From dd6cd9b57d6bb01fe404b8e3f488da14988b8ebe Mon Sep 17 00:00:00 2001
From: t-pol <24976309+t-pol@users.noreply.github.com>
Date: Wed, 11 Dec 2024 13:00:43 +0200
Subject: [PATCH] Removing EventResultsDetails and HttpStatusCode.

---
 .../Parsers/ASimWebSessionFortinetFortiGate.yaml | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/Parsers/ASimWebSession/Parsers/ASimWebSessionFortinetFortiGate.yaml b/Parsers/ASimWebSession/Parsers/ASimWebSessionFortinetFortiGate.yaml
index 15c471e5c8b..c02bae1c304 100644
--- a/Parsers/ASimWebSession/Parsers/ASimWebSessionFortinetFortiGate.yaml
+++ b/Parsers/ASimWebSession/Parsers/ASimWebSessionFortinetFortiGate.yaml
@@ -52,10 +52,9 @@ ParserQuery: |
 | where DeviceVendor == "Fortinet" and DeviceProduct startswith "Fortigate" and Activity has_all ('webfilter', 'utm')
- | extend
- EventResultDetails = "NA"
+ //| extend EventResultDetails = "NA" // HTTP response codes are not included in Fortigate logs.
 | lookup EventLookup on DeviceAction
- | project Activity,AdditionalExtensions,DestinationIP,DestinationPort,DeviceAction,DeviceInboundInterface,DeviceOutboundInterface,DeviceProduct,DeviceVersion,LogSeverity,Protocol,ReceivedBytes,SentBytes,SourceIP,SourcePort,TimeGenerated, DeviceExternalID, Type, _ItemId, Computer, EventResult, EventResultDetails, DvcAction, RequestURL, RequestContext, DestinationHostName, SourceHostName, SourceUserName, DestinationUserName, ApplicationProtocol
+ | project Activity,AdditionalExtensions,DestinationIP,DestinationPort,DeviceAction,DeviceInboundInterface,DeviceOutboundInterface,DeviceProduct,DeviceVersion,LogSeverity,Protocol,ReceivedBytes,SentBytes,SourceIP,SourcePort,TimeGenerated, DeviceExternalID, Type, _ItemId, Computer, EventResult, DvcAction, RequestURL, RequestContext, DestinationHostName, SourceHostName, SourceUserName, DestinationUserName, ApplicationProtocol
 | project-rename Url = RequestURL , UrlCategory = RequestContext
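Review bot: Both hunks leave the removed stages in the query as commented-out KQL rather than deleting them (`//| extend EventResultDetails = "NA" ...` here and `//HttpStatusCode = EventResultDetails ...` in the second hunk at new line 120), which keeps dead code inside the parser body and duplicates the same explanation twice. I would delete both commented lines and keep a single note where the first stood, e.g. `// EventResultDetails / HttpStatusCode are not populated: FortiGate webfilter logs carry no HTTP response code.`. Before this change the field was projected as the literal string "NA" and HttpStatusCode aliased it, so any downstream query that filtered on `EventResultDetails != "NA"` or `isnotempty(HttpStatusCode)` will now see an empty column for FortiGate rows — a reasonable representation, but a visible behaviour change worth stating in the commit message. The diffstat (4 insertions, 5 deletions, one file) shows nothing outside these two hunks was touched, so if the file carries parser version/last-updated metadata in its header, that should be bumped alongside this change. The ParserQuery block starts before and continues past this hunk.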
@@ -121,8 +120,8 @@ ParserQuery: |
 temp_HttpUserAgent = extract(@"rawdata=.*?User-Agent=(.*?)(?:\||\;|$)", 1, AdditionalExtensions)
 | extend HttpRequestMethod = coalesce(temp_HttpRequestMethod,HttpRequestMethod),
- HttpUserAgent = coalesce(temp_HttpUserAgent,HttpUserAgent),
- HttpStatusCode = EventResultDetails
+ HttpUserAgent = coalesce(temp_HttpUserAgent,HttpUserAgent)
+ //HttpStatusCode = EventResultDetails // HTTP response codes are not included in Fortigate logs.
 | project-away temp_*
 | extend EventCount = int(1)