 or DvcAction has_any (dvcaction))\n| project-rename\n DstMacAddr=DestinationMACAddress\n , SrcMacAddr=SourceMACAddress\n , DstIpAddr=DestinationIP\n , DstPortNumber=DestinationPort\n , DstNatPortNumber=DestinationTranslatedPort\n , SrcPortNumber=SourcePort\n , SrcIpAddr=SourceIP\n , SrcNatPortNumber=SourceTranslatedPort\n , DvcOutboundInterface=DeviceOutboundInterface\n , DvcInboundInterface=DeviceInboundInterface\n , EventMessage=Message\n , DvcOriginalAction=DeviceAction\n// -- Aliases\n| extend\n IpAddr = SrcIpAddr,\n Rule=NetworkRuleName,\n Dst=DstIpAddr,\n // Host=DstHostname,\n User=DstUsername,\n Duration=NetworkDuration,\n SessionId=NetworkSessionId,\n EventEndTime =EventStartTime,\n Src=SrcIpAddr\n | project-away AdditionalExtensions, CommunicationDirection, Device*, Destination*, EndTime, ExternalID, File*, Flex*, IndicatorThreatType, Malicious*, Old*, Process*, ReceiptTime, ReceivedBytes, Remote*, Request*, Sent*, SimplifiedDeviceAction, Source*, StartTime, TenantId, ThreatConfidence, ThreatDescription, ThreatSeverity, EventOutcome, FieldDevice*, ExtID, Reason, Activity, Computer, OriginalLogSeverity, PaloAltoFlags, Protocol\n};\nNWParser(starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, disabled)\n",
"version": 1,
"functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False"
}
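Review bot: The `eventresult` pre-filter inside `NWParser` still admits allowed sessions when a caller asks for failures: in the new `query` string the clause `(eventresult=="*" or (DeviceAction=="allow" and eventresult=="Success") or (eventresult=="Failure"))` keeps every row once `eventresult` is `Failure`, and nothing downstream filters on `EventResult` (the post-filter after `lookup Actions` only applies `dvcaction`). Because `EventResult` is derived as `case(DeviceAction=="allow","Success","Failure")`, the last clause should read `(DeviceAction!="allow" and eventresult=="Failure")` so the filtering parser honours its contract for detections that select on failures. Separately, `lookup Actions on DeviceAction` is an exact, case-sensitive match, so the newly added `drop-icmp` row only maps events that arrive in that exact casing — worth confirming against the casing seen in the PAN-OS logs that motivated the hyphenated variants.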
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionPaloAltoCortexDataLake/README.md b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionPaloAltoCortexDataLake/README.md
new file mode 100644
index 00000000000..7261b58fba3
--- /dev/null
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionPaloAltoCortexDataLake/README.md
@@ -0,0 +1,18 @@
+# Palo Alto Cortex Data Lake ASIM NetworkSession Normalization Parser
+
+ARM template for ASIM NetworkSession schema parser for Palo Alto Cortex Data Lake.
+
+This ASIM parser supports normalizing NetworkSession logs from Palo Alto Cortex Data Lake to the ASIM NetworkSession normalized schema. These events are captured through the Palo Alto Networks CDL data connector that ingests CDL logs into Microsoft Sentinel.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM NetworkSession normalization schema reference](https://aka.ms/ASimNetworkSessionDoc)
+
+
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimNetworkSession%2FARM%2FvimNetworkSessionPaloAltoCortexDataLake%2FvimNetworkSessionPaloAltoCortexDataLake.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimNetworkSession%2FARM%2FvimNetworkSessionPaloAltoCortexDataLake%2FvimNetworkSessionPaloAltoCortexDataLake.json)
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionPaloAltoCortexDataLake/vimNetworkSessionPaloAltoCortexDataLake.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionPaloAltoCortexDataLake/vimNetworkSessionPaloAltoCortexDataLake.json
new file mode 100644
index 00000000000..6b9cf286f13
--- /dev/null
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionPaloAltoCortexDataLake/vimNetworkSessionPaloAltoCortexDataLake.json
@@ -0,0 +1,46 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "Workspace": {
+ "type": "string",
+ "metadata": {
+ "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group."
+ }
+ },
+ "WorkspaceRegion": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "The region of the selected workspace. The default value will use the Region selection above."
+ }
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/workspaces",
+ "apiVersion": "2017-03-15-preview",
+ "name": "[parameters('Workspace')]",
+ "location": "[parameters('WorkspaceRegion')]",
+ "resources": [
+ {
+ "type": "savedSearches",
+ "apiVersion": "2020-08-01",
+ "name": "vimNetworkSessionPaloAltoCortexDataLake",
+ "dependsOn": [
+ "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
+ ],
+ "properties": {
+ "etag": "*",
+ "displayName": "Network Session ASIM parser for Palo Alto Cortex Data Lake",
+ "category": "ASIM",
+ "FunctionAlias": "vimNetworkSessionPaloAltoCortexDataLake",
+ "query": "let EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\n[\n \"0\", \"Low\",\n \"1\", \"Low\",\n \"2\", \"Low\",\n \"3\", \"Low\",\n \"4\", \"Low\",\n \"5\", \"Low\",\n \"6\", \"Medium\",\n \"7\", \"Medium\",\n \"8\", \"Medium\",\n \"9\", \"High\",\n \"10\", \"High\"\n];\nlet EventResultDvcActionLookup = datatable (\n DeviceAction: string,\n DvcAction: string,\n EventResult: string\n)\n [\n \"allow\", \"Allow\", \"Success\",\n \"deny\", \"Deny\", \"Failure\",\n \"reset client\", \"Reset Source\", \"Failure\",\n \"reset server\", \"Reset Destination\", \"Failure\",\n \"reset both\", \"Reset\", \"Failure\",\n \"drop\", \"Drop\", \"Failure\",\n \"drop ICMP\", \"Drop ICMP\", \"Failure\"\n];\nlet EventResultDetailsLookup = datatable(Reason: string, EventResultDetails: string)[\n \"threat\", \"Reset\",\n \"policy-deny\", \"Unknown\",\n \"decrypt-cert-validation\", \"Terminated\",\n \"decrypt-unsupport-param\", \"Terminated\",\n \"decrypt-error\", \"Terminated\",\n \"tcp-rst-from-client\", \"Reset\",\n \"tcp-rst-from-server\", \"Reset\",\n \"resources-unavailable\", \"Unknown\",\n \"tcp-fin\", \"Unknown\",\n \"tcp-reuse\", \"Unknown\",\n \"decoder\", \"Unknown\",\n \"aged-out\", \"Unknown\",\n \"unknown\", \"Unknown\",\n \"n/a\", \"NA\",\n];\nlet ThreatRiskLevelLookup = datatable(PanOSApplicationRisk: string, ThreatRiskLevel: int)\n[\n \"1\", 20,\n \"2\", 40,\n \"3\", 60,\n \"4\", 80,\n \"5\", 100\n];\nlet parser=(\n disabled: bool=false, \n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n eventresult: string='*', \n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n dstipaddr_has_any_prefix: dynamic=dynamic([]),\n ipaddr_has_any_prefix: dynamic=dynamic([]), \n hostname_has_any: dynamic=dynamic([]),\n dstportnumber: int=int(null),\n dvcaction: dynamic=dynamic([])\n ) {\n let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any = set_union(dstipaddr_has_any_prefix, 
ipaddr_has_any_prefix); \n CommonSecurityLog\n | where not(disabled)\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and DeviceVendor == \"Palo Alto Networks\" and DeviceProduct == \"LF\"\n and DeviceEventClassID == \"TRAFFIC\"\n and (array_length(hostname_has_any) == 0 or AdditionalExtensions has_any (hostname_has_any))\n and (isnull(dstportnumber) or toint(DestinationPort) == dstportnumber)\n | extend\n temp_SrcMatch = has_any_ipv4_prefix(coalesce(DeviceCustomIPv6Address2, SourceIP), src_or_any),\n temp_DstMatch = has_any_ipv4_prefix(coalesce(DeviceCustomIPv6Address3, DestinationIP), dst_or_any)\n | extend \n ASimMatchingIpAddr=case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0,\n \"-\",\n temp_SrcMatch and temp_DstMatch,\n \"Both\",\n temp_SrcMatch,\n \"SrcIpAddr\",\n temp_DstMatch,\n \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | parse-kv AdditionalExtensions as (PanOSSessionStartTime: string, PanOSDestinationDeviceHost: string, PanOSSourceDeviceHost: string, PanOSDestinationUUID: string, PanOSDestinationLocation: string, PanOSSourceUUID: string, PanOSDestinationDeviceMac: string, PanOsBytes: long, PanOSIsClienttoServer: string, PanOSSourceLocation: string, PanOSSourceDeviceMac: string, PanOSPacketsReceived: long, PanOSPacketsSent: long, PanOSRuleUUID: int, PanOSApplicationCategory: string, PanOSApplicationSubcategory: string, PanOSChunksReceived: string, PanOSChunksSent: string, PanOSChunksTotal: string, PanOSApplicationContainer: string, PanOSDestinationDeviceCategory: string, PanOSLinkChangeCount: string, PanOSLinkSwitches: string, PanOSLogSource: string, PanOSNSSAINetworkSliceDifferentiator: string, PanOSNSSAINetworkSliceType: string, PanOSOutboundInterfaceDetailsPort: string, PanOSOutboundInterfaceDetailsSlot: string, PanOSOutboundInterfaceDetailsType: string, PanOSOutboundInterfaceDetailsUnit: string, PanOSParentSessionID: string, 
PanOsRuleUUID: string, PanOSSourceDeviceOS: string, PanOSSourceDeviceOSFamily: string, PanOSSourceDeviceOSVersion: string, PanOSSourceDeviceCategory: string, PanOSVirtualSystemID: string, PanOSVirtualSystemName: string, PanOSCortexDataLakeTenantID: string, PanOSApplicationRisk: string, PanOSIsSaaSApplication: string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | extend \n temp_is_MatchSrcHostname = PanOSSourceDeviceHost has_any (hostname_has_any),\n temp_is_MatchDstHostname = PanOSDestinationDeviceHost has_any (hostname_has_any)\n | extend ASimMatchingHostname = case(\n array_length(hostname_has_any) == 0,\n \"-\",\n temp_is_MatchSrcHostname and temp_is_MatchDstHostname,\n \"Both\",\n temp_is_MatchSrcHostname,\n \"SrcHostname\",\n temp_is_MatchDstHostname,\n \"DstHostname\",\n \"No match\"\n )\n | where ASimMatchingHostname != \"No match\"\n | invoke _ASIM_ResolveDvcFQDN('DeviceName')\n | invoke _ASIM_ResolveDstFQDN('PanOSDestinationDeviceHost')\n | invoke _ASIM_ResolveSrcFQDN('PanOSSourceDeviceHost')\n | lookup EventResultDvcActionLookup on DeviceAction\n // post-filtering\n | where (eventresult == \"*\" or eventresult == EventResult)\n and (array_length(dvcaction)==0 or DvcAction has_any (dvcaction))\n | lookup EventSeverityLookup on LogSeverity\n | lookup EventResultDetailsLookup on Reason\n | lookup ThreatRiskLevelLookup on PanOSApplicationRisk\n | extend\n EventStartTime = todatetime(PanOSSessionStartTime),\n SrcIpAddr = coalesce(SourceIP, DeviceCustomIPv6Address2),\n DstIpAddr = coalesce(DestinationIP, DeviceCustomIPv6Address3),\n NetworkSessionId = tostring(FieldDeviceCustomNumber1),\n NetworkDuration = toint(FieldDeviceCustomNumber3),\n DstBytes = tolong(ReceivedBytes),\n SrcBytes = tolong(SentBytes),\n SrcDomain = coalesce(SourceNTDomain, SrcDomain),\n DstDomain = coalesce(DestinationNTDomain, DstDomain),\n AdditionalFields = bag_pack(\n \"urlcategory\",\n DeviceCustomString2,\n \"virtualLocation\",\n DeviceCustomString3,\n 
\"PanOSApplicationCategory\",\n PanOSApplicationCategory,\n \"PanOSApplicationSubcategory\",\n PanOSApplicationSubcategory,\n \"PanOSChunksReceived\",\n PanOSChunksReceived,\n \"PanOSChunksSent\",\n PanOSChunksSent,\n \"PanOSChunksTotal\",\n PanOSChunksTotal,\n \"PanOSApplicationContainer\",\n PanOSApplicationContainer,\n \"PanOSDestinationDeviceCategory\",\n PanOSDestinationDeviceCategory,\n \"PanOSIsClienttoServer\",\n PanOSIsClienttoServer,\n \"PanOSLinkChangeCount\",\n PanOSLinkChangeCount,\n \"PanOSLinkSwitches\",\n PanOSLinkSwitches,\n \"PanOSLogSource\",\n PanOSLogSource,\n \"PanOSNSSAINetworkSliceDifferentiator\",\n PanOSNSSAINetworkSliceDifferentiator,\n \"PanOSNSSAINetworkSliceType\",\n PanOSNSSAINetworkSliceType,\n \"PanOSOutboundInterfaceDetailsPort\",\n PanOSOutboundInterfaceDetailsPort,\n \"PanOSOutboundInterfaceDetailsSlot\",\n PanOSOutboundInterfaceDetailsSlot,\n \"PanOSOutboundInterfaceDetailsType\",\n PanOSOutboundInterfaceDetailsType,\n \"PanOSOutboundInterfaceDetailsUnit\",\n PanOSOutboundInterfaceDetailsUnit,\n \"PanOSParentSessionID\",\n PanOSParentSessionID,\n \"PanOsRuleUUID\",\n PanOsRuleUUID,\n \"PanOSSourceDeviceOS\",\n PanOSSourceDeviceOS,\n \"PanOSSourceDeviceOSFamily\",\n PanOSSourceDeviceOSFamily,\n \"PanOSSourceDeviceOSVersion\",\n PanOSSourceDeviceOSVersion,\n \"PanOSSourceDeviceCategory\",\n PanOSSourceDeviceCategory,\n \"PanOSVirtualSystemID\",\n PanOSVirtualSystemID,\n \"PanOSVirtualSystemName\",\n PanOSVirtualSystemName\n ),\n TcpFlagsFin = iff(Reason== \"tcp-fin\", true, false),\n TcpFlagsRst = iff(Reason in(\"tcp-rst-from-client\", \"tcp-rst-from-server\"), true, false)\n | project-rename\n DvcIpAddr = Computer,\n EventUid = _ItemId,\n DstDvcId = PanOSDestinationUUID,\n DstGeoCountry = PanOSDestinationLocation,\n DstMacAddr = PanOSDestinationDeviceMac,\n DstNatIpAddr = DestinationTranslatedAddress,\n DstNatPortNumber = DestinationTranslatedPort,\n DstPackets = PanOSPacketsReceived,\n DstPortNumber = DestinationPort,\n 
DstUsername = DestinationUserName,\n DvcId = DeviceExternalID,\n DvcOriginalAction = DeviceAction,\n EventOriginalSeverity = LogSeverity,\n DstZone = DeviceCustomString5,\n EventOriginalType = DeviceEventClassID,\n EventOriginalUid = ExtID,\n EventProductVersion = DeviceVersion,\n NetworkPackets = FieldDeviceCustomNumber2,\n NetworkRuleName = DeviceCustomString1,\n SrcDvcId = PanOSSourceUUID,\n SrcGeoCountry = PanOSSourceLocation,\n SrcMacAddr = PanOSSourceDeviceMac,\n SrcNatIpAddr = SourceTranslatedAddress,\n SrcNatPortNumber = SourceTranslatedPort,\n SrcPackets = PanOSPacketsSent,\n SrcPortNumber = SourcePort,\n SrcUsername = SourceUserName,\n SrcZone = DeviceCustomString4,\n DvcScopeId = PanOSCortexDataLakeTenantID,\n EventOriginalSubType = Activity,\n EventOriginalResultDetails = Reason,\n SrcUserId = SourceUserID,\n DstUserId = DestinationUserID,\n DvcInboundInterface = DeviceInboundInterface,\n DvcOutboundInterface = DeviceOutboundInterface,\n SrcAppName = ApplicationProtocol,\n ThreatOriginalRiskLevel = PanOSApplicationRisk\n | extend\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n EventEndTime = EventStartTime,\n Dst = coalesce(DstDvcId, DstHostname, DstIpAddr),\n Src = coalesce(SrcDvcId, SrcHostname, SrcIpAddr),\n DstUserType = _ASIM_GetUserType(DstUsername, \"\"),\n NetworkProtocol = toupper(Protocol),\n NetworkBytes = SrcBytes + DstBytes,\n NetworkProtocolVersion = case(\n DstIpAddr contains \".\",\n \"IPv4\", \n DstIpAddr contains \":\",\n \"IPv6\", \n \"\"\n ),\n NetworkDirection = iff(PanOSIsClienttoServer == \"true\", \"Outbound\", \"Inbound\"),\n Rule = NetworkRuleName,\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\"),\n DstUsernameType = _ASIM_GetUsernameType(DstUsername),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n Duration = NetworkDuration,\n IpAddr = SrcIpAddr,\n SessionId = NetworkSessionId,\n User = DstUsername,\n Hostname = DstHostname,\n SrcDvcIdType = 
iff(isnotempty(SrcDvcId), \"Other\", \"\"),\n DstDvcIdType = iff(isnotempty(DstDvcId), \"Other\", \"\"),\n SrcDomainType = iff(isnotempty(SourceNTDomain), \"Windows\", SrcDomainType),\n DstDomainType = iff(isnotempty(DestinationNTDomain), \"Windows\", DstDomainType),\n SrcUserIdType = iff(isnotempty(SrcUserId), \"UID\", \"\"),\n DstUserIdType = iff(isnotempty(DstUserId), \"UID\", \"\"),\n SrcAppType = case(isnotempty(SrcAppName) and PanOSIsSaaSApplication == \"true\", \"SaaS Application\",\n isnotempty(SrcAppName) and PanOSIsSaaSApplication == \"false\", \"Other\",\n \"\")\n | extend\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n EventType = \"NetworkSession\",\n EventProduct = \"Cortex Data Lake\",\n EventVendor = \"Palo Alto\"\n | project-away\n Source*,\n Destination*,\n Device*,\n AdditionalExtensions,\n CommunicationDirection,\n EventOutcome,\n PanOS*,\n PanOs*,\n Protocol,\n SimplifiedDeviceAction,\n temp*,\n ExternalID,\n Message,\n EndTime,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n MaliciousIP*,\n OriginalLogSeverity,\n Process*,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n StartTime,\n TenantId,\n ReportReferenceLink,\n ReceiptTime,\n Indicator*,\n _ResourceId,\n ThreatConfidence,\n ThreatDescription,\n ThreatSeverity\n};\nparser(\n disabled=disabled,\n starttime=starttime, \n endtime=endtime,\n eventresult=eventresult,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n dstipaddr_has_any_prefix=dstipaddr_has_any_prefix,\n ipaddr_has_any_prefix=ipaddr_has_any_prefix,\n hostname_has_any=hostname_has_any,\n dstportnumber=dstportnumber,\n dvcaction=dvcaction\n)\n",
+ "version": 1,
+ "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),dvcaction:dynamic=dynamic([]),hostname_has_any:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False"
+ }
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
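Review bot: The IP prefix pre-filter in `parser` tests `coalesce(DeviceCustomIPv6Address2, SourceIP)` and `coalesce(DeviceCustomIPv6Address3, DestinationIP)`, but the emitted `SrcIpAddr`/`DstIpAddr` are built with the opposite coalesce order, so when both columns are populated a row is filtered on one address and reported with the other, and a caller passing `srcipaddr_has_any_prefix` can receive rows whose `SrcIpAddr` does not match the prefix or lose rows that would. Align the two, e.g. `temp_SrcMatch = has_any_ipv4_prefix(coalesce(SourceIP, DeviceCustomIPv6Address2), src_or_any)` and the same swap on the `temp_DstMatch` line; `has_any_ipv4_prefix` also never matches an IPv6 value, so with any prefix filter set IPv6-only sessions are dropped as "No match", which deserves a comment at the filter if intended. `NetworkDirection = iff(PanOSIsClienttoServer == "true", "Outbound", "Inbound")` reports "Inbound" whenever the key is absent or empty; an `isempty(PanOSIsClienttoServer)` guard yielding `""` avoids a fabricated direction. `PanOSRuleUUID: int` in the parse-kv list types a UUID-valued key as int and appears unused (only the string-typed `PanOsRuleUUID` is packed into `AdditionalFields`), so it can be dropped.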
diff --git a/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionPaloAltoCEF.yaml b/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionPaloAltoCEF.yaml
index 242a790c97e..588b573e37c 100644
--- a/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionPaloAltoCEF.yaml
+++ b/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionPaloAltoCEF.yaml
@@ -1,7 +1,7 @@
Parser:
Title: Network Session ASIM parser for Palo Alto PanOS
- Version: '0.6'
- LastUpdated: Dec 11, 2021
+ Version: '0.7.1'
+ LastUpdated: Feb 19, 2024
Product:
Name: Palo Alto PanOS
Normalization:
@@ -32,7 +32,11 @@ ParserQuery: |
, "allow","Allow"
, "deny","Deny"
, "drop", "Drop"
- , "drop ICMP", "Drop ICMP"];
+ , "drop ICMP", "Drop ICMP"
+ , "reset-client","Reset Source"
+ , "reset-server","Reset Destination"
+ , "reset-both", "Reset"
+ , "drop-icmp", "Drop ICMP"];
let NWParser=(disabled:bool=false){
CommonSecurityLog | where not(disabled)
| where DeviceVendor == "Palo Alto Networks" and DeviceProduct == "PAN-OS" and Activity == "TRAFFIC"
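Review bot: `lookup Actions on DeviceAction` is an exact, case-sensitive match, so listing the hyphenated spellings next to the spaced ones still leaves `DvcAction` empty for any further variant, and in the filtering parser (see the `dvcaction` post-filter in the ASimNetworkSession query above) such a row is then rejected. Normalizing the key into a scratch column before the lookup, e.g. `| extend temp_action = replace_string(tolower(DeviceAction), '-', ' ')` followed by `| lookup Actions on $left.temp_action == $right.DeviceAction`, with the table reduced to lowercase space-separated rows, covers both spellings without duplicating rows and leaves `DeviceAction` intact for `DvcOriginalAction`. The same duplicated table is in the `Actions` hunk of vimNetworkSessionPaloAltoCEF.yaml, and the new vimNetworkSessionPaloAltoCortexDataLake.json `EventResultDvcActionLookup` carries only the spaced spellings, so the three tables now disagree on which PAN-OS action strings they accept. The `lookup` that consumes `Actions` lies outside this hunk, and `NWParser` continues past its last line.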
diff --git a/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionPaloAltoCEF.yaml b/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionPaloAltoCEF.yaml
index 35a07999de5..a152a24ca58 100644
--- a/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionPaloAltoCEF.yaml
+++ b/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionPaloAltoCEF.yaml
@@ -1,7 +1,7 @@
Parser:
Title: Network Session ASIM filtering parser for Palo Alto PanOS
- Version: '0.7'
- LastUpdated: Dec 11, 2021
+ Version: '0.7.1'
+ LastUpdated: Feb 19, 2024
Product:
Name: Palo Alto PanOS
Normalization:
@@ -55,11 +55,15 @@ ParserQuery: |
let Actions=datatable(DeviceAction:string,DvcAction:string)
[ "reset client","Reset Source"
, "reset server","Reset Destination"
- , "reset both", "Reset"
+ , "reset both", "Reset"
, "allow","Allow"
, "deny","Deny"
, "drop", "Drop"
- , "drop ICMP", "Drop ICMP"];
+ , "drop ICMP", "Drop ICMP"
+ , "reset-client","Reset Source"
+ , "reset-server","Reset Destination"
+ , "reset-both", "Reset"
+ , "drop-icmp", "Drop ICMP"];
let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix);
let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);
let NWParser=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), srcipaddr_has_any_prefix:dynamic=dynamic([]), dstipaddr_has_any_prefix:dynamic=dynamic([]), ipaddr_has_any_prefix:dynamic=dynamic([]), dstportnumber:int=int(null), hostname_has_any:dynamic=dynamic([]), dvcaction:dynamic=dynamic([]), eventresult:string='*', disabled:bool=false){